IP SECURITY
IP Security was developed by the Internet Engineering Task Force to provide IP authentication, encryption, and data integrity. IPSec services use the Public Key Infrastructure (PKI) to share secret keys over the network and establish secure communication sessions. Once established, the connections are transparent to users and applications. In the section "Virtual Private Networks," IPSec tunnel mode was discussed and IPSec transport mode was implemented using L2TP over IPSec. Here we will see that when applying IP Security to your internal network, routing and network conditions may remove the need for a tunnel, in which case IPSec may be implemented in transport mode. Transport mode has no specified tunnel endpoints, and traffic flows between source and destination hosts without encapsulation or redirection. Group policies applied to Active Directory containers dictate which traffic types are encrypted and signed, either by the Encapsulating Security Payload (ESP) or by the Authentication Header (AH) IPSec drivers. Packets are encrypted on the way out and decrypted on the way in, independent of TCP/IP stack processing (Figure 13.31).
Figure 13.31. The IPSec Transport Mode
The following are Windows Server 2003 enhancements for IPSec:
Fail-safe policies are immediately applied to the system during the bootup sequence before Active Directory or local policies are applied to the system. This ensures that the system has persistent IPSec policy settings even if group policies are not successfully applied to the system.
When IPSec policies are configured to start automatically, stateful inspection filtering is applied until the IPSec policies have been loaded. The settings that control this behavior are listed by the following command:
Netsh ipsec dynamic set config /?
The RSoP snap-in, which is introduced briefly in Chapter 8, can fully analyze IPSec policies on any system in your network.
The IP Security Monitor snap-in replaces ipsecmon.exe for monitoring current IPSec security states and policies.
New features available through the IP Security Policy Management and IP Security Monitor snap-ins may be accessed via scripts using the following command:
netsh ipsec <rest of command>
Individual IPSec packets use a standard format that involves an Authentication Header (AH) and an Encapsulating Security Payload (ESP). The AH contains authentication information that uses digital signatures, and the message body is encrypted in the ESP to prevent data snooping. Table 13.5 lists some of the industry standards used with the Windows Server 2003 IPSec implementation.
Understanding IPSec Policies
IP Security policies can be assigned to either local computers or Active Directory containers to determine the security services a system will use when communicating with other systems. Some systems require higher security than others. For this reason, IPSec policies allow the administrator granular control over the security protocols accepted at individual machines.
Table 13.5. Industry standards used with the Windows Server 2003 IPSec implementation

| Technology | Standard Implementations |
|---|---|
| Shared Secret Keys/Negotiation | Internet Key Exchange (IKE) for Windows Server 2003 |
| Digital Signatures | Hash Message Authentication Code (HMAC): HMAC with Message Digest 5 (HMAC-MD5) and HMAC with Secure Hash Algorithm (HMAC-SHA) |
| ESP Encryption | 3DES, 56-bit DES, 40-bit DES |
SETTING IPSEC POLICIES
IPSec policies are located in the Group Policy tree under Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory. The default policies are defined as follows and may be assigned to any GPO.
Secure Server (require security) accepts initial unsecured communications but requires clients to establish IPSec using a security method acknowledged by it.
Server (request security) accepts unsecured communications but requests that clients establish IPSec using a security method acknowledged by it. This policy allows unsecured communication if the other system does not have IPSec policies.
Client (respond only) should be assigned to computers that are secure within the intranet. When communication is initiated with other computers, IPSec is not presented. However, if the remote computer requests secure communications, this policy is acknowledged.
To assign a security policy to a GPO, right-click the policy and select Assign. The Policy Assigned column should read Yes and all other policies should read No (Figure 13.32).
Figure 13.32. IP Security Templates
Creating a New IPSec Policy
Creating a new security policy involves right-clicking the IP Security Policies from a selected GPO tree and selecting Create IP Security Policy (Figure 13.33 on page 605). The IP Security Policy Wizard appears.
Figure 13.33. Creating an IPSec Policy
The creation process is straightforward, but keep in mind a couple of concepts. First, the default response rule, which is a part of every security policy, can be deactivated by the administrator if so desired (this can be done later). This filter enables the system to establish secure communication when other rules fail. Second, an authentication method must be established (Figure 13.34 on page 606).
Figure 13.34. The Default Response Rule Authentication Method
AUTHENTICATION METHODS
The system administrator's ability to view security policies is a critical operating system requirement. View policy rules by right-clicking Properties for an IP Security Policy (Figure 13.35 on page 606), selecting a filter, and clicking Edit.
Figure 13.35. IP Security Rules
The Authentication Methods tab presents the chosen method of authentication (Figure 13.36 on page 607).
Kerberos version 5
The default authentication method for clients that are part of a trusted Windows Server 2003 domain. The client does not need to be running Windows Server 2003.
Public Key Certificate
Used for clients that are not running Kerberos and for extranet and Internet access. The client and server must share a trusted CA to use certificate authentication.
Preshared Key
Requires a key to be shared between the client and server using an out-of-band method (telephone, snail mail, etc.) and manually configured on both systems. The shared string is used only for authentication, not for data encryption.
Figure 13.36. Authentication Method
TUNNEL SETTINGS
The Tunnel Setting tab allows the administrator to enter the destination or endpoint for an IPSec tunnel. Although we are not discussing tunneling here, this is where IPSec tunneling would be enabled. Windows Server 2003 is equipped with Layer 2 Tunneling Protocol, which is preferred over IPSec as a tunneling implementation. IPSec should be used only for interoperability with systems that do not support PPTP or L2TP. To use L2TP, select the default option This rule does not specify an IPSec tunnel (Figure 13.37 on page 608).
Figure 13.37. Editing a Rule Policy for Tunneling
CONNECTION TYPE
The Connection Type tab enables the user to select the type of connection to which the rule applies. The three choices are All network connections, LAN connections only, and Remote access connections only (Figure 13.38). Connection Type allows the security policy to be limited to particular connection types. The local area network option refers to the local adapter card, and the remote access option applies to both dial-in and VPN connections. When using this policy with tunneling, make sure to enable Remote access directly or through the All network connections selection.
Figure 13.38. Connection Types
IP FILTER LIST
The IP Filter List tab enables selection of default filters and addition of filters. These filters define IP addresses and subnets to which the IPSec rule will apply (Figure 13.39 on page 609).
Figure 13.39. A Rule Policy for IP Filters
On the IP Filter List tab, click Add and follow the wizard's instructions to add a filter to the rule. To modify a filter, select it and click Edit to display its properties (Figure 13.40 on page 609). On the Addressing tab, the drop-down lists under Source address and Destination address each list five methods for setting filters on the address. The security processing applied on a successful source/destination address match is determined by the filter actions, to be discussed next.
Figure 13.40. Filter Properties
An IP packet will match the chosen filter if both its source and destination addresses match the filter's source and destination address ranges. From the drop-down lists, you can choose a particular address or a range of addresses.
My IP address.
The IP address of the system to which the rule has been applied. If My IP is the filter's source address, the rule is applied to all outgoing IP packets sent to the addresses specified in the filter's destination address. On the other hand, if it is the filter's destination address, the rule is applied to all incoming IP packets sent from the addresses specified in the filter's source address.
Any IP address.
Any IP value in the source or destination address of the IP packet will match this filter field.
A specific IP address.
The entered IP address is compared with the source or destination IP address field in the IP packet.
A specific IP subnet.
An IP address range specified by subnet is compared with the source or destination IP address in the IP packet.
Check the Mirrored box to create a reverse version of the current filter. This enables the rule to be applied to both inbound and outbound IP packets. Mirrored should not be used for IPSec tunneling rules. A tunneling filter specifies the tunnel destination IP address required to set up the IPSec tunnel.
The Protocol tab reveals transport layer protocols and port specifications for advanced protocol filtering (Figure 13.41). The Description tab allows detailed explanation and filter naming.
Figure 13.41. Filter Property Protocols
IP FILTER ACTIONS
Filter actions determine if and how the rule will negotiate for secure connections and the security methods to be used. On the Filter Action tab, click Add and follow the wizard's instructions to add a filter action. Select a filter action to modify and click Edit (Figure 13.42). This brings up the Security Methods tab.
Figure 13.42. IP Filter Actions
The Security Methods tab (Figure 13.43) has several options to configure. The first three work as follows:
Permit.
The rule will refuse to negotiate IP security and ignore all incoming secure communications. Only plain-text nonsecured communication will be permitted.
Block.
All communications that meet the filter's requirements are blocked. There is no IP secure communication and no plain-text communication.
Negotiate security.
Communications that match a rule filter undergo IP security negotiation. Security methods are tried in descending order as listed under Security method preference order.
Figure 13.43. Security Methods
The security properties options for a connection are
Accept unsecured communication, but always respond using IPSec.
This option allows a client to initiate a plain-text communication session but will immediately request that the client agree on a security method. If the client and server cannot establish a secure connection, communication will be terminated.
Allow unsecured communication with a non-IPSec-aware computer.
This option will first request negotiation for secure communication, but will disable IP security for clients that do not support IPSec. IPSec security is not required for this rule.
Session key perfect forward secrecy.
A new master key will need to be regenerated before a session key is obtained.
Click Edit to modify advanced features for security methods (Figure 13.44). To display available custom IP security settings, select Custom settings and click Settings (Figure 13.45). Specific algorithms for data integrity (AH), encryption (ESP), and session key lifetime are configurable.
Figure 13.44. Modify Security Method
Figure 13.45. Custom Security Method Settings
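As an added example (not part of the original text), the following script builds from the command line the same objects the snap-in wizards above create: a mirrored IP filter, a Negotiate security filter action whose options map onto the Security Methods tab, and a rule that binds them with Kerberos authentication and a LAN-only connection type. The policy, filter list, action and rule names are constructed placeholders, and the parameter names are assumed to follow the netsh ipsec static context of Windows Server 2003.

```batch
@echo off
rem Added example: a transport-mode IPSec policy that requires IPSec for
rem inbound SMB (TCP 445) on this host. All object names are placeholders.

rem 1. Policy container. assign=no: nothing takes effect until step 5.
netsh ipsec static add policy name="Intranet SMB Policy" description="Require IPSec for inbound SMB" assign=no

rem 2. Filter list with one filter: any source -> My IP, TCP port 445.
rem    dstaddr=me means the rule applies to incoming packets; mirrored=yes
rem    adds the reverse filter so replies from this host are covered too.
netsh ipsec static add filterlist name="SMB Filters" description="TCP 445 to this host"
netsh ipsec static add filter filterlist="SMB Filters" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes description="Any host to My IP, SMB"

rem 3. Filter action = Negotiate security. Option mapping to the GUI:
rem    inpass=yes  "Accept unsecured communication, but always respond using IPSec"
rem    soft=no     leave "Allow unsecured communication with a non-IPSec-aware computer" unchecked
rem    qmpfs=yes   "Session key perfect forward secrecy"
rem    qmsecmethods lists methods in preference order: ESP 3DES/SHA1 first,
rem    then AH-only integrity; the :k/s suffix sets the session key lifetime.
netsh ipsec static add filteraction name="Negotiate ESP" description="ESP preferred, AH fallback" action=negotiate inpass=yes soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s AH[SHA1]:100000k/3600s"

rem 4. Rule: bind filter list and action, Kerberos v5 auth (domain members),
rem    LAN connections only, and no tunnel endpoint (transport mode).
netsh ipsec static add rule name="SMB Rule" policy="Intranet SMB Policy" filterlist="SMB Filters" filteraction="Negotiate ESP" kerberos=yes conntype=lan activate=yes

rem 5. Assign the policy (Policy Assigned column reads Yes) and review it.
netsh ipsec static set policy name="Intranet SMB Policy" assign=yes
netsh ipsec static show policy name="Intranet SMB Policy" level=verbose
```

Run it in an elevated command prompt on the local system; the IP Security Monitor snap-in can then be used to confirm that a security association is negotiated when a domain client opens an SMB session.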
NOTE Shared keys for IPSec may be distributed to users with profiles that were created using the Connection Manager Administration Kit for Windows Server 2003. The user installs the profile when configuring her VPN client to obtain its assigned shared key.