Internet Protocol Security Policy


Overview

Microsoft provides three Security Policies, one for a client workstation and two for servers; all three are disabled by default (see [4]). We are going to build a fourth.

Using a Group Policy Object, GPO, editor select:

	Computer Configuration
	    Windows Settings
		Security Settings
		    IP Security Policies on Active Directory
From this selection build Filters that describe the limitation you wish to impose on a collection of computers. Once the Filters are defined, define a Security Policy. Once the Security Policy is defined, apply the GPO to one or more Organizational Units.

"IPSec http://www.ietf.org/rfc/rfc1825.txt is the result of a long process of study, analysis, and argument by working groups in the Internet Engineering Task Force." [4]

Building A Custom IPSec Policy

See [1], section Configuring an IPSec Filter List, for a description of IPSec transport mode versus IPSec tunnel mode.

From the Active Directory policy editor select IP Security Policy on Active Directory:

  1. Create filters.
    	Right click, select Manage IP filter lists and filter actions
    	select tab Manage IP Filter Lists
    

    Filter: E.g., SNMP Blocked

    1. Create a filter list intended to block SNMP traffic on TCP port 161.
      	select Add
      	Name: SNMP -- Blocked
      	Description: 161/tcp/udp and 162/tcp/udp -- deny to all
      	Check Use Add Wizard
      
    2. Define a filter
      	select Add
      	select Next
      	select Any IP Address as the Source address. Select Next
      	select My IP Address as the Destination address. Select Next
      	select the protocol type of TCP. Select Next
      	For Select the IP Protocol port select From any port
      		and To this port enter 161. Select Next
      	select the Edit Properties check box. select Finish
      	select Description tab. Type Purpose: Block SNMP packets from any source to the computer's TCP port 161.
      	select OK.
      
    3. Repeat step 2 to create a filter that blocks SNMP traffic on TCP port 162.
    4. Repeat step 2 to create a filter that blocks SNMP traffic on UDP port 161.
    5. Repeat step 2 to create a filter that blocks SNMP traffic on UDP port 162.

    Filter: E.g., SNMP Permitted On Campus

    Create a filter list intended to permit SNMP traffic on TCP port 161 from on-campus computers.
    	Right click, select Manage IP filter lists and filter actions
    	select tab Manage IP Filter lists
    
    1. 	select Add
      	Name: SNMP -- Permitted
      	Description: 161/tcp/udp and 162/tcp/udp -- restrict to campus
      	Check Use Add Wizard
      
    2. Define a filter
      	select Add
      	select Next
      	select A specific IP subnet as the Source address.
      	Enter IP Address: 129.97.0.0
      	Enter Subnet Mask: 255.255.0.0. Select Next
      	select My IP Address as the Destination address. Select Next
      	select the protocol type of TCP. Select Next
      	For Select the IP Protocol port select From any port
      		and To this port enter 161. Select Next
      	select the Edit Properties check box. select Finish
      	select Description tab. Type Purpose: Allow on campus access to SNMP 161/tcp.
      	select OK.
      
    3. Repeat step 2 to create a filter that permits SNMP traffic on TCP port 162.
    4. Repeat step 2 to create a filter that permits SNMP traffic on UDP port 161.
    5. Repeat step 2 to create a filter that permits SNMP traffic on UDP port 162.

    The end product should appear as:

    Filter: Remaining Filters

    Repeat the above actions for the filter lists below. The destination address of every filter is My IP Address; rows with source 0.0.0.0 / 255.255.255.255 are the wizard's Any IP Address (as in SNMP -- Blocked above), and 129.97.0.0 / 255.255.0.0 is the campus network.

    Name                  Protocol  Src port  Dst port  Src address  Src mask         Description
    SMB -- Permitted      TCP       Any       445       129.97.0.0   255.255.0.0      445/tcp -- restrict to campus
    SMB -- Blocked        TCP       Any       445       0.0.0.0      255.255.255.255  445/tcp -- deny to all
    UPnP -- Permitted     TCP       Any       5000      129.97.0.0   255.255.0.0      1900/udp and 5000/tcp -- restrict to campus network
                          UDP       Any       1900      129.97.0.0   255.255.0.0
    UPnP -- Blocked       TCP       Any       5000      0.0.0.0      255.255.255.255  1900/udp and 5000/tcp -- deny to all
                          UDP       Any       1900      0.0.0.0      255.255.255.255
    UDP -- Permitted      UDP       Any       Any       129.97.0.0   255.255.0.0      Allow UDP traffic from on campus
    UDP -- Blocked        UDP       Any       445       0.0.0.0      255.255.255.255  Deny all UDP protocols
    RDP -- Permitted      TCP       Any       3389      129.97.0.0   255.255.0.0
    RDP -- Blocked        TCP       Any       3389      0.0.0.0      255.255.255.255  3389/tcp -- deny to all (Terminal Services)
    NetBIOS -- Permitted  TCP       Any       139       129.97.0.0   255.255.0.0
                          TCP       Any       138       129.97.0.0   255.255.0.0
                          TCP       Any       137       129.97.0.0   255.255.0.0
                          TCP       Any       135       129.97.0.0   255.255.0.0
                          TCP       Any       150       129.97.0.0   255.255.0.0
                          UDP       Any       138       129.97.0.0   255.255.0.0
                          UDP       Any       137       129.97.0.0   255.255.0.0
                          UDP       Any       135       129.97.0.0   255.255.0.0
    NetBIOS -- Blocked    TCP       Any       139       0.0.0.0      255.255.255.255
                          TCP       Any       138       0.0.0.0      255.255.255.255
                          TCP       Any       137       0.0.0.0      255.255.255.255
                          TCP       Any       135       0.0.0.0      255.255.255.255
                          TCP       Any       150       0.0.0.0      255.255.255.255
                          UDP       Any       138       0.0.0.0      255.255.255.255
                          UDP       Any       137       0.0.0.0      255.255.255.255
                          UDP       Any       135       0.0.0.0      255.255.255.255
    ICA -- Permitted      TCP       Any       1494      129.97.0.0   255.255.0.0
    ICA -- Blocked        TCP       Any       1494      0.0.0.0      255.255.255.255

  2. Create A Filter Action
    	select Manage Filter Actions
    	select Add. Select Next.
    	Name: Block
    	Description: Block data
    	select Next
    	Filter Action: select Block
    	select Finish
    

Policy: Recommended Network Security Policy for UW

Create a Security Policy at Active Directory policy item, IP Security Policy on Active Directory:
	Right click, select Create IP Security Policy. Select Next.
	Name: Recommended Network Security Policy for UW
	Description: Policy and Filters as recommended by the IST Security personnel.
	Select Next.
	Clear the Activate the default response rule
	select Edit the properties Select Finish.
	select the Rules tab
	select Add. Select Next
	select This rule does not specify a tunnel. Select Next
	select All network connections. Select Next
	select Windows 2000 default (Kerberos v5 protocol)
	select SNMP Blocked
	select Next.
	select Block
	select Edit properties. Select Finish.
	select OK.
	select Add. Select Next
	select This rule does not specify a tunnel. Select Next
	select All network connections. Select Next
	select Windows 2000 default (Kerberos v5 protocol)
	select SNMP Permitted
	select Next.
	select Permit
	select Finish.
Add the remaining twelve filter lists, setting a Filter Action of Block or Permit as appropriate. Once created, the security policy appears in every GPO; its Assign status is set on a per-GPO basis.

Activate the Policy

	Right click the policy name: Recommended Network Security Policy for UW
	select Assign

Apply The Policy To Computers

Link the GPO, IP Security, to one or more Organizational Units such as Academic Support.

Building A Custom IPSec Policy On A Client Managed Workstation

While a GPO can distribute the policies to workstations registered in ADS, non-registered workstations must handle their own security builds.

Testing And Verification

See Penetration Tests for a suite of off-site tests that verify a workstation's security policies.

Enable auditing of Success and Failure for Audit Logon Events and Audit Object Access. Run gpresult.exe on the client workstation. If the Security Policy is in effect from a GPO, you will see:

The computer received "IP Security" settings from these GPOs:

        IP Security

In the Security log:

	615	IPSec Services has started successfully
Event 615 messages appear every n minutes, where n is the interval specified when defining the policy (Check for policy changes every:). The default is 180 minutes.

Run the IP Security Monitor, ipsecmon, to monitor, in real time, network access to a workstation. This utility is likely found only on a domain controller.

Select Properties of Network and Dial-up Connections. Select TCP/IP Properties. Select Advanced. Select Options. The name of the Security policy is reported.

From the XP Support Tools, run ipseccmd show all; all effective policies are reported by name.
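The two checks above (gpresult listing the IP Security GPO, and event 615 recurring at the polling interval) can be scripted. The following is an added example, not code from the original page or from Microsoft's tools; the gpresult excerpt and the Security-log rows are constructed sample data, and the (time, event id, message) row layout is an assumption rather than the Event Viewer's native export format.

```python
# Added example (not from the page): scripted versions of the verification steps.
# (1) Confirm gpresult lists the "IP Security" GPO as a source of IP Security
#     settings.
# (2) Confirm Security-log event 615 keeps recurring at the policy's "Check for
#     policy changes every" interval (default 180 minutes); a longer gap suggests
#     the IPSec policy agent stopped polling.
# The gpresult text and the log rows below are constructed sample data; the
# (time, event id, message) layout is an assumption.
from datetime import datetime, timedelta
from typing import List

GPRESULT_SAMPLE = """\
The computer received "IP Security" settings from these GPOs:

        IP Security

The computer received "Security" settings from these GPOs:

        Default Domain Policy
"""

SECURITY_LOG_SAMPLE = [
    ("2002-10-16 08:00:00", 615, "IPSec Services has started successfully"),
    ("2002-10-16 11:00:00", 615, "IPSec Services has started successfully"),
    ("2002-10-16 14:00:00", 615, "IPSec Services has started successfully"),
    ("2002-10-16 20:00:00", 615, "IPSec Services has started successfully"),  # 6 h gap
]

DEFAULT_INTERVAL_MINUTES = 180


def ipsec_gpos(gpresult_text: str) -> List[str]:
    """GPO names gpresult lists under the 'IP Security settings' heading."""
    names: List[str] = []
    in_section = False
    for line in gpresult_text.splitlines():
        if 'received "IP Security" settings from these GPOs' in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "":
            if names:          # a blank line after the names closes the section
                break
            continue           # the blank line right after the heading
        if not line.startswith(" "):
            break              # an unindented line is the next heading
        names.append(line.strip())
    return names


def policy_in_effect(gpresult_text: str, gpo_name: str = "IP Security") -> bool:
    return gpo_name in ipsec_gpos(gpresult_text)


def polling_gaps(events, interval_minutes=DEFAULT_INTERVAL_MINUTES, slack_minutes=5):
    """(previous, current) timestamps of consecutive event-615 entries spaced
    further apart than the polling interval plus a little slack."""
    times = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S")
                   for t, event_id, _ in events if event_id == 615)
    limit = timedelta(minutes=interval_minutes + slack_minutes)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]


if __name__ == "__main__":
    print("IP Security GPO received:", policy_in_effect(GPRESULT_SAMPLE))
    for earlier, later in polling_gaps(SECURITY_LOG_SAMPLE):
        print("no event 615 between", earlier, "and", later)
```

Feed ipsec_gpos the captured gpresult output and polling_gaps the exported 615 entries; a non-empty gap list for a workstation that was powered on throughout is worth a look at the IPSec Services state before trusting the policy.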

Example: Allow select servers full access to a workstation

The goal is to block all access to a workstation from all sources, then permit access by the Domain Controllers and the server that will deliver software. The effect is to protect a workstation from outside interference during an upgrade of the operating system. I will run dsa.msc and then:
  1. Create a Global Security Group.
    On a Domain Controller create a Global Security Group named XP Upgrade in the Organizational Unit OU=Security Groups, OU=Academic Support. Add the computer name SYSLAB11 to the group. Eventually only the computers listed in this group will be affected by the access restrictions.
  2. Create a GPO.
    Right click the Policies OU and select Properties.
    	Select the tab Group Policy
    	Select New
    	XP Upgrade (not to be confused with the Security Group of the same name)
    	Properties
    		Disable User Configuration
    	Edit
    	Windows Settings
    		Security Settings
    			 IP Security Policies on Active Directory
    
  3. Create a filter.
    There is an existing filter named All IP Traffic that will be used to block access by everyone.
    	Select Manage IP filter lists and filter actions
    	Add
    	Name: Boss Machines
    	Description: Full access by a specific list of servers.
    	Use Add Wizard
    	Add
    	Next
    	select A specific DNS Name as the Source address.
    	Host Name: SYSLAB12
    	select My IP Address as the Destination address. Select Next
    	select the protocol type of any. Select Next
    	select the Edit Properties check box. select Finish
    	select OK.
    
    Repeat the above for SYSLAB15, SYSLAB16, ROSEWOOD.
  4. Create a Security Policy.
    Select Active Directory policy item, IP Security Policy on Active Directory:
    	Right click, select Create IP Security Policy. Select Next.
    	Name: XP Upgrade (not to be confused with the Security Group, or GPO, of the same name)
    	Description: Limit access to the workstation by the DCs and required servers.
    	Select Next.
    	Clear the Activate the default response rule
    	select Edit properties Select Finish.
    	select the Rules tab
    	Use Add Wizard
    	select Add. Select Next
    	select This rule does not specify a tunnel. Select Next
    	select All network connections. Select Next
    	select Windows 2000 default (Kerberos v5 protocol) Next
    	select ALL IP Traffic
    	select Next.
    	select Block
    	select Edit properties. Select Finish.
    	select OK.
    	select Add. 
    
    Repeat for Boss Machines and Permit.
  5. Enable the Security Policy.
    	Right Click the IPSec policy XP Upgrade
    	Select Assign
    
    Exit the Group Policy Editor.
  6. Adjust the access control list of the GPO to permit only computers listed in the Security Group.
    	Select the GPO XP Upgrade
    	Select Properties
    	Select Security tab
    	Add
    	Type 'XP Upgrade' (the security group)
    	Select Apply Group Policy, Allow
    	Remove Authorized Users
    	OK
    	Close
    
  7. Apply the GPO to all of Academic Support.
    The GPO named XP Upgrade that defines an IPSec policy named XP Upgrade is applied to every computer in Academic Support but will only be received by the computers that are members of the Security Group XP Upgrade.
    	Right Click OU Academic Support
    	Select Properties
    	Select Group Policy
    	Add
    	Seek XP Upgrade
    	OK
    
Wait several minutes, reboot SYSLAB11, the experimental workstation, and reboot SCOTER, the control workstation, and verify the results.
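The filter table in the Remaining Filters section and the XP Upgrade policy above rely on the same mechanism: a narrow Permit (campus subnet, or a named server) coexists with a broad Block (Any IP Address, or All IP Traffic), and the more specific filter decides. The model below is an added example, not code from the original page or from Microsoft; it assumes most-specific-filter-wins ordering (narrowest source network, then explicit protocol, then explicit port) and that traffic matched by no filter is left alone. It loads a subset of the recommended filters and the XP Upgrade policy; the addresses for SYSLAB12, SYSLAB15, SYSLAB16 and ROSEWOOD are constructed stand-ins for whatever the wizard resolves the DNS names to.

```python
# Added example (not part of the original page or of Microsoft's tooling): a
# small model of how a Windows 2000/XP IPSec policy decides the fate of an
# inbound packet once "Permitted" and "Blocked" filter lists coexist.
# Modelling assumption: when more than one filter matches, the most specific
# filter wins (narrowest source network first, then an explicit protocol, then
# an explicit port), and a packet matched by no filter at all is left alone.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAMPUS = ipaddress.IPv4Network("129.97.0.0/16")   # 129.97.0.0 / 255.255.0.0 from the page
ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")      # the wizard's "Any IP Address"


@dataclass(frozen=True)
class IpsecFilter:
    """One row of a filter list, bound to the filter action its rule uses."""
    name: str
    action: str                      # "Permit" or "Block"
    protocol: str                    # "TCP", "UDP" or "Any"
    dst_port: Optional[int]          # None means any destination port
    src_net: ipaddress.IPv4Network   # source address + mask; destination is "My IP Address"

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        if self.protocol != "Any" and self.protocol != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return ipaddress.IPv4Address(src_ip) in self.src_net

    def specificity(self) -> Tuple[int, bool, bool]:
        # Larger tuple == more specific; tuples compare lexicographically.
        return (self.src_net.prefixlen, self.protocol != "Any", self.dst_port is not None)


def evaluate(filters: List[IpsecFilter], proto: str, src_ip: str,
             dst_port: int) -> Tuple[str, Optional[str]]:
    """Return (decision, winning filter name) for one inbound packet."""
    matched = [f for f in filters if f.matches(proto, src_ip, dst_port)]
    if not matched:
        return ("No filter", None)   # unmatched traffic is not touched by the policy
    best = max(matched, key=IpsecFilter.specificity)
    return (best.action, best.name)


def campus_pair(service: str, proto: str, port: int) -> List[IpsecFilter]:
    """The page's pattern: a campus-only Permit beside an all-sources Block."""
    return [
        IpsecFilter(f"{service} -- Permitted", "Permit", proto, port, CAMPUS),
        IpsecFilter(f"{service} -- Blocked", "Block", proto, port, ANY_NET),
    ]


# A subset of "Recommended Network Security Policy for UW": SNMP 161/162 tcp+udp,
# SMB 445/tcp and RDP 3389/tcp.
RECOMMENDED = (
    campus_pair("SNMP", "TCP", 161) + campus_pair("SNMP", "UDP", 161)
    + campus_pair("SNMP", "TCP", 162) + campus_pair("SNMP", "UDP", 162)
    + campus_pair("SMB", "TCP", 445) + campus_pair("RDP", "TCP", 3389)
)

# The "XP Upgrade" policy: block All IP Traffic, then permit the "Boss Machines".
# The page names the hosts by DNS name; the addresses below are constructed
# stand-ins for what the wizard would resolve them to.
BOSS_HOSTS = {
    "SYSLAB12": "129.97.20.12",
    "SYSLAB15": "129.97.20.15",
    "SYSLAB16": "129.97.20.16",
    "ROSEWOOD": "129.97.20.40",
}


def xp_upgrade_filters(host_map=BOSS_HOSTS) -> List[IpsecFilter]:
    filters = [IpsecFilter("All IP Traffic", "Block", "Any", None, ANY_NET)]
    for host, ip in host_map.items():
        filters.append(IpsecFilter(f"Boss Machines ({host})", "Permit", "Any", None,
                                   ipaddress.IPv4Network(f"{ip}/32")))
    return filters


if __name__ == "__main__":
    for proto, src, port in [("TCP", "129.97.5.5", 445), ("TCP", "198.51.100.7", 445),
                             ("TCP", "198.51.100.7", 80)]:
        print("Recommended", proto, src, port, "->", evaluate(RECOMMENDED, proto, src, port))
    for src in ["129.97.20.12", "129.97.5.5"]:
        print("XP Upgrade TCP", src, 445, "->", evaluate(xp_upgrade_filters(), "TCP", src, 445))
```

Running the module shows the two outcomes the page expects: on the recommended policy a campus source reaches 445/tcp while an off-campus source is blocked and an unfiltered port passes untouched, and under XP Upgrade only the listed servers get through. The same evaluate() call is a quick way to sanity-check a new filter list before it is assigned.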

References

[1] Step-by-Step Guide
Step-by-Step Guide to Internet Protocol Security (IPSec)

[2] SNMP Example
HOW TO: Configure Network Security for the SNMP Service in Windows 2000

[3] Reg Files
Index of /security/howto/2002-10-16
A list of files that includes a README document and two Registry files that define a set of filters and an IP Security Policy. Another Registry file modifies the registry to exclude this policy.

[4] Introduction
Robichaux on Security - June 2000

[5] IPSec For W2K Server
IP Security for MS Windows 2000 Server

[6] IPSec Tunneling
How to Configure IPSec Tunneling in Windows 2000

Appendix: Set Local Policy

As an administrator, run:
	secpol.msc
Use the console to create a Local policy under IP Security Policy on Local Computers.

Appendix: Copy Security Policy Into Production

The policies of IP Security Policies on Active Directory in the GPO IP Security are exported from SYSLAB15 and imported onto DOUGLASFIR. The SYSLAB15 file C:\UW_Recommend.ipsec contains the definitions. All four policies are imported.

Policy Recommended Security Policy for UW is enabled (Assign). The OU Test\Info Systems & Technology is assigned the GPO IP Security. Computers of several IST staff are moved into Test for the purpose of testing the security policy.
