|
Important: Several
features in the Windows Server 2003
family implementation of IPSec are not
provided in Windows 2000 or in Windows
XP. To ensure that the same IPSec policy
functions as expected on computers
running the Windows Server 2003 family
and on computers running Windows 2000 or
Windows XP, test the policy thoroughly
on all relevant operating systems before
deployment. If you plan to apply IPSec
policies that use the new features that
are available only in the Windows Server
2003 family implementation of IPSec, do
not use the Windows 2000 or the Windows
XP version of the IP Security Policy
Management console to manage these
policies. The settings in the earlier
versions of the IP Security Policy
Management console will override the
settings in the Windows Server 2003
family IPSec policy, and the new
features will not be functional.
Lets say you want to
block PING traffic for a set of
computers. In order for this tip to
work, you need the following to be true:
-
An exiting Active
Directory infrastructure (working
with no errors, duh...).
-
All computers that
need to be configured must be
running Windows 2000 or higher.
-
An OU where the
computer accounts should be placed.
If no OU is applicable for your
situation, you'll need to configure
the GPO on the Domain level, and
thus affect all the members in the
domain. That's why I suggest
creating an OU and placing the
computer accounts in it.
Next we need to configure
IPSec Policies inside the GPO. We can do
so by editing the GPO, and manually
configuring the IPSec Policy, just like
you did in Block Ping Traffic with
IPSec. The only difference is that here
you're editing the IPSec policies as a
part of a larger GPO, not just for the
local computer.
If all the above exists
we can now begin the configure the GPO.
-
Open
Active Directory Users & Computers.
Right-click the domain (or an OU if
you want to only configure a
specific set of computers). Choose
Properties.
-
In the
Properties window click the Group
Policy tab. Click New to configure a
new GPO (if you don't have one set
for that OU already). Give it a
descriptive name, such as Secure
Services.
Note: If you're configuring a
Windows Server 2003 DC computer that
has GPMC installed (read Download
GPMC), you can shorten this action
by simply opening the Group Policy
Management snap-in from the
Administrative Tools and selecting
your desired GPO.
-
Click
Edit to edit the GPO.
-
Navigate to Computer Settings >
Windows Settings > Security Settings
> IP Security Policies on Active
Directory. You can now manually
configure the IPSec Policy. See
Block Ping Traffic with IPSec for
examples.
Or, if
already configured, import it as an
.IPSEC file.
-
After
the new IPSec Policy is in place,
right-click it and select Assign.
-
In order for the
changes to take place, either reboot
the client computers or refresh
their computer policy.
Run
the following command:
In
Windows XP and Windows Server 2003
you should type
When
assigning an IPSec policy in Active
Directory, consider the following:
-
The
list of all IPSec policies is
available to assign at any level in
the Active Directory hierarchy.
However, only a single IPSec policy
can be assigned at a specific level
in Active Directory.
-
An
IPSec policy that is assigned to an
organizational unit in Active
Directory takes precedence over a
domain-level policy for members of
that organizational unit.
-
An
IPSec policy that is assigned to the
lowest-level OU in the domain
hierarchy overrides an IPSec policy
that is assigned to a higher-level
OU, for member computers of that OU.
-
An OU
inherits the policy of its parent OU
unless either policy inheritance is
explicitly blocked or policy is
explicitly assigned.
-
IPSec
policies from different
organizational units are never
merged.
-
The
highest possible level of the Active
Directory hierarchy should be used
to assign policies to reduce the
amount of configuration and
administration required.
-
An
IPSec policy might remain active
even after the Group Policy object
to which it is assigned has been
deleted. Because of this, you should
unassign the IPSec policy before you
delete the policy object. To prevent
problems, use the following
procedure:
-
Unassign the IPSec policy in the
Group Policy object.
-
Wait 24 hours to ensure that the
change is propagated.
-
Delete the Group Policy object.
If you
delete the Group Policy object
without following this procedure,
computers in the Active Directory
container to which the IPSec policy
is assigned treat the IPSec policy
as if it cannot be located and
continue to use a cached copy.
-
Before
assigning an IPSec policy to a Group
Policy object, verify the Group
Policy settings that are required
for the IPSec policy. For example,
if an IPSec policy requires
certificate authentication, assign
the Group Policy settings that allow
computers to enroll for certificates
(usually one or two days before you
assign the IPSec policy that
requires use of the computer
certificate). In addition, you
should test the certificate
enrollment process and resolve any
errors before assigning the IPSec
policy.
|
