
Windows Server 2003 : Configuring a Windows IPSec Policy (part 2) - Assigning the Policy, Creating Additional Rules

10/9/2012 9:19:10 PM

3. Assigning the Policy

Before assigning the policy, verify that you can connect remotely using Terminal Services. If you cannot connect, resolve the communications problem before you assign the policy; otherwise, you will not know whether you have written a successful policy or whether communications are failing for other reasons.

To test Terminal Services, follow these steps:

  1. On ComputerA, open the Start → Control Panel → System applet and select the Remote page.

  2. Ensure that the Allow Users To Log On checkbox is selected and click OK.

  3. On ComputerB, select Start → All Programs → Accessories → Communications → Remote Desktop Connection.

  4. Enter the IP address of ComputerA and click Options.

  5. Enter your password and the domain name.

  6. Enter your user ID if it is different on ComputerB.

  7. Click the Experience page and select the connection speed: "LAN (10 Mbps or higher)."

  8. Click Connect.

  9. The TS Remote Desktop window will appear and display the desktop of ComputerA. If it does not, troubleshoot this process and resolve it before you proceed.

  10. Log off and close the connection by clicking Start → Shutdown, and then choosing Log Off, and clicking OK.

  11. From the General page of the Remote Desktop Connection window, click the Save As button and save the file with the name ComputerA.

  12. Now, let's assign the policy. On ComputerA, in the IPSecurityPolicy1 console, right-click the Block TS policy and click Assign.

4. Testing the Policy

On ComputerB, open the Remote Desktop Connection. If the IP address of ComputerA is not in the Computer window, use the drop-down arrow to select it, or use the Options button and then the Open button to open the ComputerA connection information saved earlier. Click the Connect button. The connection will fail. Click the OK button to close the warning window.

Testing a blocking policy is simple. If your policy is more complex (for example, if it includes encryption requirements or other secure communications), setting up the testing will also be more complex. In the next section, we'll continue with the creation of our policy and then provide information on how to monitor and test this more complex setup.

5. Creating Additional Rules

The ultimate goal of this policy is to allow one particular computer and only that computer to connect using Terminal Services. To do so you must add another rule.

5.1. Create a permit rule

If all traffic to the Terminal Services port is blocked, you can specify a computer or computers from which to permit TS traffic. Because the IPSec Policy Agent service attempts to match packets against the more specific rules first, packets from the allowed computers are accepted because they match the "permit" rule, while packets from all other computers do not match that rule but do match the generic "block" rule.

To create a permit rule, follow these steps:

  1. Open the IPSecurityPolicy1 console created earlier on ComputerA.

  2. Right-click the Block TS policy and select Un-assign. Double-click the policy to open it.

  3. Click Add on the Block TS policy properties page to add a rule. (You must add a new rule because an IPSec rule can only have one filter action.)

  4. On the IP Filter List page, click Add to add a filter list.

  5. Name the filter list Permit ComputerB and provide the description Permits ComputerB to TS to ComputerA.

  6. Click Add to add a filter. In the "Source address" drop-down list, select "A specific IP Address."

  7. Enter the IP address of ComputerB.

  8. In the "Destination address" drop-down list, select My IP Address, as shown in Figure 7.

Figure 7. Select the source

  9. Select the Protocol tab. In the Select a protocol type box, select TCP.

  10. In "Set the IP protocol port," select To This Port and enter 3389, then click OK. Click OK to close the IP Filter list page.

  11. In the "IP Filter lists" box, select Permit ComputerB, and then click the Filter Action tab.

  12. In the Filter Actions list, select Permit, then click Close.

  13. On the Rules page, two rules should be selected, as shown in Figure 8. Click OK.

Figure 8. The Rules page will show two rules are selected

Now let's test the policy. In the IPSecurityPolicy1 console created earlier on ComputerA, right-click the Block TS policy and select Assign. On ComputerB, open the Remote Desktop Connection. If the IP address of ComputerA is not in the Computer window, use the drop-down arrow to select it, or use the Options button and then the Open button to open the ComputerA connection information saved earlier. Click the Connect button. You should get the ComputerA desktop. This proves that the exception, ComputerB, is able to use Terminal Services to ComputerA.

To test that all other computers are blocked, log off the current connection. Change the IP address of ComputerB. On ComputerB, open the Remote Desktop Connection. If the IP address of ComputerA is not in the Computer window, use the drop-down arrow to select it, or use the Options button and then the Open button to open the ComputerA connection information saved earlier. Click the Connect button. The connection should fail.

Change the IP address of ComputerB back to its original address and test the connection again. When you are able to connect using the Remote Desktop Connection, log off, and close the connection.
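The same block-plus-exception policy can be built from the command line with the netsh ipsec static context that ships with Windows Server 2003 and XP, which is convenient for repeating the setup on several hosts or reviewing it in a text file. The script below is an added example, not part of the original article or of any Microsoft documentation; it recreates the Block TS policy from part 1 of this series together with the Permit ComputerB rule from the steps above. The address 192.0.2.20 is a placeholder for ComputerB's real IP address, and the filter-action names "Block TS Action" and "Permit TS Action" are the example's own choices (the MMC steps above use the built-in Permit action).

```batch
@echo off
rem Added example (not from the original article): build the "Block TS" policy
rem with netsh ipsec static on ComputerA instead of the MMC. Run from an
rem administrative command prompt on Windows Server 2003 / XP.
rem Assumption: 192.0.2.20 stands in for ComputerB's real IP address.
set COMPUTERB=192.0.2.20

rem The policy container (part 1 of the article created this in the MMC).
netsh ipsec static add policy name="Block TS" description="Blocks Terminal Services except from ComputerB"

rem Generic filter: any source -> my address, TCP destination port 3389.
netsh ipsec static add filterlist name="Block TS Filter" description="All inbound TS traffic"
netsh ipsec static add filter filterlist="Block TS Filter" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Specific filter for the exception: ComputerB -> my address, TCP 3389.
rem The Policy Agent matches this more specific filter before the generic one.
netsh ipsec static add filterlist name="Permit ComputerB" description="Permits ComputerB to TS to ComputerA"
netsh ipsec static add filter filterlist="Permit ComputerB" srcaddr=%COMPUTERB% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem A rule carries exactly one filter action, so block and permit need two rules.
netsh ipsec static add filteraction name="Block TS Action" action=block
netsh ipsec static add filteraction name="Permit TS Action" action=permit
netsh ipsec static add rule name="Block TS Rule" policy="Block TS" filterlist="Block TS Filter" filteraction="Block TS Action"
netsh ipsec static add rule name="Permit ComputerB" policy="Block TS" filterlist="Permit ComputerB" filteraction="Permit TS Action"

rem Assign the policy (the equivalent of right-click -> Assign) and print it for review.
netsh ipsec static set policy name="Block TS" assign=y
netsh ipsec static show policy name="Block TS" level=verbose
```

The final show command lists both rules with their filter lists and actions, so you can confirm that the permit rule really is scoped to a single source address and TCP 3389 before running the connection tests described above. To repeat the "all other computers are blocked" test without renumbering ComputerB, you can instead run `netsh ipsec static set policy name="Block TS" assign=n`, check that the connection succeeds from ComputerB, reassign the policy, and check that a connection from a third host fails.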

5.2. Changing the permit rule to secure

Now that you've established a channel that only the approved computer, ComputerB, can use, practice securing the content of the communication and adding the additional security that authentication will provide. The easiest way to do this is to change the Permit rule to Secure.

To change the rule, open the IPSecurityPolicy1 console created earlier on ComputerA. Right-click the Block TS policy and select Un-assign. Double-click the policy to open it. On the Rules page, select the Permit ComputerB rule and click Edit. Select the Filter Action page. Select the Require Security action. Click the Edit button. Note that the "Negotiate security" button is selected and that several security methods are listed, as shown in Figure 9.

Figure 9. Review the Security Methods page

Click OK to close. Select the Authentication Methods page. Note that Kerberos is selected as the default security method. If both of these computers are in a domain, this is a good choice. If they are not, then for your tests you must change the method or the connection will fail.

Click the Add button. In the New Authentication Method Properties page shown in Figure 10, click the "Use this string [preshared key]" button and enter the word secret in the text box. Using a preshared key is OK in a test; in a production environment, you should use Kerberos or certificates.

Click OK. Select the Kerberos method and click Remove. Click the Tunnel Setting page and ensure that the "This rule does not specify an IPSec tunnel" button is selected. Click the Connection Type page and ensure the "All network connections" button is selected. Click Close, and then click OK. On the IPSecurityPolicy1 console, select the Block TS policy and select Assign.

Figure 10. Use a preshared key for the tests

5.3. Creating an IPSec policy on ComputerB

Before you can test the policy, you must create a negotiate security policy for ComputerB. Remember, blocking and permitting policies do not require IPSec peers, but securing policies do. The connection security is negotiated between two computers.

Here are the steps to follow:

  1. Open an MMC on ComputerB by clicking Start → Run, and enter mmc. Click the OK button.

  2. Select the File menu, and select Add/Remove Snap-in, and then click Add.

  3. On the Add Standalone Snap-ins page, select IP Security Policy Management, and then click Add. From the Select Computer or Domain dialog, accept the default "Local computer" selection, and click Finish. Then click Close, and click OK.

  4. On ComputerA, in the IPSecurityPolicy1 console created earlier, right-click on the IP Security Policies on Local Computer container and select Create an IP Security Policy.

  5. Click Next on the wizard welcome page. Name the policy Secure TS, enter a brief description, and then click Next. Click to deselect the default response rule.

  6. Click Next, then click Finish.

  7. In the Secure TS Properties Rules page, click Add. This time you will use the wizard to add a rule.

  8. Click Next at the wizard welcome page. On the Tunnel Endpoint page, note the default is not to specify a tunnel and click Next.

  9. On the Network Type page, note that the default is to use the "All network connections" selection and click Next.

  10. On the IP Filter List page, click Add to create the filter list. Name the filter list Secure TS Filter. Click Add to add a filter. This time you will use the wizard to add a filter.

  11. Click Next. On the IP Traffic Source page, leave My IP Address in the Source drop-down list, and then click Next.

  12. On the IP Traffic Destination page, select "A specific IP address" in the Destination address drop-down list, add the IP address for ComputerA, and then click Next.

  13. On the "IP Protocol type" page, select TCP in the Select a Protocol Type box, and then click Next.

  14. On the "IP Protocol port" page, select To This Port and enter 3389, then click Next. Click Finish. Click OK to close the IP Filter List page.

  15. In the "IP Filter lists" box, select Secure TS Filter and then click Next.

  16. On the Filter Actions page, select Filter Action Require Security and then click Next. Click to deselect the Use Add Wizard button and click Add to add a Filter Action.

  17. On the Authentication Method page, select "Use this string to protect the key exchange [preshared key]" and type the word secret in the text box. Click Next followed by Finish. Click OK twice.

  18. In the IP Security Policies1 console, right-click on the Secure TS policy and select Assign.
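Sections 5.2 and 5.3 together turn the permit exception into a negotiated IPsec channel, which requires matching configuration on both peers. The script below is an added example, not code from the original article or from Microsoft; it performs both halves with netsh ipsec static: run it with the argument A on ComputerA to switch the Permit ComputerB rule to a negotiate action, and with the argument B on ComputerB to create and assign the Secure TS policy. The addresses 192.0.2.10 (ComputerA) and 192.0.2.20 (ComputerB), the filter-action name "Require Security TS", and the inpass/soft settings are the example's own assumptions; the preshared key "secret" is the one the article uses for its tests.

```batch
@echo off
rem Added example (not from the original article): move the ComputerB exception
rem from Permit to negotiated IPsec with a preshared key, on both peers.
rem Usage: secure_ts.cmd A   (on ComputerA)    secure_ts.cmd B   (on ComputerB)
rem Assumptions: 192.0.2.10 = ComputerA, 192.0.2.20 = ComputerB; PSK "secret"
rem is the article's test value only (use Kerberos or certificates in production).
set COMPUTERA=192.0.2.10
set COMPUTERB=192.0.2.20
set PSK=secret

if /i "%1"=="A" goto computera
if /i "%1"=="B" goto computerb
echo Usage: %~nx0 A ^| B
exit /b 1

:computera
rem A negotiate action with no fallback: inpass=no rejects unsecured inbound
rem packets, soft=no refuses to fall back to cleartext if negotiation fails.
netsh ipsec static add filteraction name="Require Security TS" action=negotiate inpass=no soft=no
rem Un-assign while editing, as the article does, then point the existing rule
rem at the new action and replace Kerberos with the preshared key.
netsh ipsec static set policy name="Block TS" assign=n
netsh ipsec static set rule name="Permit ComputerB" policy="Block TS" filteraction="Require Security TS" kerberos=no psk="%PSK%"
netsh ipsec static set policy name="Block TS" assign=y
goto done

:computerb
rem The mirror image of ComputerA's rule: my address -> ComputerA, TCP 3389.
netsh ipsec static add policy name="Secure TS" description="Negotiate IPsec for Terminal Services to ComputerA"
netsh ipsec static add filterlist name="Secure TS Filter"
netsh ipsec static add filter filterlist="Secure TS Filter" srcaddr=me dstaddr=%COMPUTERA% protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filteraction name="Require Security TS" action=negotiate inpass=no soft=no
netsh ipsec static add rule name="Secure TS Rule" policy="Secure TS" filterlist="Secure TS Filter" filteraction="Require Security TS" kerberos=no psk="%PSK%"
netsh ipsec static set policy name="Secure TS" assign=y
goto done

:done
rem Show what is assigned on this host so the two sides can be compared.
netsh ipsec static show policy all
```

After running the Remote Desktop test from ComputerB, `netsh ipsec dynamic show mmsas` and `netsh ipsec dynamic show qmsas` on either host list the main-mode and quick-mode security associations that were negotiated for the 3389 traffic; an empty list after a successful logon means the connection was not actually protected by IPsec and the filter did not match. Because the preshared key is stored in the local policy and is the same on both peers, treat it as a test-only credential, exactly as the article advises.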
