1. Extending IPSec Operations
Even IPSec-protected systems are vulnerable to attack during times when the IPSec policy is not in effect. Following are two times when this may occur:
During startup (after the IPSec driver starts, but before the IPSec Policy Agent service starts).
When Group Policy fails and the IPSec policy is newly implemented or modified through Group Policy. (Group Policy IPSec policies are cached in the local computer registry and can be used when a domain controller is not available at computer boot. However, no changes to Group Policy, and therefore to IPSec policy, will be downloaded if there is a Group Policy failure.)
To ensure protection against these potential gaps in coverage, you should use persistent policies and configure the IPSec driver mode.
1.1. Use Persistent Policies
You can assign only one IPSec policy per computer. However, you can establish a persistent IPSec policy using the netsh command that will work in concert with that assigned IPSec policy. Use persistent policies to do the following:
Extend IPSec for individual computers that receive an IPSec policy via Group Policy. (The Group Policy-based IPSec policy may have to be general to work for a large number of computers. The persistent policy can be applied to a single computer, and the restrictions it requires may be added.)
Temporarily extend or override local IPSec policy.
Provide additional protection during computer startup.
Provide protection when Group Policy based IPSec policies fail to be applied.
To make a policy persistent, first create the policy using netsh. It is not possible to create a persistent policy using the GUI. For example, assume a simple policy called Block80 is created to block all port 80 traffic to the local computer. To make the policy persistent, assign the policy using netsh (the commands below are issued in the netsh ipsec static context), as follows:
netsh ipsec static set policy name=Block80 assign=yes
Make the policy persistent by using netsh as follows:
netsh ipsec static set store location=persistent
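The text names the Block80 policy but does not show how it is built. The following batch script is an added example (not code from the original text) that creates Block80 end to end in the persistent store and assigns it. The store is switched before the policy is created, because set store selects which store the subsequent netsh ipsec static commands write to rather than converting an existing policy; the filter list, filter action and rule names are assumed.

```batch
@echo off
rem Added example: build the Block80 policy from the text in the persistent
rem store so it is enforced before the domain or local policy is applied.
rem "set store" selects the store for the following static commands; it does
rem not move an existing policy, so it comes first.
rem Assumed names: Block80-Filters, BlockAction, Block80-Rule.
setlocal

rem 1. Point all subsequent "netsh ipsec static" commands at the persistent store.
netsh ipsec static set store location=persistent

rem 2. Create the policy, left unassigned until its rule exists.
netsh ipsec static add policy name=Block80 description="Drop TCP/80 to this host" assign=no

rem 3. Filter list with one filter: any source to this computer, TCP, destination port 80.
rem    mirrored=yes also creates the reverse filter (me -> any, source port 80).
netsh ipsec static add filterlist name=Block80-Filters description="TCP 80 to local computer"
netsh ipsec static add filter filterlist=Block80-Filters srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="Any -> me TCP/80"

rem 4. Filter action: block outright (no negotiation, no fallback to clear text).
netsh ipsec static add filteraction name=BlockAction action=block

rem 5. Rule tying the filter list and the action to the policy.
netsh ipsec static add rule name=Block80-Rule policy=Block80 filterlist=Block80-Filters filteraction=BlockAction

rem 6. Assign the policy in the persistent store (the step shown in the text).
netsh ipsec static set policy name=Block80 assign=yes

rem 7. Verify: the policy should be listed, with its rule, as assigned.
netsh ipsec static show policy name=Block80 level=verbose

rem Switch back to the local store so later interactive netsh work does not
rem land in the persistent store by mistake.
netsh ipsec static set store location=local
endlocal
```

Run the script from an elevated command prompt on the computer being protected. Because the policy lives in the persistent store, it stays in force when the Group Policy or local policy cannot be applied, which is exactly the gap the section describes.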
1.2. Configure IPSec Driver Modes
In Windows Server 2003, the IPSec driver operates in one of several modes. You can configure driver modes to improve security. IPSec driver modes are established during computer startup and are adjusted using netsh. IPSec driver modes are as follows:
Startup
The IPSec driver is loaded into this mode during Windows Server 2003 operating system boot. There are three communication options within this mode.
Operational
When the IPSec Policy Agent starts, it changes the IPSec Driver mode to operational mode.
Diagnostic
Can be set by using the netsh command.
1.2.1. Startup mode
The IPSec driver communication options during computer startup mode are as follows:
Permit
This is the default startup mode if an IPSec policy has never been assigned and if the IPSec Policy Agent is set to Disabled or Manual startup mode. No IP packets are processed by IPSec.
Block
All inbound and outbound IP packets are dropped unless they match filters created for use during block mode, or they are DHCP traffic (so that a computer can obtain an IP address). To configure block mode, use the netsh ipsec dynamic set config bootexemptions command. For example, to set the computer to block mode and apply a filter that will allow the use of the Remote Desktop connection during startup, issue the command netsh ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound.
Stateful
All outbound traffic is allowed, and inbound permit filters are created in response to outbound traffic. All other inbound traffic is dropped, including unicast, broadcast and multicast. If an IPSec policy is assigned to a computer and the IPSec Policy Agent service is set to automatic startup, then the computer startup mode of the IPSec driver will be stateful mode.
The computer startup mode can be modified by using the netsh ipsec static set config bootmode value={stateful | block | permit} command, or by modifying the registry. To modify the registry, add and set the DWORD value OperationMode under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC.
Use a value of 0 to set Permit mode, 1 for Block mode, and 3 for Stateful mode.
1.2.2. Operational mode
After the IPSec Services service starts, the IPSec Policy Agent sets the IPSec driver to operational mode. If computer startup mode filters are in place, they are discarded. The operational mode cannot be changed by using commands or registry settings. Instead, configure IPSec policies and IPSec persistent policies to ensure the protection that you desire.
Operational modes are as follows:
Secure
All IPSec policy filters are enforced. If a persistent policy is configured, the persistent policy is applied; the IPSec Policy Agent then sets the IPSec driver into secure mode and applies the Active Directory IPSec policy or the local policy, if one is assigned. If no persistent policy is configured, secure mode cannot protect the computer until the Active Directory or local policy can be applied.
Permit
No IPSec protection is provided, so no IP packets are processed by IPSec. The Permit operational mode is active when the IPSec service is manually stopped.
Block
All inbound and all outbound traffic is dropped. If filters are configured for computer startup mode, they are not applied here. Block mode is active if a persistent policy is configured but cannot be applied.
1.2.3. Diagnostic mode
Diagnostic mode is disabled by default. Diagnostic mode can be used to record all inbound and all outbound dropped packets and other packet processing errors to the System event log. To enable diagnostic mode, use the netsh ipsec dynamic set config ipsecdiagnostics value={0-9} command. Larger numbers mean that more information is collected. A value of 0 disables diagnostic mode.
2. Designing IPSec Policies to Meet Secure Communications Needs
It's not enough to know how to create an IPSec policy. You must also know when to create one. While it is important to consider security for communications on the LAN, it is not a good idea to attempt to protect all communications on the LAN with IPSec. So, when should IPSec be used?
There is no single answer to that question. Remote access via the Remote Desktop connection was restricted to secured communication from a single computer. Likewise, other administrative access scenarios are good candidates for IPSec. In addition, the following list shows a number of scenarios where IPSec might be used:
Protect communications between a web application and a Microsoft SQL Server.
Protect Active Directory replication across a firewall.
Prevent rogue computers from accessing domain resources. (Requires certificate authentication.)
Block access during startup by creating persistent policies.
Block access to well-known ports utilized by Trojans (for example, TFTP inbound and outbound, and SMTP inbound on the desktop).
Block access to other ports on computers where these services should be disabled, such as telnet and web server. (Services should be disabled but might be enabled anyway; blocking the port provides defense in depth.)
Restrict access to ports or IP addresses to specific computers.
Protect communications between sensitive servers and authorized users, such as financial databases and authorized financial department staff computers.