Windows Server 2003 : Extending IPSec Operations, Designing IPSec Policies to Meet Secure Communications Needs

10/11/2012 3:10:04 AM

1. Extending IPSec Operations

Even IPSec-protected systems are vulnerable to attack during times when the IPSec policy is not in effect. The following are two times when this may occur:

  • During startup (after the IPSec driver starts, but before the IPSec Policy Agent service starts).

  • When Group Policy fails and the IPSec Policy is newly implemented or modified through Group Policy. (Group Policy IPSec policies are cached in the local computer registry and can be used when a domain controller is not available at computer boot. However, no changes to Group Policy, and, therefore, to IPSec policy, will be downloaded if there is a Group Policy failure.)

To ensure protection against these potential gaps in coverage, you should use persistent policies and configure the IPSec driver mode.

1.1. Use Persistent Policies

You can only assign one IPSec policy per computer. However, you can establish a persistent IPSec policy using the netsh command that will work in concert with that IPSec-assigned policy. Use persistent policies to do the following:

  • Extend IPSec for individual computers that receive an IPSec policy via Group Policy. (The Group Policy-based IPSec policy may have to be general to work for a large number of computers. The persistent policy can be applied to a single computer, and the restrictions it requires may be added.)

  • Temporarily extend or override local IPSec policy.

  • Provide additional protection during computer startup.

  • Provide protection when Group Policy-based IPSec policies fail to be applied.

To make a policy persistent, first create the policy using netsh. It is not possible to create a persistent policy using the GUI. For example, assume a simple policy called Block80 is created to block all port 80 traffic to the local computer. To make the policy persistent, assign the policy using netsh, as follows:

    set policy name=Block80 assign=yes

Make the policy persistent by using netsh as follows:

    set store location=persistent
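The Block80 policy described above, built end to end as an added example (this is not code from the original article). The here-string holds a netsh script that is run with netsh -f, so the set store command and the commands that follow it execute in one netsh session and all write to the persistent store; the filter list, filter action and rule names and the script path are placeholders chosen for this example.

```powershell
# Added example, not from the original article. The filter list, filter action
# and rule names, and the script path, are placeholders for illustration.
$netshScript = @'
pushd ipsec static

# Select the persistent store first: every add/set below is written to it, and
# the IPSec driver applies that store at boot before Group Policy is available.
set store location=persistent

# Filter: any source -> this computer, TCP, any source port, destination port 80.
# mirrored=yes also matches the corresponding traffic in the reverse direction.
add filterlist name=Block80List
add filter filterlist=Block80List srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes

# Filter action that drops matching packets instead of negotiating security.
add filteraction name=BlockAction action=block

# Policy, the rule tying the filter list to the action, and assignment.
add policy name=Block80 description="Block inbound TCP 80" activatedefaultrule=no assign=no
add rule name=Block80Rule policy=Block80 filterlist=Block80List filteraction=BlockAction
set policy name=Block80 assign=yes

# Read the policy back from the persistent store to confirm it is assigned.
show policy name=Block80 level=verbose
popd
'@

# Write the script as plain ASCII text, which is what netsh -f reads, then run it.
$scriptPath = Join-Path $env:TEMP 'block80.txt'   # placeholder location
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
netsh -f $scriptPath
```

The store selection is scoped to the netsh session that set it, so running set store in one netsh invocation and the add commands in another would create the policy in the default local store instead; the script form keeps them together. The final show policy line is the check to perform after a reboot as well: a policy that is assigned in the persistent store is what protects the computer between the IPSec driver starting and the Policy Agent retrieving Group Policy.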

1.2. Configure IPSec Driver Modes

In Windows Server 2003, the IPSec driver operates in one of several modes. You can configure driver modes to improve security. IPSec driver modes are established during computer startup and are adjusted using netsh. The IPSec driver modes are as follows:

  • Computer startup mode. The IPSec driver is loaded into this mode during Windows Server 2003 operating system boot. There are three communication options within this mode.

  • Operational mode. When the IPSec Policy Agent starts, it changes the IPSec driver mode to operational mode.

  • Diagnostic mode. Can be set by using the netsh command.

1.2.1. Startup mode

The IPSec driver communication options during computer startup mode are as follows:

  • Permit. This is the default startup mode if an IPSec policy has never been assigned and if the IPSec Policy Agent is set to Disabled or Manual startup. No IP packets are processed by IPSec.

  • Block. All inbound and outbound IP packets are dropped unless they match filters created for use during block mode, or they are DHCP traffic (so that a computer can obtain an IP address). To configure block mode, use the netsh ipsec dynamic set config bootexemptions command. For example, to set the computer to block mode and apply a filter that allows Remote Desktop connections during startup, issue the command netsh ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound.

  • Stateful. All outbound traffic is allowed, and inbound permit filters are created in response to outbound traffic. All other inbound traffic is dropped, including unicast, broadcast, and multicast. If an IPSec policy is assigned to a computer and the IPSec Policy Agent service is set to automatic startup, the computer startup mode of the IPSec driver is stateful mode.

The computer startup mode can be modified by using the netsh ipsec dynamic set config bootmode value={stateful | block | permit} command, or by modifying the registry. To modify the registry, add and set the DWORD value OperationMode under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC. Use a value of 0 for Permit mode, 1 for Block mode, and 3 for Stateful mode.
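The startup-mode configuration described in this section, as an added example that is not code from the original article: it switches the driver's computer startup mode to block, exempts inbound Remote Desktop so the machine stays reachable while it boots, reads the configuration back, and then shows the registry form of the same setting. The netsh dynamic context writes its changes immediately, so no script file is needed here.

```powershell
# Added example, not from the original article.

# 1. Boot mode and exemption via netsh. Exemption format is
#    protocol:srcport:dstport:direction; a source port of 0 means any port.
netsh ipsec dynamic set config bootmode value=block
netsh ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound

# 2. Read the configuration back to confirm the boot mode and exemption list.
netsh ipsec dynamic show config

# 3. The registry alternative for the mode itself
#    (0 = Permit, 1 = Block, 3 = Stateful), then read the value back.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v OperationMode /t REG_DWORD /d 1 /f
reg query HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v OperationMode
```

Either form takes effect at the next boot, which is the only time the computer startup mode is used. Block mode without an exemption for the administrative path you rely on locks you out of a remote server until the Policy Agent has switched the driver to operational mode, so verify the exemption list with show config before restarting.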

1.2.2. Operational mode

After the IPSec Services service starts, the IPSec Policy Agent sets the IPSec driver to operational mode. If computer startup mode filters are in place, they are discarded. The operational mode cannot be changed by using commands or registry settings; instead, configure IPSec policies and IPSec persistent policies to ensure the protection that you want. The operational modes are as follows:

  • Secure. All IPSec policy filters are enforced. If a persistent policy is configured, the persistent policy is applied, the IPSec Policy Agent sets the IPSec driver into secure mode, and the Active Directory IPSec policy or local policy is applied if one is assigned. If no persistent policy is configured, secure mode cannot protect the computer until the Active Directory or local policy can be applied.

  • Permit. No IPSec protection is provided, so no IP packets are processed by IPSec. The Permit operational mode is active when the IPSec service is manually stopped.

  • Block. All inbound and all outbound traffic is dropped. If filters are configured for computer startup mode, they are not applied here. Block mode is active if a persistent policy is configured but cannot be applied.

1.2.3. Diagnostic mode

Diagnostic mode is disabled by default. It can be used to record all inbound and outbound dropped packets and other packet-processing errors to the System event log. To enable diagnostic mode, use the netsh ipsec dynamic set config ipsecdiagnostics value={0-9} command. Larger numbers mean that more information is collected; a value of 0 disables diagnostic mode.

2. Designing IPSec Policies to Meet Secure Communications Needs

It's not enough to know how to create an IPSec policy. You must also know when to create one. While it is important to consider security for communications on the LAN, it is not a good idea to attempt to protect all communications on the LAN with IPSec. So, when should IPSec be used?

There is no single answer to that question. Remote access via the Remote Desktop connection was restricted to secured communication from a single computer. Likewise, other administrative access scenarios are good candidates for IPSec. In addition, the following list shows a number of scenarios where IPSec might be used:

  • Protect communications between a web application and a Microsoft SQL Server.

  • Protect Active Directory replication across a firewall.

  • Prevent rogue computers from accessing domain resources. (Requires certificate authentication.)

  • Block access during startup by creating persistent policies.

  • Block access to well-known ports utilized by Trojans (for example, TFTP inbound and outbound, and SMTP inbound on the desktop).

  • Block access to other ports on computers where these services should be disabled, such as telnet and web server. (Services should be disabled but might be enabled anyway; blocking the port provides defense in depth.)

  • Restrict access to ports or IP addresses to specific computers.

  • Protect communications between sensitive servers and authorized users, such as financial databases and authorized financial department staff computers.
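Several of the scenarios above (blocking well-known Trojan ports, blocking ports for services that should be disabled, and restricting Remote Desktop to specific computers) combined into one local IPSec policy for a desktop, as an added example that is not part of the original article. The policy, filter list, action and rule names, the 10.0.50.0/24 administration subnet and the script path are assumptions made for this example; the netsh script is run with netsh -f so that all of its commands execute in one session. It goes a little beyond the list by showing how a narrow permit filter coexists with a broad block filter for the same port.

```powershell
# Added example, not from the original article. All names, the 10.0.50.0/24
# administration subnet and the script path are placeholders.
$netshScript = @'
pushd ipsec static
set store location=local

# --- Filter lists ---------------------------------------------------------
# TFTP (UDP 69) in both directions. The first filter covers inbound requests,
# the second outbound requests; mirrored=yes adds the reply direction to each.
add filterlist name="Trojan Ports"
add filter filterlist="Trojan Ports" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=69 mirrored=yes
add filter filterlist="Trojan Ports" srcaddr=me dstaddr=any protocol=udp srcport=0 dstport=69 mirrored=yes
# SMTP (TCP 25) inbound only: a desktop has no reason to accept mail.
add filter filterlist="Trojan Ports" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=25 mirrored=yes

# Services that should already be disabled on a desktop: telnet and web server.
# Blocking the ports is defense in depth in case a service is enabled anyway.
add filterlist name="Disabled Services"
add filter filterlist="Disabled Services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=23 mirrored=yes
add filter filterlist="Disabled Services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes

# Remote Desktop: one broad filter (any source) and one narrow filter
# (the administration subnet only).
add filterlist name="RDP From Anyone"
add filter filterlist="RDP From Anyone" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes
add filterlist name="RDP From Admin Subnet"
add filter filterlist="RDP From Admin Subnet" srcaddr=10.0.50.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

# --- Filter actions -------------------------------------------------------
add filteraction name="Drop" action=block
add filteraction name="Allow" action=permit

# --- Policy and rules -----------------------------------------------------
add policy name="Desktop Hardening" activatedefaultrule=no assign=no
add rule name="Block Trojan Ports" policy="Desktop Hardening" filterlist="Trojan Ports" filteraction="Drop"
add rule name="Block Disabled Services" policy="Desktop Hardening" filterlist="Disabled Services" filteraction="Drop"
add rule name="Block RDP" policy="Desktop Hardening" filterlist="RDP From Anyone" filteraction="Drop"
# IPSec selects the most specific matching filter, not the first rule listed,
# so the admin-subnet permit takes precedence over the any-source block.
add rule name="Allow Admin RDP" policy="Desktop Hardening" filterlist="RDP From Admin Subnet" filteraction="Allow"

set policy name="Desktop Hardening" assign=yes
show policy name="Desktop Hardening" level=verbose
popd
'@

# Write the script as plain ASCII text, which is what netsh -f reads, then run it.
$scriptPath = Join-Path $env:TEMP 'desktop-hardening.txt'   # placeholder location
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
netsh -f $scriptPath
```

The permit-from-subnet plus block-from-anyone pair is the pattern behind the "restrict access to ports or IP addresses to specific computers" scenario: because filter precedence is decided by specificity, the pair behaves the same whichever rule is added first. Test it from a computer inside and one outside the administration subnet before rolling the policy out through Group Policy, and remember that a permit action provides no confidentiality; where the traffic itself must be protected, as between a web application and SQL Server, the filter action is negotiate rather than permit.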
