Once you have become familiar with the process of setting up IPSec policies, you should review the choices you can make to further increase their security. You can, for example, change the frequency with which the master and session keys are created; changing keys more frequently increases security. Other possibilities are to use stronger authentication and to harden security methods by ensuring that only the most secure protocols are used.
1.1. Hardening Authentication
As you know, a shared secret is best used only for testing. It does make the test easier, and is also quite useful in troubleshooting. By using a shared secret, you eliminate the possibility that Kerberos or certificate authentication is the problem. When both computers are joined in the same domain, or if a trust relationship exists between the domains they are members of, Kerberos is a good choice as well. However, when computers are not joined in a domain, certificates may be used. Using certificates is more complex. Each computer will require its own certificate and, if the certificates are not issued by the same Certification Authority (CA), then a copy of the root certificate for the issuing CA will need to be available in the computer certificate store of the other computer.
2. Hardening Security Methods
As implemented in Windows, IPSec provides several possible choices of integrity, encryption, and Diffie-Hellman settings. If the default settings are used, the settings actually negotiated may not be the most secure ones available: when multiple choices exist, they are negotiated at connection time, and the first option both computers can use is selected.
To ensure that the most secure settings are selected, limit the choices and make sure the list of choices is ordered from most to least secure. You should know which computers on your network will need to make connections using IPSec, and you may have to adjust your choices accordingly. For example, Windows Server 2003 is the only Windows operating system that can use the Diffie-Hellman group 3 setting. If you can (or need to) ensure that only Windows Server 2003 computers are allowed to make the connection, then you can require that group. However, if Windows 2000 and/or Windows XP machines are required and permitted to connect, don't select it, because doing so would block them.
You should modify the defaults to provide the best security for your situation. To change the defaults, make selections during the creation of the IPSec policy or use the following procedure. This procedure modifies the settings to ensure that only the 3DES, SHA1, Diffie-Hellman High (3) security method is used.
On ComputerA, open the IPSecurityPolicy1 console and double-click the Block TS policy to open it. Select the General tab and then click the Settings button, as shown in Figure 1.
On the Key Exchange Settings page, click the Methods button, as shown in Figure 2.
Select the 3DES, SHA1, Medium (2) security method and click Edit. Use the drop-down box for the Diffie-Hellman group and select High (2048), as shown in Figure 3. Then click OK.
Select the 3DES, MD5 security method and click Remove. Select each of the two DES security methods and remove them. Ensure that the page looks like Figure 4 and then click OK.
Click OK twice more to close the policy. On ComputerB, repeat the process, only this time edit the Secure TS policy. Test the policy by opening a Remote Desktop connection from ComputerB to ComputerA. Verify the security method settings by double-clicking the Security Associations node and then double-clicking the SA to open it. (The SA settings will not indicate the Diffie-Hellman group used.)
If IPSec policies are not working as you expected after you have made changes, it may be because the policy has not been refreshed. You can force a policy refresh by stopping and restarting the IPSec Services; this quickly clears the cached policy information, along with any existing security associations, so that the updated policy is loaded.
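The same change can be scripted instead of clicked through. The following batch file is an added example, not from the original text, and uses the netsh ipsec command line that Windows Server 2003 ships alongside the console. It assumes the policy named on the command line ("Block TS" on ComputerA or "Secure TS" on ComputerB, the page's own names) already exists on the computer where it runs, and the file name harden-mm.cmd is an assumption. It performs the key exchange change from the procedure above and the service restart from the last paragraph.

```batch
@echo off
rem Added example: netsh equivalent of the Key Exchange Settings procedure.
rem Main mode security methods are written as ConfAlg-HashAlg-GroupNum, where
rem GroupNum 1 is Low, 2 is Medium (1024) and 3 is High (2048). The list is
rem ordered and replaces the whole default list, so a single entry of
rem 3DES-SHA1-3 means only 3DES, SHA1 and the 2048-bit group are offered.

set "POLICY=%~1"
if "%POLICY%"=="" set "POLICY=Block TS"

rem Replace the defaults (3DES-SHA1 Medium, 3DES-MD5 and the two DES methods)
rem with the single strongest method.
netsh ipsec static set policy name="%POLICY%" mmsecmethods="3DES-SHA1-3"

rem Display the policy in verbose form: the main mode security methods line
rem should now list only 3DES-SHA1-3. This is the check for the
rem Diffie-Hellman group that the console's SA view cannot give you.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem Force a policy refresh by restarting IPSEC Services
rem (service short name PolicyAgent), as the last paragraph describes.
net stop PolicyAgent
net start PolicyAgent

rem After the Remote Desktop test, list the active main mode SAs.
netsh ipsec dynamic show mmsas all
```

Run it as harden-mm.cmd "Block TS" on ComputerA and harden-mm.cmd "Secure TS" on ComputerB. Because the restart tears down the current security associations, run it from the local console rather than over a connection that the policy itself protects.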