Scripted IPSec policies on Windows XP (without AD/GPOs)

From: Rasmus Rønlev (rr.its_at_cbs.dk)
Date: 05/27/05

  • Next message: k levinson: "RE: Scripted IPSec policies on Windows XP (without AD/GPOs)"
    Date: Fri, 27 May 2005 03:08:20 +0200
    To: Security Focus Microsoft Mailinglist <focus-ms@securityfocus.com>
    
    

    Hi,

    Not really having much luck searching on Google, I thought I’d turn to this
    list, in hopes someone is able to help :)

    The scenario I have is that I've got Windows XP (SP2) clients that I want to
    do ‘outbound’ packet filtering on. The unusual thing at this point in time
    is that they’re running on an NT4 domain. This means I do not have access
    to AD-based GPO rollout of IPSec (GPO policies in general).

    I’ve been experimenting with making an “IP Security Policy” on a local
    computer through the mmc. However, I need to apply the same policy on
    multiple computers – i.e. be able to script it in some way. As a note, I do
    have access to deploying various types of script jobs to the Windows XP
    computers.

    So my question is twofold:

    1.) Is it possible, either through the ‘local’ mmc-based “IP Security Policy”
    or using another tool, to export the given IPSec policy (for importing
    elsewhere and/or using in a script)?

    2.) Does anyone know of a way to script applying this IPSec policy onto
    other/client PCs? (They’re all Windows XP SP2 boxes.)

    Hope you all got some good ideas ;)

    Regards,
    r@smus
