RE: Scripted IPSec policies on Windows XP (without AD/GPOs)

From: Brian A. Reiter (breiter_at_wolfereiter.com)
Date: 05/27/05

    To: "'Rasmus Rønlev'" <rr.its@cbs.dk>, "'Security Focus Microsoft Mailinglist'" <focus-ms@securityfocus.com>
    Date: Fri, 27 May 2005 12:58:07 -0400
    
    

    You should look into netsh.exe. Netsh is the command-line management tool
    for all network configuration settings in Windows XP and Windows Server
    2003.

    > 1.) Is it possible either through the ‘local’ mmc based “IP Security
    > Policy” or using another tool to export the given IPSec policy (for
    > importing elsewhere and/or using in a script)

    You can certainly import and export a policy with the MMC snap-in to a
    "policy file". I believe you can also import and export a policy using
    netsh.

    > 2.) Does anyone know of a way to script applying this IPSec
    > policy onto other/client PC’s (They’re all Windows XP SP2 boxes).

    You can use netsh to script changes to IPSec. Adding a rule using netsh
    would look something like this.

    netsh ipsec static add filter filterlist="Outbound Filter" srcaddr=me dstaddr=any description="HTTP out" protocol=TCP srcport=0 dstport=80

    A source port of 0 maps to any.

    See this article in TechNet for a more complete reference of netsh.
    http://tinyurl.com/amku6
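
The following batch script is an added example, not part of the original message: it carries the single `add filter` command above through a complete policy (filter list, filter action, rule), assigns it, and exports it so the same script can import it on other machines. It assumes a host whose netsh exposes the `ipsec static` context and that netsh returns a non-zero exit code on failure; the policy, rule and file names are hypothetical.

```bat
@echo off
rem Added example: usage  ipsec-policy.cmd build | apply
rem   build - create, assign and export the policy on a reference machine
rem   apply - import the exported file on another machine and assign it
rem All names and the export path below are hypothetical placeholders.
setlocal
set POLICY=Workstation Policy
set FLIST=Outbound Filter
set FACTION=Permit Traffic
set EXPORT=%~dp0workstation-policy.ipsec

if /i "%~1"=="build" goto build
if /i "%~1"=="apply" goto apply
echo Usage: %~nx0 build ^| apply
exit /b 2

:build
rem Create the policy unassigned so a half-built policy never takes effect.
netsh ipsec static add policy name="%POLICY%" description="Scripted policy" assign=no || goto fail
netsh ipsec static add filterlist name="%FLIST%" || goto fail
rem srcport=0 means any source port; mirrored=yes also matches the return traffic.
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any description="HTTP out" protocol=TCP srcport=0 dstport=80 mirrored=yes || goto fail
netsh ipsec static add filteraction name="%FACTION%" action=permit || goto fail
rem A rule ties one filter list to one filter action inside the policy.
netsh ipsec static add rule name="Allow HTTP out" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" || goto fail
netsh ipsec static exportpolicy file="%EXPORT%" || goto fail
goto assign

:apply
if not exist "%EXPORT%" (echo Missing %EXPORT% & exit /b 1)
netsh ipsec static importpolicy file="%EXPORT%" || goto fail

:assign
rem Only one local policy can be assigned at a time; this makes ours active.
netsh ipsec static set policy name="%POLICY%" assign=y || goto fail
rem Print what was stored so the result can be checked against the intent.
netsh ipsec static show policy name="%POLICY%" level=verbose
exit /b 0

:fail
echo netsh reported an error; policy "%POLICY%" was not fully applied.
exit /b 1
```

Because `exportpolicy` writes every policy in the local store, run `build` on a machine that holds only the policies you intend to distribute.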
