RE: Scripted IPSec policies on Windows XP (without AD/GPOs)
From: Rasmus Rønlev (rr.its_at_cbs.dk)
Date: 05/27/05
- Previous message: Brian A. Reiter: "RE: Scripted IPSec policies on Windows XP (without AD/GPOs)"
- In reply to: Brian A. Reiter: "RE: Scripted IPSec policies on Windows XP (without AD/GPOs)"
- Next in thread: Thor (Hammer of God): "Re: Scripted IPSec policies on Windows XP (without AD/GPOs)"
- Reply: Thor (Hammer of God): "Re: Scripted IPSec policies on Windows XP (without AD/GPOs)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 May 2005 19:08:05 +0200
To: 'Security Focus Microsoft Mailinglist' <focus-ms@securityfocus.com>
Hey,
Thanks for the responses.
First, it seems netsh ipsec (even in WinXP SP2) commands are only supported
with Windows 2003 Server products. I did originally hope for being able to
use netsh for scripting my way out of it - but this doesn't seem to be
possible - at least it hasn't been on the Windows XP boxes I've checked.
Secondly, I'm looking at the 'DCOM IPSec Mitigation Tools' that K Levinson
suggested. I actually was made aware of ipseccmd earlier today (my email was
sent last night my local time ;) - and have been toying around with it along
with the IP Security Policy snap-in. I'm thinking this is the viable
solution when combined with the information coming in the toolpack :)
So thanks to both of you. If anyone else knows of other methods please
enlighten me, as they might be better or easier to use!
Regards,
r@smus
-----Original Message-----
From: Brian A. Reiter [mailto:breiter@wolfereiter.com]
Sent: 27 May 2005 18:58
To: 'Rasmus Rønlev'; 'Security Focus Microsoft Mailinglist'
Subject: RE: Scripted IPSec policies on Windows XP (without AD/GPOs)
You should look into netsh.exe. Netsh is the command-line management tool
for all network configuration settings in Windows XP and Windows Server
2003.
> 1.) Is it possible either through the ‘local’ mmc based “IP
> Security Policy”
> or using another tool to export the given IPSec policy (for
> importing elsewhere and/or using in a script)
You can certainly import and export a policy with the MMC snap-in to a
"policy file". I believe you can also import and export a policy using
netsh.
> 2.) Does anyone know of a way to script applying this IPSec
> policy onto other/client PC’s (They’re all Windows XP SP2 boxes).
You can use netsh to script changes to IPSec. Adding a rule using netsh
would look something like this.
netsh ipsec static add filter filterlist="Outbound Filter" srcaddr=me dstaddr=any description="HTTP out" protocol=TCP srcport=0 dstport=80
A source port of 0 maps to any.
See this article in Technet for a more complete reference of netsh.
http://tinyurl.com/amku6
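The command Brian quotes only adds one filter; on its own it does nothing until it is attached to a filter action, a rule and an assigned policy. The batch script below is an added example, not code from this thread or from either poster. It walks the whole sequence (filter list, filter, filter action, policy, rule, assign, verify) with the "netsh ipsec static" context and finishes with the export that Brian believes netsh supports, so the resulting file can be scripted onto other machines with importpolicy without AD or GPOs. It assumes that context is present, which per Rasmus's test is true on Windows Server 2003 but not on his XP SP2 boxes; the policy, filter list, action, rule names and the export file name are all illustrative choices.

```batch
@echo off
rem Added example (not from the thread): build a complete IPsec policy around the
rem "HTTP out" filter, verify it, and export it for distribution to other hosts.
rem Assumes the "netsh ipsec static" context exists (Windows Server 2003 in this
rem thread; Rasmus found it missing on XP SP2). Names and the file path below are
rem illustrative, not values taken from the thread.

setlocal
set POLICY=Egress Control
set FLIST=Outbound Filter
set FACTION=Block Outbound HTTP
set RULE=Block HTTP out
set EXPORTFILE=%~dp0egress-control.ipsec

rem 1. Filter list plus the filter from Brian's message. srcport=0 means any
rem    source port; mirrored=yes also matches the reply packets, which matters
rem    because IPsec filters are stateless.
netsh ipsec static add filterlist name="%FLIST%" description="Outbound filters"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any description="HTTP out" protocol=TCP srcport=0 dstport=80 mirrored=yes

rem 2. A filter action. action=block drops matching traffic; action=permit
rem    would pass it without IPsec negotiation.
netsh ipsec static add filteraction name="%FACTION%" action=block

rem 3. The policy, and a rule tying the filter list to the filter action.
netsh ipsec static add policy name="%POLICY%" description="Block outbound HTTP from this host"
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"

rem 4. Assign the policy (only one IPsec policy is assigned at a time; this
rem    unassigns any other) and show what the policy agent actually loaded.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 5. Export the local policy store so the same policy can be applied by
rem    script elsewhere. On the receiving machine run:
rem       netsh ipsec static importpolicy file=egress-control.ipsec
rem       netsh ipsec static set policy name="Egress Control" assign=y
netsh ipsec static exportpolicy file="%EXPORTFILE%"

endlocal
```

Run it from an elevated command prompt on the reference machine, check the "show policy" output before trusting the export, and keep the exported file under change control: whoever can edit it can silently change what every importing host permits or blocks.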