Re: Scripted IPSec policies on Windows XP (without AD/GPOs)

From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 05/27/05

  • Next message: Jonathan Glass: "Re: Scripted IPSec policies on Windows XP (without AD/GPOs)"
    To: Rasmus Rønlev <rr.its@cbs.dk>, "'Security Focus Microsoft Mailinglist'" <focus-ms@securityfocus.com>
    Date: Fri, 27 May 2005 11:49:02 -0700

    The SP2 support tools contain ipseccmd.exe, which is a command line based
    ipsec policy configuration tool that will run on both XP and Win2k3. That
    will do just what you want it to do...

    Check out this KB for detailed instructions:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;813878

    IPSecCmd is basically an updated version of the older ipsecpol resource kit
    tool for Win2k. And though an older article (specific to Win2k), this
    technet piece by Steve Riley provides a more detailed overview of the IPSec
    gui with further references to ipsecpol syntax-- ipsecpol's syntax won't
    work with XP's ipseccmd, but I think the article's content would be of value
    to you as it provides theory and best practices context.

    http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

    hth
    T

    ------
    *Secure your infrastructure*
    Microsoft Ninjitsu: Securely Deploying MS Technologies
    security training delivered by Timothy Mullen.
    Registration now open Blackhat Vegas 2005:
    http://www.blackhat.com

    ----- Original Message -----
    From: "Rasmus Rønlev" <rr.its@cbs.dk>
    To: "'Security Focus Microsoft Mailinglist'" <focus-ms@securityfocus.com>
    Sent: Friday, May 27, 2005 10:08 AM
    Subject: RE: Scripted IPSec policies on Windows XP (without AD/GPOs)

    Hey,

    Thanks for the responses.

    First, it seems netsh ipsec (even in WinXP SP2) commands are only supported
    with Windows 2003 Server products. I did originally hope for being able to
    use netsh for scripting my way out of it - but this doesn't seem to be
    possible - at least it hasn't been on the Windows XP boxes I've checked.

    Secondly, I'm looking at the 'DCOM IPSec Mitigation Tools' that K Levinson
    suggested. I actually was made aware of ipseccmd earlier today (my email was
    sent last night my local time ;) - and have been toying around with it along
    with the IP Security Policy snap-in. I'm thinking this is the viable
    solution when combined with the information coming in the toolpack :)

    So thanks to both of you. If anyone else knows of other methods please
    enlighten me, as they might be better or easier to use!

    Regards,
    r@smus

    -----Original Message-----
    From: Brian A. Reiter [mailto:breiter@wolfereiter.com]
    Sent: 27. maj 2005 18:58
    To: 'Rasmus Rønlev'; 'Security Focus Microsoft Mailinglist'
    Subject: RE: Scripted IPSec policies on Windows XP (without AD/GPOs)

    You should look into netsh.exe. Netsh is the command-line management tool
    for all network configuration settings in Windows XP and Windows Server
    2003.

    > 1.) Is it possible either through the 'local' mmc based "IP
    > Security Policy"
    > or using another tool to export the given IPSec policy (for
    > importing elsewhere and/or using in a script)

    You can certainly import and export a policy with the MMC snap-in to a
    "policy file". I believe you can also import and export a policy using
    netsh.

    > 2.) Does anyone know of a way to script applying this IPSec
    > policy onto other/client PC's (They're all Windows XP SP2 boxes).

    You can use netsh to script changes to IPSec. Adding a rule using netsh
    would look something like this.

    netsh ipsec static add filter filterlist="Outbound Filter" srcaddr=me
    dstaddr=any description="HTTP out" protocol=TCP srcport=0 dstport=80

    A source port of 0 maps to any.

    See this article in Technet for a more complete reference of netsh.
    http://tinyurl.com/amku6
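
    The single add-filter line above only creates a filter; on its own it
    blocks or permits nothing until it is placed in a filter list, bound to
    a filter action by a rule inside a policy, and that policy is assigned.
    The batch script below is an added example, not code from any of the
    posters, that carries the netsh ipsec static sequence through end to
    end on Windows Server 2003 (as Rasmus notes in the thread, netsh ipsec
    is not available on XP SP2, where ipseccmd.exe is the equivalent). The
    policy, filter-list and rule names and the 192.0.2.10 management host
    are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread): build, assign and list a local
rem IPsec policy with netsh ipsec static on Windows Server 2003.
rem Assumptions: every name below and the management host 192.0.2.10 are
rem constructed placeholders. netsh ipsec static is Server 2003 only;
rem XP SP2 needs ipseccmd.exe (KB 813878) with its own syntax.
setlocal

set POLICY=Example Lockdown
set MGMT=192.0.2.10

rem Delete leftovers first so the script is safe to rerun.
netsh ipsec static delete policy name="%POLICY%" >nul 2>&1
netsh ipsec static delete filterlist name="Inbound SMB and RPC" >nul 2>&1
netsh ipsec static delete filterlist name="Management host" >nul 2>&1
netsh ipsec static delete filteraction name="Permit" >nul 2>&1
netsh ipsec static delete filteraction name="Block" >nul 2>&1

rem assign=no: the policy is inert until the final "set policy assign=yes".
netsh ipsec static add policy name="%POLICY%" description="Block inbound SMB/RPC except from the management host" assign=no

rem Filter list 1: inbound TCP 135/139/445 from any address to this host.
rem srcport=0 means any source port; mirrored=yes also matches the replies.
netsh ipsec static add filterlist name="Inbound SMB and RPC"
netsh ipsec static add filter filterlist="Inbound SMB and RPC" srcaddr=any dstaddr=me description="RPC endpoint mapper" protocol=TCP mirrored=yes srcport=0 dstport=135
netsh ipsec static add filter filterlist="Inbound SMB and RPC" srcaddr=any dstaddr=me description="NetBIOS session" protocol=TCP mirrored=yes srcport=0 dstport=139
netsh ipsec static add filter filterlist="Inbound SMB and RPC" srcaddr=any dstaddr=me description="Direct-host SMB" protocol=TCP mirrored=yes srcport=0 dstport=445

rem Filter list 2: all traffic from the single management host.
netsh ipsec static add filterlist name="Management host"
netsh ipsec static add filter filterlist="Management host" srcaddr=%MGMT% dstaddr=me description="Admin workstation" protocol=ANY mirrored=yes

rem Filter actions: a plain permit and a plain block (no negotiation).
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem Rules bind a filter list to an action inside the policy. The IPsec
rem driver weights specific filters above "any" filters, so the one-host
rem permit takes precedence over the any-address block.
netsh ipsec static add rule name="Allow management host" policy="%POLICY%" filterlist="Management host" filteraction="Permit"
netsh ipsec static add rule name="Block inbound SMB/RPC" policy="%POLICY%" filterlist="Inbound SMB and RPC" filteraction="Block"

rem Assign the policy, then dump the local store to confirm what is active.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show all

endlocal
```

    Run the script from an elevated command prompt on the machine to be
    protected, or push it with whatever remote-execution method you
    already use, and check the "show all" output for the policy marked as
    assigned before trusting it. Order the permit rule before the block
    rule as written so that the management path survives if the block
    list is later widened.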

