IP Security Policy was: Re: Simple software firewalls for Windows 2000 Server

From: Michael A. Covington (look_at_www.covingtoninnovations.com.for.address)
Date: 06/22/04
Date: Mon, 21 Jun 2004 19:12:14 -0400

> > Use the built-in IPSec filter functionality. See
> > http://www.microsoft.com/windows2000/techinfo/howitworks/security/ip_security.asp
> > and
> > http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp.
>
> I know about IPSec and am using it. It's monstrously complicated and does
> not keep a log.

Speaking of IP Security Policy,

I've had no trouble doing relatively simple things, but when attempting more
elaborate setups, I fear I get mixed up trying to determine which rule
pre-empts which. The more specific rule is supposed to win -- right? What
are the exact criteria of specificity?

(There's a theorem in formal logic that if you have an axiom that "the more
specific rule wins," there will be situations in which your axiom cannot
tell you which of two conflicting rules will win. I'm not kidding. It's
called a "Tweety triangle.")

Also, exactly what does the "Mirrored" checkbox do? Any truth to the rumor
that it does not work as advertised?

What I *like* about IP Security Policy is that very specific rules can be
set. For instance, I have a machine that accepts TCP 3389 (Remote Desktop)
only from the static IP address of my home DSL line.
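
The setup described in the last paragraph (Remote Desktop reachable only from one fixed address), written out as an added example; this is not from the original post. It uses the "netsh ipsec static" command set, which exists on Windows Server 2003 and XP SP2 or later; Windows 2000 has no netsh ipsec context and the same filters would be built in the IP Security Policy MMC snap-in or with ipsecpol.exe from the Resource Kit. The policy, filter list, filter action and rule names, and the address 203.0.113.45 standing in for the home DSL line, are all placeholders chosen here. It also shows the two points asked about above: "mirrored" makes a filter match the same packet with source and destination swapped, and when two filters match the same packet the more specific one (a single address beats "any") decides which rule applies.

```bat
@echo off
rem Added example, not code from the original post.
rem Assumptions: run as Administrator on Windows Server 2003 / XP SP2 or
rem later (Windows 2000 needs the MMC snap-in or ipsecpol.exe instead),
rem and 203.0.113.45 is a placeholder for the static home DSL address.

set HOME_IP=203.0.113.45

rem 1. A new, still unassigned, policy to hold the rules.
netsh ipsec static add policy name=RDP-Lockdown description="Restrict RDP to the home address"

rem 2. Two filter lists for the same port, differing only in source address.
rem    mirrored=yes makes each filter also match the reverse packet
rem    (this host -> client, source port 3389), so replies to an accepted
rem    connection are covered by the same filter. srcport=0 means any port.
netsh ipsec static add filterlist name=RDP-From-Home
netsh ipsec static add filter filterlist=RDP-From-Home srcaddr=%HOME_IP% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

netsh ipsec static add filterlist name=RDP-From-Anywhere
netsh ipsec static add filter filterlist=RDP-From-Anywhere srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Plain permit and block actions (no IPsec negotiation involved).
netsh ipsec static add filteraction name=Permit-Action action=permit
netsh ipsec static add filteraction name=Block-Action action=block

rem 4. One rule per filter list. A packet from HOME_IP to port 3389 matches
rem    both filters; the single-address filter is more specific than the
rem    "any" filter, so the permit rule wins. Port 3389 traffic from any
rem    other address matches only the block rule. Traffic that matches no
rem    filter at all is left alone by IPsec.
netsh ipsec static add rule name=Allow-Home-RDP policy=RDP-Lockdown filterlist=RDP-From-Home filteraction=Permit-Action
netsh ipsec static add rule name=Block-Other-RDP policy=RDP-Lockdown filterlist=RDP-From-Anywhere filteraction=Block-Action

rem 5. Activate the policy and print the result for review. Only one
rem    policy is assigned per machine, so this replaces any other
rem    assigned local policy.
netsh ipsec static set policy name=RDP-Lockdown assign=y
netsh ipsec static show all
```

Before assigning the policy on a box you only reach over Remote Desktop, keep a second console session open (or leave assign=n and test from the allowed address first): if HOME_IP is wrong, the block rule cuts off your own session, and the policy only takes effect while the IPSEC Services (Policy Agent) service is running.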
