Re: IpSEC in Windows an Unix system

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/07/05


Date: Mon, 7 Feb 2005 15:02:04 -0600

I don't know how to configure the Unix server offhand, but you can easily
create an ipsec policy for Windows 2000/XP Pro/W2003 domain computers via
security policy. Security policy is a subset of Group Policy under user
configuration/Windows settings/security settings where you will see IP
security policy. Windows comes with three default configured ipsec policies
for require, request, or client/respond. Any ipsec policy configured in a
Windows domain must however be configured to exempt at least domain
controllers from the ipsec negotiation policy or the domain can come to a
halt.

You have three options for computer authentication - Kerberos, preshared key
[least secure but great for testing], or certificate. Then you can tweak
the policy to use ESP or AH, though most of the time ESP is used for traffic
encryption and integrity. You will need to make sure that all computers can
use common methods for key exchange and ESP such as Diffie-Hellman level,
DES, 3DES, SHA, or MD5. You may find ipsecmon helpful in troubleshooting
ipsec security associations with Windows 2000 computers and the mmc Ipsec
Monitor snapin for XP Pro and Windows 2003. The link below may help
more. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

"Ignacio" <Ignacio@discussions.microsoft.com> wrote in message
news:B1DEA107-ED9D-438F-8068-2A75921DCA9E@microsoft.com...
> Hi:
>
> I need to configure a GPO in my domain so that all the computers use only
> IPSEC. I have another UNIX-based server (HP-UX), and I need all the clients
> to connect to this server (over IPSEC). Can I do it? If it's possible, what
> software do I need?
>
> Thks.
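
The reply's point about both ends needing common key exchange and ESP methods can be checked on paper before any policy is deployed. The sketch below is an added example, not part of the original post or of any Microsoft or HP tool: the policy lists are constructed sample data, and the selection rule (the first initiator proposal that the responder also lists) is a simplified model of the negotiation.

```python
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str   # ESP cipher, e.g. "DES" or "3DES"
    integrity: str    # hash, e.g. "MD5" or "SHA1"
    dh_group: int     # Diffie-Hellman group for key exchange

# Constructed sample policies, each in that side's order of preference.
WINDOWS_POLICY = [Proposal("3DES", "SHA1", 2), Proposal("3DES", "MD5", 2),
                  Proposal("DES", "MD5", 1)]
UNIX_POLICY_OK = [Proposal("3DES", "MD5", 2), Proposal("DES", "MD5", 1)]
UNIX_POLICY_MISMATCH = [Proposal("3DES", "SHA1", 5)]  # differs only in DH group

# Settings from the post's list that are too weak to rely on today.
WEAK = {"DES": "56-bit key", "MD5": "deprecated hash", 1: "768-bit DH group"}

def common(initiator, responder):
    """All proposals both sides list, kept in the initiator's order."""
    accepted = set(responder)
    return [p for p in initiator if p in accepted]

def negotiate(initiator, responder) -> Optional[Proposal]:
    """Simplified model: first shared proposal wins; None means no SA forms."""
    shared = common(initiator, responder)
    return shared[0] if shared else None

def weaknesses(p: Proposal):
    """Name each field of a proposal that uses a weak setting."""
    return [f"{field}={value} ({WEAK[value]})"
            for field, value in zip(p._fields, p) if value in WEAK]

def report(label, initiator, responder):
    chosen = negotiate(initiator, responder)
    if chosen is None:
        return f"{label}: no common proposal, negotiation will fail"
    flags = "; ".join(weaknesses(chosen)) or "no weak settings"
    return f"{label}: {chosen.encryption}/{chosen.integrity}/DH{chosen.dh_group}, {flags}"

if __name__ == "__main__":
    print(report("matching policies", WINDOWS_POLICY, UNIX_POLICY_OK))
    print(report("DH group mismatch", WINDOWS_POLICY, UNIX_POLICY_MISMATCH))
    # Shared proposals that should be removed from both policies:
    for p in common(WINDOWS_POLICY, UNIX_POLICY_OK):
        if weaknesses(p):
            print("weak shared proposal:", p, weaknesses(p))
```

A result of `None` corresponds to the case where no security association appears in ipsecmon or the IPsec Monitor snap-in, which is the symptom to look for when the two policies share no proposal.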


