Configuring IPSec Policies through GPO

How can I configure an IPSec Policy through GPO?

As written in previous articles (see related articles at bottom of page), Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol that’s designed to protect individual TCP/IP packets traveling across your network by using public key encryption. Besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism.

When working on one single computer you can easily set up and assign IPSec Policies either from the Command Prompt by using the NETSH command, or from an MMC console that’s loaded with the IP Security snap-in.

However when working with more than one computer, one might need a better way than going through each computer and re-configuring the IPSec Policy. We need a method in which we can use the same IPSec Policy on multiple computers, or at least have the same policy set up on a number of computers.

One method of configuring many computers to use the same IPSec Policy is to perform Exporting and Importing IPSec Policies. However in this article we will use the second method – use of Active Directory Group Policy Objects (or GPOs).

Important: Several features in the Windows Server 2003 family implementation of IPSec are not provided in Windows 2000 or in Windows XP. To ensure that the same IPSec policy functions as expected on computers running the Windows Server 2003 family and on computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment. If you plan to apply IPSec policies that use the new features that are available only in the Windows Server 2003 family implementation of IPSec, do not use the Windows 2000 or the Windows XP version of the IP Security Policy Management console to manage these policies. The settings in the earlier versions of the IP Security Policy Management console will override the settings in the Windows Server 2003 family IPSec policy, and the new features will not be functional.

Lets say you want to block PING traffic for a set of computers. In order for this tip to work, you need the following to be true:

  • An exiting Active Directory infrastructure (working with no errors, duh…).

  • All computers that need to be configured must be running Windows 2000 or higher.

  • An OU where the computer accounts should be placed. If no OU is applicable for your situation, you’ll need to configure the GPO on the Domain level, and thus affect all the members in the domain. That’s why I suggest creating an OU and placing the computer accounts in it.

Next we need to configure IPSec Policies inside the GPO. We can do so by editing the GPO, and manually configuring the IPSec Policy, just like you did in Block Ping Traffic with IPSec. The only difference is that here you’re editing the IPSec policies as a part of a larger GPO, not just for the local computer.

If all the above exists we can now begin the configure the GPO.

  1. Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to only configure a specific set of computers). Choose Properties.

ipsec agent1 small

  1. In the Properties window click the Group Policy tab. Click New to configure a new GPO (if you don’t have one set for that OU already). Give it a descriptive name, such as Secure Services.

Note: If you’re configuring a Windows Server 2003 DC computer that has GPMC installed (read Download GPMC), you can shorten this action by simply opening the Group Policy Management snap-in from the Administrative Tools and selecting your desired GPO.

  1. Click Edit to edit the GPO.

  2. Navigate to Computer Settings > Windows Settings > Security Settings > IP Security Policies on Active Directory. You can now manually configure the IPSec Policy. See Block Ping Traffic with IPSec for examples.

ipsec gpo small

Or, if already configured, import it as an .IPSEC file.

ipsec gpo1 small ipsec gpo2 small

  1. After the new IPSec Policy is in place, right-click it and select Assign.

ipsec gpo3 small

  1. In order for the changes to take place, either reboot the client computers or refresh their computer policy. Run the following command:

    ​secedit /refreshpolicy machine_policy /enforce

    In Windows XP and Windows Server 2003 you should type

    ​gpupdate /force

When assigning an IPSec policy in Active Directory, consider the following:

  • The list of all IPSec policies is available to assign at any level in the Active Directory hierarchy. However, only a single IPSec policy can be assigned at a specific level in Active Directory.

  • An IPSec policy that is assigned to an organizational unit in Active Directory takes precedence over a domain-level policy for members of that organizational unit.

  • An IPSec policy that is assigned to the lowest-level OU in the domain hierarchy overrides an IPSec policy that is assigned to a higher-level OU, for member computers of that OU.

  • An OU inherits the policy of its parent OU unless either policy inheritance is explicitly blocked or policy is explicitly assigned.

  • IPSec policies from different organizational units are never merged.

  • The highest possible level of the Active Directory hierarchy should be used to assign policies to reduce the amount of configuration and administration required.

  • An IPSec policy might remain active even after the Group Policy object to which it is assigned has been deleted. Because of this, you should unassign the IPSec policy before you delete the policy object. To prevent problems, use the following procedure:

  1. Unassign the IPSec policy in the Group Policy object.

  2. Wait 24 hours to ensure that the change is propagated.

  3. Delete the Group Policy object.

If you delete the Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be located and continue to use a cached copy.

  • Before assigning an IPSec policy to a Group Policy object, verify the Group Policy settings that are required for the IPSec policy. For example, if an IPSec policy requires certificate authentication, assign the Group Policy settings that allow computers to enroll for certificates (usually one or two days before you assign the IPSec policy that requires use of the computer certificate). In addition, you should test the certificate enrollment process and resolve any errors before assigning the IPSec policy.

Related articles

You may find these related articles of interest to you: