
IP Security (IPsec)

The IP Security (IPsec) protocol is a standard that provides cryptographic security services for IP traffic.
IPsec packets are forwarded by routers like any other packet on the network.

There are two ways to set up IPSec in a Windows Server 2008 environment: IPSec Policies applied through
Group Policy, or Connection Security Rules.

We can use IPSec between Windows and non-Windows computers and you will see questions about that
on the exam. We're trying to authenticate or protect data between two machines. One of them is Windows
and one of them is non-Windows. IPSec will do that. It is an industry standard. It's not a Microsoft thing.

The IPSec protocols include:

• AH (Authentication Header) provides packet-level authentication.
• ESP (Encapsulating Security Payload) provides encryption and authentication.
• IKE (Internet Key Exchange) negotiates connection parameters, including keys, for the other two
services.

There are two modes of IPSec.

IPSec operates in Transport Mode by default. Use it whenever L2TP (Layer 2 Tunneling Protocol) can be
used to carry the traffic across the Internet.

In transport mode, the network traffic is IPsec-protected by the originating computer and it stays protected
all of the way through the network to the destination computer. The IPsec-protected packets are routed to
their destination as standard IP datagrams by the routers along the way. Transport mode provides end-to-
end security. A transport mode connection security rule requires only two IP addresses: the source and
destination computers. The following diagram illustrates transport mode, where each computer
establishes an IPSec protected connection from itself to a remote server.

Transport mode IPsec


Tunnel Mode is used when L2TP isn't used: the whole IP packet is protected and encapsulated in another
IP header. This is usually used inside a network. Tunnel Mode is not supported for remote access
VPN.

If somebody's using VPN, they will be using Transport Mode, not Tunnel Mode; be aware of that on the
exam.

In tunnel mode, the network traffic is IPsec-protected only for a part of the trip between the origin and
destination computers, typically as it traverses an untrusted network. For example, an organization with
two geographically separated private intranets that are separated by the internet, can use an IPsec tunnel
mode connection to treat the two separate intranets as one logical network. To do this, a computer on
each intranet is designated as the IPsec gateway, or tunnel endpoint. Clients and servers in each intranet
treat their local gateway as a router. But instead of routing packets across the Internet like a typical router,
the gateway creates an IPsec-protected connection, or tunnel, and then sends the packets through the
tunnel. Traffic is sent plain text between the client and the local gateway, then sent IPsec-protected from
the local gateway to the remote gateway, and then finally sent plain text again. A tunnel mode rule
requires four IP addresses: the two tunnel endpoints, or gateway computers, and the two sets of
computers that are accessible to each other through the tunnel, referred to as endpoints.

Let's talk about group policies. If I'm using IPSec with group policies, then I have some choices about how
I set up my individual machines. I can set it to be respond only. This is the client setting. This computer
will never initiate secure communications; however, if a computer contacts it and says hey, I want to
negotiate an IPSec communication, it will turn on, start to negotiate that and it will communicate with that
computer using IPSec.

The second policy setting that we can use is server, which is request security and this is just the opposite
from client. This machine will always request secure traffic from another machine. OK? And if the other
machine will go IPSec, then fine, we're going to go IPSec. If it won't, then we're going to do unsecured
traffic.

The secure server is the top level and this is only secure communications. If you won't do IPSec with me,
then we're not going to communicate.

IPSec Policies
IPSec Policies define how a computer or computers handle IPSec communications.
You can assign an IPSec Policy either to an individual computer by using Local Security Policy or to a
group of computers by using Group Policy. Although you may define many IPSec Policies for use on a
computer or network, only one policy is ever assigned to a computer at any given time.

IPSec is a protocol built to protect the TCP / IP private network environment using "public key encryption".
One of the first things that you should know about IPSec is that it’s slower than a normal IP packet
because of the larger packet size and the overhead required for encryption and decryption. The larger
packet size also means that IPSec can consume more network bandwidth than traditional IP packets.
Needless to say you probably only want to use IPSec for communications that really need to be secure.

Understanding IPSec
IPSec is a protocol that you can use to:

• Authenticate and encrypt traffic between two computers
• Block specific traffic from entering or leaving a computer
• Allow specific traffic to enter or leave a computer

Because IPSec operates at the network layer of the OSI model (Layer 3), IPSec has an advantage over
SSL and other methods that operate at higher layers. Applications must be written to be aware of and use
SSL, while applications can be used with IPSec without being written to be aware of it. Thus encryption
occurs transparently to the upper layers.

Understanding How IPSec Works


Think of IPSec policies as a collection of packet filters that enforce security policy on IP traffic. Each filter
describes some network protocol action. If traffic leaving or arriving at the device (a computer or other IP
network device) on which the policy is active matches one of the filters, the traffic is either blocked,
allowed, or, before it can proceed, an IPSec connection is negotiated between the sending and receiving
devices.

Filters can match the receipt or initiation of a specific protocol, a connection request from or to a specific
device, or another action that can be identified by protocol, port, IP address, or address range. These
filters are defined in a rule in the IPSec policy.

Example filters
All traffic from IP address 192.168.5.77
All traffic to IP address 192.168.5.101
All traffic on port 23, telnet’s default port
Traffic from 192.168.6.99 on port 23

Filters are combined into filter lists, which are, in turn, part of rules. Each rule also defines a filter action.
Filter actions are Block, Allow, or Negotiate Security.
Each rule can have only one filter action, but a policy can be made up of many rules.

For example, if the required result is that only Telnet sessions originating from a specific computer are
accepted, and that those sessions must be encrypted, two rules should be written:
one rule to block all Telnet traffic and another rule to allow Telnet traffic from the specific computer.

If traffic leaving or arriving at a computer on which a policy is assigned matches a filter in one of the
assigned policy’s policy rules, the filter action associated with that rule is applied.

When an IPSec policy is evaluated, the more specific rule will take precedence.
If the telnet traffic originates with the specified computer, the communication is negotiated, and, assuming
the policy configuration matches where necessary, allowed to proceed. If the traffic originates from any
other IP address, because no specific rule exists for the address, the more general rule is triggered and
the communication will be blocked.

Filters, Filter Actions, and Rules

An IPSec policy consists of a set of filters, filter actions, and rules.

• Filters are used to match traffic. A filter consists of:
  • A source IP address or range of addresses
  • A destination IP address or range of addresses
  • An IP protocol, such as TCP, UDP, or "any"
  • Source and destination ports (for TCP or UDP only)

Note: An IP filter list is used to group multiple filters together so that multiple IP addresses and
protocols can be combined in a single filter list.

• Filter Actions specify which action to take when a given filter is matched. The action can be one of the
following:

  Permit. The traffic is not secured; it is allowed to be sent and received without intervention.
  Block. The traffic is not permitted.
  Negotiate security. The endpoints must agree on and then use a secure method to communicate.
  If they cannot agree on a method, the communication does not take place. If negotiation fails, you
  can specify whether to allow unsecured communication or whether all communication should be
  blocked.

• Rules associate a filter with a filter action and are defined in the IPSec policy.

IPSec Policies

Here the IPSec Policy is made up of three rules. The first rule has priority because it defines traffic the
most specifically—both by type (Telnet or Post Office Protocol 3 [POP3]) and by address (from
192.168.3.32 or 192.168.3.200). The second rule is the next most specific, defining traffic by type only
(Telnet or POP3). The third rule is the least specific because it applies to all traffic and therefore has the
lowest priority.
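An added example (not from these notes) that models the evaluation described above in Python: filters with mirrored matching, filter lists, filter actions, and rules where the most specific match wins. It encodes the two-rule Telnet example and the three-rule policy just described; the actions for the three-rule policy and the specificity scoring are assumptions, as the notes do not give them.

```python
# Added example (not from the course notes): a small model of how an IPSec policy's
# filters, filter actions and rules are evaluated, including mirrored filters and
# the "more specific rule wins" precedence the notes describe.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"
PERMIT, BLOCK, NEGOTIATE = "Permit", "Block", "Negotiate Security"


def _addr_ok(spec: str, addr: str) -> bool:
    """spec is a single host, a CIDR network or ANY."""
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                     # "TCP", "UDP", "ICMP", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One IP filter. A mirrored filter also matches traffic flowing the
    opposite way (source/destination addresses and ports swapped)."""
    src: str = ANY
    dst: str = ANY
    protocol: str = ANY
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    mirrored: bool = True

    def _one_way(self, src, dst, proto, sport, dport) -> bool:
        return (_addr_ok(self.src, src) and _addr_ok(self.dst, dst)
                and self.protocol in (ANY, proto)
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p.src, p.dst, p.protocol, p.src_port, p.dst_port):
            return True
        return self.mirrored and self._one_way(p.dst, p.src, p.protocol,
                                                p.dst_port, p.src_port)

    def specificity(self) -> int:
        """Precedence weight (an assumed scoring, not Windows' internal one):
        every constrained field scores; a single host scores more than a subnet."""
        score = 0
        for spec in (self.src, self.dst):
            if spec != ANY:
                score += 2 if ip_network(spec, strict=False).num_addresses == 1 else 1
        score += int(self.protocol != ANY)
        return score + int(self.src_port is not None) + int(self.dst_port is not None)


@dataclass(frozen=True)
class Rule:
    name: str
    filter_list: Tuple[Filter, ...]   # the rule's IP filter list
    action: str                       # PERMIT, BLOCK or NEGOTIATE


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """(filter action, rule name) of the most specific matching filter. Traffic that
    matches no filter is untouched by the policy: (PERMIT, None). Ties go to the
    rule listed first."""
    best = (-1, PERMIT, None)
    for rule in policy:
        for f in rule.filter_list:
            if f.matches(p) and f.specificity() > best[0]:
                best = (f.specificity(), rule.action, rule.name)
    return best[1], best[2]


def telnet_policy() -> List[Rule]:
    """The notes' two-rule example: block all Telnet, but negotiate security for
    Telnet that originates from 192.168.6.99."""
    return [
        Rule("Block all Telnet", (Filter(protocol="TCP", dst_port=23),), BLOCK),
        Rule("Secure Telnet from 192.168.6.99",
             (Filter(src="192.168.6.99", protocol="TCP", dst_port=23),), NEGOTIATE),
    ]


def three_rule_policy() -> List[Rule]:
    """The notes' three-rule policy. The notes give no actions, so these are
    assumed: secure Telnet/POP3 (ports 23/110) from the two named hosts, block
    other Telnet/POP3, permit everything else."""
    named = tuple(Filter(src=h, protocol="TCP", dst_port=port)
                  for h in ("192.168.3.32", "192.168.3.200") for port in (23, 110))
    by_type = (Filter(protocol="TCP", dst_port=23), Filter(protocol="TCP", dst_port=110))
    return [
        Rule("Telnet/POP3 from named hosts", named, NEGOTIATE),
        Rule("All Telnet/POP3", by_type, BLOCK),
        Rule("All IP traffic", (Filter(),), PERMIT),
    ]
```

Because the filters are mirrored, the server's reply traffic (source port 23) is matched by the same rule as the inbound request, which is what lets a single rule cover a whole session.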

IPSec Policy Steps


Note: the order is not necessarily important, i.e. the IPSec policy may be created first, as you can create
the filter list and filter actions during the IP Security Rule Wizard.

Create a Filter List


Filters IP traffic by subnet, IP address (source and destination), protocol, or server type (DNS, WINS,
DHCP, default gateway).

Create Filter Actions for ip packets


Predefined: Permit (unsecured), Request Security (Optional), Require Security; or create a Block action.

Create an IPsec Policy


The IP Security Policy Wizard simply gives you an opportunity to create an “empty” policy, to
name that IPSec Policy, and to enable the Default Response Rule.
(The Default Response Rule allows insecure communication for pre-Windows Vista clients.)

Create the IP Security Rule


Add the IP filter list and filter action created earlier (the rule) to the new policy.

Configure whether you want to use IPSec in tunnel mode and which connections the rule will apply to (all
network connections, LAN, or remote access connections).
Choose the authentication method: Kerberos within an Active Directory environment, certificates, or
pre-shared keys.

Activate the IPsec Policy: ensure the policy is assigned.

Using IP Security Policy to Manage IPSec


Configure the IP Security Policy Management MMC snap-in (secpol.msc)

1. Start > Run > MMC > Enter
2. Use the File menu to select Add/Remove Snap-in.
3. Click Add.
4. Select the IP Security Policy Management snap-in and press the Add button.
5. Choose where you wish to manage: the local computer, the Active Directory domain, another Active
Directory domain, or another computer.
6. Press Finish, then Close, then OK.
To create a new custom IPSec Policy, open a Local Security Policy or a GPO.
To create a new custom IPSec Policy, open a Local Security Policy or a GPO.

A local IPSec policy is useful when configuring a small number of clients, e.g. two.

IPSec Policies applied through Group Policy


You can find Security Settings in a GPO in the Computer Configuration > Policies > Windows Settings
container.

Note the diagram also shows how to import Policies


There are three built in IPSec policies already installed. You can either implement these policies into your
network as is, or you can use them as a building block for more complex policies.

1. The Client (Respond Only) policy. Designed to be run on client machines that mostly don’t need
to worry about security. The client will never initiate secure communications on its own. However,
if a server requests that the client go into secure communications mode, the client will respond.
2. The Secure Server (Require Security) policy. This policy is for servers that require all
communications to be secure. Once this policy has been applied, the server will neither send nor
accept insecure communications.
3. The Server (Request Security) policy. Contrary to the name, this policy can be used on both
client and server PCs. This policy will request IPSec security for all outbound communications. However,
this policy will accept insecure inbound communications. If a client requests a secure session, the
policy will allow the client to establish one.

Block a computer from accessing the web


How do we prevent web access with IPSec? Suppose that, for some reason, you need to block web access
for a user, for example during working hours or at particular times.

Create a Filter List


In the MMC console, on the left, select Manage IP Filter Lists and Filter Actions.
On the Manage IP Filter Lists tab, select Add.

In the IP Filter List window, enter the name HTTP, HTTPS and select Add to configure the IP filter.
At the Welcome window, select Next.

You can fill in a description.

If you put a checkmark in the Mirrored. Match packets with the exact opposite source and
destination addresses option, the filter action will also be triggered when the IPSec Policy Agent detects
packets moving in the opposite direction to the one specified in the filter.

In the IP Traffic Source window, select My IP Address and select Next

In the IP Traffic Destination window, select Any IP Address and select Next
In the IP Protocol Type window, select TCP

In the IP Protocol Port window, select From any port and To this port: 80 (the HTTP port).
The IP Filter List window now displays the IP Filter

Click Add to add another filter for HTTPS, port 443 (Any IP to Any IP, Protocol TCP, Destination Port 443).
Once we have set up the two filters for HTTP and HTTPS (port 80 and port 443), click OK.

The Filter List HTTP, HTTPS has been created with 2 IP Filters listed

Now we need to setup a Filter Action


Return to the Manage IP Filter Lists and Filter Actions window and select Manage Filter Actions.
After you have attached the desired IP filter list to the rule, you can specify a filter action for the rule in the
Security Rule Wizard. In Group Policy, the following three filter actions are predefined for IPSec Policy rules:

Permit – This filter action permits the IP packets to pass through unsecured.
Request Security (Optional) – This filter action permits the IP packets to pass through unsecured but
requests that clients negotiate security (preferably encryption).
Require Security – This filter action triggers the local computer to request secure communications from
the client source of the IP packets. If security methods (including encryption) cannot be established, the
local computer will stop communicating with that client.

Here we will block the traffic, select Add

In the window Filter Action Name, type the name Block and click Next
In the window Filter Action General Options, select Block and click Next

This takes us back to the Manage IP Filter Lists and Filter Actions window.

If required, you can create more filter actions by clicking Add; otherwise click Close and deselect the Use
Add Wizard checkbox.

After creating the filter actions and filter lists, you need to create a policy and rules to associate the filters
with the filter actions.

Create an IPsec Policy

Create the Blocking Policy

Open the IP Security Policy Management snap-in ( secpol.msc)


1. Right-click the IP Security Policies on Local Computer node and select Create IP Security Policy.
2. The IP Security Policy Wizard launches, Click Next on the welcome page.
3. Give the new Policy a Name and Description > Next.
4. Clear Activate The Default Response Rule, and click Next.
The default response rule allows insecure communication.
In most cases, you will not want this, so you will need to remove the rule; you can always re-enable it later.
5. At the Default Response Rule Authentication Method page, leave the default setting, click Next, then click Finish.

1. In the IPSec MMC window, select IP Security Policies on Local Computer and select Create IP Security
Policy

IP Security Policy Wizard launches


2. The Welcome screen appears > Next.
3. IP Security Policy Name: enter a name and description that is easy to remember, such as Block Web
Access. Select Next.
4. Request for Secure Communication: deselect Activate Default Response Rule > Next.
The default response rule allows insecure communication.
In most cases, you will not want this, so you will need to remove the rule; you can always re-enable it later.
5. The IP Security Policy is created; select Edit properties and click Finish.


Create the IP Security Rule

The Properties dialog box for the policy appears. Keep in mind that a security policy consists of a set of
rules. If any of the conditions we set in any of the rules matches a connection, then the settings of the rule
are triggered. The only rule included in the policy at this point is the default response rule, but it is not
selected and we will not select it. Instead, we will add our own rule.

Make sure that there is a checkmark in the Use Add Wizard checkbox and click the Add button, as we
are going to add the IP filter list and filter action created earlier (the rule) to the new policy.
If Use Add Wizard is selected, the Security Rule Wizard launches; if not, you can configure the rule manually.

The Security Rule wizard launches

At the Welcome window, select Next

In the Tunnel Endpoint window, select The rule does not specify a tunnel, then select Next.
(Tunnel Endpoint page: configure this page only when you want to use IPSec in tunnel mode.)
In the Network Type window, select All Network Connections and select Next.
(Use this page if you want to limit the rule to either the local area network or remote access connections.)

Authentication Method page: security can be negotiated only after the IPSec clients are authenticated.
By default, IPSec rules rely on the Active Directory directory service and the Kerberos protocol to
authenticate clients. However, you can also specify a certificate infrastructure or a preshared key as a
means to authenticate IPSec clients.
(Note that this page does not appear if you select Permit on the Filter Action page.)

With IPSec we want to make sure that both computers on each end are who we think they are and that
we're passing our information securely to the right people. Watch for this on the exam. You've got three
choices on authentication.

1. Kerberos within an active directory environment, that's the best way to go.

2. If one of the computers is not in Active Directory, certificates are the way to go. We're going to generate
certificates and we're going to hand out private keys and public keys.

3. The pre-shared key is not as secure as Kerberos or your certificates and you want that to be your
absolute last choice. Be very, very careful about choosing pre-shared keys on the exam. It's not the best
way to go. OK?

The IP Filter List page appears; we can see the HTTP, HTTPS filter list created earlier.
To create a new IP filter list, click the Add button.
Use this page to specify the set of IP filters you want to attach to the rule. In Group Policy, two IP filter
lists are predefined for IPSec Policy rules: All ICMP Traffic and All IP Traffic.

In the IP Filter List window, select the IP Filters created HTTP, HTTPS. Select Next

In the Filter Action window, select the filter action Block that we created, then select Next
(otherwise create it now by clicking Add).

Check that the new rule, HTTP, HTTPS, is selected (checked) and click OK.


Finally, activate the IPSec policy: Block HTTP, HTTPS

Go to the IPSec MMC; the policy appears in the right-hand pane.
To activate the policy, right-click the IPSec policy and then click Assign.

Done! Test whether you are still able to browse the Web.

You can extend the block to chat, mail or online games by adding filters for the corresponding ports.
Only one policy can be active per machine.
If you assign a second IPSec Policy to a computer, the first IPSec Policy automatically becomes
unassigned. If Group Policy assigns an IPSec Policy to a computer, the computer ignores any IPSec
Policy assigned in its Local Security Policy.

If setup is successful, it should state that the policy is assigned.

Firewalls and IPSec

If a firewall separates two hosts that use IPSec to secure the communication channel, the firewall must
open the following ports:

• IP protocol 50 for IPSec Encapsulating Security Payload (ESP) traffic
• IP protocol 51 for IPSec Authentication Header (AH) traffic
• UDP port 500 for Internet Key Exchange (IKE) negotiation traffic
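An added example (not from these notes) in Python that classifies constructed IPv4 packets the way a firewall between two IPsec hosts would need to: ESP and AH are recognised by the IP header's Protocol field (50 and 51) and IKE by UDP port 500; it goes slightly beyond the text by also reading the AH Next Header field to tell tunnel mode from transport mode. The addresses and SPIs are constructed sample values.

```python
# Added example (not from the course notes): classify raw IPv4 packets as the IPsec
# traffic a firewall between two IPsec hosts must pass. ESP and AH are identified by
# the IP header's Protocol field (50 and 51), IKE by UDP port 500. The AH Next Header
# field also reveals the mode: 4 (an inner IPv4 packet follows) means tunnel mode.
import struct
from ipaddress import IPv4Address
from typing import Dict

PROTO_IPV4, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 4, 6, 17, 50, 51
IKE_PORT = 500


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) plus payload; used only to
    construct the sample packets below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def classify(pkt: bytes) -> Dict[str, object]:
    """What an IPsec-aware firewall or monitor would record for one packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info: Dict[str, object] = {"src": str(IPv4Address(pkt[12:16])),
                               "dst": str(IPv4Address(pkt[16:20])), "protocol": proto}
    body = pkt[ihl:]
    if proto == PROTO_ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])          # everything after is encrypted
        info.update(kind="ESP", spi=spi, seq=seq)
    elif proto == PROTO_AH and len(body) >= 12:
        next_hdr = body[0]                                 # protocol carried inside AH
        spi, seq = struct.unpack("!II", body[4:12])
        info.update(kind="AH", spi=spi, seq=seq,
                    mode="tunnel" if next_hdr == PROTO_IPV4 else "transport")
    elif proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(kind="IKE" if IKE_PORT in (sport, dport) else "UDP",
                    src_port=sport, dst_port=dport)
    else:
        info["kind"] = "other"
    return info


def ipsec_permitted(pkt: bytes) -> bool:
    """The firewall exception the notes describe: pass ESP, AH and IKE only."""
    return classify(pkt).get("kind") in ("ESP", "AH", "IKE")


def sample_packets() -> Dict[str, bytes]:
    """Constructed samples, not captured traffic; addresses are documentation ranges."""
    gw1, gw2 = "203.0.113.10", "198.51.100.20"            # two tunnel endpoints
    ike = build_ipv4(PROTO_UDP, gw1, gw2,
                     struct.pack("!HHHH", IKE_PORT, IKE_PORT, 36, 0) + b"\0" * 28)
    esp = build_ipv4(PROTO_ESP, gw1, gw2, struct.pack("!II", 0x10000001, 7) + b"\xaa" * 32)
    # AH header: next header, payload len (4 = 96-bit ICV), reserved, SPI, sequence, ICV
    inner = build_ipv4(PROTO_TCP, "10.1.0.5", "10.2.0.9", b"\0" * 20)
    ah_tunnel = build_ipv4(PROTO_AH, gw1, gw2,
                           struct.pack("!BBHII", PROTO_IPV4, 4, 0, 0x20000002, 3) + b"\xbb" * 12 + inner)
    ah_transport = build_ipv4(PROTO_AH, "10.1.0.5", "10.2.0.9",
                              struct.pack("!BBHII", PROTO_TCP, 4, 0, 0x30000003, 1) + b"\xcc" * 12 + b"\0" * 20)
    # Plain TCP to port 50 is not ESP: "50" lives in the Protocol field, not in a port
    tcp50 = build_ipv4(PROTO_TCP, gw1, gw2, struct.pack("!HH", 40000, 50) + b"\0" * 16)
    return {"ike": ike, "esp": esp, "ah_tunnel": ah_tunnel,
            "ah_transport": ah_transport, "tcp50": tcp50}
```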

Connection Security Rules

Firewall rules: These rules control whether network traffic passing between the local computer and the
rest of the network should be allowed or blocked. Firewall rules can be configured locally using the
Windows Firewall with Advanced Security snap-in or on targeted computers by using Group Policy.

Connection security rules: These rules determine how network traffic passing between the local
computer and other computers on the network should be protected using IPsec. Unlike firewall rules,
which function unilaterally, connection security rules require that both computers involved have either a
connection security rule or a compatible IPsec policy configured. Connection security rules can be
configured locally using the Windows Firewall with Advanced Security snap-in or on targeted computers
by using Group Policy.

Use connection security rules to configure IPSec settings for connections between computers.
Like IPSec Policies, connection security rules evaluate network traffic and then block, allow, or negotiate
security for messages based on the criteria you establish. Unlike IPSec Policies, however, connection
security rules do not include filters or filter actions. The features provided by filters and filter actions are
built into each Connection Security Rule, but the filtering capabilities in connection security rules are not
as powerful as those of IPSec Policies.
Can you configure a Connection Security Rule that encrypts only Telnet traffic?
Answer: No. Connection security rules are not port-specific.

Connection security rules do not apply to types of IP traffic, such as IP traffic that passes over port 23.
Instead, they apply to all IP traffic originating from or destined for certain IP addresses, subnets, or
servers on the network.

Implementing IPSec through Connection Security Rules

Creating and Configuring a Connection Security Rule


To create a Connection Security Rule in a GPO, first browse to and expand
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall
With Advanced Security > Windows Firewall With Advanced Security – LDAP://address. Beneath
this node, right-click the Connection Security Rules node and, from the shortcut menu, choose New Rule.
This brings up the Rule Type page of the New Connection Security Rule Wizard.
This rule will enable IPsec security between two machines, so we'll select the Server-to-server option
and click Next. The rule types offered are:
Isolation: Use this template to isolate a server by specifying criteria that must be met for computers
wanting to communicate (for example, that they must be members of the domain).

Authentication Exemption: Use this template to allow specific computers, groups of computers, or IP
address ranges to be excluded from being required to authenticate themselves. This is commonly used to
allow communication with computers before the configured type of authentication is possible (for example,
with domain controllers for Kerberos).

Server-to-server: Use this template to authenticate between two computers, groups of computers,
subnets, or any combination.

Tunnel: Use this template to secure communications between two computers through a tunnel such as
with a virtual private network (VPN).

Custom: Use this template to tailor all aspects of the connection security rule.

On the Endpoints page we define the endpoints to which we want this rule to apply. In this example, we
have a server named APP1 and we want to make sure that all connections to APP1 are secured with
IPsec. For the Endpoint 1 computer, click the Add button.

In the IP Address dialog box we’ll select the This IP address or subnet option and enter the IP address
of APP1. Then click OK.

Now we’ll configure the Endpoint 2 to be any computer. We’ll select the These IP addresses option for
Endpoint 2 and then click Add. In the IP Address dialog box, we’ll select the This IP address or subnet
option and enter 10.0.0.0/24 and then click OK.
Before we leave the Endpoints page, notice that there is a Customize button. When you click this
button, you can see the Customize Interface Types dialog box that’s shown in Figure 8. By default, the
rule applies to all interfaces, but if you want to limit the types of interfaces that the rule is applied to, you
can change from All interface types to These interface types. We will use the default settings, so we
won’t change anything here.
On the Requirements page you can choose what kind of authentication you want to use. In this example,
we’ll choose Require authentication for inbound connections and request authentication for
outbound connections. When we do this, whenever an Endpoint 1 host and an Endpoint 2 host
communicate, there will be a request for authentication when the computer sends an outbound
request, and authentication will be required when there is an inbound request. This means that whenever
a computer tries to connect to APP1, authentication will be required on the inbound connections to APP1.
It’s a little confusing, but when you think about it, it does make sense. It also means all other computers,
when connecting to APP1, are going to request authentication from APP1, but in those cases it’s optional.
What we’re really interested in are the inbound connections to APP1, and this rule is able to mandate that
incoming connections to APP1 require authentication.

On the Authentication Method page you choose the authentication method. The default setting (which
we’ll use) is the Computer Certificate option. The default Signing Algorithm is RSA (default) and the
default Certificate Store type option is Root CA (default). Click the Browse button to find the root CA
certificate you use in your organization.
In the Windows Security dialog box you’ll see a list of certificates. The root CA for this organization is
corp-DC1-CA so select that one and click OK.

Now you can see on the Authentication Method page that we’re using a computer certificate for
authentication and that we trust certificates issued by the CA noted in the CA name text box. Click Next.
The Profile page allows you to limit the local network location types to which the connection rule will
apply. The profiles you can enable for the rule are Domain, Private, and Public; we'll use the Domain
profile only and uncheck the other profiles. This will avoid problems if domain members connect to other
networks that use the same private address spaces and the same IP addresses.
On the Name page enter a name for the rule and click Finish.

The rule is now created in Group Policy and will be automatically deployed to domain members.

Once you finish creating a new connection security rule, the rule is automatically enabled. To disable the
rule, right-click it and select Disable Rule.

If you double-click the rule in the Group Policy editor, or right-click it and select Properties, you can make
changes. Just click on the appropriate tab and make the changes; the rule will be updated for all the
machines to which this Group Policy is applied.
The Computers tab

You might have noticed that there were no options for configuring the IPsec settings in the rule.
The reason for that is that IPsec settings are set on a global basis, which is unfortunate, but that’s how
Microsoft decided to do that. If you want to see the IPsec settings, you need to right click on the Windows
Firewall with Advanced Security node, and then click Properties.
This brings up the Windows Firewall with Advanced Security dialog box.

If you click the IPsec Settings you can see the IPsec defaults section.
Also notice that there are sections for IPsec exemptions and IPsec tunnel authorization.
If we click the Customize button in the IPsec defaults section, you can see that the Key exchange
(Main Mode), Data protection (Quick Mode), and Authentication method options are all set to Default.

Computer Kerberos version 5 authentication is the default authentication method.


IPsec Settings: In this tab, you can customize the IPsec defaults. You can change and customize the key
exchange, data protection, and authentication method. You can also set IPsec exemptions.

IPsec defaults. These are the default IPsec settings that are applied when you create Connection
Security rules (the new name for IPsec policies). Note that when you create connection Security Rules
that you will have the option to change the settings on each rule from the defaults.

IPsec exemptions. By default, IPsec exemptions are disabled. However, you might find network
troubleshooting using ping, tracert and other ICMP-dependent tools a lot easier if you change this setting
from No (default) to Yes.

The Client

When we go to one of the domain computers that will connect to APP1 and open the WFAS console, you
can see in the Connection Security Rules node the new Connection Security Rule. Note that this is just
a listing of the rule; it doesn’t indicate that the rule was active. It just indicates that the rule is available on
the computer.
If you click on the Monitoring\Connections Security Rules node, you can see any active Connection
Security Rules. In this case, we can see that there is an active Connection Security Rule, indicating that
our IPsec connection worked! When we double click on the active rule, we can see the details of the
connection.
Under the Monitoring section, from the left-side panel, you can find the following information: which
firewall rules - both inbound and outbound - are active, which connection security rules are active and if
there are any active security associations.

One important note is the fact that the Monitoring panel will show only the active rules for the current
profile. If there are any rules which are enabled for other profiles, you will not see them on the list.
Now we’ll move to the Monitoring\Security Associations\Main Mode section in the left pane of the
WFAS console. Here we see information about the Main Mode connection, including information about
the authentication method, and information about the encryption and integrity algorithms.

Security Associations
After two computers negotiate an IPSec connection, whether through IPSec Policies or connection
security rules, the data sent between those computers is secured in what is known as a Security
Association (SA). Security for an SA is provided by the two IPSec protocols—Authentication Header (AH)
and Encapsulating Security Payload (ESP).

Exam Tip: You need to know the basic difference between AH and ESP for the 70-642 exam. If you need
encryption, use ESP. If you just need to authenticate the data origin or verify data integrity, use AH.

Using Netsh to Manage IPSec
Any task you can perform with the IP Security Policy snap-in and the IP Security Monitor snap-in, you can
do with the Netsh command. You can also perform tasks with Netsh that you cannot do from a console,
such as the following: instituting computer startup security, performing computer startup traffic
exemptions, running diagnostics, performing default traffic exemptions, performing strong CRL checking,
performing IKE (Oakley) logging, modifying logging intervals, and creating a persistent policy.

You create policies by configuring IKE parameters and adding rules that are composed of filter lists, filter
actions, and other configuration parameters.

Using Netsh to Manage IPSec


Netsh is a native Windows Server 2003 command-line tool that you can use to display or modify the local
or remote network configuration of a computer running Windows Server 2003. You can run Netsh from a
batch file or from the command prompt. The Netsh IPSec commands cannot be used on any other
Windows computer.

To work with IPSec through Netsh, first enter the Netsh IPSec context and then either the static or the
dynamic sub-context (netsh ipsec static or netsh ipsec dynamic).
Once you are in a context, you can use the Netsh commands to build a policy or monitor IPSec activity.

Two modes are possible:

• Static mode allows you to create, modify, and assign policies without affecting the active IPSec policy.
• Dynamic mode displays the active state and immediately implements changes to the active IPSec policy.

Dynamic Netsh commands affect the service only when it is running. If the service is stopped, dynamic
policy settings are discarded.

Using Netsh to Monitor IPSec

You can use Netsh to monitor the current IPSec session. Monitoring consists of displaying policy
information, getting diagnostics, or logging IPSec information.

First, you might want to know what the current IPSec policy is. To find out, use the Show command.
If you use the Show All command, a lot of information is returned:

Netsh ipsec static show all

Sometimes it is useful to look at only a portion of the IPSec configuration information.

You can enter commands from the Netsh IPSec Dynamic or the Netsh IPSec Static context, or, with
modification, from the command line.
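As an added worked example (not from the guide itself), the following batch file walks through the Netsh
IPSec workflow described above: create a policy, add a filter list with one filter, add a negotiate filter
action, tie them together in a rule that uses Kerberos authentication, assign the policy, and then monitor
the live state from the dynamic context. The policy, filter list, filter action and rule names are invented
for the illustration, the server is assumed to be a Windows Server 2003 domain member (so Kerberos is
available for IKE), and ESP[3DES,SHA1] is just one possible quick-mode security method, not a choice
the guide makes.

```batch
@echo off
REM Added example (not from the original guide): build, assign and monitor an
REM IPSec policy with netsh on Windows Server 2003. Policy, filter list, filter
REM action and rule names are hypothetical. The server is assumed to be a
REM domain member so Kerberos can be used for IKE authentication.

REM 1. Create the policy unassigned. The static context edits the stored policy
REM    store only, so the currently active policy is not touched yet.
netsh ipsec static add policy name="HR Data Protection" ^
    description="Require ESP for file sharing to this server" assign=no

REM 2. Filter list: SMB (TCP 445) from any host to this computer. mirrored=yes
REM    also matches the reply traffic from this computer back to the client.
netsh ipsec static add filterlist name="HR-SMB" description="SMB to this server"
netsh ipsec static add filter filterlist="HR-SMB" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=445 mirrored=yes

REM 3. Filter action: negotiate ESP (encryption plus integrity). inpass=no and
REM    soft=no refuse unsecured inbound traffic and refuse fallback to clear
REM    text, the same behaviour as the built-in Secure Server (Require Security)
REM    policy. For origin authentication and integrity without encryption you
REM    would use AH instead, e.g. qmsecmethods="AH[SHA1]".
netsh ipsec static add filteraction name="Require-ESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=no

REM 4. The rule ties the filter list and filter action into the policy and
REM    selects Kerberos (domain) authentication for IKE.
netsh ipsec static add rule name="HR-SMB-Rule" policy="HR Data Protection" ^
    filterlist="HR-SMB" filteraction="Require-ESP" kerberos=yes

REM 5. Review the stored policy before activating it.
netsh ipsec static show policy name="HR Data Protection" level=verbose

REM 6. Assign it. Only one policy is assigned at a time. Clients that have no
REM    IPSec policy at all will now be refused on TCP 445; they need at least
REM    the built-in Client (Respond Only) policy, assigned on the client with:
REM      netsh ipsec static set policy name="Client (Respond Only)" assign=yes
netsh ipsec static set policy name="HR Data Protection" assign=yes

REM 7. Monitoring from the dynamic context (live state): main-mode and
REM    quick-mode security associations, then IKE/IPSec statistics. An SA only
REM    appears after a client has actually connected.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats

REM 8. Optional: turn on IKE (Oakley) logging, one of the tasks the guide notes
REM    is available only from netsh. The log is %systemroot%\Debug\Oakley.log.
netsh ipsec dynamic set config property=ikelogging value=1

REM 9. Roll back when finished testing: unassign the policy, then delete the
REM    policy (which removes its rules) and the filter list and filter action,
REM    which are stored independently of the policy.
REM netsh ipsec static set policy name="HR Data Protection" assign=no
REM netsh ipsec static delete policy name="HR Data Protection"
REM netsh ipsec static delete filterlist name="HR-SMB"
REM netsh ipsec static delete filteraction name="Require-ESP"
```

Run the file from an elevated command prompt on the server. The static commands are safe to run while
the service is stopped (they only change the stored policy), whereas the dynamic show and set config
commands need the IPSec Services service to be running, as the text notes.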
Using IPSec Tools

This section describes two useful IPSec diagnostic tools:

• Netdiag.exe
• IPSecpol.exe

Netdiag.exe

Before creating a new policy, determine if your system already has an existing policy. You can do this by
performing the following steps:

To check for existing IPSec policy:

1. To install Netdiag.exe, run the Setup.msi program from the \Support\Tools folder on the Windows
2000 Server CD. The tools are installed in C:\Program Files\Resource kit.

2. Run the following command from the command line:

netdiag /test:ipsec

If there are no existing filters, the output looks like the following:

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
Question
You are the network administrator for a single Active Directory domain named abc.com.
All servers run Windows Server 2003. All client computers run XP. All computers are members of the
domain.
The Secure Server (Require Security) IPSec policy is assigned to a file server named Server2.
The policy is configured as shown in the exhibit.

Users report that they cannot access shared folders on Server2.


Users were able to access shared folders on Server2 prior to the implementation of the IPSec policy.
You need to ensure that all client computers in the domain can access the shared folders on Server2.
You must ensure that all communications between client computers and Server2 be encrypted.
What should you do?

A. On Server2, enable the All ICMP Traffic IP Security rule in the properties of the Secure Server IPSec
policy.
B. On Server2, enable the <Dynamic> IP Security rule in the properties of the Secure Server IPSec
policy.
C. On all client computers, assign the Client (Respond Only) IPSec policy.
D. On all client computers, install an IPSec communication certificate in the local machine store.

Answer C

Explanation: IPSec is used to protect data that is sent between hosts on a network, which can be remote
access, VPN, LAN, or WAN. IPSec ensures that data cannot be viewed or modified by unauthorized
users while being sent to its destination. Before data is sent between two hosts, the source computer
encrypts the information.
It is decrypted at the destination computer.
The Client (Respond Only) IPSec policy is used for computers that should not secure communications
most of the time, but if requested to set up a secure communication, they can respond.
By applying the Client (Respond Only) IPSec policy on the client computers you ensure that they can access
the shared folders on Server2, and that communications between them and Server2 are encrypted.

Incorrect answers
A. When the Secure Server (Require Security) option is selected, the server requires all communications
to be secure. If a client is not IPSec-aware, the session will not be allowed. With this setting on Server2
you will not comply with what is required by the question. You need to apply settings to the client
computers rather than the server in this scenario.
B. It does not matter whether you enable the <Dynamic> IP Security rule in the properties of the Secure
Server (Require Security) IPSec policy; it will not comply with the requirements of the question.
D. Applying the measures on the client computers is correct; however, you need to assign the Client
(Respond Only) IPSec policy rather than install an IPSec communication certificate on the local machine.

Question
You are an administrator of an Active Directory domain. All servers run Windows Server 2003.
All client computers run Windows XP Professional. All computers are joined to the domain.
abc has a main office and five branch offices. At one of abc's branch offices, a network administrator uses
Remote Desktop to assign the Secure Server (Require Security) IPSec policy to a domain controller
named DC2.
Users report that they cannot access resources on DC2. John reports that he can no longer establish a
Remote Desktop connection to DC2.
On a client computer named computer1 in the branch office, you run the ping DC2 command and receive
a reply. You do not have physical access to DC2.
You want to restore access to resources on DC2 for all users. You need to make all configuration
changes remotely.
Which two actions should you perform on computer1? (Choose two)

A. Use the Services console to connect to DC2 and stop the IPSec Services service.
B. Use IP Security Monitor to connect to DC2.
C. Run the net stop "ipsec services" command.
D. Install an IPSec certificate in the local machine store.
E. Assign the Client (Respond only) IPSec policy.

Answer A, E

Explanation: IPSec has predefined security policies that can be implemented via the IP Security Policy
Management console. A security policy can be described as a set of rules and filters that provide a level
of security. In this scenario, the Secure Server (Require Security) policy was assigned to DC2. This
means that all IP communication to or from DC2 must use IPSec. The result being that all DNS, web
requests and all else which uses an IP connection must either be secured with IPSec or is simply blocked.
To solve this issue, first use the Services console to connect to DC2 and stop the IPSec Services service.
Next, assign the Client (Respond only) IPSec policy.
This policy specifies that a Windows 2000, XP, or a Windows Server 2003 IPSec client will negotiate
IPSec security with a peer that supports it - it will not try to initiate security. It accepts IPSec when the
remote end requires it.

Incorrect Answers
B. IP Security Monitor is a tool for the standard monitoring of IPSec.
C. Running the net stop "ipsec services" command does not ensure that you will be able to connect to the
remote desktop.
D. IPSec certificate installation in the local machine store is not going to help you to accomplish your task
of enabling access to resources in this scenario.

Question
You are the administrator of an Active Directory domain. All servers run Windows Server 2003 and all
client computers run Windows XP.
A server named Server1 contains confidential data that is only available to users in Human Resources.
You want all computers in the HR department to connect to Server1 by using an IPSec policy.
You assign the Server (Request Security) IPsec policy for Server1. Using Network Monitor, you notice
that some computers in the HR department connect to Server1 without using the IPSec policy.

You need to configure Server1 to ensure that all computers connect by using the IPSec policy. What
should you do?

A. Assign the Secure Server (Require Security) IPSec policy.


B. Assign the Client (Respond Only) IPSec policy.
C. Unassign the Server (Request Security) IPSec policy.
D. Restart the IPSec Services service.

Answer A

Explanation: The Secure Server (Require Security) policy specifies that all IP traffic must use IPSec. The
Secure Server (Require Security) default policy is ideal for Server1 that needs high security. When this
option is selected, the server requires all communications to be secure. If a client is not IPSec-aware, the
session will not be allowed.

Incorrect Answers
B. Assigning the Client (Respond Only) IPSec policy on Server1 will not ensure that all computers that
connect need to employ IPSec policy. This setting is used for computers that should not secure
communications most of the time, but if requested to set up a secure communication, they can respond.
C. Unassigning the Server (Request Security) IPSec policy will defeat the purpose of having all computers
that connect using the IPSec policy. This is used for computers that should secure communications most
of the time. In this policy, the computer accepts unsecured traffic but always attempts to secure additional
communications by requesting security from the original sender.
D. Restarting IPSec Services service will not ensure that all connecting computers are IPSec aware.

Question
You are the network administrator for King.com. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP and are members of the
domain.
All users in the King Sales Staff (TSS) use only their designated computers. The TSS users frequently
access confidential data stored on servers in the domain.
To ensure that confidential data is not compromised during data transmissions, you want to secure all
communication between the TSS computers and all domain servers. You must ensure that all other users
will continue to have access to the domain's servers.
Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)

A. Assign the Server (Request Security) IPSec policy on all servers.


B. Assign the Secure (Require Security) IPSec policy on all servers.
C. Assign the Client (Respond Only) IPSec policy on all servers.
D. Create and assign a new IPSec policy on all servers. Activate the Default Response rule.
E. Assign the Client (Respond Only) IPSec policy on all TSS computers.
F. Enable Internet Connection Firewall (ICF) on all TSS computers.

Answer A, E

Explanation: The Client (Respond Only) policy specifies that a Windows 2000, XP, or Server 2003 IPSec
client will negotiate IPSec security with any peer that supports it but that it won't attempt to initiate
security. Let's say you apply this policy to a Server 2003 computer. When it initiates outbound network
connections, it won't attempt to use IPSec.
When someone opens a connection to it, though, it will accept IPSec if the remote end asks for it.
The Server (Request Security) policy is a mix of the Client (Respond Only) and the Secure Server
(Require Security) policy. In this case, the machine will always attempt to use IPSec by requesting it when
it connects to a remote machine and by allowing it when an incoming connection requests it. This policy
provides the best general balance between security and interoperability.
To ensure that there is no compromise on confidential data during transmissions between the TSS
computers and all the domain servers without disrupting access you need to assign the Server (Request
Security) IPSec policy on all the servers. In addition you also need to assign the Client (Respond Only)
IPSec policy on all the TSS computers.

Incorrect answers
B. The Secure Server (Require Security) policy specifies that all IP communication to or from the policy
target must use IPSec. In this case, all DNS, WINS, and web requests and everything else that uses an
IP connection either has to be secured with IPSec or will be blocked. This may not be what you want
unless you plan to implement IPSec on your entire network. This is not what is required on the servers.
C. This is the incorrect IPSec policy to assign to the servers in this case.
D. There is no need to create and assign a new IPSec policy on all the servers. It is not going to ensure
the confidentiality of transmitted data in this case as there are the TSS computers also to take into
account.
F. Internet Connection Firewall on all TSS computers is not going to ensure the confidentiality of
transmitted data between TSS clients and the servers.
