- IPSec: The Standard
- IPSec Policies in Windows 2000
- Using Group Policy to Apply IPSec Throughout an Active Directory Domain
IPSec Policies in Windows 2000
IPSec is implemented in Windows 2000 through the use of built-in IPSec drivers in the IP stack, customizable policies, and a policy agent that filters all IP packets against the policy. To take control of the where, when, and how, you define the particulars of negotiation. A wizard walks you through choosing the options defined previously. Once implemented, the IPSec policy is triggered either when packets that match those identified in your filters are required to be transmitted or received, or when the policy requires negotiation of authentication, integrity, and encryption with another system. Figure 2 shows the internals of one of the default policies that can be used to help you understand IPSec in W2K. You may customize them or develop your own.
Figure 2 Properties of the default Windows 2000 IPSec policy.
Three types of W2K IPSec policies exist:

- Blocking: Prevents packets that meet the criteria of protocol, port, source, or destination from leaving or entering the computer
- Allow: Allows packets that meet the criteria of protocol, port, source, or destination to leave or enter the computer
- Negotiate: Negotiates secure communication between two computers
Both blocking and allow IPSec policies can be applied to single computers. The policies either enable or disable communication facilities. For example, you may want to prevent Windows 2000 Professional systems from responding to HTTP requests. Although no Web services are installed on Professional by default, someone might do so. If your corporate policy forbids such action, it's still pretty tough to prevent all users from doing so. An IPSec blocking policy can prevent the server from answering requests on port 80. (No Code Red worm would infect such a system, even if Joe user installs IIS.)
Negotiate policies, on the other hand, require matching policies to exist on two machines. They are used to secure communications between the machines.
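The following is an added example, not code from the original article or from Windows itself: a small Python model of how an ordered list of IPSec filter rules is evaluated against a packet, covering the three policy types just described. It reproduces the port-80 blocking scenario above (a Windows 2000 Professional workstation on which someone has installed a web server) and the requirement that a negotiate policy only succeeds when a matching negotiate rule exists on both machines. The addresses, rule names and the two simplifications noted in the comments (unmatched traffic passes in the clear; a one-sided negotiate fails outright rather than falling back) are assumptions made for the example, not behaviour taken from the page.

```python
"""Toy model of Windows 2000 IPSec policy evaluation (constructed example).

A policy is an ordered list of filter rules. Each rule matches on protocol,
source/destination address and port, and carries one of the three actions
the article describes: BLOCK, PERMIT (allow) or NEGOTIATE. This models the
matching logic only; it is not the IPSec driver or the policy agent.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"
BLOCK, PERMIT, NEGOTIATE = "BLOCK", "PERMIT", "NEGOTIATE"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP", "UDP", "ICMP", ...
    src: str                        # source IPv4 address
    dst: str                        # destination IPv4 address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    """spec is '*' (any), a single address, or a CIDR block like 10.0.0.0/24."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


@dataclass(frozen=True)
class Rule:
    action: str                     # BLOCK, PERMIT or NEGOTIATE
    proto: str = ANY
    src: str = ANY
    dst: str = ANY
    src_port: Optional[int] = None  # None = any port
    dst_port: Optional[int] = None
    mirrored: bool = True           # also match the reply direction

    def _one_way(self, proto, src, dst, sport, dport) -> bool:
        return ((self.proto == ANY or self.proto == proto)
                and _addr_match(self.src, src) and _addr_match(self.dst, dst)
                and _port_match(self.src_port, sport)
                and _port_match(self.dst_port, dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p.proto, p.src, p.dst, p.src_port, p.dst_port):
            return True
        # A mirrored rule covers the same traffic with source and destination
        # swapped, so blocking requests to port 80 also blocks the replies.
        return self.mirrored and self._one_way(
            p.proto, p.dst, p.src, p.dst_port, p.src_port)


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """Action of the first matching rule. Assumption for this model: traffic
    that matches no filter passes in the clear (no implicit default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return PERMIT


def exchange(local: List[Rule], remote: List[Rule], pkt: Packet) -> str:
    """What happens when `pkt` leaves a host with policy `local` towards a host
    with policy `remote`. Simplification: a NEGOTIATE rule whose peer has no
    matching NEGOTIATE rule fails, with no fall back to clear text."""
    outbound = evaluate(local, pkt)
    if outbound == BLOCK:
        return "BLOCKED"
    inbound = evaluate(remote, pkt)
    if inbound == BLOCK:
        return "BLOCKED"
    if outbound == NEGOTIATE or inbound == NEGOTIATE:
        return "SECURED" if outbound == inbound == NEGOTIATE else "FAILED"
    return "CLEAR"


# Constructed example: a Windows 2000 Professional workstation at 10.0.0.5.
# Corporate policy forbids web servers on workstations, so block TCP/80 to it.
PRO_HOST = "10.0.0.5"
PRO_POLICY = [Rule(BLOCK, proto="TCP", dst=PRO_HOST, dst_port=80)]

# Constructed example: two servers that must only talk to each other securely.
SRV_A, SRV_B = "10.0.1.10", "10.0.1.20"
SRV_A_POLICY = [Rule(NEGOTIATE, src=SRV_A, dst=SRV_B)]
SRV_B_POLICY = [Rule(NEGOTIATE, src=SRV_B, dst=SRV_A)]

if __name__ == "__main__":
    # Even if IIS is installed, the inbound request never reaches it.
    print("inbound HTTP to workstation:",
          evaluate(PRO_POLICY, Packet("TCP", "10.0.0.9", PRO_HOST, 40000, 80)))
    # The workstation can still browse: the request goes the other way.
    print("outbound HTTP from workstation:",
          evaluate(PRO_POLICY, Packet("TCP", PRO_HOST, "10.0.0.9", 40000, 80)))
    smb = Packet("TCP", SRV_A, SRV_B, 1234, 445)
    print("A -> B, both negotiate:", exchange(SRV_A_POLICY, SRV_B_POLICY, smb))
    print("A -> B, only A negotiates:", exchange(SRV_A_POLICY, [], smb))
```

In practice these rules are built with the IP Security Policy snap-in wizard the article describes rather than in code; the value of the model is seeing why a single-machine blocking rule stands on its own while a negotiate rule is useless until the peer carries its counterpart.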