With the conclusion of this brief overview of IPSec technology, let's investigate the most relevant improvements in its Windows 2003 implementation:

  • New and improved management tools
  • Increased security of the master key (during the IKE negotiation stage)
  • More-flexible authentication methods
  • The ability to operate in NAT-ed environments
  • Interaction with Network Load Balancing

New and Improved Management Tools

Windows 2003 provides four primary tools for managing IPSec:

  1. IP Security Monitor: Unlike its fairly limited Windows 2000 counterpart IPSECMON.EXE, this new version is implemented as an MMC snap-in and displays much more extensive information about IPSec-related settings. Its primary purpose is monitoring IPSec policies and security associations for local and remote computers. For each computer, the tree pane lists Active Policy, Main Mode, and Quick Mode top-level folders, displaying currently assigned IPSec policy and parameters of main and quick mode IKE negotiations, respectively.

  2. IPSec Context: NETSH is a rather cumbersome (due to lack of a friendly GUI interface) command line utility, introduced in Windows 2000, that can be used to modify and display a number of different network configuration settings. Its main benefits are speed, its capability to be executed in non-GUI scenarios (e.g., via Telnet), and scriptability. In Windows Server 2003, IPSec context enables administrators to take advantage of these features when managing IPSec settings. IPSec context also offers a number of additional configuration options not available from the IP Security Monitor, such as:

    • Configure the bootmode property, which determines the type of traffic allowed during boot time, before IPSec Services have initialized. Choices are the permit, block, and stateful values (stateful limits inbound traffic to communication initiated locally). This can be set directly from the command prompt by running

      netsh ipsec dynamic set config property=bootmode value=permit

    • Configure the bootexemptions property, should you opt to block traffic. This is done by specifying exemptions in the form Protocol:SourcePort:DestinationPort:Direction, e.g. TCP:80:80:outbound, which requires executing the command:

      netsh ipsec dynamic set config property=bootexemptions value="TCP:80:80:outbound"

    • Set IPSec and IKE diagnostics levels and logging intervals by using the ipsecdiagnostics (possible values range from 0 to 7), ikelogging (0 or 1), and ipsecloginterval (between 60 and 86400 seconds) properties.

    • Set a persistent policy for enhanced security using the set store command with the persistent option. This way, the selected IPSec policy is assigned to the local system at startup, before the policies assigned through local or Active Directory group policy settings are applied (and it remains assigned afterward).

  3. IP Security Policies: Although the interface remained relatively unchanged, you are no longer limited to two choices (My IP Address and Any IP Address) when specifying the source and destination IP addresses of IP Filters for IPSec policies. In particular, it is possible to base filters on a specific DNS name or an IP subnet, or even to apply them to communication whose source or destination is evaluated dynamically, by selecting such options as default gateway, DNS, WINS, or DHCP server.

  4. Group Policy Modeling and Group Policy Results: These include IPSec extensions, which simplify both the design and the troubleshooting of IPSec policies. For more information about Group Policy related Windows 2003 improvements, refer to the previous article in this series.
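The boot-time and diagnostics properties described under the IPSec context above are easy to mistype, so it pays to validate them before they ever reach netsh. The following is an added example (not code from the article or from Microsoft) that checks the Protocol:SourcePort:DestinationPort:Direction exemption format and the value ranges the article gives, then emits the netsh lines; the accepted protocol names and the space separator between several exemptions are assumptions.

```python
from __future__ import annotations
import re

# Values the article gives for the netsh ipsec dynamic properties.
BOOTMODES = {"permit", "block", "stateful"}
DIRECTIONS = {"inbound", "outbound"}
RANGES = {"ipsecdiagnostics": (0, 7), "ikelogging": (0, 1), "ipsecloginterval": (60, 86400)}
# Assumption: protocols accepted in an exemption are limited here to these three.
PROTOCOLS = {"TCP", "UDP", "ICMP"}
EXEMPTION_RE = re.compile(r"^([A-Za-z]+):(\d{1,5}):(\d{1,5}):([A-Za-z]+)$")


def parse_exemption(entry: str) -> tuple[str, int, int, str]:
    """Parse one Protocol:SourcePort:DestinationPort:Direction entry; ValueError if invalid."""
    m = EXEMPTION_RE.match(entry.strip())
    if not m:
        raise ValueError(f"malformed exemption {entry!r}")
    proto, src, dst = m.group(1).upper(), int(m.group(2)), int(m.group(3))
    direction = m.group(4).lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto} in {entry!r}")
    if not all(0 <= p <= 65535 for p in (src, dst)):
        raise ValueError(f"port out of range in {entry!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be inbound or outbound in {entry!r}")
    return proto, src, dst, direction


def boot_config_commands(bootmode: str, exemptions: list[str], diagnostics: dict[str, int]) -> list[str]:
    """Return the netsh lines for the boot-time configuration, after validating every value."""
    if bootmode not in BOOTMODES:
        raise ValueError(f"bootmode must be one of {sorted(BOOTMODES)}, got {bootmode!r}")
    if exemptions and bootmode == "permit":
        raise ValueError("bootexemptions have nothing to exempt when bootmode=permit")
    cmds = []
    if exemptions:
        # Assumption: several exemptions are passed space-separated inside one quoted value.
        joined = " ".join(":".join(map(str, parse_exemption(e))) for e in exemptions)
        cmds.append(f'netsh ipsec dynamic set config property=bootexemptions value="{joined}"')
    cmds.append(f"netsh ipsec dynamic set config property=bootmode value={bootmode}")
    for prop, value in diagnostics.items():
        if prop not in RANGES:
            raise ValueError(f"unknown diagnostics property {prop!r}")
        lo, hi = RANGES[prop]
        if not lo <= value <= hi:
            raise ValueError(f"{prop} must be between {lo} and {hi}, got {value}")
        cmds.append(f"netsh ipsec dynamic set config property={prop} value={value}")
    return cmds


if __name__ == "__main__":
    # Constructed example: block everything at boot except outbound web traffic, log verbosely.
    for line in boot_config_commands("block", ["tcp:80:80:outbound"], {"ipsecdiagnostics": 7}):
        print(line)
```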

More Secure Master Key