IP Security (IPSec)

IPSec, new to Windows 2000, allows encryption for TCP/IP traffic. IPSec was developed by the IETF and is an open standard for a variety of encryption technologies. IPSec can be configured to provide security between any two Windows 2000 Server computers. IPSec is supported in Windows 2000 by the following components:

IPSec Policy Agent

This is a service that runs under Windows 2000 and manages IPSec policies. The policies are stored in the Active Directory or in the local computer’s registry.

ISAKMP/Oakley Key Management Service

This combines two protocols: ISAKMP, a key management protocol, and the Oakley protocol, which generates keys for data encryption. The IPSec Policy Agent automatically starts and manages this service.

IP Security Driver

This driver (IPSEC.SYS) acts as a filter for all IP communication, determining whether security is required for each packet. Secured packets are encrypted using the key provided by the Key Management Service.

Configuring IPSec

You can configure IPSec by setting security policies, which can be set either for the Active Directory or for individual computers. To manage a computer’s security policies, select Administrative Tools, then Local Security Policy, from the Start menu.

From the Local Security Settings snap-in, double-click the entry for IP Security Policies on local machine. The following default policies are available from this window:

Client (Respond Only)

Allows the computer to act as a client when a server requests or requires a secure connection.

Secure Server (Require Security)

When the computer is accessed as a server, clients are required to use a secure connection.

Server (Request Security)

When the computer is accessed as a server, clients are requested to use a secure connection. If the client does not support this, a standard non-secure connection is used.

Right-click one of these options and select Assign to assign the policy to the local computer. You can also right-click in the window and select Create IP Security Policy to create a new policy.

Security Policy Properties

To modify a default or new security policy, right-click its entry and select Properties. Each policy consists of basic settings and one or more rules for securing data. To add a rule, click Add. If the Use Add Wizard box is checked, a wizard prompts you for settings; otherwise, the Rule Properties dialog is displayed. The Rule Properties dialog is divided into a number of pages, described in the following sections.

Authentication methods

This page allows you to select the methods used to authenticate between the client and the server before initiating secure communications. The following authentication methods are available:

Windows 2000 default (Kerberos)

The default setting, this uses the Kerberos v5 protocol to authenticate the connection.

Use a certificate from this certificate authority

If Certificate Server is in use and a valid certificate authority (CA) is configured, this option can be selected to use certificate-based encryption.

Use this string to protect the key exchange

If selected, a particular string can be used to specify a pre-shared key used for authentication. This key must be entered on both computers that will support the secure connection. (The key is used only during authentication, not for the actual data encryption.)

Tunnel setting

If the rule is used for IP tunneling, specify the endpoint IP address of the tunnel. This option is disabled by default. To use tunneling, you must configure each endpoint of the tunnel with the IP address of the other endpoint.

Connection type

Choose which types of connections to include in the encryption rule: all network connections, the local area network, or remote access (RAS) connections. Each rule can apply to only one of these connection choices.

IP filter list

This property page displays a list of filter rules that can be applied to IP data. These rules are used to determine whether each packet will be encrypted and sent, sent in its unencrypted state, or blocked. Each entry in this list represents a list of filters; only one entry can be selected.

Click Add to add a filter list or Edit to modify an existing list. Each list can include one or more filters; within a list, click Add to add a filter. Each filter includes the following properties, which you can set either using a wizard or through the Properties dialog:

Addressing

Specify the source and destination IP addresses that will be matched by the filter. Each can be set to the local IP address, any address, or a specific address, range of addresses, or DNS name. Choose the Mirrored option to also match packets from the destination to the source address.

Protocol

Select Any to match all TCP/IP protocols, or choose a specific protocol. For TCP and UDP, you can also specify source and destination ports to match.

Description

Enter a description of the filter rule, if desired. This will be displayed in the Description column of the Filter List dialog.

Filter action

The Filter Action property page allows you to choose the action that will be performed for packets matching the specified filter rule list. Default actions allow you to permit the packet communication, request security, or require security.

To add an action to the list, click Add. As with other Add options, you can choose whether to use a wizard or the standard property dialog. This dialog includes the following property pages:

Security methods

Choose whether to Permit, Block, or Negotiate security for the filtered packets. If Negotiate is selected, you can specify a list of one or more security methods that can be used, in order of preference.

General

Specify a name and description for the filter action.
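The IP filter list and filter action pages above describe a per-packet decision: match a filter (addressing, protocol, ports, Mirrored) and apply its action (Permit, Block, or Negotiate). The following Python model is an added example, not code from the page or from Windows; it assumes a constructed local address, that unmatched traffic passes unsecured, and that among several matching filters the one with the most specific address wins (then protocol, then port).

```python
# Added model (not from the page) of how an IPSec filter list and filter
# action decide a packet's fate: Permit, Block or Negotiate. Addressing
# specs are "any", "me" (My IP Address), a host or a CIDR range; ports are
# matched only for TCP/UDP; Mirrored also matches the reverse direction.
import ipaddress
from dataclasses import dataclass
from typing import Optional

MY_IP = ipaddress.ip_address("192.0.2.10")  # constructed local address

@dataclass(frozen=True)
class Filter:
    src: str            # "any", "me", "203.0.113.5" or "10.0.0.0/8"
    dst: str
    protocol: str       # "any", "tcp", "udp", "icmp", ...
    dst_port: Optional[int]
    mirrored: bool
    action: str         # "Permit", "Block" or "Negotiate"

    @staticmethod
    def _addr(spec, addr):
        if spec == "any":
            return True
        if spec == "me":
            return addr == MY_IP
        return addr in ipaddress.ip_network(spec, strict=False)

    def _one_way(self, src, dst, proto, dport):
        port_ok = self.dst_port is None or (proto in ("tcp", "udp") and self.dst_port == dport)
        return (self._addr(self.src, src) and self._addr(self.dst, dst)
                and self.protocol in ("any", proto) and port_ok)

    def matches(self, src, dst, proto, sport, dport):
        # Mirrored: the reply (addresses and ports swapped) matches the same filter
        return (self._one_way(src, dst, proto, dport)
                or (self.mirrored and self._one_way(dst, src, proto, sport)))

    def specificity(self):
        # Assumption: a more specific address beats protocol, which beats port
        addr = sum(0 if s == "any" else 1 if "/" in s else 2 for s in (self.src, self.dst))
        return (addr, self.protocol != "any", self.dst_port is not None)

def decide(filters, src, dst, proto, sport=None, dport=None):
    """Action for one packet; unmatched traffic is passed unsecured (assumption)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [f for f in filters if f.matches(s, d, proto, sport, dport)]
    return max(hits, key=Filter.specificity).action if hits else "Permit"

# Constructed filter list: secure inbound web, trust the 10/8 LAN, block one host
FILTERS = [
    Filter("any", "me", "tcp", 80, True, "Negotiate"),
    Filter("10.0.0.0/8", "me", "any", None, True, "Permit"),
    Filter("203.0.113.5", "me", "any", None, False, "Block"),
]
```

Running `decide(FILTERS, "198.51.100.7", "192.0.2.10", "tcp", 41000, 80)` yields "Negotiate", and the mirrored filter gives the same answer for the server's reply packet; without Mirrored, the third filter blocks only traffic arriving from that host, not traffic sent to it.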
