
Windows 2000 IPSec

IPSec (Internet Protocol Security) encrypts TCP/IP data so that the information cannot be captured and read by outsiders. It is used both on internal networks and between two private networks across the Internet to support virtual private networking (VPN). Terms:

  • Transport mode - Only the data portion of the packet is encrypted.
  • Tunnel mode - The data and address portions of the original packet are both encrypted, and the result is carried as the data portion of a new IP packet with a new address. It is used between two routers for VPN.

Security Methods

IPSec can use various security encryption algorithms and key lengths. These are the characteristics of IPSec connections (security methods):

  • A specified encryption algorithm.
  • A negotiated key length.
  • A negotiated key lifetime.

Supported Authentication Methods

  • A shared secret such as a key or phrase.
  • Kerberos
  • Certificates - A certificate can only be created (signed) with a private key and is verified with the corresponding public key, which is what allows the certificate to be used for authentication.

Enabling

IPSec is enabled on individual computers using the "Network and Dial-up Connections" folder. The "Domain Security Policy" administrative tool is used to enable IPSec on all computers or domain controllers in a domain. "Active Directory Users and Computers" can be used to set up a group policy object that enables IPSec on Windows 2000 computers in an organizational unit. IPSec can be managed using the Microsoft Management Console (MMC) IP Security Policy snap-in.

When using group policy to set IPSec, the following options are available:

  • Client (Respond Only) - Only uses IPSec to respond to a peer's request for IPSec; outgoing requests are made with normal (unsecured) communications.
  • Server (Request Security) - Always attempts to use IPSec for outgoing communications. Computers without IPSec enabled can still communicate with computers set to this mode.
  • Secure Server (Require Security) - Requires IPSec for all communications. Computers without IPSec enabled cannot communicate with computers set to this mode.

One IPSec policy may be assigned to a computer; it includes one or more rules, which are applied from the most restrictive to the least restrictive. IPSec rules consist of:

  • IP Filter - Defines the type of traffic the rule applies to.
  • IP Filter Action - Determines how the type of traffic is handled such as requiring encryption, requesting encryption for outgoing traffic, or allowing traffic that is not encrypted.
  • Authentication Method - The three methods are Windows 2000 default, Kerberos 5, or an encryption key.
  • Tunnel Setting - Determines whether IPSec will work in transport ("This rule does not specify a tunnel") or tunnel mode ("The tunnel endpoint is specified by this IP address").
  • Connection Type - Determines if the rule applies to the local area network, all network connections or to remote access.
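As an added example (not from the original page and not Microsoft code), the following Python models the three policy modes above and the filter/filter-action rule structure: a policy is a list of rules, the first matching filter selects the action, and negotiate() gives the outcome when two computers with given actions communicate. The Rule and IPFilter names and the string constants are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

# Filter actions, named after the page's three built-in policies. PERMIT also
# stands for a peer on which IPSec is not enabled at all.
PERMIT = "permit_clear"          # allow traffic that is not encrypted / no IPSec
RESPOND_ONLY = "respond_only"    # Client (Respond Only)
REQUEST = "request_security"     # Server (Request Security)
REQUIRE = "require_security"     # Secure Server (Require Security)

@dataclass(frozen=True)
class IPFilter:
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, protocol: str, dst_port: int) -> bool:
        return (self.protocol in (None, protocol)
                and self.dst_port in (None, dst_port))

@dataclass(frozen=True)
class Rule:
    filter: IPFilter   # IP Filter: which traffic the rule applies to
    action: str        # IP Filter Action: how that traffic is handled

def select_action(policy: list, protocol: str, dst_port: int) -> str:
    """Return the filter action of the first matching rule; rules are listed
    most restrictive first, as the page describes. No match means the
    traffic is not subject to IPSec."""
    for rule in policy:
        if rule.filter.matches(protocol, dst_port):
            return rule.action
    return PERMIT

def negotiate(initiator: str, responder: str) -> str:
    """Outcome of a connection given the filter action chosen on each side:
    'secured' (IKE completed, traffic protected), 'clear' or 'blocked'.
    Respond Only never starts IKE but answers it; Request Security starts
    IKE and falls back to clear; Require Security starts IKE and refuses
    clear traffic."""
    def starts_ike(action): return action in (REQUEST, REQUIRE)
    def answers_ike(action): return action != PERMIT
    if starts_ike(initiator) and answers_ike(responder):
        return "secured"
    if starts_ike(responder) and answers_ike(initiator):
        return "secured"
    # No IKE exchange completed, so traffic could only go in the clear.
    if REQUIRE in (initiator, responder):
        return "blocked"
    return "clear"
```

Running negotiate() over all pairs of actions reproduces the page's statements: a Respond Only client can still reach a Secure Server, while a computer without IPSec is blocked by it and falls back to clear traffic with a Request Security server.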

IPSec policy is set using "Active Directory Users and Computers".

The IP Security Monitor tool is used to monitor IPSec. Although it is a graphical tool, it is started from the command line by typing "Ipsecmon" followed by the name of the computer to be monitored.

IPSec Monitoring Tool

The IPSec monitoring tool can be used to provide a summary of the local computer IPSec connections. This tool can be started by clicking on "Start", "Run" and entering "ipsecmon.exe" and pressing the ENTER key.