May 2002

IPSec and Authentication Guard Administrative Ports


Rule 1. Click Next on the wizard's first three screens. On the Authentication Method screen, select the Use this string to protect the key exchange (preshared key) option, then enter a long key made up of random characters, such as the preshared key that Figure 2 shows. Microsoft recommends a key of at least 20 characters, but you can enter more than 1000 characters. The length of your key doesn't affect performance. (At this point, copy this key into a text file you create on a disk. You'll need the disk to configure the same key on all other computers that will be communicating with your server.) Click Next. On the IP Filter List screen, select the All IP Traffic option as the filter list. All IP Traffic is a prebuilt filter list that's applied to all traffic not filtered by more specific filters. Click Next. On the Filter Action screen, select the Require Security option as the filter action. This prebuilt filter action requires that a secure connection be negotiated with the client computer. Click Edit to view the security methods used in the negotiation, which Figure 3, page 12, shows. In Figure 3, you can see that the filter action list begins with the most secure filter action, Triple DES (3DES) encryption and Secure Hash Algorithm (SHA) for integrity-checking, and ends with the least secure filter action, single DES encryption and Message Digest (MD)—in particular, MD5.

Usually, another Win2K computer configured with the default response rule will use the strongest method, but to ensure that the computers use the strongest method, you could create a custom filter action to require the desired security method. Click OK to return to the Security Rule Wizard. Click Next, then click Finish. The New IP Security Policy Properties dialog box now shows the new All IP Traffic rule, as Web Figure 1 shows. (You can access Web Figure 1 at http://www.windowswebsolutions.com, InstantDoc ID 24481.)

Rule 2. Now you need to create the second rule, which will let the general public bypass IPSec and connect to your site by using HTTP and HTTPS. In the New IP Security Policy dialog box, click Add, then click Next four times. The authentication method you choose doesn't matter because this rule will simply permit traffic. However, if your server isn't a member of a domain, don't use Kerberos. (Kerberos would produce an error message.)

When the wizard asks you to select a filter list, click Add to open the IP Filter List dialog box. You'll need to create a new filter list that looks for traffic on TCP port 80 and port 443.

In the IP Filter List window, enter

Incoming HTTP and HTTPS connections

in the Name field. You'll need to create two filters—one for port 80 and one for port 443. Click Add to open the IP Filter Wizard, then click Next. On the IP Traffic Source screen, select Any IP Address from the Source address drop-down list, then click Next. On the IP Traffic Destination screen, select My IP Address from the Destination address drop-down list, then click Next. On the IP Protocol Type screen, select TCP, then click Next. On the IP Protocol Port screen, select the To this port option, enter

80

in the corresponding field, then click Next. On the wizard's last screen, select the Edit properties check box, then click Finish.

When the Filter Properties dialog box appears, click the Description tab, enter

Incoming HTTP connections

in the Description field, then click OK. The new port 80 rule appears on the IP Filter List screen. Now, add another rule just like the first rule, but when you select the To this port option, enter

443

in the corresponding field and enter

Incoming HTTPS connections

in the Description field. Figure 4 shows the updated IP Filter List dialog box. Click Close to return to the Security Rule Wizard.

On the wizard's IP Filter List screen, select your new filter list, then click Next. Select the filter action Permit, click Next, then click Finish. You should now have a policy that resembles the policy that Figure 5 shows. Click OK.

Put Your Policies into Effect
You must now configure every other computer or workstation that will communicate with your server on anything other than the Web ports, using the same preshared secret key that you used to create the first rule. (The rule for Incoming HTTP and HTTPS connections will govern Web browser traffic.) On such computers, open the Control Panel Administrative Tools applet, then double-click Local Security Settings. Create a policy that uses the same preshared secret key as the one you configured on the server. Simply use the prebuilt Dynamic Default Response rule that Web Figure 2 shows. Close the Secure Communication with Web Server Properties dialog box. Then, right-click the new policy and select Assign. Type

secedit /refreshpolicy machine_policy

at a command prompt to refresh Group Policy and thus start using this new rule.

Finally, return to your Web server and assign the policy, which will refresh Group Policy and put the new rule into effect. You should now be able to connect to Terminal Services, FTP, and other services on your Web server from computers on which you've entered the preshared key but not from computers on which you haven't yet entered the preshared key. You should still be able to access the Web server with your browser from any computer.
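As an added illustration (not part of the original article), the following Python model of the two rules shows why the Web ports stay reachable from any computer while Terminal Services, FTP and the rest require a peer that holds the preshared key: the most specific matching filter wins, and a peer that cannot complete the IPSec negotiation is refused. Rule names, ports and filter actions come from the article; the evaluation code and the sample connections are a constructed simplification, not Windows' implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    """One IP filter; None stands for the wizard's 'any' choice in that field."""
    src: Optional[str]       # None = Any IP Address
    dst: Optional[str]       # "me" = My IP Address
    proto: Optional[str]     # "TCP", "UDP", ... or None = any protocol
    dst_port: Optional[int]  # None = any port

    def matches(self, conn: dict) -> bool:
        pairs = ((self.src, conn["src"]), (self.dst, conn["dst"]),
                 (self.proto, conn["proto"]), (self.dst_port, conn["dst_port"]))
        return all(want is None or want == got for want, got in pairs)

    def specificity(self) -> int:
        return sum(f is not None for f in (self.src, self.dst, self.proto, self.dst_port))

# The two rules the article builds (a constructed model, not exported policy data).
POLICY = [
    ("All IP Traffic", "Require Security", [Filter(None, None, None, None)]),
    ("Incoming HTTP and HTTPS connections", "Permit",
     [Filter(None, "me", "TCP", 80), Filter(None, "me", "TCP", 443)]),
]

def filter_action(conn: dict) -> str:
    """Action of the most specific matching filter: port 80/443 beats the catch-all."""
    best_score, best_action = -1, "Permit"  # traffic no filter matches is left alone
    for _name, action, filters in POLICY:
        for f in filters:
            if f.matches(conn) and f.specificity() > best_score:
                best_score, best_action = f.specificity(), action
    return best_action

def connection_result(conn: dict, peer_has_key: bool) -> str:
    """Outcome for a peer that does or does not hold the server's preshared key."""
    if filter_action(conn) == "Permit":
        return "allowed in clear"
    # Require Security: the IKE negotiation needs the matching preshared key
    return "allowed over IPSec" if peer_has_key else "blocked (IKE fails)"

# Constructed sample connections from an Internet host to the server ("me")
WEB = {"src": "203.0.113.7", "dst": "me", "proto": "TCP", "dst_port": 443}
RDP = {"src": "203.0.113.7", "dst": "me", "proto": "TCP", "dst_port": 3389}

if __name__ == "__main__":
    for label, conn in (("HTTPS", WEB), ("Terminal Services", RDP)):
        print(label, "| stranger:", connection_result(conn, False),
              "| key holder:", connection_result(conn, True))
```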

Administrative Doors: Closed
IPSec will now protect your Web server from attacks that occur at any of its administrative doorways. Because IPSec requires strong authentication and is immune to IP spoofing, this approach is much stronger than blocking access to certain ports by IP address. However, intruders can still attack your Web server through the front door—HTTP. In a future issue, I'll discuss how to protect your Web server against intruders who use this route.
