What's New in Windows Server 2003 IPSec (Part 1)
In today's increasingly security-conscious business world, more and more organizations are concerned with protecting the confidentiality of their data as it travels over the network, and are implementing the industry standard IP Security protocol, IPSec, to do so. Beginning with Windows 2000, Microsoft's operating systems have included built-in support for IPSec communications, making it easy to implement on your network.
Back in February, I did an article that provides an overview of the history of IPSec, what it does, basic concepts behind it, and how it works in Windows. That article showed you how to configure a Windows 2000 computer to use IPSec. Now, with the release of Windows Server 2003, Microsoft has made improvements to a number of its operating system security features, including several new features for IPSec. In this two-part article, we'll focus on what's new for IPSec in Windows Server 2003, and show you how to use its new features to make it even easier for you to ensure secure communications across your network. Part One covers the IP Security Monitor, which has a brand new look and added functionality.
The IP Security Monitor
Windows 2000 administrators are familiar with the IP Security Monitor tool, used to view and analyze IPSec, ISAKMP and Oakley statistics and to confirm that IPSec transmissions were successful. Although the monitor provided some useful information, it was limited in functionality. To invoke it, you used the ipsecmon.exe command (you could also use the command with a computer name to monitor a remote system), and the interface appeared as shown below in Figure A.
Windows Server 2003 has improved greatly on the IP Sec Monitor. First, Microsoft has changed the interface to the standard Microsoft Management Console (MMC), and has added a number of enhanced features that increase the functionality.
To use the IPSec Monitor, you need to follow these steps:
Create an empty MMC by clicking Start | Run and typing mmc, then clicking OK.
On the File menu for the console, select Add/Remove snap-in, click Add, and select IP Security Monitor from the list of available snap-ins.
Click the Add button, then click Close, then click OK.
The console will open, as shown in Figure B.
As before, you can monitor IP Sec traffic on remote computers as well as the local one. To monitor a remote system, right click the IP Security Monitor node in the left console pane, and select Add Computer from the context menu. You can then type in or browse for the computer you wish to add to the console, and that computer will show up as another node in the console, as shown in Figure C.
You can view information about the active policies that includes such data as a description of the policy, the date the policy was last modified, the policy store where it is located, the LDAP path to the policy and the OU, and the name of the GPO to which the policy is applied, as shown in Figure D.
You can also now view information about main mode and quick mode generic and specific filters, as well as separate statistics for main mode and quick mode IPSec negotiations.
NOTE: Main mode negotiation is also called Phase I negotiation; this is the part of the process during which the two IPSec-enabled computers establish an authenticated channel through the main mode Security Association (SA) that is provided by IKE. Phase II is called quick mode; this is the stage at which the IPSec driver's SAs are negotiated and the computers negotiate the primary protocols (AH and/or ESP), the hash algorithm and the encryption algorithm to use for data transfer. Main mode uses a single SA; quick mode uses two SAs, one for inbound and the other for outbound communication.
Even though there are actually two separate SAs established for quick mode, the Monitor only shows it as one. You can view the information about each SA that is established for either mode, including the IP addresses of both participating computers (notated as "Me" for the local computer and "Peer" for the computer with which it is communicating using IPSec), protocols, ports, the negotiation policy, and the algorithms used for AH and ESP Confidentiality and Integrity, as shown in Figure E.
You can select whether the Monitor should autorefresh the information, and configure the auto refresh interval (by default, refresh is enabled and the interval is every 45 seconds). Additionally, you can specify whether DNS name resolution should be used (by default, it is not; you'll see only the IP addresses to identify the computers). To configure these settings, right click the name of the computer in the left console pane of the IP Sec Monitor and select Properties. This will display the dialog box shown in Figure F.
With the IP Sec Monitor, you can search for specific main or quick mode filters by various criteria (source or destination IP addresses). To do this, double click either Main mode or Quick mode in the left console pane, depending on which type of filter you want to find. This will expand the node, and allow you to right click either Specific filters or Generic filters, depending again on the type you want to find. Then you can select Find matching filters to invoke the dialog box shown in Figure G.
As you can see, you can get pretty specific with your search criteria. You can name the source address to look for: any IP address, "me" (the computer you're monitoring), or a specific address you enter. You can do the same with the destination address.
You can specify which protocols to filter for, including EGP, GGP, HMP, ICMP, PUP, RDP, RVD, TCP, UDP, or XNS-IDP. You can also select "Any" to filter all protocols, or you can select "Other" and specify a number from 0 to 255.
You can specify a source and/or destination port, and choose whether to filter inbound traffic only, outbound traffic only, or both. Finally, you can direct that all matches be displayed, or only the best match.
Filters that match your criteria will be shown in the results field at the bottom of the dialog box.
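The search criteria described above can be modelled in a few lines. This is an added example, not code from the article or from Microsoft: the Filter record, the sample filters, and the rule used for "best match" (longest address prefixes first, then a pinned protocol and ports) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IANA numbers for the protocol names the dialog offers; 0 stands for "Any".
PROTOCOLS = {"Any": 0, "ICMP": 1, "GGP": 3, "TCP": 6, "EGP": 8, "PUP": 12,
             "UDP": 17, "HMP": 20, "XNS-IDP": 22, "RDP": 27, "RVD": 66}

@dataclass(frozen=True)
class Filter:              # hypothetical record, not the snap-in's data model
    name: str
    src: str               # CIDR; "0.0.0.0/0" means any address
    dst: str
    protocol: int = 0      # 0 = any
    src_port: int = 0      # 0 = any
    dst_port: int = 0
    direction: str = "outbound"

def _addr_ok(addr, net):   # addr=None models the "any IP address" choice
    return addr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _field_ok(wanted, have):  # 0 in either position is a wildcard
    return wanted == 0 or have in (0, wanted)

def _specificity(f):
    # Assumed ranking: longer address prefixes first, then pinned protocol/ports.
    bits = sum(ipaddress.ip_network(n).prefixlen for n in (f.src, f.dst))
    return (bits, f.protocol != 0, (f.src_port != 0) + (f.dst_port != 0))

def find_matching_filters(filters, src, dst, protocol="Any", src_port=0,
                          dst_port=0, direction="both", best_only=False):
    proto = PROTOCOLS[protocol] if isinstance(protocol, str) else protocol
    if not 0 <= proto <= 255:          # "Other" accepts 0 to 255 only
        raise ValueError("protocol number must be 0-255")
    hits = [f for f in filters
            if _addr_ok(src, f.src) and _addr_ok(dst, f.dst)
            and _field_ok(proto, f.protocol)
            and _field_ok(src_port, f.src_port) and _field_ok(dst_port, f.dst_port)
            and direction in ("both", f.direction)]
    hits.sort(key=_specificity, reverse=True)   # most specific filter first
    return hits[:1] if best_only else hits

# Constructed sample filters using documentation address ranges (RFC 5737).
ME = "192.0.2.10"
FILTERS = [
    Filter("all-ip-out", f"{ME}/32", "0.0.0.0/0"),
    Filter("telnet-net-out", f"{ME}/32", "198.51.100.0/24", 6, 0, 23),
    Filter("telnet-host-out", f"{ME}/32", "198.51.100.7/32", 6, 0, 23),
    Filter("icmp-in", "0.0.0.0/0", f"{ME}/32", 1, direction="inbound"),
]
```

Searching for outbound TCP port 23 from ME to 198.51.100.7 returns all three outbound filters with the host-specific one first; with best_only=True only that filter is returned, which shows why a broad filter can be present yet never be the one applied to a given flow.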
The enhanced IP Security Monitor is one of the most useful and dramatic improvements to IP Sec in Windows Server 2003, but it's not the only one. In Part 2 of this article, we will discuss the new ipsec context for the command line netsh utility, stronger cryptography for Diffie-Hellman, the new startup security feature, and other security enhancements that make IP Sec better than ever.