Selecting a Method for Assigning IPSec Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The next step is to decide how to distribute and assign IPSec policies. This might include storing and assigning IPSec policies from Active Directory as part of Group Policy, storing and assigning them from the local computer, or assigning them from a remote computer.

The primary method of building an IPSec policy is the graphical user interface provided by the IP Security Policy Management snap-in. You can use the IP Security Policy Management snap-in to create, modify, and activate IPSec policies, and then, by using the Group Policy Object Editor snap-in, assign them to an OU in Active Directory that contains the server. Use this approach when a large number of computers must be managed in a consistent fashion; a Group Policy–based management solution addresses that situation well.

If a computer is not a member of a Windows 2000 domain or a Windows Server 2003 domain, it cannot retrieve IPSec policy from Active Directory. The IPSec policy configuration for a server can be distributed two ways that do not use Active Directory:

  • As a Netsh IPSec script that is included as a startup script for the computer.

  • As an IPSec file that can be imported from another computer by using the IP Security Policy Management snap-in or Netsh if the computer is running Windows Server 2003. Use this method when computers need to secure their communications, but there are few enough of them that applying policies to OUs is inconvenient. After the policy is imported, you can use the IP Security Policy Management snap-in to assign the policy to the computer.
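As an added example (not from the original article), the following is a Netsh IPSec startup script of the kind described in the first method: it builds a filter list, a filter action, a policy and a rule, assigns the policy, and then exports it to a file that can be imported on another computer as described in the second method. The policy, filter list, filter action and rule names, the protected ports, and the export path are assumptions.

```batch
@echo off
rem Added example, not from the original article. Builds and assigns a local
rem IPSec policy that requires Kerberos-authenticated ESP for inbound
rem Terminal Services (TCP 3389) and SMB (TCP 445) to this server.
rem Names, ports and the export path are assumptions; adjust to your standard.

rem Remove any earlier copy so the script can be re-run from a startup script.
rem Deleting the policy also removes its rules, so it goes first.
netsh ipsec static delete policy name="Server-Admin-Protocols" >nul 2>&1
netsh ipsec static delete filterlist name="Admin-Inbound" >nul 2>&1
netsh ipsec static delete filteraction name="Require-ESP" >nul 2>&1

rem Filter list: traffic from any host to this computer on the two ports.
rem mirrored=yes also matches the reply traffic in the other direction.
netsh ipsec static add filterlist name="Admin-Inbound" description="Remote administration ports"
netsh ipsec static add filter filterlist="Admin-Inbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filter filterlist="Admin-Inbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

rem Filter action: negotiate security, never accept unsecured inbound traffic
rem (inpass=no) and never fall back to clear text (soft=no).
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Policy and rule: Kerberos (domain) authentication, IKE main mode fixed to
rem 3DES/SHA1 with Diffie-Hellman group 2.
netsh ipsec static add policy name="Server-Admin-Protocols" description="Require ESP for admin protocols" mmsecmethods="3DES-SHA1-2"
netsh ipsec static add rule name="Protect-Admin" policy="Server-Admin-Protocols" filterlist="Admin-Inbound" filteraction="Require-ESP" kerberos=yes description="Admin ports must use IPSec"

rem Assign the policy. Only one local policy can be assigned at a time, and a
rem policy delivered through Group Policy takes precedence over it.
netsh ipsec static set policy name="Server-Admin-Protocols" assign=yes

rem Export the finished policy for import on computers outside the domain.
rem This exported file is the artifact that version and change control protect.
netsh ipsec static exportpolicy file="%SystemRoot%\ipsec-policies\Server-Admin-Protocols.ipsec"

rem Show the assigned policy so the result can be checked against the intended design.
netsh ipsec static show policy name="Server-Admin-Protocols" level=verbose
```

On the receiving computer, `netsh ipsec static importpolicy file=<path>` loads the exported file, after which the policy is assigned with `netsh ipsec static set policy name=... assign=yes` or through the IP Security Policy Management snap-in.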

If you use either of these two methods, make sure you use strict version and change control processes to ensure that the policy file cannot be altered after it is created. If the policy is accessed by using Lightweight Directory Access Protocol (LDAP), the IPSec policy configuration data can be authenticated and encrypted.

Using explicit credentials for remote management and monitoring of IPSec is not supported. Instead, the IP Security Policy Management and IP Security Monitor snap-ins use the credentials that are provided during the desktop logon process to authenticate to a remote computer.