Examples: IPSec in a Corporate Network

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The fictitious Contoso Corporation evaluated their security needs when considering whether to implement IPSec. Although there are many tools to counter threats in a computing environment, this example focuses on security concerns and solutions that relate to IPSec. To begin this process, administrators created a map of the hardware and software in their environment. Notable aspects of an environment include domain membership, operating system versions, computer roles, and the location of computers on the network.

Some computers have relatively low security needs or are very difficult to manage. Although it might be advantageous to secure all data, using IPSec demands administrative resources on both the client side and the server side of the communication. Accordingly, Internet Connection Firewall (ICF) and anti-virus tools protect computers that are difficult to manage or that have relatively low security needs. Contoso relied on firewall functionality provided by a perimeter network, and a proxy server for Internet access from their internal network. Contoso specified a default client configuration consisting of computers running Windows 2000 and Windows XP. Client computers are configured as follows:

  • The client computers and users have accounts in the corporate Active Directory security domain. An enterprise CA is installed on a server running Windows Server 2003 to provide automatic certificate enrollment for users and computers.

  • An antivirus program is used to examine all incoming and outgoing files and e-mail.

  • Encrypting File System (EFS) encrypts sensitive documents on the client computers’ hard disk.

  • Services and applications use Kerberos authentication when it is available.

  • All domain members are assigned Group Policy settings that do the following:

    • Automatically enroll with the CA to obtain a computer certificate. This certificate can be used to gain remote access to the corporate network when the computer is connected to the Internet for L2TP/IPSec client VPN connections. It is also used for IPSec when Kerberos authentication is not available.

    • ICF is enabled by default for all network connections on portable computers running Windows XP. However, domain administrators disable ICF on portable computers when those computers are connected to the corporate network. ICF is disabled so that users can share files and allow inbound access to other applications on their desktop.

    • Enforce an IPSec policy to negotiate security with specific IPSec-protected servers and to block ports that are used by known viruses and prohibited applications.

Three examples of how Contoso used IPSec on their servers are as follows:

  • The Contoso IT group used a set of servers to receive order information from customers, and decided that they needed to ensure that the orders were received only from their partners and were not modified in transit. Because data authenticity and integrity were important, but confidentiality was not, they required AH protection for customers to connect with these computers. IPSec ESP with null encryption was allowed for customers that must traverse a network address translator to make the IPSec-protected connection to Contoso. Contoso allowed customers to use certificates from a specific list of third-party PKI providers (public PKI root CAs).

  • The Contoso Human Resources department stored information about employee salaries and medical claims. The department carefully controlled access with user security settings. But it was also necessary to meet health care regulations to maintain the privacy of this traffic as it flowed over the network. Further, Contoso wanted a defense-in-depth strategy to protect against attackers who might gain remote access to their servers over the network, through the use of compromised employee user IDs and passwords. IPSec allows Contoso to restrict client network access only to computers that are members of the domain. If necessary, access can be further restricted to a specific group of computers in the domain. Accordingly, to secure their servers, Contoso used an IPSec policy to require ESP encryption for domain members to connect.

  • Because Windows Server 2003 IPSec can detect the presence of network address translators and automatically use UDP headers to allow IPSec traffic to traverse the network address translators, Contoso was able to discontinue using PPTP for remote access VPN connections. For enhanced security, administrators switched all remote users to L2TP/IPSec VPN connections using L2TP/IPSec NAT-T-capable clients, newly available from Microsoft. For more information, see the Virtual Private Networks link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Use the job aid "Designing an IPSec Policy" (DNSIPS_1.xls) on the Windows Server 2003 Deployment Kit companion CD (or see "Designing an IPSec Policy" on the Web at https://www.microsoft.com/reskit) to record information about your environment. Use a separate copy of the worksheet for each policy you create to meet the security needs of each group of servers.
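The Human Resources server policy described above (require ESP encryption so that only domain members can connect) combined with the port-blocking rule from the Group Policy settings, written as an added example against the Windows Server 2003 "netsh ipsec static" context; this is not code from the original page, and the policy, filter list, rule names and the blocked port number are assumed placeholders:

```batch
@echo off
rem Added example, not from the Windows Server 2003 documentation. Builds a
rem local IPSec policy for an HR server: all traffic must use ESP, IKE is
rem authenticated with Kerberos (domain members only), and one prohibited
rem port is blocked outright. All names below are assumed.

rem Work in this server's local policy store.
netsh ipsec static set store location=local

rem 1. The policy object that will hold the rules.
netsh ipsec static add policy name=HR-RequireESP description="Require ESP encryption; domain members only"

rem 2. A filter list matching all traffic to and from this server.
netsh ipsec static add filterlist name=HR-AllTraffic
netsh ipsec static add filter filterlist=HR-AllTraffic srcaddr=me dstaddr=any protocol=any mirrored=yes description="All traffic to/from this server"

rem 3. A filter action that negotiates ESP with 3DES/SHA1. soft=no forbids
rem falling back to clear text; inpass=no refuses unsecured inbound packets.
netsh ipsec static add filteraction name=HR-ESP-Required action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. The rule that ties list and action together. kerberos=yes means only
rem computers with a domain account can complete IKE, which is what limits
rem access to domain members.
netsh ipsec static add rule name=HR-RequireESP-Rule policy=HR-RequireESP filterlist=HR-AllTraffic filteraction=HR-ESP-Required kerberos=yes

rem 5. A more specific filter that blocks a prohibited port. IPSec applies the
rem most specific matching filter, so this overrides the negotiate rule for
rem that port only. 1234 is a placeholder; substitute the port to block.
netsh ipsec static add filterlist name=HR-BlockedPorts
netsh ipsec static add filter filterlist=HR-BlockedPorts srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=1234 mirrored=yes description="Prohibited application port"
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add rule name=HR-BlockPorts-Rule policy=HR-RequireESP filterlist=HR-BlockedPorts filteraction=Block

rem 6. Assign the policy and display what was built.
netsh ipsec static set policy name=HR-RequireESP assign=y
netsh ipsec static show policy name=HR-RequireESP
```

Contoso deploys such policies through Group Policy rather than per server; the same commands target the domain store after `netsh ipsec static set store location=domain domain=<your domain>`, and the resulting policy is then assigned to the servers' organizational unit.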