Roll out IPSec policies on your Windows machines

When working with group policy and IPSec, it's always a good practice to develop policies first on a machine that you can use as a test environment. But after you've tested your new policy, how do you roll it out to your production environment? Mike Mullins tells you how.

Within the Windows world, most companies have finally upgraded to Windows 2000 Server or Windows Server 2003 on the server front and Windows 2000 or Windows XP on the desktop. Those same companies have also undoubtedly discovered that Group Policy Objects (GPOs) are much more useful and robust than in previous versions.

If your company fits this description, then you may have even experimented with group policy and IPSec. When experimenting, it's always a good practice to develop policies first on a machine that you can use as a test environment. If not configured properly, IPSec can effectively shut down all communications from a machine to the network—thus, the importance of testing.

Once you've completed testing your new policy, you may have wondered how to roll it out from your test machine into your production environment. Follow these steps:

  1. Open the Microsoft Management Console (MMC) by going to Start | Run, entering MMC, and clicking OK.
  2. Go to File | Add/Remove Snap-in to add the IP Security Policy Management snap-in.
  3. Click Add, and find IP Security Policy Management in the list of available snap-ins.
  4. Select this snap-in, and click Add.
  5. Next, you should decide which computer this snap-in will manage. Since you're exporting from a local machine, select Local Computer, and click Finish.
  6. Click Close, and click OK to return to the MMC.

Once you're back to the MMC, you can easily export any policies you've created. Follow these steps:

  1. Right-click IP Security Policies On Local Machine, and select All Tasks | Export Policies.
  2. Navigate to where you want to save the policy.
  3. Name the file, and click Save.

After you've exported the policy file to a location that's accessible by the computers you want to import it to, the last step is to actually import the policy. Follow these steps:

  1. Repeat Steps 1 through 6 listed above on the machine that will import the policy.
  2. Right-click IP Security Policies On Local Machine, and select All Tasks | Import Policies.
  3. Navigate to the newly exported policy, select it, and click Open.

You've now imported the new policy. If you're going to roll out this policy to an organizational unit (OU), you can select that OU. This will apply the policy to the computers in the selected OU.
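The same export, import and verification as a script for an unattended rollout. This is an added example, not part of the original column; it assumes the netsh ipsec context that ships with Windows XP and Windows Server 2003 (Windows 2000 does not have it), and the share path and file names are placeholders.

```batch
@echo off
rem Added example (not from the original column): scripted equivalent of the
rem MMC export/import steps, using netsh ipsec on Windows XP / Server 2003.
rem Assumptions: \\fileserver\ipsec is a share the target machines can read,
rem and the tested policy was exported there as tested-policy.ipsec.
setlocal
set POLICY_SHARE=\\fileserver\ipsec
set NEW_POLICY=%POLICY_SHARE%\tested-policy.ipsec
set BACKUP=%SystemRoot%\ipsec-backup-%COMPUTERNAME%.ipsec

rem --- On the test machine: export the policy you developed and tested -----
rem netsh ipsec static exportpolicy file=%NEW_POLICY%

rem --- On each production machine: keep a way back before importing --------
rem Save the current local policy store first; a bad import that cuts the
rem machine off the network can then be reversed by importing this file.
netsh ipsec static exportpolicy file=%BACKUP%
if errorlevel 1 (
    echo Could not back up the current IPSec policy store, aborting.
    exit /b 1
)

rem Import the tested policy into the local policy store.
netsh ipsec static importpolicy file=%NEW_POLICY%
if errorlevel 1 (
    echo Import failed, local store left as it was.
    exit /b 1
)

rem List the store so you can confirm the expected policy is present and
rem shows the assignment state you intend before leaving the machine.
netsh ipsec static show all
endlocal
```

Run the backup and import section from an account with local administrator rights on each target machine; keep the backup file until the imported policy has been confirmed working.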

Final thoughts

Using IPSec is an easy way to secure the network traffic on your intranet. If you've performed a gap analysis of your organization's security, you've created an application traceability matrix for your network and know which protocols and ports are necessary for your network to operate; you can use that matrix to create effective IPSec policies.

It's a best practice to always export and import IPSec policies. These are complicated policies, and they have several steps for proper configuration. A misconfiguration will leave you with machines that can't communicate properly on the network.


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
