Within the Windows world, most companies have finally
upgraded to Windows 2000 Server or Windows Server 2003 on the server front and
Windows 2000 or Windows XP on the desktop. Those same companies have also undoubtedly
discovered that Group Policy Objects (GPOs) are much more useful and robust
than in previous versions.

If your company fits this description, then you may have
even experimented with group policy and IPSec. When experimenting, it’s always a good
practice to develop policies first on a machine that you can use as a test
environment. If not configured properly, IPSec can effectively shut down all
communications from a machine to the network—thus, the importance of testing.

Once you’ve completed testing your new policy, you may have
wondered how to roll it out from your test machine into your production
environment. Follow these steps:

  1. Open the Microsoft Management Console (MMC) by going to Start | Run, entering MMC, and clicking OK.
  2. Go to File | Add/Remove Snap-in to add the IP Security Policy Management snap-in.
  3. Click Add, and find IP Security Policy Management in the list of available snap-ins.
  4. Select this snap-in, and click Add.
  5. Next, you should decide which computer this snap-in will manage. Since you’re
    exporting from a local machine, select Local Computer, and click Finish.
  6. Click Close, and click OK to return to the MMC.

Once you’re back to the MMC, you can easily export any
policies you’ve created. Follow these steps:

  1. Right-click IP Security Policies On Local Machine, and select All Tasks | Export
    Policies.
  2. Navigate to where you want to save the policy.
  3. Name the file, and click Save.

After you’ve exported the policy file to a location that’s
accessible by the computers you want to import it to, the last step is to
actually import the policy. Follow these steps:

  1. Repeat Steps 1 through 6 listed above on the machine that will import the policy.
  2. Right-click IP Security Policies On Local Machine, and select All Tasks | Import
    Policies.
  3. Navigate to the newly exported policy, select it, and click Open.

You’ve now imported the new policy. If you’re going to roll out
this policy to an organizational unit (OU), you can select that OU. This will
apply the policy to the computers in the selected OU.
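
The export and import steps above can also be scripted, which helps when the same tested policy has to reach many machines. The following is an added example, not part of the original article: it assumes the netsh "ipsec static" context (Windows Server 2003 and later) and PowerShell 4.0 or later for Get-FileHash, and the share path and parameter names are placeholders.

```powershell
# Added example, not from the original article. Run once with -Mode Export on
# the test machine, then with -Mode Import on each machine receiving the policy.
param(
    [Parameter(Mandatory)][ValidateSet('Export','Import')][string]$Mode,
    # Hypothetical share readable by the machines that will import the policy.
    [string]$PolicyFile = '\\fileserver\ipsec\baseline.ipsec',
    # Hash printed by the export run, passed to the import run out of band.
    [string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

function Invoke-Netsh([string[]]$NetshArgs) {
    # Run netsh and stop the script if it reports a failure.
    $out = & netsh.exe @NetshArgs | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}

switch ($Mode) {
    'Export' {
        # Same result as All Tasks | Export Policies in the snap-in.
        Invoke-Netsh 'ipsec','static','exportpolicy',"file=$PolicyFile" | Out-Null
        # netsh may append .ipsec to the name it was given, so check both.
        $written = @($PolicyFile, "$PolicyFile.ipsec") |
            Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $written) { throw "No exported file found at $PolicyFile" }
        $hash = (Get-FileHash -Path $written -Algorithm SHA256).Hash
        "Exported to $written"
        "SHA256: $hash"
    }
    'Import' {
        # Refuse to import a file that differs from the one that was tested.
        if (-not $ExpectedSha256) { throw 'Import requires -ExpectedSha256 from the export run.' }
        $actual = (Get-FileHash -Path $PolicyFile -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) { throw "Hash mismatch for $PolicyFile; not importing." }
        # Same result as All Tasks | Import Policies in the snap-in.
        Invoke-Netsh 'ipsec','static','importpolicy',"file=$PolicyFile" | Out-Null
        # List the policies now in the store so the names can be confirmed.
        Invoke-Netsh 'ipsec','static','show','policy','all'
    }
}
```

Passing the hash separately from the file means a policy file that was truncated or altered on the share is rejected before it can change how the machine communicates.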

Final thoughts

Using IPSec is an easy way to secure the network traffic on
your intranet. If you’ve performed a gap analysis of your organization’s
security, you’ve created an application
traceability matrix for your network, and you know which protocols and ports
are necessary for your network to operate. You can use this matrix to create
effective IPSec policies.

It’s a best practice to always export and import IPSec
policies. These are complicated policies, and they have several steps for
proper configuration. A misconfiguration will leave you with machines that can’t
communicate properly on the network.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.