June 07, 2011


I was researching for a colleague whether there is any documentation out there on securing two or more computers with IPSec (IP Security). Surprisingly, there isn't an easy one. Those that exist require you to configure Group Policy at the domain level, on the domain controller (from what I found). What if you are neither a Domain Admin nor a GP Admin? Some forums even suggested that IPSec without Group Policy isn't possible. That is only true of domain Group Policy: you can always configure the policy locally on each computer, without going through domain policy at all. If you are implementing IPSec on a large scale, domain Group Policy is of course the way to do it.

If you are not familiar with IPSec, this article from TechNet is probably the best one I can find.

So, just like the title of my blog, I'll try to post things I can't find by Googling. Not only will I spell out the solution, I will also explain what each step does, so that you are not just clicking through dialog boxes. Bold text in a sentence indicates an action you need to perform; italic text indicates a label.

Goal:

IPSec without Group Policy

[Figure: IPSec without Domain Group Policy]

You have a central server (web server, file server, database, etc.) in your company, and a small number of workstations accessing it (as pictured). Let's say you have 3 workstations, and you'd like to accomplish the following:

  • The traffic between the server and the 3 stations needs to be secured.
  • ONLY those 3 stations are able to access the server; all other stations are not permitted.
  • In addition to limiting access to specific stations, you'd also like to limit access to ONLY specific users.
  • If domain user 1 uses computer W to access the protected server, the traffic is denied because computer W is not on the 'allowed computers' list.
  • If domain user 4 uses computer X, Y or Z to access the protected server, the traffic is denied because domain user 4 is not on the 'allowed users' list.
  • Domain user 2 can use computer X, Y or Z to access the protected server.
  • Computers X, Y and Z can still communicate with other servers as usual (browsing and normal business tasks). This is optional; you will find it in step IV.17 below.

If you are planning to deploy this solution to hundreds of computers, Group Policy will of course make your life easier.
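The goals above can also be expressed as local rules from the command line, which is handy for checking what the dialog boxes actually produce. The script below is an added example and is not the author's walkthrough (that uses the MMC); it uses `netsh advfirewall`, the scripted front end of Windows Firewall with Advanced Security on Vista/7/2008 and later, which is applied per machine without any domain GPO. The server address, the three station addresses, the port and the user SIDs are assumptions; substitute your own. Kerberos authentication assumes the machines are domain-joined, which the goals (domain users) already imply.

```powershell
# Added example, not from the original post: the same goal as LOCAL connection
# security and firewall rules via netsh advfirewall. All addresses, the port
# and the SIDs are placeholders (assumptions). Run from an elevated prompt on
# the machine being configured; the server and station sections differ.

$Server   = '10.0.0.10'                       # protected server (assumed)
$Stations = '10.0.0.21,10.0.0.22,10.0.0.23'   # computers X, Y, Z (assumed)
$Port     = '445'                             # service to protect, e.g. SMB (assumed)

# Domain users allowed to reach the service, as an SDDL DACL: one (A;;CC;;;SID)
# entry per user. Look a SID up with:
#   (New-Object System.Security.Principal.NTAccount('DOMAIN\user')).Translate(
#       [System.Security.Principal.SecurityIdentifier]).Value
$AllowedUsers = 'D:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1104)' +
                  '(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

# ---- On the SERVER --------------------------------------------------------
# 1. Connection security rule: every peer talking to this host must
#    authenticate with Kerberos as a computer (auth1) AND as a user (auth2).
#    requireinrequireout: unauthenticated inbound traffic is dropped rather
#    than falling back to clear text.
netsh advfirewall consec add rule name="IPsec to protected server" `
    endpoint1=$Server endpoint2=any action=requireinrequireout `
    auth1=computerkerb auth2=userkerb

# 2. Firewall rule: allow the port only when the connection is IPsec
#    authenticated (security=authenticate), only from the three stations
#    (remoteip), and only for the listed users (rmtusrgrp). With the default
#    inbound action left at Block, every other source or user is refused,
#    which covers the "user 1 on computer W" and "user 4 on X/Y/Z" cases.
netsh advfirewall firewall add rule name="Protected service (IPsec only)" `
    dir=in action=allow protocol=TCP localport=$Port remoteip=$Stations `
    security=authenticate rmtusrgrp=$AllowedUsers

# 3. Check that no broader inbound allow rule for the same port remains;
#    any such rule would let unauthenticated peers through regardless.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Context 9,3 "LocalPort:\s+$Port$"

# ---- On each STATION (X, Y, Z) -------------------------------------------
# Scope the rule to the server only, so traffic to every other host is left
# untouched (the optional goal: browsing and normal work still function).
netsh advfirewall consec add rule name="IPsec to protected server" `
    endpoint1=any endpoint2=$Server action=requireinrequireout `
    auth1=computerkerb auth2=userkerb

# ---- Verification ---------------------------------------------------------
# After a station opens a connection, both sides should list a main-mode and
# a quick-mode security association with the peer. An empty list means the
# negotiation failed; the Security event log records the IPsec failure.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Two points a practitioner should keep in mind: `rmtusrgrp` is only evaluated when the connection security rule performs user authentication (`auth2=userkerb`), so leaving the second authentication out silently turns the user list into a no-op; and `requireinrequireout` on the server means any host without a matching rule, including your own management workstation, loses access until it is configured, so add the station rules first or keep a console session open.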

Short Solution and its shortcoming: