Jim
Tue May 03 11:44:20 CDT 2005
IPsec should be managed centrally and not by a local admin. IPSec should be
defined by the corporate security officer or other person who holds that
role. If you don't do it this way there is not much point in using IPSec.
--
Jim Vierra
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23%23tG2E9TFHA.3596@TK2MSFTNGP14.phx.gbl...
>I in general agree with the idea of using GPO for IPsec config,
> but I also find that this complicates somewhat delegating the
> management of (non-DC) servers to individual server admins.
> There is this tension between letting them manage day to day
> needs locally on their (domain-joined) server vs. making them
> need to use domain tools in order to do so (along with the
> corresponding delegation of rights to the GPO, which also then
> obviates the enforcement value of GPO settings providing to
> their servers settings that could not be changed).
>
> Also, for those that might pick up on this thread, at least
> initially (and the date of the download does not seem to
> be much newer now), the use of the IPsecpol download
> and of the UI in GP could result in conflict, and it was
> recommended that one or the other be used in W2k.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Jim Vierra" <jvierra@msn.com> wrote in message
> news:ekdXOOeTFHA.2336@TK2MSFTNGP12.phx.gbl...
>> Roger. It almost got me too. I set this up all of the time but sometimes
>> the old brainpan just doesn't react.
>>
>> Many would get into trouble as the GP for the Domain gets modified quite
>> frequently these days. For small nets with one admin the question usually
>> shows that the policy hasn't been implemented at the domain so your answer
>> would be fine. I just wanted to post the info so that Robert, or other
>> readers, could make the decision without wasting time. I also believe that
>> IPSec policy should be implemented and defined through GP and not through a
>> script as it is much harder to manage and change. However, monitoring IPSec
>> via script IS a good idea in most cases.
>> --
>> Jim Vierra
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:eRyxqJcTFHA.4056@TK2MSFTNGP15.phx.gbl...
>> > Thanks Jim, you're quite right, I was thinking locally.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Jim Vierra" <jvierra@msn.com> wrote in message
>> > news:OtkIX7TTFHA.548@tk2msftngp13.phx.gbl...
>> >> Group Policy at the Domain level will still overwrite this. Only Local
>> >> Policy will reflect the change until the next time GP is applied.
>> >> If no IPSec GP is defined then it will work.
>> >>
>> >> --
>> >> Jim Vierra
>> >>
>> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> news:OPm$RhRTFHA.3188@TK2MSFTNGP09.phx.gbl...
>> >> > While Torgeir is correct, there is however, depending on the
>> >> > version of Windows, a way to alter the state of IPsec filters,
>> >> > and once done, at least for later Windows, this changed
>> >> > state is reflected in the GP view of things.
>> >> > For W2k3 look at the IPsec context in netsh,
>> >> > For XP IIRC the command was ipseccmd,
>> >> > For W2k there is an ipsecpol downloadable tool
>> >> >
>> >> > http://www.microsoft.com/downloads/details.aspx?FamilyID=7d40460c-a069-412e-a015-a2ab904b7361&DisplayLang=en
>> >> >
>> >> > --
>> >> > Roger Abell
>> >> > Microsoft MVP (Windows Security)
>> >> > MCSE (W2k3,W2k,Nt4) MCDBA
>> >> > "D.P. Roberts" <dproberts@pbride.com> wrote in message
>> >> > news:ut2nA25SFHA.3840@tk2msftngp13.phx.gbl...
>> >> >> In Group Policy Computer Configuration, you can right-click an IP Security
>> >> >> Policy and either 'Assign' or 'Un-assign' it. Does anyone know if these
>> >> >> 'Assign' and 'Un-assign' selections can be scripted?
>> >> >>
>> >> >> Thanks...
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
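The thread answers the original question (on W2k3 the netsh "ipsec static" context can assign or un-assign a policy, e.g. `netsh ipsec static set policy name="<policy>" assign=yes`) and then makes the more important point: a domain GPO overrides a local assignment at the next Group Policy refresh, so the thing worth scripting is monitoring the effective assignment rather than flipping it locally. The script below is an added example, not code from this thread or from Microsoft. It parses the key/value listing that `netsh ipsec static show policy all` prints and reports whether the assigned policy matches the one the security officer mandated. The layout of the sample output (a "Policy Name" block with an "Assigned" line) and the field names are assumptions; the sample text itself is constructed, not captured from a host.

```python
"""Drift check for the assigned IPsec policy on a Windows 2000/2003 host.

Added example (not from the newsgroup thread). Assumes the host has the
`netsh ipsec static` context and that `show policy all` prints one block per
policy with "Policy Name : <name>" and "Assigned : YES|NO" lines (assumed
layout). SAMPLE_OUTPUT is constructed so the check runs offline.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the assumed key/value layout of
# `netsh ipsec static show policy all` (not real captured output).
SAMPLE_OUTPUT = """\
Policy Name                 : Client (Respond Only)
Description                 : Communicate normally (unsecured).
Last Modified               : 5/3/2005 11:44:20 AM
Assigned                    : NO

Policy Name                 : Server (Request Security)
Description                 : For all IP traffic, always request security.
Last Modified               : 5/3/2005 11:44:20 AM
Assigned                    : YES
"""

# Only the two keys the check needs; other lines are ignored.
_KV = re.compile(r"^\s*(Policy Name|Assigned)\s*:\s*(.*?)\s*$", re.IGNORECASE)


def parse_policies(text: str) -> List[Dict[str, object]]:
    """Turn the listing into [{'name': str, 'assigned': bool}, ...]."""
    policies: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "policy name":
            current = {"name": value, "assigned": False}
            policies.append(current)
        elif key == "assigned" and current is not None:
            current["assigned"] = value.upper().startswith("Y")
    return policies


def assigned_policy(text: str) -> Optional[str]:
    """Name of the assigned policy, or None when nothing is assigned."""
    names = [str(p["name"]) for p in parse_policies(text) if p["assigned"]]
    return names[0] if names else None


def check_drift(text: str, expected: Optional[str]) -> str:
    """Compare the live assignment with the mandated policy name.

    Returns 'ok' when they match, 'unassigned' when no policy is assigned,
    or 'drift:<actual>' when a different policy is in force (which is what
    you see when a domain GPO has overridden a local assignment).
    """
    actual = assigned_policy(text)
    if actual == expected:
        return "ok"
    if actual is None:
        return "unassigned"
    return f"drift:{actual}"


def live_output() -> str:
    """Run netsh on a real host (Windows only; not exercised offline)."""
    return subprocess.run(
        ["netsh", "ipsec", "static", "show", "policy", "all"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # On a real host replace SAMPLE_OUTPUT with live_output().
    print(check_drift(SAMPLE_OUTPUT, "Server (Request Security)"))
```

Run it from a scheduled task and alert on anything other than `ok`; an `unassigned` or `drift:` result after a GP refresh is the symptom Jim describes, a local change that the domain policy has silently replaced.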