Windows Server 2003 : Monitoring Network Protocol Security (part 5) - Create a Negotiation Policy

3/24/2011 6:31:32 PM
Exercise 2: Create a Negotiation Policy

A blocking policy requires that a rule be created on only one computer. A blocking rule keeps data from entering a computer. However, securing communications between two computers is a more complex task. In this exercise, you first create a more detailed policy, and then you ensure that a policy is present on each computer.

To create a policy to encrypt data between two computers

A negotiation policy must find a match. For computers to communicate, the policy on each computer must have almost identical settings. The following policy needs to be exported and then imported on Computer1, and assigned on both computers before encrypted data can pass between them. In a Windows domain environment, if large numbers of computers can use the same policy, it can be created as part of a GPO.

1. Open the Security Configuration Management console.

2. Right-click IP Security Policies On Local Computer and select Create IP Security Policy.

   The IP Security Policy Wizard appears.

3. Click Next on the welcome page.

4. In the Name text box, type encrypt telnet traffic. Type a description, and click Next.

5. Clear the Activate The Default Response Rule check box, click Next, and then click Finish.

6. In the policy properties dialog box, click the General tab (shown in Figure 21), and then click Settings to locate and adjust the key exchange settings.

Figure 21. Locating the key exchange settings


7. In the Key Exchange Settings dialog box, shown in Figure 22, click Methods.

Figure 22. Inspecting security methods

   The Key Exchange Settings dialog box is the location for changing master key generation particulars. Table 11-6 defines the parameters. Although frequent rekeying creates a more secure transport, it might also affect performance.

8. In the Key Exchange Security Methods dialog box, select the fourth (last) default security method and click the Remove button. Then select the third security method and remove it as well. Two methods remain (Figure 23).

Figure 23. Reducing the number of security methods

   Removing two of the security methods and changing the Diffie-Hellman group of the remaining security methods increases the security of the master key but might affect performance. A computer that attempts to negotiate a connection must be able to use at least one of the two remaining methods, or no connection will be made.

9. Select one of the remaining security methods and click Edit.

10. In the IKE Security Algorithms dialog box, in the Diffie-Hellman Group dropdown list, select High (2048), as shown in Figure 24. Then click OK. Repeat this process for the second security method.

Figure 24. Changing the Diffie-Hellman group

   Changing the Diffie-Hellman group to High (2048) increases security in two ways. First, larger prime numbers are used in the calculation of the master key; second, communications can occur only with other computers running Windows Server 2003, because only they can use this parameter. Selecting the highest Diffie-Hellman group can cause problems because legitimate users might attempt connections from downlevel machines. It can also affect performance: the result is a larger key, and thus a longer time for encryption.

11. Click OK twice to return to the General tab. Then select the Rules tab.

12. Ensure that the Use Add Wizard box is selected and click Add to add a rule.

    The Create IP Security Rule Wizard launches.

13. Click Next on the Welcome page.

14. Click Next on the Tunnel Endpoint page.

    This policy will not use a tunnel.

15. On the Network Type page, click Next to accept the default, All Network Connections.

    This policy remains effective no matter where the connection is coming from.

16. On the IP Filter List page, click Add to add a filter list.

17. In the Name text box, type negotiate. In the Description text box, type a description.

18. Select the Use Add Wizard check box and click Add to add a filter.

    The IP Filter Wizard launches.

19. On the IP Filter Wizard welcome page, click Next.

20. In the Description text box, type a description for the filter and click Next.

21. For the IP traffic source, as shown in Figure 25, in the Source Address dropdown list, select A Specific IP Address.

Figure 25. Entering a specific traffic source

22. In the IP Address text box, type the IP address of Computer1. Then click Next.

23. On the IP Traffic Destination page, in the Destination Address dropdown list, select A Specific IP Address and type the IP address for Computer2. Then click Next.

24. On the IP Protocol Type page, select TCP. Then click Next.

25. Click To This Port, type 23, click Next, and then click Finish.

26. Click OK to return to the IP Filter List page in the Security Rule Wizard.

27. Click Negotiate, and then click Next.

28. Click Require Security, and then click Next.

29. Select Kerberos for the authentication method, click Next, and then click Finish.

30. Click OK to complete the rule; then click OK again to finish the procedure.

To export the policy and then import it on another computer

Before activating a negotiation policy, you should make sure the other computer or computers have the same policy configuration. One way to perform this task is to create the policy by hand on the other computer. Another way is to export the policy and import it on the other computer, which you do in this exercise.

1. Open the IP Security Management console on Computer2.

2. Right-click IP Security Policies On Local Computer, select All Tasks, and then click Export Policies.

   The trouble with exporting policy files is that you get all of the policies created on this computer. That result might not be what you want.

3. Browse to a shared folder on Computer1, type a name, and click Save.

4. On Computer1, create an IP Security Management console.

5. Right-click IP Security Policies On Local Computer, select All Tasks, and click Import Policies.

6. Select the policy file, and click Open.

The security policy has now been copied between the computers. Close all consoles and log off both systems.
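The same negotiation policy, and the export/import step that follows it, can be built from the command line with the `netsh ipsec static` context that ships with Windows Server 2003. The batch script below is an added example, not part of the original exercise or of any Microsoft documentation; it mirrors the 30 wizard steps and the export/import procedure above so that the result can be reviewed as text before it is assigned. Everything named in it is an assumption made for the example: the addresses 192.0.2.10 (Computer1) and 192.0.2.20 (Computer2) are constructed, the share path is a placeholder, the rule and description strings are invented, and the two main-mode methods kept (3DES/SHA1 and 3DES/MD5, moved to netsh group number 3, which is the 2048-bit "High" group on Windows Server 2003) are taken to be the wizard's first two defaults that survive step 8.

```batch
@echo off
REM Added example (not from the original article): the GUI procedure above expressed
REM as netsh ipsec static commands. Run from a command prompt with administrative
REM rights on Computer2; the export/import section at the end copies the policy.
REM Constructed addresses for the example: Computer1 = 192.0.2.10, Computer2 = 192.0.2.20.
set COMPUTER1=192.0.2.10
set COMPUTER2=192.0.2.20
set POLICY=encrypt telnet traffic
set FLIST=negotiate
set FACTION=require security
REM Placeholder UNC path to a shared folder on Computer1 for the exported policy file.
set EXPORTFILE=\\computer1\ipsecshare\telnet-policy.ipsec

REM Steps 2-5: create the policy without activating the default response rule.
REM Steps 8-10: keep only two main-mode (key exchange) methods and move both to
REM Diffie-Hellman group 3, the 2048-bit "High" group in the IKE Security Algorithms
REM dialog. Peers that cannot offer one of these two methods will not negotiate.
netsh ipsec static add policy name="%POLICY%" description="Require ESP for telnet between Computer1 and Computer2" activatedefaultrule=no mmsecmethods="3DES-SHA1-3 3DES-MD5-3"

REM Steps 16-25: a filter list holding one mirrored filter for TCP port 23
REM from Computer1 to Computer2 (mirrored=yes also matches the reply traffic).
netsh ipsec static add filterlist name="%FLIST%" description="Telnet from Computer1 to Computer2"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%COMPUTER1% srcmask=32 dstaddr=%COMPUTER2% dstmask=32 protocol=TCP srcport=0 dstport=23 mirrored=yes description="TCP 23 Computer1 to Computer2"

REM Steps 27-28: a Negotiate action that neither accepts unsecured inbound traffic
REM (inpass=no) nor falls back to clear text (soft=no), i.e. "Require Security".
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

REM Steps 12-15 and 29-30: the rule ties the list and the action together,
REM applies to all connection types, uses no tunnel, and authenticates with Kerberos.
netsh ipsec static add rule name="telnet rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" conntype=all kerberos=yes

REM Review the whole policy before assigning it on either computer.
netsh ipsec static show policy name="%POLICY%" level=verbose

REM Export/import procedure: exportpolicy writes every local policy, not just this
REM one (the point the article makes about exported policy files).
netsh ipsec static exportpolicy file="%EXPORTFILE%"
echo On Computer1 run:   netsh ipsec static importpolicy file="%EXPORTFILE%"
echo Then on both hosts: netsh ipsec static set policy name="%POLICY%" assign=yes
echo After a telnet attempt, confirm a main-mode SA exists: netsh ipsec dynamic show mmsas
```

Two points of practice are worth keeping from the GUI procedure when scripting it. First, nothing here is assigned until the final `set policy ... assign=yes` runs on both computers, which is the order the article insists on: assigning a Require Security rule on only one side simply blocks the telnet session. Second, `show policy ... level=verbose` before assignment is the text equivalent of walking back through the property sheets; it is the place to confirm that only the two intended main-mode methods remain and that the filter really is limited to TCP 23 between the two addresses.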