Using IPSec to Prevent Workstation-to-Workstation Communication

You can use IP Security (IPSec) in Authenticated Header (AH) mode to prevent workstation-to-workstation communication and help slow the spread of worms such as CodeRed and Nimda. As I explain in the main article, you need to take a few preliminary steps, then open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Open the Workstations organizational unit's (OU's) Properties dialog box, and go to the Group Policy tab. Click New, name the new GPO Workstations IPSEC, then click Edit to open the Group Policy console. In the left-hand pane, select Computer ConfigurationWindows SettingSecurity SettingsIP Security Policies on Active Directory. Right click anywhere in the details pane, then select Create IP Security Policy from the context menu to launch the IP Security Policy Wizard. Click Next, enter Limit Communication to AH Mode, then click Next. (You can enter the more descriptive text Limit communication to AH mode with all servers except Internet web servers in the Description box if you like.) Clear the Activate the default response rule check box, click Next, then click Finish to close the wizard and display the new policy's Properties dialog box.

On the Limit Communication to AH Mode Properties dialog box's Rules tab, click Add to start the Security Rule Wizard. Click Next until you reach the Authentication Method screen. Let’s use the string k7wVOP@10dkdiw#(# as our preshared key. Select the Use this string to protect the key exchange (preshared key) option, then enter the key string. Click Next to advance to the wizard's IP Filter List screen. Filter lists specify criteria that define which packets this rule should apply to. Select All IP Traffic in the IP filter lists window, then click Next to advance to the Filter Action screen.

Filter actions tells Win2K what to do with packets that the specified filter catches. The existing actions—Request Security (Optional) and Require Security—try to use Encapsulating Security Payload (ESP) mode before dropping down to AH mode. Because you want to use only AH mode, you need to create a third action. Click Add to start the Filter Action Wizard. Click Next, enter Require AH Mode in the Name box, then click Next (accepting each screen's defaults) until you reach the IP Traffic Security screen. Select the Medium (Authenticated Header) option, click Next, then click Finish to close the wizard and return to the Security Rule Wizard's Filter Action screen. Select the new Require AH Mode action, click Next, clear the Edit properties check box, then click Finish.

Now, you need to add a second rule to this policy to permit the workstations to communicate with Web servers. On the Limit communication to AH mode with servers except Internet web servers Properties dialog box's Rules tab, click Add to start the Security Rule Wizard. Click Next (accepting the defaults) until you reach the IP Filter List screen, then click Add to open the IP Filter List dialog box. You need to add two filters: one for port 80 and one for port 443. Enter Outgoing port 80 and 443 in the Name text box. Click Add to start the IP Filter Wizard, then click Next until you reach the IP Protocol Type screen. Select TCP in the Select a protocol type drop-down list, click Next, select the To this port option, and enter 80. Click Next, then click Finish. In the IP Filter List dialog box, click Add again and repeat the IP Filter Wizard process to create another TCP filter for port 443. In the updated IP Filter List dialog box, which Figure A shows, click Close to return to the Security Rule Wizard's IP Filter List screen, select Outgoing port 80 and 443, click Next, then select Permit in the Filter Actions window. Click Next, clear the Edit properties check box, then click Finish. Click Close to close the Limit Communication to AH Mode Properties dialog box, close the Group Policy console, and close the Workstations OU's Properties dialog box.

To create the second GPO, open the Servers OU's Properties dialog box in the Active Directory Users and Computers console and go to the Group Policy tab. Repeat the GPO-creation process that I described for the Workstations OU; name this new GPO IPSEC Servers, then launch the IP Security Policy Wizard as I described earlier. Name the new policy Respond to AH mode requests from workstations. This time, select the Activate the default response rule check box. Click Next, select Use this string to protect the key exchange (preshared key), then enter the designated key string

k7wVOP@10dkdiw#(#

Click Next, clear the Edit properties check box, then click Finish. Click OK to close the Respond to AH mode requests from workstations Properties dialog box.

You now need to assign (i.e., activate) the two IPSec policies you created. In the Group Policy console, right-click each policy (under Computer ConfigurationWindows SettingSecurity SettingsIP Security Policies on Active Directory), then select Assign from the context menu. Now, systems in the Workstations OU will reject traffic that doesn’t come from computers in the Servers OU.