Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Security

Secure IPSec Policy Agent

How can I prevent other users from disabling the IPSEC Policy Agent service?

In previous articles I’ve showed you how to protect your computer with the IPSEC mechanism (see Block Ping Traffic with IPSec, Block Web Browsing but Allow Intranet Traffic with IPSec and Block Web Browsing with IPSec). These articles describe how an administrator can potentially block specific computers from accessing specific web sites or even from browsing the entire Internet.

So where’s the catch?

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

The problem lies in the fact that the IPSec policy is enabled by a service called IPSec Policy Agent. This service is loaded as Automatic (by default) and is supposed to be started in order for the IPSec Policy to run properly.

A user with administrative privileges can view the service status by running Services from the Administrative tools and easily stop the service and even disable it, thus preventing the IPSec policy from running. This is something we want to stop.

To do so we need to configure a Group Policy Object (GPO) in the Active Directory. You can also configure the setting locally, but for that you’ll need to run GPEDIT.MSC.

  1. Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to only configure a specific set of computers). Choose Properties.

  1. In the Properties window click the Group Policy tab. Click New to configure a new GPO (if you don’t have one set for that OU already). Give it a descriptive name, such as Secure Services.

Note: If you’re configuring a Windows Server 2003 DC computer that has GPMC installed (read Download GPMC), you can shorten this action by simply opening the Group Policy Management snap-in from the Administrative Tools and selecting your desired GPO.

  1. Click Edit to edit the GPO.

  2. Navigate to Computer Settings > Windows Settings > Security Settings > System Services. Browse for the IPSec Policy Agent service and then right-click it and select Security (or Properties in Windows Server 2003).

  1. In the Security Policy Setting window click Define this policy setting and select Automatic for the service start type.

In Windows 2003 click Edit Security.

  1. A security window will open. Click Remove to remove the Everyone group. You can add yourself if you want, but for this demonstration I’ll remove everyone including myself. This will prevent anyone from viewing the running status of the service, and also prevent them from starting or stopping it.

In Windows Server 2003 the Everyone group is not listed, and instead you’ll see the Administrators, System and Interactive groups. Remove them if you want.

  1. Click Ok all the way out.

  1. Notice that the setting for the policy is shown in the GPO window.

  1. Close the GPO window. You must now refresh the policy. Run the following command:

​secedit /refreshpolicy machine_policy /enforce

In Windows XP and Windows Server 2003 you should type

​gpupdate /force
  1. Go back to the Services window. Click F5 to refresh the display. See that the status of the service is shown as Started, however no more info can be seen in the window.

Try to stop the service. You cannot. Try to see it’s properties. You cannot. No user can modify the setting of this policy unless the user has access to the GPO you’ve just created.

Related articles

You may find these related articles of interest to you:

Links

Securing Windows 2000 Communications with IP Security Filters

Description of the IPSec Policy Created for L2TP/IPSec – 248750

Step-by-Step Guide to Internet Protocol Security (IPSec)

Using IPSec to Lock Down a Server

How to Configure IPSec Tunneling in Windows 2000 – 252735

How to Enable IPSec Traffic Through a Firewall – 233256

How to Use Internet Protocol Security to Secure Network Traffic Between Two Hosts in Windows 2000 – 301284

Using the IP Security Monitor Tool to View IPSec Communications – 231587

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (1)

One response to “Secure IPSec Policy Agent”

Leave a Reply

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: