How can I prevent other users from disabling the IPSEC Policy Agent service?
In previous articles I’ve showed you how to protect your computer with the IPSEC mechanism (see Block Ping Traffic with IPSec, Block Web Browsing but Allow Intranet Traffic with IPSec and Block Web Browsing with IPSec). These articles describe how an administrator can potentially block specific computers from accessing specific web sites or even from browsing the entire Internet.
So where’s the catch?
The problem lies in the fact that the IPSec policy is enabled by a service called IPSec Policy Agent. This service is loaded as Automatic (by default) and is supposed to be started in order for the IPSec Policy to run properly.
A user with administrative privileges can view the service status by running Services from the Administrative tools and easily stop the service and even disable it, thus preventing the IPSec policy from running. This is something we want to stop.
To do so we need to configure a Group Policy Object (GPO) in the Active Directory. You can also configure the setting locally, but for that you’ll need to run GPEDIT.MSC.
Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to only configure a specific set of computers). Choose Properties.
In the Properties window click the Group Policy tab. Click New to configure a new GPO (if you don’t have one set for that OU already). Give it a descriptive name, such as Secure Services.
Note: If you’re configuring a Windows Server 2003 DC computer that has GPMC installed (read Download GPMC), you can shorten this action by simply opening the Group Policy Management snap-in from the Administrative Tools and selecting your desired GPO.
Click Edit to edit the GPO.
Navigate to Computer Settings > Windows Settings > Security Settings > System Services. Browse for the IPSec Policy Agent service and then right-click it and select Security (or Properties in Windows Server 2003).
In the Security Policy Setting window click Define this policy setting and select Automatic for the service start type.
In Windows 2003 click Edit Security.
A security window will open. Click Remove to remove the Everyone group. You can add yourself if you want, but for this demonstration I’ll remove everyone including myself. This will prevent anyone from viewing the running status of the service, and also prevent them from starting or stopping it.
In Windows Server 2003 the Everyone group is not listed, and instead you’ll see the Administrators, System and Interactive groups. Remove them if you want.
Click Ok all the way out.
Notice that the setting for the policy is shown in the GPO window.
Close the GPO window. You must now refresh the policy. Run the following command:
secedit /refreshpolicy machine_policy /enforce
In Windows XP and Windows Server 2003 you should type
gpupdate /force
Go back to the Services window. Click F5 to refresh the display. See that the status of the service is shown as Started, however no more info can be seen in the window.
Try to stop the service. You cannot. Try to see it’s properties. You cannot. No user can modify the setting of this policy unless the user has access to the GPO you’ve just created.
You may find these related articles of interest to you:
Securing Windows 2000 Communications with IP Security Filters
Description of the IPSec Policy Created for L2TP/IPSec – 248750
Step-by-Step Guide to Internet Protocol Security (IPSec)
Using IPSec to Lock Down a Server
How to Configure IPSec Tunneling in Windows 2000 – 252735
How to Enable IPSec Traffic Through a Firewall – 233256
Using the IP Security Monitor Tool to View IPSec Communications – 231587