Secure IPSec Policy Agent

How can I prevent other users from disabling the IPSEC Policy Agent service?

In previous articles I’ve showed you how to protect your computer with the IPSEC mechanism (see Block Ping Traffic with IPSec, Block Web Browsing but Allow Intranet Traffic with IPSec and Block Web Browsing with IPSec). These articles describe how an administrator can potentially block specific computers from accessing specific web sites or even from browsing the entire Internet.

So where’s the catch?

The problem lies in the fact that the IPSec policy is enabled by a service called IPSec Policy Agent. This service is loaded as Automatic (by default) and is supposed to be started in order for the IPSec Policy to run properly.

A user with administrative privileges can view the service status by running Services from the Administrative tools and easily stop the service and even disable it, thus preventing the IPSec policy from running. This is something we want to stop.

ipsec agent small

To do so we need to configure a Group Policy Object (GPO) in the Active Directory. You can also configure the setting locally, but for that you’ll need to run GPEDIT.MSC.

  1. Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to only configure a specific set of computers). Choose Properties.

ipsec agent1 small

  1. In the Properties window click the Group Policy tab. Click New to configure a new GPO (if you don’t have one set for that OU already). Give it a descriptive name, such as Secure Services.

Note: If you’re configuring a Windows Server 2003 DC computer that has GPMC installed (read Download GPMC), you can shorten this action by simply opening the Group Policy Management snap-in from the Administrative Tools and selecting your desired GPO.

  1. Click Edit to edit the GPO.

  2. Navigate to Computer Settings > Windows Settings > Security Settings > System Services. Browse for the IPSec Policy Agent service and then right-click it and select Security (or Properties in Windows Server 2003).

ipsec agent2 small

  1. In the Security Policy Setting window click Define this policy setting and select Automatic for the service start type.

ipsec agent3 small

In Windows 2003 click Edit Security.

  1. A security window will open. Click Remove to remove the Everyone group. You can add yourself if you want, but for this demonstration I’ll remove everyone including myself. This will prevent anyone from viewing the running status of the service, and also prevent them from starting or stopping it.

ipsec agent4 small

In Windows Server 2003 the Everyone group is not listed, and instead you’ll see the Administrators, System and Interactive groups. Remove them if you want.

  1. Click Ok all the way out.

  1. Notice that the setting for the policy is shown in the GPO window.

ipsec agent5 small

  1. Close the GPO window. You must now refresh the policy. Run the following command:

​secedit /refreshpolicy machine_policy /enforce

In Windows XP and Windows Server 2003 you should type

​gpupdate /force
  1. Go back to the Services window. Click F5 to refresh the display. See that the status of the service is shown as Started, however no more info can be seen in the window.

ipsec agent6 small

Try to stop the service. You cannot. Try to see it’s properties. You cannot. No user can modify the setting of this policy unless the user has access to the GPO you’ve just created.

Related articles

You may find these related articles of interest to you:


Securing Windows 2000 Communications with IP Security Filterslink out ico

Description of the IPSec Policy Created for L2TP/IPSec – 248750link out ico

Step-by-Step Guide to Internet Protocol Security (IPSec)link out ico

Using IPSec to Lock Down a Serverlink out ico

How to Configure IPSec Tunneling in Windows 2000 – 252735link out ico

How to Enable IPSec Traffic Through a Firewall – 233256link out ico

How to Use Internet Protocol Security to Secure Network Traffic Between Two Hosts in Windows 2000 – 301284link out ico

Using the IP Security Monitor Tool to View IPSec Communications – 231587link out ico