The SP2 support tools contain ipseccmd.exe, which is a command line based
ipsec policy configuration tool that will run on both XP and Win2k3. That
will do just what you want it to do...
Check out this KB for detailed instructions:
http://support.microsoft.com/default.aspx?scid=kb;en-us;813878
IPSecCmd is basically an updated version of the older ipsecpol resource kit
tool for Win2k. And though an older article (specific to Win2k), this
technet piece by Steve Riley provides a more detailed overview of the IPSec
gui with further references to ipsecpol syntax-- ipsecpol's syntax won't
work with XP's ipseccmd, but I think the article's content would be of value
to you as it provides theory and best practices context.
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx
hth
T
------
*Secure your infrastructure*
Microsoft Ninjitsu: Securely Deploying MS Technologies
security training delivered by Timothy Mullen.
Registration now open Blackhat Vegas 2005:
http://www.blackhat.com
----- Original Message -----
From: "Rasmus Rønlev" <rr.its@cbs.dk>
To: "'Security Focus Microsoft Mailinglist'" <focus-ms@securityfocus.com>
Sent: Friday, May 27, 2005 10:08 AM
Subject: RE: Scripted IPSec policies on Windows XP (without AD/GPOs)
Hey,
Thanks for the responses.
First, it seems netsh ipsec (even in WinXP SP2) commands are only supported
with Windows 2003 Server products. I did originally hope for being able to
use netsh for scripting my way out of it - but this doesn't seem to be
possible - at least it hasn't been on the Windows XP boxes I've checked.
Secondly, I'm looking at the 'DCOM IPSec Mitigation Tools' that K Levinson
suggested. I actually was made aware of ipseccmd earlier today (my email was
sent last night my local time ;) - and have been toying around with it along
with the IP Security Policy snap-in. I'm thinking this is the viable
solution when combined with the information coming in the toolpack :)
So thanks to both of you. If anyone else knows of other methods please
enlighten me, as they might be better or easier to use!
Regards,
r@smus
-----Original Message-----
From: Brian A. Reiter [mailto:breiter@wolfereiter.com]
Sent: 27. maj 2005 18:58
To: 'Rasmus Rønlev'; 'Security Focus Microsoft Mailinglist'
Subject: RE: Scripted IPSec policies on Windows XP (without AD/GPOs)
You should look into netsh.exe. Netsh is the command-line management tool
for all network configuration settings in Windows XP and Windows Server
2003.
1.) Is it possible either through the 'local' mmc based "IP
Security Policy"
or using another tool to export the given IPSec policy (for
importing elsewhere and/or using in a script)
You can certainly import and export a policy with the MMC snap-in to a
"policy file". I believe you can also import and export a policy using
netsh.
2.) Does anyone know of a way to script applying this IPSec
policy onto other/client PC's (They're all Windows XP SP2 boxes).
You can use netsh to script changes to IPSec. Adding a rule using netsh
would look something like this.
netsh ipsec static add filter filterlist="Outbound Filter" srcaddr=me
dstaddr=any description="HTTP out" protocol TCP srcport=0 dstport=80
A source port of 0 maps to any.
See this article in Technet for a more complete reference of netsh.
http://tinyurl.com/amku6
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
