
W2K domain IPsec implementation

Posted by MWest on April 12, 2006, 6:29 am
Hi,

I'm working on the implementation of IPsec in a Windows 2000 environment.

The environment is highly secured, with almost no rights on the users' desktop.
IPsec is set up in the domain-level GPO, but when signing on to the
machine with a domain user account and checking the status in the
ipsecmon.exe tool, it tells you IPsec is not enabled on the machine.

When I add the domain user to the local Administrators group it will
work, and ipsecmon.exe will tell you IPsec is enabled.
But when the domain user is in the Power Users group it won't be active.
Since this is a highly secure environment we cannot leave the domain user in
the Administrators group.

Looks to me like this has to do with the rights on the machine?
But I cannot figure out where these rights are really applied or needed when
it comes to IPsec policies.

If anyone can help me or give me some suggestions to make this work, please
do so.

Thanks


Posted by Roger Abell [MVP] on April 12, 2006, 7:12 am
Are you saying that when logged in without admin privs you
are unable to determine that IPsec is active?
Did you try getting at the machine in a way that IPsec disallows
while a limited user is logged in?
Notice that IPsec is set up as computer policy, not user policy.
If it is effective, it is so without regard to what account is logged
into the machine, if any.
I believe you are dealing with the fact that some tools do not
work except for admins, and that some remote ways of assessing the
IPsec status of machines are broken / brain-dead, particularly in
a purely W2K environment.




Posted by MWest on April 12, 2006, 8:21 am
No, I can check the status of IPsec in any case using ipsecmon.exe.
But the GPO IPsec policy will only be active when you have administrative
rights on the local machine.

I do know that this is a machine-related GPO setting, and I'm sure it is
set correctly.

But I would like the IPsec domain policy to be enforced even if you're
logged in as a regular user.


Posted by Roger Abell [MVP] on April 12, 2006, 10:48 am
Do you know, other than from the possibly misleading info from ipsecmon,
that it is not active when a non-admin is logged in?
The IPsec implementation (not just the policies used for it) is blind to
what user is logged in (at least until Vista releases).




Posted by Steven L Umbach on April 12, 2006, 12:04 pm
I agree with Roger 100 percent, and some utilities do not work correctly when
the user is not a local administrator. Try using netdiag also when logged on
as a regular user, though you will have to install the Support Tools. You can
run the whole command to check the health of networking and domain
membership, or use netdiag /test:ipsec for just the IPsec test, which will show
whether the IPsec policy is active.

Also, if you monitor traffic that should be secured with IPsec with a packet
sniffer such as netmon (included in the server operating systems), it will be
very obvious whether IPsec is being used or not. And if the destination/server
computer has a "require" IPsec policy, the client computer would not be able to
access it if IPsec was not enabled with a compliant policy on it. --- Steve


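The sniffer check Steve describes above, as an added example that is not code from any poster in this thread: the script below takes raw IPv4 packets (link layer already stripped, as you would get after exporting a netmon capture) and labels each one as ESP, AH, IKE or cleartext purely from the IP protocol number and UDP ports, then gives a verdict for the whole capture. It goes one step beyond the thread by also recognising NAT-T traffic on UDP 4500 (RFC 3948). The sample packets, addresses and SPIs are constructed inline so it runs offline.

```python
"""Classify captured IPv4 packets as IPsec (ESP/AH), IKE, or cleartext.

Added example for this thread, not code from any poster. Takes raw IPv4
packets (no link-layer header) as bytes; the sample packets at the bottom
are constructed so the script runs offline.
"""
import socket
import struct
from collections import Counter

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload (RFC 4303)
IPPROTO_AH = 51    # Authentication Header (RFC 4302)
IKE_PORT = 500     # ISAKMP/IKE negotiation
NATT_PORT = 4500   # IKE and UDP-encapsulated ESP behind NAT (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify(packet: bytes) -> str:
    """Return a label describing what one IPv4 packet carries."""
    if len(packet) < 20:
        return "malformed"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]            # IPv4 protocol field
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if NATT_PORT in (sport, dport):
            # On 4500 a four-zero-byte marker precedes IKE; anything else is
            # ESP, whose SPI is never zero (RFC 3948 section 2.2).
            return "ike-natt" if data[:4] == NON_ESP_MARKER else "esp-udp"
        if IKE_PORT in (sport, dport):
            return "ike"
        return "cleartext-udp"
    if proto == IPPROTO_TCP:
        return "cleartext-tcp"
    return "cleartext-other"


def summarize(packets):
    """Count labels over a capture and say whether IPsec is really in use."""
    counts = Counter(classify(p) for p in packets)
    protected = counts["esp"] + counts["ah"] + counts["esp-udp"]
    negotiating = counts["ike"] + counts["ike-natt"]
    if protected:
        verdict = "ipsec-active"
    elif negotiating:
        verdict = "ike-only"      # negotiation seen, but no protected data yet
    else:
        verdict = "no-ipsec"
    return counts, verdict


# --- constructed sample packets (checksums left zero; classify ignores them)
def ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


ISAKMP_HDR = bytes(28)   # placeholder 28-byte ISAKMP header (constructed)
SAMPLE = [
    ipv4(IPPROTO_UDP, udp(500, 500, ISAKMP_HDR)),                      # IKE
    ipv4(IPPROTO_ESP, b"\x00\x00\x10\x01" + bytes(4) + bytes(40)),     # ESP, SPI 0x1001
    ipv4(IPPROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + ISAKMP_HDR)),   # IKE over NAT-T
    ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00\x00\x10\x02" + bytes(44))),  # ESP in UDP
    ipv4(IPPROTO_TCP, bytes(20)),                                      # unprotected TCP
]

if __name__ == "__main__":
    counts, verdict = summarize(SAMPLE)
    print(dict(counts), verdict)
```

Because the verdict depends only on protocol numbers and ports on the wire, it answers Roger's question directly: whether a limited user or nobody at all is logged on makes no difference to what the capture shows. A capture from a host that is supposed to be protected but shows only cleartext-tcp to a "require" peer is the real evidence that the policy is not in effect, regardless of what ipsecmon reports.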


