Tag Archives: IPsec

Windows Defender Firewall with Advanced Security – what is that Advanced Security part? Let’s remove the dust … (Part 3 – Allow the connection if it is secure rules and Connection security rules (IPSec))

The “Advanced Security” part of Windows Defender Firewall with Advanced Security is the part that covers the creation of “special” rules that behave like Allow rules, but only if the connection is secure. They work in conjunction with Connection security rules (which have to be configured separately).

Let’s say you would like to implement a PAW or Jump Box, or just limit which machines admins can connect to (even by mistake) – well, the Allow the connection if it is secure kind of rules can help you out.

In my example I decided to have two admins, Bill and John. They use the same PAW or Jump Box, called C2, from where they connect to the web interface for management of a server called SRV2 (it is an empty IIS website – just to get the idea …).

By following the previous tutorials I needed to create a firewall rule to allow port 80 to be accessible, as local rules are not processed (and we know that in Windows Server, when you install a Role or Feature, firewall rules are automatically created…).

When I do so I am able to access the website on http://srv2 from machine C2 whether John or Bill is logged in. But what if only Bill is the admin that should access the http://srv2 web interface – can we somehow limit that for John? The answer is YES!

So first of all we need to create a new Group Policy Object where we make a Block rule on port 80 – so nobody in the company will be able to access the web service on SRV2 any more. After that we create a new rule where we choose the option Allow the connection if it is secure, and as the requirement for a successful connection we set that the user on the machine must be Bill and the machine Bill is connecting from must be our PAW or Jump Box called C2. No other combination fulfills the criteria: if John is connected to C2 it is the wrong user; if Bill is connected to C1 and would like to connect, the wrong computer is in use. So only the combination of a valid user and a valid computer fulfills the criteria and allows the connection.

Just imagine how granularly you can configure which admin can access RDP / PowerShell remoting, connect via MMC and other consoles… First of all we reduce potential mistakes, but we also make it difficult for a potential attacker to get all the prerequisites to establish a successful connection …

After that we need to create another Group Policy Object where we define Connection security rules – basically we make the PAW or Jump Box (in our case called C2) establish an IPsec connection to SRV2 when the user tries to open the webpage (on TCP port 80).
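The same three pieces (the Block rule, the Allow-if-secure rule restricted to Bill on C2, and the connection security rule that authenticates both computer and user) as an added PowerShell example; this is not the post's own procedure, which uses the GPO editor. The domain EXAMPLE, the account names and the GPO name are placeholders.

```powershell
# Added example (not from the original post). Assumptions: domain EXAMPLE, user EXAMPLE\Bill,
# jump box EXAMPLE\C2$ and a GPO named "SRV2 HTTP access" are placeholders; $store targets that
# GPO, so run as a domain admin (set $store = 'PersistentStore' to try it on a stand-alone box).
$store = 'example.com\SRV2 HTTP access'

# Firewall rules carry principals as SDDL, not names, so resolve account -> SID -> SDDL.
function Get-AccountSddl([string]$Account) {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "O:LSD:(A;;CC;;;$sid)"    # one ACE: allow exactly this principal
}
$billSddl = Get-AccountSddl 'EXAMPLE\Bill'
$c2Sddl   = Get-AccountSddl 'EXAMPLE\C2$'   # computer accounts end with $

# 1. Block TCP 80 for everybody. A block rule normally beats any plain allow rule.
New-NetFirewallRule -PolicyStore $store -DisplayName 'Block HTTP to SRV2' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Profile Any -Action Block

# 2. "Allow the connection if it is secure", limited to Bill coming from C2.
#    -Authentication Required   = the GUI option "Allow the connection if it is secure"
#    -OverrideBlockRules $true  = the GUI checkbox "Override block rules"; without it rule 1 wins
#    -RemoteUser / -RemoteMachine = the Users and Computers tabs; both must match
New-NetFirewallRule -PolicyStore $store -DisplayName 'Allow HTTP to SRV2 from Bill on C2' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Profile Any -Action Allow `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteUser $billSddl -RemoteMachine $c2Sddl

# 3. Connection security rule. The user check can only be evaluated if IPsec authenticated
#    the user, so use Kerberos for the computer (first auth) AND for the user (second auth).
$machineAuth = New-NetIPsecPhase1AuthSet -PolicyStore $store -DisplayName 'Computer Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$userAuth = New-NetIPsecPhase2AuthSet -PolicyStore $store -DisplayName 'User Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos)
New-NetIPsecRule -PolicyStore $store -DisplayName 'IPsec for HTTP to SRV2' `
    -Protocol TCP -LocalPort 80 -Profile Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $machineAuth.Name -Phase2AuthSet $userAuth.Name

# Review what was written: the security filter shows the SDDL the rule will enforce.
Get-NetFirewallRule -PolicyStore $store -DisplayName 'Allow HTTP to SRV2 from Bill on C2' |
    Get-NetFirewallSecurityFilter
```

Rule 2 is evaluated only for traffic that rule 3 has already authenticated, which is why a connection from John on C2, or from Bill on C1, falls through to rule 1 and is dropped.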

Here is the video of such scenario:

Enable IPSec between Windows 10 client and Windows server 2016 – simple video tutorial

Today I tried to implement IPsec for certain protocols (in my example TCP port 80 from a Windows 10 client to a Windows Server 2016 running IIS, and ICMP, just to show that IPsec can be enabled on a per-protocol basis).

In my environment I have set up a simple domain with 2 servers (1 DC and 1 member server with IIS), 1 domain-joined Windows 10 client and one more Windows 10 machine with Wireshark just to sniff the traffic (using Hyper-V port mirroring).

You can check the 6-minute video tutorial here.


So the steps to enable IPsec using Windows Firewall with Advanced Security (introduced in Windows Vista) are the following:

1. First you need to create a security group containing the servers and clients you want IPsec policies enabled on.

2. Then you need to create a Group Policy Object linked to your computers / servers OU (in my case I created the GPO at the domain level – in a production environment I suggest you link it lower, at your computers and servers OUs).
Remove Authenticated Users from the GPO security filtering and insert your IPsec security group.

3. Then you need to edit the GPO at this location: Computer configuration / Policies / Windows settings / Security settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security / Connection Security Rules
Here you create a new rule:
– I chose the Custom rule option
– I left Any IP address selected for both Endpoints (so it will work for all IP addresses)
– On the next screen I configured the second option – Require authentication for inbound (so all inbound connections will require authentication – Warning! No access from workgroup or non-domain-joined computers) and Request authentication for outbound (www.google.com does not care about your IPsec policy :))
– On the next screen I used the Computer (Kerberos V5) authentication method
– On protocols and ports – in my first example I used TCP 80 on Endpoint 1 (so the “server side” will require authentication from everyone who wants to access the web server on port 80)
– I applied the policy to all profiles and gave my policy a name.
After creating the policy you should run gpupdate /force on both server and client – I did a reboot just to be sure, but most of the time gpupdate /force is enough. You can see your policy on server and client if you open Windows Firewall with Advanced Security and click on Connection Security Rules.

I used another Windows 10 machine with Wireshark just to monitor IPsec in action – I used Hyper-V port mirroring to send a copy of all traffic from my domain-joined Windows 10 client, so you can see from the captured traffic that the policy was applied correctly and that the traffic (opening http://srv1 and later pinging srv1) is encrypted.
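The connection security rule from steps 3 to 5 as an added PowerShell example (not the post's own steps, which use the GPO editor), written against the GPO and extended with the ICMP rule from the video and with an explicit quick-mode crypto set: the default proposals let the peers settle on integrity-only ESP, which still shows up as ESP in Wireshark but leaves the payload readable, so pinning AES-256 is what guarantees the capture really is encrypted. The GPO name and domain are placeholders.

```powershell
# Added example (not from the original post). Assumptions: GPO "IPsec policy" in example.com
# is a placeholder; run as a domain admin with the GroupPolicy/NetSecurity modules available.
$store = 'example.com\IPsec policy'

# Computer (Kerberos V5) authentication, as chosen in the wizard (step 3, authentication screen).
$auth = New-NetIPsecPhase1AuthSet -PolicyStore $store -DisplayName 'Computer Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

# Data protection: offer only ESP with AES-256 + SHA-256, so integrity-only ESP can't be chosen.
$crypto = New-NetIPsecQuickModeCryptoSet -PolicyStore $store -DisplayName 'ESP AES256 SHA256' `
    -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256)

# Settings shared by both rules: Any endpoints, Require inbound / Request outbound, all profiles.
$common = @{
    PolicyStore        = $store
    InboundSecurity    = 'Require'
    OutboundSecurity   = 'Request'
    Phase1AuthSet      = $auth.Name
    QuickModeCryptoSet = $crypto.Name
    Profile            = 'Any'
}

# Endpoint 1 is the local side of the rule, so LocalPort 80 protects the IIS site on srv1.
New-NetIPsecRule @common -DisplayName 'IPsec - HTTP' -Protocol TCP -LocalPort 80

# Second per-protocol rule, for the ping test shown in the video.
New-NetIPsecRule @common -DisplayName 'IPsec - ICMPv4' -Protocol ICMPv4

# After gpupdate /force on both machines, open http://srv1 and ping srv1 from the client, then
# check the negotiated SAs on either side; this complements the Wireshark mirror-port capture.
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, *Auth*
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, *Encap*, *Encrypt*
```

An empty result from Get-NetIPsecQuickModeSA right after the page loads means no IPsec SA was built for that traffic, which is the first thing to check when the capture still shows plain HTTP.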


The Greenbow IPSec VPN client

I was searching Google for a “universal” IPsec VPN client for Windows and I came across the website http://www.thegreenbow.com. I decided to try their product called TheGreenBow IPSec VPN Client. I saw that they also have a mobile version, but I need a VPN client for my laptop, so I decided to try this one first.

I was impressed by the simple installation and ease of use… I decided to write a short article and attach some screenshots so you can see how simple it is to create / configure VPN tunnels with The Greenbow VPN Client.

Another great thing is that they have configuration examples for gateways on their website. If you are using, say, Zyxel routers/firewalls/VPN gateways or a m0n0wall VPN gateway, just follow the examples on http://www.thegreenbow.com/vpn_gateway.html

Check my overview:
The Greenbow VPN client overview.docx
The Greenbow VPN client overview.pdf