{"id":297,"date":"2021-09-16T10:48:20","date_gmt":"2021-09-16T14:48:20","guid":{"rendered":"https:\/\/www.anthonyfontanez.com\/?p=297"},"modified":"2021-09-16T10:48:21","modified_gmt":"2021-09-16T14:48:21","slug":"windows-firewall-part-3-domain-ipsec-configuration","status":"publish","type":"post","link":"https:\/\/anthonyfontanez.com\/index.php\/2021\/09\/16\/windows-firewall-part-3-domain-ipsec-configuration\/","title":{"rendered":"Windows Firewall Part 3: Domain IPSec Configuration"},"content":{"rendered":"\n<p>Part 3 of this series will go over the preparation work required to utilize IPSec in the future. This work will allow for the creation of firewall rules that either require authentication, or require authentication and encryption, for greater access control and security. A new top-level GPO will define all of the specific parameters, for ease of changes later. This GPO will only set the domain baseline; the configuration can still be modified further on a case by case basis by using more policies applied closer to the specific endpoint if necessary.<\/p>\n\n\n\n<p><em>Note: This post assumes a basic knowledge of IPSec functionality, including how the various protocols work together, various algorithms used for encryption and hashing, etc. 
For more information, please see the following links:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.rapid7.com\/blog\/post\/2017\/02\/13\/basics-of-ipsec\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.rapid7.com\/blog\/post\/2017\/02\/13\/basics-of-ipsec\/<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/IPsec\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/en.wikipedia.org\/wiki\/IPsec<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Key_Exchange\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/en.wikipedia.org\/wiki\/Internet_Key_Exchange<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">GPO Creation<\/h2>\n\n\n\n<p>Start by creating a new GPO linked to the domain root named &#8220;Domain IPSec Configuration&#8221;. In this policy, navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Windows Defender Firewall with Advanced Security, open the firewall properties, and look at the IPSec Settings tab. Linking at the domain root means every domain member, domain controllers included, receives these defaults; that is acceptable here because this policy only defines defaults and contains no connection security rules, so on its own it changes no traffic.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"455\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-19.png\" alt=\"\" class=\"wp-image-273\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-19.png 400w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-19-264x300.png 264w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><figcaption>Windows Firewall Properties &#8211; IPSec Tab<\/figcaption><\/figure><\/div>\n\n\n\n<p>From here, customize the IPSec defaults by clicking Customize. 
This will lead to a new dialog, where the desired default settings can be configured. Everything set in this dialog is only a default: it is consulted when a connection security rule, or a firewall rule that requires authentication, does not specify its own settings.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"380\" height=\"530\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-20.png\" alt=\"\" class=\"wp-image-274\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-20.png 380w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-20-215x300.png 215w\" sizes=\"auto, (max-width: 380px) 100vw, 380px\" \/><figcaption>Customize IPSec Defaults<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Key Exchange (Main Mode) Configuration<\/h2>\n\n\n\n<p><em>Relevant MS Docs: <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-key-exchange-main-mode-settings\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-key-exchange-main-mode-settings\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Key Exchange (Main Mode) Settings<\/a><\/em><\/p>\n\n\n\n<p>Under the Key Exchange (Main Mode) section, select Advanced, and click Customize. The following two screenshots show the default configuration and the configuration I have chosen for my lab environment. This dialog holds the list of security methods (integrity algorithm, encryption algorithm and Diffie-Hellman group for the IKE security association) together with the main mode key lifetimes in minutes and sessions. Many combinations can be configured here; the methods are offered to the peer in list order, and both sides must share at least one, otherwise the IKE negotiation fails and any rule that requires authentication will block the traffic. What I have configured is a strong choice for a modern environment. If you have older operating systems in your environment, you may need to keep alternative combinations in the list so those peers still have a method in common. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"537\" height=\"505\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-21.png\" alt=\"\" class=\"wp-image-275\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-21.png 537w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-21-300x282.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\" \/><figcaption>Key Exchange &#8211; Default Configuration<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"537\" height=\"505\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-22.png\" alt=\"\" class=\"wp-image-276\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-22.png 537w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-22-300x282.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\" \/><figcaption>Key Exchange &#8211; New Configuration<\/figcaption><\/figure><\/div>\n\n\n\n<p>After configuring settings as desired, click OK here to save the Key Exchange configuration and return to the Customize IPSec Defaults dialog.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Data Protection (Quick Mode) Configuration<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p><em>Relevant MS Docs: <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-data-protection-quick-mode-settings\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-data-protection-quick-mode-settings\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Data Protection (Quick Mode) Settings<\/a><\/em><\/p>\n\n\n\n<p>Under the Data Protection (Quick Mode) section, select Advanced, and click Customize. 
The following two screenshots show the default configuration and the configuration I have chosen for my lab environment. This dialog has two lists: data integrity (AH, or ESP with a null cipher) and data integrity and encryption (ESP with a cipher). A firewall rule that requires encryption can only be satisfied by an entry from the second list, so that list must not be empty if such rules are planned; an AEAD cipher such as AES-GCM covers both integrity and confidentiality in one pass and is the usual modern choice there. Many combinations can be configured here; as with main mode, the proposals are tried in list order and the peer must support at least one. What I have configured is a strong choice for a modern environment. If you have older operating systems in your environment, you may need to keep alternative combinations in the list.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"498\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-23.png\" alt=\"\" class=\"wp-image-277\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-23.png 735w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-23-300x203.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><figcaption>Data Protection &#8211; Default Configuration<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"498\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-24.png\" alt=\"\" class=\"wp-image-278\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-24.png 735w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-24-300x203.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><figcaption>Data Protection &#8211; New Configuration<\/figcaption><\/figure><\/div>\n\n\n\n<p>After configuring settings as desired, click OK here to save the Data Protection configuration and return to the Customize IPSec Defaults dialog. 
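<\/p>\n\n\n\n<p>The whole procedure in this post (main mode, quick mode, the Kerberos authentication defaults covered in the next section, and the ICMP exemption after that) can also be written into the GPO from PowerShell with the NetSecurity module&#8217;s GPO session cmdlets, which is handier than the GUI when the baseline has to be reproduced in several domains or kept under version control. The script below is an added example from the editor; it is not part of the original post and not Microsoft&#8217;s code. The domain name corp.example, the GPO name, the display names and the particular algorithm choices are assumptions standing in for whatever the screenshots show; the -Default switch on each New-NetIPsec*Set cmdlet is what makes a set the policy&#8217;s default, i.e. the equivalent of the Customize IPSec Defaults dialog.<\/p>\n\n\n\n
```powershell
# Added example (editor's, not from the original post): builds domain-wide IPsec
# defaults equivalent to what the post configures through the GUI, using the
# NetSecurity module's GPO session cmdlets. Run from an elevated PowerShell on a
# domain-joined admin workstation with RSAT (GroupPolicy + NetSecurity modules).
#
# Assumptions: domain 'corp.example' and an existing GPO named
# 'Domain IPSec Configuration'; the algorithms below are the editor's choices.

$domain  = 'corp.example'
$gpoName = 'Domain IPSec Configuration'

# Every New-*/Set-* call below writes to this in-memory copy of the GPO;
# nothing reaches SYSVOL until Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"

# --- Key Exchange (Main Mode): IKE SA proposals, offered in list order --------
# Proposal 1 is the preferred modern set; proposal 2 is a DH14 fallback for
# peers that cannot do ECDH groups. Drop it once every peer is modern.
$mm = @(
    New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA384 -KeyExchange DH20
    New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
)
New-NetIPsecMainModeCryptoSet -GPOSession $gpo -Default `
    -DisplayName 'Domain default main mode' -Proposal $mm `
    -MaxMinutes 480 -MaxSessions 0   # rekey every 8 h, no per-session cap

# --- Data Protection (Quick Mode): ESP proposals for the child SAs ------------
# AES-GCM gives integrity and confidentiality together; its ESPHash must be the
# matching AES-GMAC. AES-CBC + SHA-256 stays as the fallback entry.
$qm = @(
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM256 -ESPHash AESGMAC256
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
)
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -Default `
    -DisplayName 'Domain default quick mode' -Proposal $qm `
    -PerfectForwardSecrecyGroup DH20   # fresh DH per child SA; 'None' disables PFS

# --- Authentication: the GUI's implicit default, stated explicitly -------------
# First authentication = computer Kerberos, second authentication = user Kerberos.
New-NetIPsecPhase1AuthSet -GPOSession $gpo -Default `
    -DisplayName 'Domain default first auth' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
New-NetIPsecPhase2AuthSet -GPOSession $gpo -Default `
    -DisplayName 'Domain default second auth' `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# --- IPsec exemptions: let ICMP bypass IPsec so ping still works for triage ---
# Note this replaces the whole exemption list, not just the ICMP flag.
Set-NetFirewallSetting -GPOSession $gpo -Exemptions Icmp

# Commit the session to the GPO; this is the point of no return.
Save-NetGPO -GPOSession $gpo

# Verify by reading the GPO back rather than trusting the session in memory.
$check = Open-NetGPO -PolicyStore "$domain\$gpoName"
Get-NetIPsecMainModeCryptoSet  -GPOSession $check | Select-Object Name, DisplayName, MaxMinutes, MaxSessions
Get-NetIPsecQuickModeCryptoSet -GPOSession $check | Select-Object Name, DisplayName, PerfectForwardSecrecyGroup
Get-NetIPsecPhase1AuthSet      -GPOSession $check | Select-Object Name, DisplayName
Get-NetIPsecPhase2AuthSet      -GPOSession $check | Select-Object Name, DisplayName
Get-NetFirewallSetting         -GPOSession $check | Select-Object Exemptions
```
\n\n\n\n<p>This is a single-shot script: a GPO can hold only one default set of each kind, so a second run fails on the New-NetIPsec*Set calls until the earlier defaults are removed with Remove-NetIPsecMainModeCryptoSet and its siblings against the same GPO session. Endpoints pick the result up on the next Group Policy refresh; on a client, Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore shows what actually took effect. 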
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Authentication Method<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>Relevant MS Docs: <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-authentication-methods\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/configure-authentication-methods\" target=\"_blank\">Configure Authentication Methods<\/a><\/p>\n\n\n\n<p>Finally, configure the default Authentication Method by selecting Advanced and Customize. Here, the default configuration will appear empty, but for reference, the default configuration is to utilize Computer Kerberos and User Kerberos. In my configuration I&#8217;ll configure it to be the same as what the default configuration actually, but explicitly defined.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"733\" height=\"489\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-25.png\" alt=\"\" class=\"wp-image-279\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-25.png 733w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-25-300x200.png 300w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><figcaption>Authentication Method Configuration<\/figcaption><\/figure><\/div>\n\n\n\n<p>Once configured, click OK to save the Authentication Method settings, return to the Customize IPSec Defaults dialog, and click OK here as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IPSec Exemptions<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>Now back in the Windows Firewall properties IPSec Settings tab, configure ICMP to be exempted from IPSec, as this will make simple troubleshooting such as using ping easier.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" 
height=\"455\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-42.png\" alt=\"\" class=\"wp-image-298\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-42.png 400w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-42-264x300.png 264w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><figcaption>IPSec Exemptions<\/figcaption><\/figure><\/div>\n\n\n\n<p>After clicking OK here, the domain-wide IPSec configuration is complete, and it&#8217;s now ready to be utilized.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>At this point, a baseline IPSec configuration has been applied to all domain endpoints, but no changes ave been made as to how endpoints communicate with each other. This baseline will be used in conjunction with later created policies to secure communication between endpoints.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Part 3 of this series will go over the preparation work required to utilize IPSec in the future. 
This work will allow for the creation<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,7],"tags":[2,3],"class_list":["post-297","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-security","tag-active-directory","tag-security"],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/comments?post=297"}],"version-history":[{"count":10,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/297\/revisions"}],"predecessor-version":[{"id":397,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/297\/revisions\/397"}],"wp:attachment":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media?parent=297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/categories?post=297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/tags?post=297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}