Solution
Using a Graphical User Interface
1. Open the Group Policy Management Console or the IP Security Policy Management MMC snap-in.
2. Navigate to Computer Configuration\Windows Settings\IP Security Settings.
3. Right-click the policy for which you want to configure the authentication method and select Properties.
4. Select the rule that you want to modify and click Edit.
5. On the Authentication Methods tab, click Add to configure a new authentication method. You can select from one of the following:
   - Active Directory default (Kerberos v5 protocol): This will use Kerberos authentication between IPSec hosts.
   - Use a certificate from this Certification Authority (CA): This will use a public key certificate. Click Browse to select the certificate that should be used.
     Note: To prevent the name of the CA from being sent along with the certificate request, place a check mark next to Exclude the CA Name from the Certificate Request. Place a check mark next to Certificate to Account Mapping to enable account mapping for your certificates.
   - Use this string (pre-shared key): This will allow you to specify a string to be used for authentication.
Caution: Preshared keys are the weakest form of IPSec authentication because the master key is less secure than when using other methods, and the key itself is stored in plain text. This method of authentication should be used only when absolutely necessary.
Using a Command-Line Interface
The following command creates an IPSec rule for the Web Server policy, which blocks all traffic
defined by the Port 1433 filter list. It will use a preshared key for authentication.
> netsh ipsec static add rule name="Block Port 1433" ^
    policy="Web Server" filterlist="Port 1433" filteraction="Blocker" ^
    psk=5243ab59c835d106583dfa358235
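The Kerberos and certificate choices listed in the GUI steps have command-line equivalents as well. The batch file below is an added example, not part of the original text: it moves the rule created above off its preshared key, reusing the rule and policy names from that command and assuming a constructed placeholder for the CA distinguished name.

```bat
@echo off
rem Added example (not from the original text). Rule and policy names are the
rem ones used in the command above. The CA distinguished name is a constructed
rem placeholder: substitute the subject name of your own issuing CA.
setlocal
set "POLICY=Web Server"
set "RULE=Block Port 1433"
set "CA_DN=C=US,O=Example Corp,CN=Example Root CA"

rem "set rule" overwrites the rule's authentication methods with the list
rem given here, so the preshared key is removed from the rule.
rem The order of the parameters sets the preference: Kerberos v5 first,
rem then a certificate issued by the named CA.
rem   certmap:yes        is the "Certificate to Account Mapping" check box
rem                      (certificate mapping is valid only for domain members)
rem   excludecaname:yes  is "Exclude the CA Name from the Certificate Request"
netsh ipsec static set rule name="%RULE%" policy="%POLICY%" ^
    kerberos=yes ^
    rootca="%CA_DN% certmap:yes excludecaname:yes"

rem Show the rule in detail and confirm that the authentication methods
rem listed are Kerberos and the certificate, with no preshared key left.
netsh ipsec static show rule name="%RULE%" policy="%POLICY%" level=verbose
endlocal
```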