Configuring Windows PCs to use IPSec

Using Windows Server 2008 and Windows 7 / Vista, it becomes quite easy to secure internal traffic using IPSec. This is a good security feature to implement: internal traffic no longer has to travel in cleartext, which matters because most attacks happen on the inside, through disgruntled employees, browser attacks and so on. In this article, I’ll explain how to use Windows Firewall with Advanced Security (WFAS) to secure communication between two internal PCs (a client and a web server).

The easiest way I found of doing this is by using a Connection Security Rule that enforces an isolation policy. This means that only encrypted traffic will be allowed to reach the server. Any traffic that is not encrypted and authenticated will result in the client’s browser showing the “Internet Explorer cannot display this page” error.
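As an added example that is not part of the original post, this is the local netsh equivalent of the isolation rule just described (the post pushes the same rule through a GPO instead), shown next to the weaker "request" action for contrast and followed by the commands that verify it is enforced. The rule names are my own; the addresses are the web server and client from this post.

```powershell
# Added example, not from the original post. Run in an elevated prompt on
# the web server. Assumed: rule names below are mine; 10.91.2.58 is the
# web server and 10.91.2.57 the Windows 7 client from this post.

# 1. Isolation rule: inbound AND outbound traffic to the web server must be
#    authenticated with the computer's Kerberos (domain) credentials.
#    "requireinrequireout" is what makes this an isolation policy: a peer
#    that cannot negotiate IPsec never gets a TCP connection, which is why
#    the browser shows "Internet Explorer cannot display this page".
netsh advfirewall consec add rule `
    name=IsolateWebServer `
    endpoint1=10.91.2.58 `
    endpoint2=any `
    action=requireinrequireout `
    auth1=computerkerb

# 2. The setting you do NOT want for isolation, shown for contrast only
#    (do not add both rules): "requestinrequestout" merely asks the peer
#    for IPsec and silently falls back to cleartext when authentication
#    fails, so unencrypted traffic still reaches the server.
#
#    netsh advfirewall consec add rule name=OpportunisticOnly `
#        endpoint1=10.91.2.58 endpoint2=any `
#        action=requestinrequestout auth1=computerkerb

# 3. Verify: the rule should be listed, and once the domain client opens
#    the site, a main-mode and a quick-mode security association between
#    10.91.2.57 and 10.91.2.58 should appear in the monitor output.
netsh advfirewall consec show rule name=IsolateWebServer
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If the client is not domain-joined (so Kerberos cannot authenticate it), the SA lists stay empty and the page fails to load, which is the intended behaviour of the isolation policy.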

I’m assuming you already have a web server and a client PC joined to the domain. In my case the nodes have these IPs:

Web Server: 10.91.2.58

Windows 7 Client: 10.91.2.57

The first step is to define this Connection Security Rule and push it out to all involved parties via GPO.

On the domain controller:

  • Open “Active Directory Users and Computers”. Here, create an Organizational Unit and move the web server and client computer objects into this OU.
  • Start > Run > gpmc.msc. Here, expand your domain and find the newly created OU. Right-click it and choose “Create a GPO in this domain, and link it here”.