IPSec Policy Agent security

In this article, I will show you how to prevent other users from disabling the IPSEC Policy Agent service.

In some previous articles, we showed you how to protect your computer with the IPSec mechanism (you can review Web browser with IPSec, Ping traffic lock with IPSec, and Block web browsing from a certain Windows 2000 / XP / 2003 computer to the Internet but still allow it to access sites on the intranet). From those articles, you already know how to block certain computers from accessing some websites or even browsing the entire Internet.

However, a problem arises from the fact that IPSec policy is applied by a service called IPSec Policy Agent. By default this service is loaded automatically (startup type Automatic), and it must be running for IPSec policy to work properly.

Users with administrator privileges can view the service status by running Services from the Administrative Tools, and can easily stop the service or even disable it, which affects the IPSec policies that are running. This is the problem that we need to prevent.

To do so, we need to configure a Group Policy Object (GPO) in Active Directory. You can also configure the setting locally, but to do so you need to run GPEDIT.MSC.

1. Open Active Directory Users & Computers. Right-click the domain (or an OU if you only want to configure a set of computers). Select Properties.

2. In the Properties window, click the Group Policy tab. Click New to create a new GPO (if you haven't already). Name the GPO; in this article we call it Secure Services.

Note: If you have a Windows Server 2003 DC with GPMC installed, you can shorten this step by opening the Group Policy Management snap-in from Administrative Tools and selecting your desired GPO.

3. Click Edit to edit the GPO.

4. Navigate to Computer Settings > Windows Settings > Security Settings > System Services. Browse to the IPSec Policy Agent service, then right-click it and select Security (or Properties in Windows Server 2003).

5. In the Security Policy Setting window, click Define this policy setting and select the service startup type Automatic.

In Windows 2003, click Edit Security.

6. A security window will open. Click Remove to remove the Everyone group. You can add yourself if you want, but for demonstration purposes, we will remove everyone, including ourselves. This prevents anyone from viewing the status of the running service, or from starting or stopping it.

In Windows Server 2003, the Everyone group is not listed. Instead, you will see the Administrators, System, and Interactive groups. Remove them if you want.

7. Click OK to exit.

8. Note that the policy setting is shown in the GPO window.

9. Close the GPO window. You must refresh the policy. Run the following command:

 secedit /refreshpolicy machine_policy /enforce

In Windows XP and Windows Server 2003, you need to type

 gpupdate /force

10. Return to the Services window. Press F5 to refresh the display. Although the state of the service is Started, there is no other information in this window.

Try to stop the service. You cannot. Try to view its properties. That is not possible either. No user can change the settings of this service unless they have access to the GPO you just created.
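
To confirm that the GPO really changed the service's access control list, rather than relying on what the Services window shows, the check below parses the security descriptor printed by `sc.exe sdshow` and lists every trustee that is still allowed to stop or reconfigure the service. It is an added example, not part of the original article; it assumes PowerShell 3.0 or later, the sample SDDL string is constructed, and the service short name `PolicyAgent` in the last comment is an assumption to confirm on your own system.

```powershell
# Added example: list trustees whose "allow" ACEs still permit stopping or
# reconfiguring a service, given the SDDL string from `sc.exe sdshow <name>`.

# Service access rights (SDDL two-letter codes) that defeat the lock-down.
$RiskyRights = @{
    'DC' = 'change config'
    'WP' = 'stop'
    'DT' = 'pause/continue'
    'SD' = 'delete service'
    'WD' = 'rewrite DACL'
    'WO' = 'take ownership'
    'GA' = 'generic all'
    'GW' = 'generic write (includes change config)'
    'GX' = 'generic execute (includes stop)'
}

function Get-ServiceControlAce {
    param([Parameter(Mandatory)][string]$Sddl)

    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object;inherit-object;trustee
        $f = $m.Groups[1].Value -split ';'
        # Only access-allowed ACEs grant rights; audit (AU) and deny (D) are skipped.
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }

        $allows = if ($f[2] -match '^0x') {
            # Rights given as a numeric mask are reported rather than guessed at.
            "numeric mask $($f[2]) (decode by hand)"
        } else {
            [regex]::Matches($f[2], '[A-Z]{2}') |
                ForEach-Object { $RiskyRights[$_.Value] } |
                Where-Object { $_ }
        }
        if ($allows) {
            [pscustomobject]@{ Trustee = $f[5]; Allows = $allows -join ', ' }
        }
    }
}

# Constructed sample: Authenticated Users (AU) are read-only, but
# Administrators (BA) can still stop and reconfigure the service.
$sample = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
Get-ServiceControlAce -Sddl $sample

# Live check (short service name is an assumption; confirm with `sc.exe query`):
# Get-ServiceControlAce -Sddl ((sc.exe sdshow PolicyAgent) -join '')
```

An empty result on the live check means no allow ACE grants any of the listed rights; an access-denied error from `sc.exe sdshow` means the account running the check cannot read the descriptor at all.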

Update 26 May 2019