Solved

Apply Security Policy using GPO

Posted on 2009-02-19
Medium Priority
903 Views
Last Modified: 2013-11-15
I would like to apply a "firewall" type filter to certain PCs in my network.

I think I found the trick going to --> Admin tools --> domain controller security policy --> IP Security Policies on Active Directory --> Create new IP security policy --> and then apply the following IP filters

permit ip any source to subnet 10.80.254.0 0.0.0.255
permit ip any source to host 10.80.2.146
deny ip any 10.80.0.0 0.15.255.255
permit ip any any

Then I go to GPM and link the GPO to an OU.. then enforce and enable.

I've done this.. and my filter doesn't seem to be applied to PCs in that OU. I can still access areas defined as needing to be inaccessible. How can I check to see if the GPO has been applied to the user/group/OU, and looking at my steps above, did I follow the required steps to make this filter take place?

On the users PC (windows XP) I did indeed do a gpupdate /force and reboot..

Many thanks

Question by:gevansmdes
19 Comments
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 23685405
Log into the workstation as the user in question and execute: gpresult -v
This will print out a verbose list of the groups that the machine and user are members of, as well as any policies that were applied and filtered.

If the policy you created is not in the list of GPOs that were applied, then there is a configuration problem somewhere else based on the security or WMI filters in your policy, the link that connects the policy to the OU, or a setting at the OU level that might prevent policies from being inherited.
LVL 18

Expert Comment

by:flyingsky
ID: 23685416
run gpresult /R from the workstation and check if the GPO applied to this machine or not.

Author Comment

by:gevansmdes
ID: 23685791
dhoffman_98:

I get the following output when I run gpresult -v

USER SETTINGS:

The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        ACL for Public PCs
            Filtering:  Not Applied (Empty)

What does this mean... "empty"



I checked the health of the GPO on the server and it checked out OK with GPOTool.exe

LVL 13

Expert Comment

by:dhoffman_98
ID: 23686246
It means that it doesn't see any settings in the policy that apply to the object. For example, you may very well have a policy called "ACL for Public PCs", but the "User Configuration" section of that GPO might have no settings in it... empty. The policy you are trying to set is a computer configuration, not a user configuration. You didn't show the computer configuration section of the gpresult.

Also, rather than going to Admin tools --> domain controller security policy --> IP Security Policies on Active Directory to create the policy, you should use GPMC to create the policy, and then link it only to the OU and machines to which you want it to apply.

Doing it the way you are is going to set the policy for domain controllers, but not necessarily by way of a group policy object that you can replicate to other machines.
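The diagnostic point in the reply above, that "Not Applied (Empty)" in the USER SETTINGS block says nothing about whether the computer half of the GPO reached the machine, is easier to check mechanically. The following is an added example, not code from the thread: a small parser for the text layout of `gpresult /v` that reports a GPO's status in the COMPUTER and USER scopes separately. The sample output is constructed for this example and mimics the XP/2003 layout quoted in the thread; the machine, user, domain and GPO names in it are hypothetical, and the indentation handling assumes that layout's four-space nesting.

```python
"""Added example (not from the thread): parse the text output of `gpresult /v`
so that a GPO's status can be checked in the COMPUTER and USER scopes
separately.  SAMPLE is constructed for this example and mimics the XP/2003
layout quoted in the thread; machine, user, domain and GPO names are
hypothetical."""

SAMPLE = """\
COMPUTER SETTINGS
------------------
    CN=PUBLIC-PC01,OU=Public PCs,DC=example,DC=local
    Last time Group Policy was applied: 2/19/2009 at 9:12:03 AM
    Group Policy was applied from:      dc01.example.local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
        Domain Computers

USER SETTINGS
--------------
    CN=jdoe,OU=Public Users,DC=example,DC=local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        ACL_Public_PC
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
        Domain Users
"""

SCOPE_HEADERS = {"COMPUTER SETTINGS": "computer", "USER SETTINGS": "user"}


def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    result, scope, section, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SCOPE_HEADERS:
            scope = SCOPE_HEADERS[line]
            result[scope] = {"applied": [], "filtered": {}}
            section = None
            continue
        if scope is None or not line or set(line) == {"-"}:
            continue  # outside any scope, blank, or a dashed underline
        if line == "Applied Group Policy Objects":
            section = "applied"
            continue
        if line.startswith("The following GPOs were not applied"):
            section = "filtered"
            continue
        if line.endswith(":") or line.startswith(("The computer is", "The user is")):
            section = None  # a later block (group memberships etc.) begins
            continue
        if section == "applied":
            result[scope]["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                if pending is not None:
                    result[scope]["filtered"][pending] = line.split(":", 1)[1].strip()
                    pending = None
            else:
                pending = line  # GPO name; its reason follows on the next line
    return result


def gpo_status(parsed, name):
    """Summarise one GPO per scope: 'applied', 'filtered: <reason>' or 'absent'."""
    status = {}
    for scope, data in parsed.items():
        if name in data["applied"]:
            status[scope] = "applied"
        elif name in data["filtered"]:
            status[scope] = "filtered: " + data["filtered"][name]
        else:
            status[scope] = "absent"
    return status


if __name__ == "__main__":
    parsed = parse_gpresult(SAMPLE)
    for gpo in ("ACL_Public_PC", "Default Domain Policy"):
        print(gpo, gpo_status(parsed, gpo))
```

For the constructed sample, `ACL_Public_PC` comes back as `absent` in the computer scope and `filtered: Not Applied (Empty)` in the user scope. Since an IP Security Policy lives under Computer Configuration, the computer-scope result is the one that matters: "absent" there means the GPO never reached the machine at all (typically because the computer object is not under the OU the GPO is linked to, or because security filtering or blocked inheritance keeps it out), which is a different problem from the "Empty" message in the user scope.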

Author Comment

by:gevansmdes
ID: 23686433
dhoffman_98

getting closer.. glad you saw my other post!!

"Also, rather than going to Admin tools --> domain controller security policy --> IP Security Policies on Active Directory to create the policy, you should use GPMC to create the policy, and then link it only to the OU and machines to which you want it to apply."

Okay I opened up GPMC via start --> control panel --> admin tools --> group policy manager

But I can see how to create a GPO for the purpose of creating an IP Security Policy.. toss me a bone? Please be fairly specific if possible

"You didn't show the computer configuration section of the gpresult."

the computer configuration didn't list the GPO I create at all..

Many thanks




Author Comment

by:gevansmdes
ID: 23686564

How do I create a GPO for the IP Security Policy?

Author Comment

by:gevansmdes
ID: 23686962
I only ask how do I create it because you're saying it's wrong; however it appears to be golden according to the comparisons I'm making with other GPOs and other guys around here looking at it.. I did rebuild it in GPMC though..

My standing issue is this error:        

ACL_Public_PC
            Filtering:  Not Applied (Empty)

*** VERBOSE BELOW ***

USER SETTINGS:

The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        ACL_Public_PC
            Filtering:  Not Applied (Empty)
LVL 13

Expert Comment

by:dhoffman_98
ID: 23687252
Unfortunately, I've already left work for the day, otherwise, I'd even try to grab you a screen shot and can look at my policies better. If the question is still open in the morning, I'll get on and try to get you more explicit details then.

LVL 18

Expert Comment

by:Americom
ID: 23688560
I believe what you did originally was that you went "Admin Tools->Domain Controller Security Policy"; this only changes the domain controller. So, according to your originally posted steps, you didn't really show you have created a GPO, other than maybe modifying the GPO that was linked to your Domain Controllers.

To apply to a PC, you need to do it from the PC like "Admin Tools->Local Security Policy". But if you want to create a GPO and apply it to multiple PCs, you need to use GPMC.

Once you start GPMC, you can create a new GPO and name it something that tells you what it is for. Then right click on the GPO and select Edit; in the editor that opens, browse to Computer Configuration | Windows Settings | Security Settings | IP Security Policies.
This is where you create the IP Security policy. It is a computer policy and, when done, you should link it to the OU where your PC is. (According to your info above, "user/group/ou", I'm not sure if your PC object is there; it looks like a user or group object.)


Author Comment

by:gevansmdes
ID: 23691904
Americom: - I did exactly what you spoke of.. See attached screen shot. dhoffman already sent me down that path but thank you for your input.

It seems like my IP security policy is correct but perhaps I'm just missing one option..

Please see the attached JPG for more info


scrnshot.JPG
LVL 13

Expert Comment

by:dhoffman_98
ID: 23693650
OK, we need to start clean here, and I'll apologize for not getting back to you until this morning.

I think we both got ourselves a little confused about what you want to do and how you started to do it. What you want to do is configure firewall settings based on IP Addresses and Port numbers, however what you are actually doing in your examples is configuring IPSEC policies, which are policies that are used for establishing secure tunneling. These are two totally different things, and IP Firewall is actually configured in a different place than IPSec.

I'd like to help further, but need a better understanding of what you are trying to accomplish. Are you trying to prevent traffic from getting TO some of your client machines, or are you trying to prevent traffic from leaving those machines to certain addresses?

Also, you wrote an explanation of your filters as such:
   permit ip any source to subnet 10.80.254.0 0.0.0.255
   permit ip any source to host 10.80.2.146
   deny ip any 10.80.0.0 0.15.255.255
   permit ip any any

This doesn't make much sense to me. The subnet masks are upside down. The first line should probably read:
   permit ip any source to subnet 10.80.254.0 255.0.0.0
Or could also be shown as:
   permit ip any source to subnet 10.80.254.0/8
Either of those would identify all machines on the 10.x.x.x subnet. But the way you wrote it doesn't make sense.

Then if these filters are supposed to be applied in order, you show that traffic to that subnet should be permitted, then traffic to one address (10.80.2.146) should be permitted (but would be permitted by the first rule anyway).
Then your third rule is upside down again, and I'm not sure what your subnet really should look like, unless you meant to write 10.80.0.0 255.255.15.0, but then the 15 doesn't really make sense. Perhaps you meant 255.240.0.0? It looks like this was built to deny traffic to a portion of your subnet. What did you mean here?
Then your fourth rule allows all other traffic.

Why are you doing a permit, permit, deny, and then permit again?
I would think you should simplify that to two lines:
   deny ip any 10.80.0.0 255.240.0.0
   permit ip any any

----

Now as for where you should be configuring this... instead of IPSEC policies, you want to configure the firewall.
There are settings for that in a different location:
-> Computer Configuration
   -> Administrative Templates
      -> Network
         -> Network Connections
            -> Windows Firewall
               -> Domain Profile

However, it seems that the settings here are for application and port specific settings.
There may also be other ways to configure and deploy a firewall policy though... including some tips for managing firewall rules via GPO. Check out this page:
http://technet.microsoft.com/en-us/library/cc737845.aspx

Author Comment

by:gevansmdes
ID: 23693757
dhoffman_98 I appreciate your response.

1) In order to apply IP based filters I have to use the IPSEC module in windows.. IPSEC Security is not designed only for IPSEC tunnels but for also for IP filtering - http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

2) The ACLs you see are not backwards - I was using wildcard masks instead of subnet masks in this post; however, in the ACL filter created in the GPO I used subnet masks.. so it looks more like this

   permit ip any source to subnet 10.80.254.0 255.255.255.0
   permit ip any source to host 10.80.2.146
   deny ip any 10.80.0.0 255.240.0.0
   permit ip any any

sorry for the confusion

What this ACL does is allow access to particular subnet and host then denies access to the rest of my network.. then allows the user access out of my network so they can get to the web ftp sites etc
LVL 13

Expert Comment

by:dhoffman_98
ID: 23693806
OK, well now the subnet information looks correct to me...

I do see the line in that article that says "Besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism." But I would think this could be done at a less complicated level... not to mention that most environments handle this at the network firewall level, not at each individual workstation.

I saw you already posted another new question about why the policies are not populating. Do you want to close this one?
LVL 13

Expert Comment

by:dhoffman_98
ID: 23693828
Also, the instructions in that article are for blocking a single computer... which is what you tried to do initially. If you want to do this for a group of computers, by using a GPO, check out this link:
http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm

Author Comment

by:gevansmdes
ID: 23694450
http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm

This is the article I followed and I'm getting the error. I also am using a book that says the same thing as the article. Can't use a firewall because of LAN subnets, and the ACL only needs to be applied based on the username (group and OU) of the client.

I'm not closing ticket (or at least assigning full points) until someone helps me figure out the error. If this doesn't get resolved I'll assign you points because you have put so much time and effort into my issue.
LVL 13

Expert Comment

by:dhoffman_98
ID: 23697791
I got it! Just at the end of the day, I was able to implement a test GPO that was able to implement a firewall filter, and it did get applied.

I'll try to help out with more information in the morning.

As for the other ticket you opened, it is still related to this, so perhaps I'll post the solution in that one and you'll be able to close them both... up to you, let me know.

Author Comment

by:gevansmdes
ID: 23711287
dhoffman_98:

Post the answer here please.. we'll get you pts on both questions. What did you do to get it to work? Please post a screen shot or detailed answer. Many many thanks
LVL 13

Accepted Solution

by: dhoffman_98 (earned 2000 total points)
ID: 23711750
OK, so I created a test GPO and used the IPSec Policy to create a firewall filter that allowed me to connect to some subnets, but deny me to others. And it worked for me.

Under Computer configuration -> Windows settings -> Security Settings -> IP Security Policies...
I created a new policy called "TEST" and created two new IP Filters called "TEST_Allow" and "TEST_Deny", and then enabled those filters for the policy. You have to remember to turn on the checkboxes in the Policy Properties to get those filters to apply.

Then in the IP Security Policies view, you have to ASSIGN the policy to that GPO. It looks like in your example, you do have the YES under the assign column, so that doesn't seem to be a problem. But perhaps you might not have created your filters or you may not have turned them on for that policy.

In short, I was able to create a policy that would allow me to access the entire subnet on the 3rd and 5th floors of my building, but deny access to the 4th floor, and then tested that policy against one machine... and it just worked. I'm thinking the same could be done for what you want to do.

However... I think you are overcomplicating it by allowing access to a subnet and then access to a host, and then denying, and then allowing again. So you may not get the results you want.

Unfortunately, I can't see a way to indicate a particular order that the rules are supposed to apply, so if you have allow and deny rules in place, then how do you know which overwrites the other?

In your example, you wrote that you want the following policies:
   permit ip any source to subnet 10.80.254.0 255.255.255.0
   permit ip any source to host 10.80.2.146
   deny ip any 10.80.0.0 255.240.0.0
   permit ip any any

If you do this, then when does the last line get applied? If it gets applied after the deny, then does that not contradict the deny? Your deny statement says to BLOCK traffic going to the entire subnet consisting of 10.80.0.0-10.95.255.255. But you also have a permit statement that says to allow traffic to the 10.80.254.0-10.80.254.255 subnet as well as another permit statement that says to allow traffic to 10.80.2.146.

So... to test this theory, I made some changes to my policy.
I want to allow all traffic from my test machine to two entire subnets, plus ONE host on a third subnet, but deny traffic to the rest of that third subnet.

Allow traffic to 10.1.3.0/24 -- Third Floor Subnet
Allow traffic to 10.1.5.0/24 -- Fifth Floor Subnet
Allow traffic to 10.1.4.34/32 -- One host on Fourth Floor
Deny traffic to 10.1.4.0/24 -- Fourth Floor Subnet

I created two filter lists... TEST_Allow that has all three allow statements, and TEST_Deny that has the deny statement. I created a new Filter Action called "DENY" that uses a BLOCK setting. (There was no block by default).

Then in the properties for the new policy, I turned on the check boxes for both of my new rules, and opened the edit properties screen for each rule. The properties for each rule have tabs for "Filter List" and "Filter Action". You have to select which Filter List you want the rule to use, and which Filter Action you want to take effect. So for my Allow filter, I selected the Test_Allow filter list, and the default "Permit" filter action. Then for my Deny filter, I selected the Test_Deny filter list, and the new DENY filter action that I created.

Applied it to a machine, and tested... and got the results I wanted.
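The two questions left open in this thread, whether the wildcard masks in the first post and the subnet masks in the GPO describe the same networks, and what happens to "permit, permit, deny, permit" when the policy has no rule ordering, can both be worked through with a short model. The following is an added example, not code from the thread or from Windows: it converts the poster's wildcard masks to CIDR networks and then evaluates the four rules under two strategies. `first_match()` is the ordered, Cisco ACL-style evaluation the rules were written in. `most_specific_match()` ignores order and lets the filter with the longest matching prefix win; that is the assumption made here for how Windows IPsec resolves overlapping filters (its documentation describes filters as applied from most specific to least specific), so treat that part as a model rather than a reproduction of the IPsec driver.

```python
"""Added example (not from the thread): a model of how the four filters quoted
above resolve for a given destination address.  most_specific_match() encodes
the assumption that Windows IPsec picks the longest matching prefix among
overlapping filters; first_match() is ordered ACL evaluation."""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask (0.0.0.255) -> CIDR network.  The wildcard is the
    bitwise inverse of the subnet mask, so 0.15.255.255 becomes 255.240.0.0."""
    inverse = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    mask = str(ipaddress.IPv4Address(inverse))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def address_range(net):
    """First and last address covered by a network, as strings."""
    return str(net[0]), str(net[-1])


# The four rules from the thread, in the order the poster listed them.
RULES = [
    ("permit", wildcard_to_network("10.80.254.0", "0.0.0.255")),   # /24
    ("permit", ipaddress.ip_network("10.80.2.146/32")),            # one host
    ("deny",   wildcard_to_network("10.80.0.0", "0.15.255.255")),  # /12
    ("permit", ipaddress.ip_network("0.0.0.0/0")),                 # everything else
]

# The same rules with "permit any any" moved to the top, to show that order
# decides the outcome in one model and is irrelevant in the other.
REORDERED = [RULES[3]] + RULES[:3]


def first_match(rules, dst):
    """Ordered evaluation: the first rule whose network contains dst decides;
    no match means an implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"


def most_specific_match(rules, dst):
    """Unordered evaluation: among all rules containing dst, the longest prefix
    decides.  Two rules of equal length with different actions would be
    ambiguous; the first listed wins here only to keep the result deterministic."""
    ip = ipaddress.ip_address(dst)
    matches = [(action, net) for action, net in rules if ip in net]
    if not matches:
        return "deny"
    best = max(matches, key=lambda m: m[1].prefixlen)
    return best[0]


def compare(rules, dst):
    """Decision under both models for one destination address."""
    return {"first_match": first_match(rules, dst),
            "most_specific": most_specific_match(rules, dst)}


if __name__ == "__main__":
    print("deny rule covers", address_range(RULES[2][1]))
    for dst in ("10.80.254.10", "10.80.2.146", "10.85.1.1", "10.96.0.1", "192.0.2.5"):
        print(dst, compare(RULES, dst), "reordered:", compare(REORDERED, dst))
```

Run as written, the deny rule resolves to 10.80.0.0/12, i.e. 10.80.0.0 through 10.95.255.255, which agrees with the range stated above. For the poster's rules the two models agree on every sample address: the /24 and /32 permits are more specific than the /12 deny, and the /0 "permit any any" is less specific than everything, so it never overrides the deny. The reordered set is where they diverge: putting "permit any any" first makes an ordered ACL permit 10.85.1.1, while the specificity model still denies it. That is the practical answer to the ordering question: in a policy without ordering, the catch-all permit cannot contradict a narrower deny, but neither can it be used to "undo" one, so the intended result has to be expressed entirely through prefix lengths.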

Author Closing Comment

by:gevansmdes
ID: 31548937
This is what I did.. and it doesn't work due to errors with our system.. not errors with the process as you described it. I'll continue my hunt in the other post for a resolution to my issue.
Thanks