information security, the outdoors and me
# Monday, January 02, 2006

What's hot...IPSec is hot.  I've been playing around over the past few days with scripts that set up IPSec rules to protect a Windows 2000 or XP system.  Now IPSec has two modes - AH and ESP.  AH provides authentication of packets (integrity and origin checking) while ESP provides encryption of packets.  You can use both at once, but it's a little different than the perfect security option you would think.

IPSec has performance concerns.  It adds per-packet overhead (more bandwidth) and CPU load for the cryptography.  Not so big on a home network, but in a corporate environment it can be noticeable.

I've extended this IPSec learning to enable IPSec security (AH+ESP) on my home network for all traffic.  I haven't noticed any performance issues, but then I tend to do very little between my computers.

How to use IPSec on Windows XP SP2

  1. Download the Windows XP SP2 Support Tools (it must be the SP2 version).
  2. Install the Support Tools.  I chose the "complete" install option, but it may not matter.
  3. Review how the ipseccmd.exe command works.  Note: I think the help offered by "/?" is inaccurate, as the -1f option works yet isn't listed at the command line.
  4. Either build your own script or choose one of mine.  Only one policy can be active at a time.
    1. Notes:
      • You must run the same script on all XP computers you want to use that IPSec between.
      • All my scripts allow ICMP unhindered to facilitate troubleshooting.
      • Make sure you edit my script to change the shared secret from "PresharedKeyString" to something else.
      • Dynamic scripts only work until the next reboot or IPSec service restart.  This allows you to make temporary changes to IPSec and is safer for testing out IPSec.
      • Static scripts stay in effect at all times.  The only way to disable one is to open the IPSec console (via MMC) and disable the policy.  This is the truly secure mode of IPSec.
    2. Optional IPSec scripts (don't force IPSec usage, just try to use it)
      1. Dynamic or static encryption.  Related IPSec policy file for static.
      2. Dynamic or static authentication.  Related IPSec policy file for static.
    3. Required IPSec scripts (force IPSec usage, drop non-IPSec connections)
      1. Dynamic or static encryption.  Related IPSec policy file for static.
      2. Dynamic or static authentication.  Related IPSec policy file for static.
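As an added example (not one of the author's own scripts, which are only linked from this post), the batch file below builds a static, "required" AH+ESP policy with ipseccmd.exe along the lines of the notes above: ICMP is left unsecured for troubleshooting, everything else to and from the LAN must negotiate AH plus ESP with a preshared key, and peers that cannot are dropped.  The subnet, rule names and policy name are assumptions, and the preshared key is the page's own placeholder, which must be changed before use.  Switch meanings follow the ipseccmd/ipsecpol syntax: -f filter list ("0" is this computer, "+" makes the filter mirrored), -n negotiation policy, -a authentication method, -1s IKE main-mode security method, -w REG to write the policy to the local registry store, -x/-y to assign/unassign it and -o to delete it.

```batch
@echo off
rem Added example: a static, required AH+ESP policy for a home LAN built with
rem ipseccmd.exe from the XP SP2 Support Tools.  Not one of the author's scripts.
rem Assumed values: the LAN subnet, the rule names and the policy name.
rem The key below is the page's placeholder; change it before running this.

set PSK=PresharedKeyString
set LAN=192.168.1.0/255.255.255.0
set POLICY=HomeLAN-AH-ESP-Required

rem Rule 1: ICMP between this host and the LAN is passed unsecured so ping
rem keeps working while the policy is tested (the author's troubleshooting
rem allowance).  "0" = my addresses, "+" = mirrored (both directions),
rem "::ICMP" = no ports, protocol ICMP.
ipseccmd -w REG -p "%POLICY%" -r "Allow ICMP" -f 0+%LAN%::ICMP -n PASS

rem Rule 2: all other traffic to/from the LAN must use AH (SHA-1 integrity)
rem plus ESP (3DES encryption, SHA-1 integrity).  IKE authenticates with the
rem preshared key and uses 3DES/SHA-1/DH group 2 for main mode.  There is no
rem fall-back-to-clear entry, so a peer that cannot negotiate IPsec is dropped
rem ("required" mode).  -x assigns the policy, making it active immediately.
ipseccmd -w REG -p "%POLICY%" -r "Secure LAN" -f 0+%LAN% -n AH[SHA]+ESP[3DES,SHA] -a PRESHARE:"%PSK%" -1s 3DES-SHA-2 -x

echo Policy "%POLICY%" written to the registry store and assigned.
echo To stop enforcing it: ipseccmd -w REG -p "%POLICY%" -y
echo To delete it:         ipseccmd -w REG -p "%POLICY%" -o
```

Because the policy is static (written with -w REG and assigned with -x), it survives reboots and service restarts; as the notes say, it is only turned off by unassigning or deleting it, so run the same file on every host in the subnet before the last one is switched to the required rule, or the hosts that have not yet been converted will lose all non-ICMP connectivity to the ones that have.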
Monday, January 02, 2006 1:07:28 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: tech

Recently a vulnerability was uncovered related to WMF files on Windows OS's.  This vulnerability has yet to have a functional workaround or patch from Microsoft.  The security community has taken it upon themselves to issue a workaround that alleviates the issue.  This is a good sign that the community is willing to spend effort to protect Microsoft's customers with no return to themselves except credibility.

Various credible companies and groups have supported this code-level workaround.  This is better than Microsoft's response, which has included a workaround that breaks functionality and a couple of useless blog postings.

It seems that Microsoft has taken the CYA (cover your a--) path - contacting law enforcement and publishing a bulletin, but not actually protecting their users.  WTF?  Isn't that out of order in the list of priorities?

I have submitted a plea to Microsoft to work with the security community to provide and approve such workarounds.  Clearly they don't have the manpower or time to devote to this problem as lots of people are being attacked due to this vulnerability.  So the next best thing for Microsoft to do is accept the community based efforts and support them.

This clearly isn't about open source or providing free protection services; it's all about protecting the customers.  Microsoft has consistently placed its company above the customer during these security issues.  It is a disgusting trend that has had an impact on lots of their customers.  I hope their customers vote with their wallets.

Monday, January 02, 2006 12:11:48 PM (Eastern Standard Time, UTC-05:00) | Comments [2] | Category: tech
# Thursday, December 22, 2005

That voice of the computer from Wargames...ahh, brings back memories of 1984.  As for the actual reason I mentioned it, the lovely voices of the Microsoft Agent program.  I've been messing around ALL DAY with Microsoft Agent and scripting.  It's been somewhat fun, but fairly frustrating.  I've just built a script that acts as a simple helper running on your desktop.  Not really too helpful.

http://ydns.no-ip.com/msAgentHelper.vbs.txt

This script expects you to set up a few things:

  1. Right-click this file (http://ydns.no-ip.com/msAgentHelper.vbs.txt) and choose "Save target as".
  2. Rename the file to remove the ".txt" extension.
  3. Choose a location to save the file that you can remember.  Click Save.
  4. Open the folder where the file was saved.
  5. Edit the file by right-clicking and choosing Edit.
  6. Modify the top few entries to match your needs.
  7. Save and close the file.
  8. Right-click the ".vbs" file, choose Properties and go to the Script tab.
  9. Uncheck "Display logo...".
  10. Click OK.  You will now have a file with the same name but a ".wsh" extension in the same location as the ".vbs" file.
  11. Double-click the ".wsh" file.  When you run it, it should play sound if Microsoft Agent is properly installed.

This was fun to write but has little value as it is.  Trying to think of ways to make it more useful.  Perhaps some type of table of things it can do for me.

Thursday, December 22, 2005 11:26:22 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: tech
# Saturday, December 17, 2005
All because work is a bitch.
Saturday, December 17, 2005 8:47:26 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: tech
# Friday, December 09, 2005
...welcome to 1969. "Get me outta here!"
Friday, December 09, 2005 8:43:07 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: General
# Friday, October 28, 2005
Oh, that's what an external trust is for...
Friday, October 28, 2005 8:53:54 AM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: tech
# Saturday, September 10, 2005

I've just had my VNF4 Ultra-based computer die a second time on me.  I get BIOS POST code 50 when I try to boot the box.  I bought this computer at the beginning of the year and a few months later this problem cropped up and I had to RMA my mobo.  I got a replacement and it just happened again!

I think the issue is a heat issue, not a USB issue as they would have you believe.  I don't live in a very hot area and the mobo has averaged 110 °F.

It's absolutely ridiculous that this new computer can't handle staying on 24/7.  I am likely going to demand my money back.  I cannot handle this crap any more.

Saturday, September 10, 2005 12:50:40 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: General
# Saturday, July 16, 2005
ridiculous bug
Saturday, July 16, 2005 8:03:12 PM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: tech
# Monday, July 04, 2005
no thanks to the cable install tech!
Monday, July 04, 2005 11:42:27 AM (Eastern Standard Time, UTC-05:00) | Comments [0] | Category: General
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2009 ydns