So what about IPSec is hot, other then the fact you can script it?  Well in a enterprise environment you can deploy it in Group Policy.  Now that is a pretty cool way to protect your network.  So you can use IPSec to protect traffic between trusted hosts.  The easiest scenario is to setup IPSec between domain computers.  Once Group Policy refreshes on a client computer they implement whatever IPSec policy is deployed to it.  In a workgroup environment you can still use IPSec for protecting your network, but it is more manual effort.

Not only can you deploy IPSec policies to computers using Group Policy, you can also deploy dynamic IPSec policies to the same computer at the same time.  Now dynamic IPSec policies are the same thing only they don't stick after a reboot or IPSec is restarted.  This makes them handy for testing a setting, you can just reboot (or restart IPSec) to undo it. 

So deploy a baseline IPSec policy to everyone, then use script to deploy dynamic IPSec policies at startup.  That way you can quickly deploy IPSec protection without a way to back out.

The key thing to remember about applying an IPSec policy using Group Policy is that you can only have one policy - the last one that applies.  Similiar to a specific Group Policy setting.  The IPSec Policies don't merge into one big policy as Group Policy is enforced onto a computer.

Microsoft IPSec FAQ

Important things to consider regarding IPSec and tradeoffs.

Microsoft article on how to assign Domain based IPSec policy

Microsoft article providing an outline of reasons to use IPSec.

Example scripts and reasons to use IPSec to protect your systems

Example scripts for protecting against a specific security concern (WINS exploit)

Go read my other article on IPSec (sample scripts and IPSec policy files)

Microsoft needs to provide free builtin 0-day protection to their OS's.

So as many have probably heard, this Microsoft Windows WMF vulnerability was getting massive amounts of security community attention including a well dissected hotfix from a well known developer.  So I myself sent two critical emails to Microsoft trying to encourage them to work with this community effort for a quick hotfix.  They were both essentially dismissed via replies, but I'm sure that my emails along with the hundreds of others they probably received made the points of concern clear.

   This wasn't about profit, "open source" or even "free 0-day protection", but about protecting Microsoft customers.  This is a key part of their Trustworthy Computing initiative.  There were numerous people working to identify the security vulnerability, test it and discuss it.  When everyone complained to Microsoft about the situation, clearly Microsoft noticed that the customer wasn't satisfied by waiting 10 days for a hotfix.  If a non-Microsoft developer could build a "patch" to protect users, get it tested and deployed in 4 days, then Microsoft should be able to do that or better.

As it turned out Microsoft addressed the same exact piece of code that was a concern.  So the "unofficial" patch was correct and protected users.

Now the big point is, why can't Microsoft do something like this quick hotfix?  Well, sounds like Microsoft doesn't think they impacted their customers enough by costing them untold millions in lost productivity and revenue with all of the vulnerabilities over the years.  Apparently Trustworthy Computing means "Trust Microsoft, and only Microsoft".  This is an unacceptable stance in the realm of information security.

Microsoft could easily build a framework to deploy quick hotfixes that merely block vulnerable code.  They don't need to fix the code immediately, just offer something that block access to the bad code.  This is why the unofficial hotfix was so perfect.  It didn't ask users to replace a file provided by Microsoft, just put one in the middle and intercept the vulnerable code.

All in all, I really think that Microsoft is afraid of too many things, not unable to solve the problem. I'm sure there are IP questions about 3rd party hotfixes. I'm sure there are patch availability, reliability and trustworthiness concerns. But I'm also sure Microsoft can do a whole lot more to protect its users than it is doing today.

So, go demand that Microsoft build a 0-day protection framework that protects their customers.

Whats hot...IPSec is hot.  I've been playing around over the past few days on scripts that setup IPSec rules to protect a Windows 2000 or XP system.  Now IPSec has two modes - AH and ESP.  AH provides authentication of packets while ESP provides encryption of packets.  You can use both at once but its a little different then the perfect security option you would think.

IPSec has performance concerns.  It causes an increase in bandwidth and CPU usage.  Not so big on a home network, but in a corporate environment it can be noticeable.

  I've extended this IPSec learning to enable IPSec security (AH+ESP) on my home network for all traffic.  I haven't noticed any performance issues.  I tend to do very little between my computers.

How to use IPSec on Windows XP SP2

1. Download the Windows XP SP Support Tools. (must be the SP2 version)
2. Install the Support Tools.  I choose the "complete" install option, but it may not matter.
3. Review how the ipseccmd.exe command works.  Note - I think the help offered by "/?" is inaccurate as the 1f option works, yet doesn't display at the command line.
4. Either build your own script or choose one of mine.  Only one can work at a time.
   1. Notes: 
      • You must run the same script on all XP computers you want to use that IPSec between.
      • All my scripts allow ICMP unhindered to facilitate troubleshooting.
      • Make sure you edit my script to customize the shared secret used from "PresharedKeyString" to something else.
      • Dynamic scripts will only work until the next reboot or IPSec service restart.  This allows you to make temporary changes to IPSec. Safer for testing out IPSec
      • Static scripts will stay running at all times.  The only way to disable it is to open the IPSec console (via MMC) and disable the policy.  True secure modes of IPSec.
   2. Optional IPSec scripts (don't force IPSec usage, just try to use it)
      1. Dynamic or static encryption. Related IPSec policy file for static.
      2. Dynamic or static authentication.  Related IPSec policy file for static.
   3. Required IPSec scripts (force IPSec usage, drop non-IPSec connections)
      1. Dynamic or static encryption.  Related IPSec policy file for static.
      2. Dynamic or static authentication.  Related IPSec policy file for static.

Recently a vulnerability was uncovered related to WMF files on Windows OS's.  This vulnerability has yet to have a functional workaround or patch from Microsoft.  The security community has taken it upon theeselves to issue a workaround that alleviates the issue.  This is a good sign that the community is willing to spend effort to protect Microsoft's customers at no value to themselves except credibility.

Various credible companies and groups have supported this code development level workaround.  This is better then Microsoft's response which has included a workaround which breaks functionality and a couple of useless blog postings. 

It seems that Microsoft has taken the CYA (cover your a--) path - contacting law enforcement and publishing a bulletin, but not actually protecting their users.  WTF?  Isn't that out of order in the list of priorities?

I have submitted a plea to Microsoft to work with the security community to provide and approve such workarounds.  Clearly they don't have the manpower or time to devote to this problem as lots of people are being attacked due to this vulnerability.  So the next best thing for Microsoft to do is accept the community based efforts and support them.

This clearly isn't about open source or providing free protection services, its all about protecting the customers.  Microsoft consistently has placed its company above the customer during these security issues.  It is a disgusting trend that has had impact on lots of their customers.  I hope their customers vote with their wallets.

That voice of the computer from Wargames...ahh brings back memories of 1984.  As for the actual reason I mentioned it, the lovely voices of the Microsoft Agent program.  I've been messing around ALL DAY with Microsoft Agent and scripting.  Its been somewhat fun, but fairly frustrating.  I've just built a script that acts as a simple helper running on your desktop.  Not really too helpful.

http://ydns.no-ip.com/msAgentHelper.vbs.txt

This script will expect you to setup a few things:

• Microsoft Agent (http://www.microsoft.com/msagent/default.asp)
• An agent for Microsoft Agent (the filename without extension)
• your email program path
• and your home page to open in IE.

1. right click this file (http://ydns.no-ip.com/msAgentHelper.vbs.txt) and do a "Save target as"
2. Rename the file to remove the ".txt" extension.
3. Choose a location to save the file that you can remember.  Click Save.
4. Open the folder where the file was saved.
5. Edit the file by right-clicking and choosing Edit.
6. Modify the top few entries to match your needs.
7. Save and close the file.
8. Right click the ".vbs" file, choose Properties and go to the Script tab.
9. uncheck "Display logo..."
10. Click OK.  Now you will have a file by the same name except a WSH extension in the same location as the vbs file. 
11. Double click the "wsh" file.  When you run it, it should play sound if Microsoft Agent is properly installed.

This was fun to write but has little value as it is.  Trying to think of ways to make it more useful.  Perhaps some type of table of things it can do for me.