+44 (0)1332 898 999
24 / 7 Emergency Support
+31 (0)85 8888 863
NL office phone
24 / 7 ticket support

Security Misadventure

This happened a couple of years ago just after I received a laptop as birthday gift. The laptop was preloaded with a Windows 7 installer that only needed to be configured in order to be ready for use.Before this time, I was a Windows XP user and I had an SP2 running in a tower-cased machine. I already knew about Windows 7 from the Internet and was only waiting for the opportunity to buy a copy of it.

Now, Windows 7 came as a gift!

I didn’t waste time configuring Windows 7 on my new toy. An hour or so later, my spanking new Windows 7 in my shiny brand new laptop was up and running.

Knowing that my version of Win7 was only “Home Premium”, I wondered how far I could go with MMS (Microsoft Management Console) and with snap-in’s. I decided to experiment. This was when my misadventure began.

MMC did come up as I expected, and I found a few snap-in’s listed — Computer Management, Local Users and Groups, Device Manager, etc. I added Computer Management into MMS because I was quite familiar with that. I also added a snap-in that I haven’t ever configured before: IP Security Policy Management. Why this? Well, simply out of curiosity and not really knowing how my experimentation with it would turn out.

I ran the snap-in, and the dialog window popped up. “IP Security Wizard,” it announced. Wizard, like Gandalf? Never mind. I read on: “This wizard helps you create an IP Security policy. Blah, blah, blah.”

The wizard asked for policy name and description which I could just make up. Piece of cake — next screen please.

The next screen described a default response rule, whatever that meant. I found a checkbox labeled “Activate the default response rule (earlier versions Windows only)”. I didn’t touch anything just to be safe but instead moved on to the next window.

Surprise! The next window said “You have successfully completed specifying the properties for your new IP Security policy. To edit your IP Security policy now, select the Edit properties check box, and then click Finish.” The checkbox was already checked (heheh), and below it was the message “To close this wizard, click Finish.” What else could I do but click the “Finish” button? If that was all, there was no challenge to it, I thought (erroneously, I must add).

A new window came up with two tabs: “Rules” and “General”. I read the Rules tab first. The security rules were presented in four columns:

Column 1: IP Filter List. Should I check the “” checkbox or not?

Column 2: Filter Action – Value: “Default response (earlier versions of Windows only)”. Stay with default to be safe, I told myself.

Column 3: Authentication Methods – Value: “Kerberos”. K…what?? Is this an English word?

Column 4 – Tunnel Endpoint – Value: “”. What tunnel? What endpoint?

Column 5 – Connection Type – Value: “All”. At this point I was sweating even if the room wasn’t hot.

Despite the nervousness that was intensifying, I still had enough guts to click the next tab: General. The new window showed another set of data fields.

Name – No problem. This was the policy name I entered earlier. Description – Same. Check for policy changes every: – Default value: “180 minute(s)”. What would happen if I changed it to every 1 minute? Or every 360 minutes? Perform key exchange using additional settings – “Settings…” button. I clicked the button blindly, and a new window titled “Key Exchange Settings” opened.

There was a checkbox for “Master key perfect forward secrecy (PFS)“; an input box for “Authenticate and generate a new key after every: 480 (default) minutes”; another input box for “Authenticate and generate a new key after every: zero (default) session(s); a “Methods…” button for “Protect identities with IKE security methods“. And finally two more buttons at the bottom: the all too familiar “OK” and “Cancel.”

I clicked “Cancel” with a big sigh. This security thing wasn’t for hobbyists and pseudo adventurers like me.

Fast forward to today…

The “misadventure” I just described refers to only a very tiny part of one security item, IP Security. And that’s only for a Windows laptop. How much more for a server? How many security policies are there to set up, and set up correctly?

Word of wisdom: Avoid a risky misadventure when you can contact a professional, especially one from Key4ce.

- Founder of Key4ce.
- More then 10 years of experience with Windows high availability and Microsoft Exchange.
- More then 10 years of experience with Linux and Unix.
- Open source enthusiast and a large contributor for multiple large Open Source projects.

My current main focus of attention is Geo-Clustering.

Leave a Reply