Windows Server 2003 supports the use of Internet Protocol security (IPSec) to secure communications between computers. IPSec is a cross-platform protocol. Windows Server 2003-based computers use IPSec policies to control which communications must use IPSec. A computer may need IPSec to secure all communications or only a subset of them. You use IPSec filters to control when IPSec is applied.
To test the IPSec policies, use IPSec Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which IPSec policy is active and whether a secure channel between computers is established.
In Microsoft Windows XP and Windows Server 2003, the IP Security Monitor is implemented as a Microsoft Management Console (MMC) snap-in. To add the IP Security Monitor snap-in, follow these steps:
1. Click Start, click Run, type MMC, and then click OK.
2. In the MMC, click File, click Add/Remove Snap-in, and then click Add.
3. Click IP Security Monitor, and then click Add.
4. Click Close, and then click OK.

NOTE: To save the console settings, click Save on the File menu.
To add a computer to the IP Security Monitor snap-in, follow these steps:
1. Create a console that contains IP Security Monitor. Or, open a saved console file that contains IP Security Monitor.
2. In the console tree, right-click IP Security Monitor, and then click Add computer.
3. In the Add Computer dialog box:
   - For the local computer, click This computer.
   - For a remote computer, click The following computer, and then type the name of the remote computer. Or, click Browse to find it on the network.
To see how IPSec Monitor functions, you need two Windows Server 2003-based computers that are members of the same Windows Server 2003 domain. One computer is the IPSec client computer and the other computer is the IPSec server. The following two sections describe how to configure the IPSec client computer and IPSec server to test a security policy.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Local Security Policy.
3. Click the IP Security Settings on Local Computer node in the left pane, and then double-click the Secure Server (Require Security) policy in the right pane.
4. Click to clear the All IP Traffic and the Dynamic check boxes, and then click to select the All ICMP Traffic check box.
5. Double-click the All ICMP Traffic rule.
6. Click the Filter Action tab, and then click Require Security.
7. Click Apply, and then click OK.
1. On the IPSec client computer, start IPSec Monitor.
2. From a command prompt, type ping -t ipsec_server_ip_address.
   For the first few seconds, a "Negotiating IPSec Policy" message is displayed, and then you receive Internet Control Message Protocol (ICMP) echo replies. When you bring IPSec Monitor to the foreground, you see that the IPSec security association is established and the filter name is listed as ICMP.
3. Close the command window to stop the ping command.

Note that the IPSec security association continues for a short time before timing out.
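A command-line counterpart to the ping test above, as an added example that is not part of the original article: it generates ICMP traffic and then uses the netsh ipsec context included with Windows Server 2003 to print the assigned policy and the main mode and quick mode security associations. The script name (ipsec-check.cmd) and the findstr match on the server address are assumptions made for this example.

```batch
@echo off
rem Added example (not from the original article).
rem Usage: ipsec-check.cmd ipsec_server_ip_address
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ipsec_server_ip_address
    exit /b 2
)
set SERVER=%~1

echo === Locally assigned IPSec policy ===
netsh ipsec static show gpoassignedpolicy

echo === Sending ICMP echo requests to %SERVER% ===
rem The first requests may go unanswered while the policy is negotiated,
rem so send a fixed number instead of using ping -t.
ping -n 8 %SERVER%

echo === Main mode security associations ===
netsh ipsec dynamic show mmsas all

echo === Quick mode security associations ===
netsh ipsec dynamic show qmsas all

rem Assumption: an established quick mode SA lists the peer address in
rem the netsh output, so a literal match on the address is used as the
rem pass/fail signal. Run this before the SA times out.
netsh ipsec dynamic show qmsas all | findstr /L /C:"%SERVER%" >nul
if errorlevel 1 (
    echo RESULT: no quick mode SA currently lists %SERVER%.
    exit /b 1
)
echo RESULT: a quick mode SA lists %SERVER%.
exit /b 0
```

An exit code of 1 after successful echo replies means the replies are not covered by a listed security association, which is the case to investigate in the policy's filter and filter action.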
To restore the default IPSec policies on each computer:
1. Right-click the IP Security Policies node in the left pane, point to All Tasks, and then click Restore Default Policies.
2. Click Yes when you receive the "Are you sure?" message.
3. Click OK to confirm that the default policies have been returned to their default values.
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, 64-Bit Datacenter Edition, Microsoft Windows Server 2003, Enterprise x64 Edition