Create Legacy IPsec Policy from CLI

The following commands can be used to script the creation of legacy IPsec policies. The example here creates an IPsec policy meant to secure all IP traffic between domain controllers in separate forests in order to secure AD forest trust traffic.
This example uses PSK for authentication, but you should use certificates if possible.
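The post's own commands are not reproduced in this excerpt. The following PowerShell script is an added example, not the post's script, showing how a legacy policy of the kind described (negotiate IPsec for all IP traffic between this domain controller and the domain controllers of a trusted forest, authenticated with a pre-shared key) can be built with the legacy `netsh ipsec static` context. The policy, filter list, filter action and rule names, the remote addresses and the key value are constructed placeholders; the non-zero exit code check assumes `netsh` reports failures through `$LASTEXITCODE`.

```powershell
# Added example, not from the original post. Creates and assigns a legacy IPsec
# policy via "netsh ipsec static" that requires ESP negotiation for all IP
# traffic between this DC and the DCs of a trusted forest, using a PSK as the
# post does. Run in an elevated prompt on each participating DC, with the
# matching policy (same PSK, mirrored addresses) on the other side.

$policy     = 'Forest-Trust-DC-IPsec'                # constructed name
$filterList = 'Remote-Forest-DCs'                    # constructed name
$action     = 'Require-ESP'                          # constructed name
$remoteDCs  = @('192.0.2.10', '192.0.2.11')          # constructed: DCs in the other forest
$psk        = 'REPLACE-WITH-A-LONG-RANDOM-KEY'       # placeholder; certificates are preferable

function Invoke-IpsecStatic {
    # Runs one "netsh ipsec static" command and stops the script on failure,
    # so a half-built policy is never assigned. Assumes netsh sets a non-zero
    # exit code on error.
    param([string[]]$CommandArgs)
    & netsh ipsec static @CommandArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($CommandArgs -join ' ') failed"
    }
}

# 1. Policy container, left unassigned until every part is in place.
Invoke-IpsecStatic @('add', 'policy', "name=$policy",
                     'description=Secure all IP traffic between trust DCs', 'assign=no')

# 2. Filter list: one mirrored filter per remote DC, any protocol, from "me".
Invoke-IpsecStatic @('add', 'filterlist', "name=$filterList")
foreach ($dc in $remoteDCs) {
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$filterList",
                         'srcaddr=me', "dstaddr=$dc", 'protocol=ANY', 'mirrored=yes')
}

# 3. Filter action: negotiate security, no cleartext fallback (soft=no) and
#    no unsecured inbound pass-through (inpass=no).
Invoke-IpsecStatic @('add', 'filteraction', "name=$action",
                     'action=negotiate', 'inpass=no', 'soft=no')

# 4. Rule tying the filter list and action into the policy, PSK authenticated.
Invoke-IpsecStatic @('add', 'rule', 'name=DC-to-DC', "policy=$policy",
                     "filterlist=$filterList", "filteraction=$action", "psk=$psk")

# 5. Assign the policy so the IPsec Policy Agent starts enforcing it.
Invoke-IpsecStatic @('set', 'policy', "name=$policy", 'assign=yes')

# Verify: print the assigned policy as netsh sees it.
& netsh ipsec static show policy "name=$policy"
```

Because `soft=no` is set, traffic to the listed addresses is dropped if negotiation fails, so test with `netsh ipsec static show policy` on both sides and confirm the security associations appear before relying on the trust over this path.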

Disable SSLv2 on Windows Server 2008 Domain Controllers

Using LDAP over SSL is a good step towards security. Improve security just a little bit more by disabling SSLv2 and forcing your clients to use SSLv3.

On each of your domain controllers create the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

Then create the following DWORD value:

DWORD = "Enabled"
Value = 00000000

Finally, reboot the domain controller.

To make this even easier you can deploy this registry key through a Group Policy Object linked to the Domain Controllers OU.
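The registry steps above, as an added PowerShell example that is not part of the original post. It creates the `SSL 2.0` key from the post, writes the `Enabled` DWORD as 0, and reads the value back so the change can be confirmed before the reboot. One assumption beyond the post: Microsoft's Schannel article that the post links (KB 245030) documents the switch under a `Server` subkey (and a `Client` subkey for outbound connections) below `SSL 2.0`, so the script writes the value under both subkeys rather than directly under the `SSL 2.0` key. The function names are this example's own.

```powershell
# Added example, not from the original post. Disables SSL 2.0 in Schannel on
# the local domain controller by creating the post's registry key with the
# "Enabled" DWORD = 0, then verifies it. Run from an elevated prompt; the
# change only takes effect after the reboot the post calls for.

$ssl2Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# KB 245030 (linked from the post) places the switch in role subkeys:
# "Server" governs the DC's listening side, "Client" its outbound connections.
$roles = @('Server', 'Client')

function Disable-Ssl2 {
    foreach ($role in $roles) {
        $path = Join-Path $ssl2Key $role
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # DWORD "Enabled" = 0 tells Schannel not to offer SSL 2.0 for this role.
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-Ssl2Disabled {
    # Returns $true only if every role subkey carries Enabled = 0;
    # a missing value ($null) counts as not disabled.
    foreach ($role in $roles) {
        $path  = Join-Path $ssl2Key $role
        $value = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        if ($value -ne 0) { return $false }
    }
    return $true
}

Disable-Ssl2
if (Test-Ssl2Disabled) {
    Write-Output 'SSL 2.0 disabled in the registry; reboot the domain controller to apply.'
} else {
    Write-Error 'SSL 2.0 registry values were not written as expected.'
}
```

When the same setting is pushed with a Group Policy Object as the post suggests, `Test-Ssl2Disabled` is still useful on each DC to confirm the values actually arrived before scheduling the reboot.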

More information from Microsoft:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll