
How should the ipseccmd.exe tool be used in Windows Vista?

Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. Expert Michael Cobb explains how to get the scripting utility to work with Vista.

Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. If you type ipseccmd show all at a Windows XP command prompt, you will get a list of Internet Key Exchange Security Associations, IPsec filters and IPsec usage statistics. It is, however, a Windows XP tool, and it is not available in Windows Vista. This functionality has moved to Netsh, a command-line scripting utility.

Netsh uses various helper DLLs, which provide an extensive set of network configuration and monitoring settings. Each group of commands specific to a networking component is called a context. For example, dhcpmon.dll provides Netsh the context and set of commands necessary to configure and manage DHCP servers. The contexts that you can use depend on which networking components you have installed.

Netsh can run in either a wired or wireless context as well; when using the tool, the user must change to the context that contains the desired command. Both contexts allow viewing and configuring connectivity and security settings of both the local and multiple computers, but to view the applied wireless Group Policy settings, for example, the wireless context must be used. For those comfortable with command-line tools, Netsh is a good, lightweight alternative to Group Policy. The help documentation for each available command is reached by the '/?' or Help options.

Vista itself has two new Netsh contexts, which I'm sure you'll find useful:

  • ipsec - this context is most comparable to policy creation in XP.
  • advfirewall - this context maps to the Windows Firewall with Advanced Security snap-in.
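As an added example (not code from the original article or from Microsoft's documentation), the PowerShell script below gathers, from the Vista advfirewall context, the same kind of information that ipseccmd show all produced on XP: IKE security associations, IPsec (connection security) rules, firewall rules and per-profile state. It assumes an elevated prompt on Vista or later; the report path and the "State OFF" check are assumptions noted in the comments.

```powershell
# Added example: collect what "ipseccmd show all" reported on XP, using the
# Vista netsh advfirewall context. Run from an elevated PowerShell prompt.
# $ReportPath is a hypothetical output location chosen for this example.
$ReportPath = Join-Path $env:TEMP ("ipsec-report-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Invoke-Netsh {
    # Runs netsh with an argument array (so rule names with spaces survive)
    # and returns its text output; warns when netsh signals failure.
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("netsh {0} exited with code {1}" -f ($Arguments -join ' '), $LASTEXITCODE)
    }
    return $output
}

# Each entry: report heading, netsh arguments. Together these cover the
# IKE SAs, IPsec rules and firewall filters that ipseccmd show all listed.
$sections = @(
    @('Firewall state per profile',            @('advfirewall', 'show', 'allprofiles')),
    @('IKE main-mode security associations',   @('advfirewall', 'monitor', 'show', 'mmsa')),
    @('IPsec quick-mode security associations',@('advfirewall', 'monitor', 'show', 'qmsa')),
    @('Connection security (IPsec) rules',     @('advfirewall', 'consec', 'show', 'rule', 'name=all')),
    @('Firewall filtering rules',              @('advfirewall', 'firewall', 'show', 'rule', 'name=all'))
)

$report = @()
foreach ($section in $sections) {
    $report += "==== $($section[0]) ===="
    $report += Invoke-Netsh -Arguments $section[1]
    $report += ''
}
$report | Out-File -FilePath $ReportPath -Encoding ASCII
Write-Host "Report written to $ReportPath"

# Sanity check for the reviewer: flag any profile whose firewall is OFF.
# Assumes "show allprofiles" prints a "State ON|OFF" line per profile.
$profileState = Invoke-Netsh -Arguments @('advfirewall', 'show', 'allprofiles')
$offLines = $profileState | Where-Object { $_ -match '^\s*State\s+OFF' }
if ($offLines) {
    Write-Warning "At least one firewall profile is OFF; its filtering rules are not being applied."
}
```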

One definite improvement in Vista is the integration of firewall-filtering functions and IPsec protection settings. The design makes it far less likely that new firewall filters will conflict with IPsec policies and prevent network traffic from flowing as intended. It is now possible to confirm, add, modify and delete firewall rules using Windows Firewall with Advanced Security. While most users will still configure their Windows Firewall using the Windows Firewall Control Panel tool, the snap-in allows users to easily perform advanced configuration. Windows Firewall with Advanced Security provides a graphical interface for configuring Windows Firewall on remote computers and via Group Policy.

I know that some administrators have had problems trying to get scripts that previously used ipseccmd functions to then work on Vista using Netsh. That aside, the new Vista tools do make it easier to control what enters and exits your network PCs, so give them a go.

This was last published in February 2008.