New features for IPSec

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Internet Protocol security (IPSec) provides the following new features for enhanced security, scalability, and availability, and ease of deployment and administration.

Note

  • Because several new IPSec features are available only in the Windows Server 2003 family, as a best practice, if you plan to apply the same IPSec policy to computers running the Windows Server 2003 family and to computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment. For additional best practices for using IPSec, see IPSec Best practices.

IP Security Monitor

In Windows 2000, IP Security Monitor was implemented as an executable program (IPSecmon.exe). In Windows XP and the Windows Server 2003 family, IP Security Monitor is implemented as a Microsoft Management Console (MMC) console and includes enhancements that allow you to:

  • Monitor IPSec information for your local computer and for remote computers.

  • View details about active IPSec policies, including the name, description, date last modified, store, path, organizational unit, and Group Policy object name.

  • View main mode and quick mode generic filters and specific filters.

  • View main mode and quick mode statistics. For information about the statistics displayed in IP Security Monitor, see Viewing main mode and quick mode statistics in IP Security Monitor.

  • View main mode and quick mode security associations.

  • Customize refresh rates, and use DNS name resolution for filter and security association output.

  • Search for specific main mode or quick mode filters that match any source or destination IP address, a source or destination IP address on your local computer, or a specific source or destination IP address.

For information about adding the IP Security Monitor snap-in, see Add the IP Security Monitor snap-in. For information about additional IPSec troubleshooting tools, see IPSec troubleshooting tools.

Stronger cryptographic master key (Diffie-Hellman)

For enhanced security, IPSec now supports the use of a 2048-bit Diffie-Hellman key exchange. With a stronger Diffie-Hellman group, the secret key that is derived from the Diffie-Hellman exchange has greater strength. Strong Diffie-Hellman groups combined with longer key lengths increase the computational difficulty of determining a secret key.

This feature is provided only with the Windows Server 2003 family.

For more information about Diffie-Hellman groups and key exchange, see Key exchange methods and Key management and protection.

Command-line management with Netsh

Using commands in the Netsh IPSec context, you can configure static or dynamic IPSec main mode settings, quick mode settings, rules, and configuration parameters. To enter the Netsh IPSec context, type netsh -c ipsec at a command prompt. The Netsh IPSec context replaces the Ipsecpol.exe tool, which is provided with the Windows 2000 Server Resource Kit. You can use this feature to script and automate IPSec configuration. For more information, see IPSec troubleshooting tools.

This feature is provided only with the Windows Server 2003 family.

For more information about Netsh commands for IPSec, see Netsh commands for Internet Protocol security.
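The following batch script is an added example (it is not part of this topic) that uses the Netsh IPSec static context described above to build and assign a local policy whose main mode key exchange uses the 2048-bit Diffie-Hellman group from the previous section. The policy, filter list, filter action and rule names, the 10.0.0.0/8 subnet, and the lifetimes are illustrative values chosen for the example.

```batch
@echo off
rem Added example, not from the original topic: build and assign a local
rem IPSec policy with the Netsh IPSec static context.  Names, the 10.0.0.0/8
rem subnet, and the lifetimes are illustrative values.

rem Work against the local policy store (alternatives: domain, persistent).
netsh ipsec static set store location=local

rem Main mode settings.  mmsecmethods uses the form ConfAlg-HashAlg-GroupNum;
rem group 3 is the 2048-bit Diffie-Hellman group that is new in the
rem Windows Server 2003 family (groups 1 and 2 are 768-bit and 1024-bit).
rem mmlifetime is in minutes.
netsh ipsec static add policy name="Secure Intranet" description="Example policy" mmsecmethods="3DES-SHA1-3" mmpfs=yes mmlifetime=480 assign=no

rem Filter list: all traffic between this computer and the 10.0.0.0/8 subnet,
rem mirrored so that the reverse direction is matched as well.
netsh ipsec static add filterlist name="Intranet Traffic"
netsh ipsec static add filter filterlist="Intranet Traffic" srcaddr=me dstaddr=10.0.0.0 dstmask=255.0.0.0 protocol=any mirrored=yes description="Me <-> 10.0.0.0/8"

rem Filter action: negotiate ESP with 3DES/SHA1, rekey every 100000 KB or
rem 3600 s, no fallback to clear text (soft=no), no unsecured inbound (inpass=no).
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no

rem Rule: tie the filter list and the filter action together and
rem authenticate peers with Kerberos V5.
netsh ipsec static add rule name="Intranet Rule" policy="Secure Intranet" filterlist="Intranet Traffic" filteraction="Require ESP" kerberos=yes conntype=all

rem Assign the policy and confirm that it is active.
netsh ipsec static set policy name="Secure Intranet" assign=yes
netsh ipsec static show policy name="Secure Intranet"

rem Runtime check once traffic flows: list main mode security associations
rem (the same information that IP Security Monitor displays).
netsh ipsec dynamic show mmsas all
```

Run the script from an elevated command prompt on the computer whose local policy you want to configure; the final command shows no security associations until a peer has actually negotiated with the server.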

Computer startup security

For enhanced security, IPSec now provides stateful filtering of network traffic during computer startup. With stateful filtering, only the following traffic is permitted during computer startup: the outbound traffic that the computer initiates during startup, the inbound traffic that is sent in response to the outbound traffic, and DHCP traffic. As an alternative to stateful filtering, you can specify that all inbound and outbound traffic be blocked until an IPSec policy is applied. If you use stateful filtering, or if you specify that traffic be blocked during computer startup, you can also specify the traffic types that you want to exempt from IPSec filtering during computer startup.

Note

  • You cannot configure this feature in the IP Security Policy Management console. To configure this feature, you must use the Netsh IPSec command-line tool.

Persistent policy for enhanced security

You can now create and assign a persistent IPSec policy to secure a computer if a local IPSec policy or an Active Directory-based IPSec policy cannot be applied. When you create and assign a persistent policy, it is applied before the local policy or the Active Directory-based policy is applied, and it remains in effect regardless of whether the local policy or the Active Directory-based policy is applied (for example, an IPSec policy will not be applied if it is corrupted).

Note

  • You cannot configure this feature in the IP Security Policy Management console. To configure this feature, you must use the Netsh commands for IPSec.

Removed default traffic exemptions

In Windows 2000 and Windows XP, by default, all broadcast, multicast, Internet Key Exchange (IKE), Kerberos, and Resource Reservation Protocol (RSVP) traffic is exempt from IPSec filtering. To significantly improve security, in the Windows Server 2003 family, only IKE traffic (which is required for establishing IPSec-secured communication) is exempt from IPSec filtering. All other traffic types are now matched against IPSec filters, and you can configure block or permit filter actions specifically for multicast and broadcast traffic (IPSec does not negotiate security associations for multicast and broadcast traffic). For more information, see Special IPSec considerations.
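The following batch script is an added example (it is not part of this topic) that configures the three Netsh-only settings covered in the preceding sections: computer startup security, a persistent policy, and the default traffic exemptions. The policy and filter list names, the startup exemption for TCP 3389, and the Telnet block rule are illustrative values chosen for the example.

```batch
@echo off
rem Added example, not from the original topic: close the gap before an IPSec
rem policy is applied.  Names, the TCP 3389 startup exemption and the Telnet
rem block rule are illustrative choices.

rem 1. Computer startup security: stateful filtering until the IPSec service
rem    applies a policy.  value=block drops all traffic instead; value=permit
rem    restores the old behaviour.
netsh ipsec dynamic set config property=bootmode value=stateful

rem    Traffic exempted from startup filtering, in the form
rem    protocol:srcport:dstport:direction (0 = any port).  Here inbound
rem    Remote Desktop stays reachable while the computer starts.
netsh ipsec dynamic set config property=bootexemptions value="TCP:0:3389:inbound"

rem 2. Default exemptions: 3 = only IKE is exempt (the Windows Server 2003
rem    default described above); 0 = the Windows 2000/XP behaviour, where
rem    broadcast, multicast, Kerberos, RSVP and IKE all bypass filtering.
netsh ipsec dynamic set config property=ipsecexempt value=3

rem 3. Persistent policy: written to the persistent store, so it is applied
rem    before the local or Active Directory policy and stays in effect if
rem    that policy cannot be applied (for example because it is corrupted).
netsh ipsec static set store location=persistent
netsh ipsec static add policy name="Persistent Baseline" description="Applied regardless of local or AD policy"
netsh ipsec static add filterlist name="Telnet To Me"
netsh ipsec static add filter filterlist="Telnet To Me" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add rule name="Block Telnet" policy="Persistent Baseline" filterlist="Telnet To Me" filteraction="Block"
netsh ipsec static set policy name="Persistent Baseline" assign=yes

rem Review the resulting configuration.
netsh ipsec dynamic show config
```

The bootmode and bootexemptions settings govern the next computer startup; the persistent policy takes effect as soon as it is assigned.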

IPSec certificate to account mapping for network access control

With the Windows Server 2003 family, if you use either Kerberos V5 or certificate authentication, you can set restrictions on which computers are allowed to connect. This functionality allows you to use IPSec to allow or deny access to a server running Windows Server 2003 for any of the following:

  • Computers that are members of a specific domain.

  • Computers that have a certificate from a specific issuing certification authority.

  • A specific group of computers.

  • A specific computer.

When you enable certificate to account mapping in IPSec, the IKE protocol associates (maps) a computer certificate to a computer account in an Active Directory domain or forest, and then retrieves an access token, which includes the list of the user rights that are assigned to the computer. You can restrict access by configuring Group Policy security settings and assigning either the Access this computer from the network user right or the Deny access to this computer from the network user right to individual or multiple computers, as needed.

For more information about certificate to account mapping for IPSec, see Authentication methods.

For information about configuring security settings in Group Policy, see Security settings overview.

Notes

  • Certificate to account mapping for IPSec is provided only with the Windows Server 2003 family.

  • Certificate mapping is not supported across forests.

Ability to exclude the name of the certification authority (CA) from certificate requests

For enhanced security, when you use certificate authentication to establish trust between IPSec peers, you can now exclude the name of the CA from the certificate request. When you exclude the name of the CA from the certificate request, you prevent the potential disclosure of sensitive information about the trust relationships of a computer, such as the name of the company that owns the computer and the domain membership of the computer (if an internal public key infrastructure is being used), to an attacker.

IPSec policy filters allow logical addresses for local IP configuration

You can now use the IP Security Policy Management console to configure the source or the destination address fields that the local IPSec policy will interpret as the addresses for the DHCP server, the DNS servers, the WINS servers, and the default gateway. As a result, IPSec policies can now automatically accommodate changes in the IP configuration of the server, by using either DHCP or static IP configurations.

This feature is provided only with the Windows Server 2003 family.
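The following batch script is an added example (it is not part of this topic) that combines the three preceding features in one Netsh IPSec rule: certificate authentication with certificate to account mapping, exclusion of the CA name from the certificate request, and filters that use the logical dns and dhcp addresses instead of fixed IP addresses. The policy, filter list, filter action and rule names and the CA distinguished name are placeholders.

```batch
@echo off
rem Added example, not from the original topic: a rule that authenticates
rem peers by certificate, maps the certificate to a domain computer account
rem (certmap:yes) and omits the CA name from the certificate request
rem (excludecaname:yes).  The CA distinguished name is a placeholder.

netsh ipsec static set store location=local
netsh ipsec static add policy name="Cert Mapped Access" description="Example certificate-authenticated policy"

rem Logical addresses: dns and dhcp are resolved from this computer's own IP
rem configuration when the policy is applied, so the filters follow changes
rem made through DHCP or a static reconfiguration (gateway and wins also work).
netsh ipsec static add filterlist name="Infrastructure Servers"
netsh ipsec static add filter filterlist="Infrastructure Servers" srcaddr=me dstaddr=dns protocol=any mirrored=yes description="Me <-> configured DNS servers"
netsh ipsec static add filter filterlist="Infrastructure Servers" srcaddr=me dstaddr=dhcp protocol=any mirrored=yes description="Me <-> configured DHCP server"

netsh ipsec static add filteraction name="Negotiate ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no

rem rootca takes the issuing CA's distinguished name followed by the two
rem options.  With certmap:yes, IKE maps the peer's computer certificate to
rem its computer account and retrieves an access token; the allow or deny
rem decision is then made by the "Access this computer from the network" and
rem "Deny access to this computer from the network" user rights set in
rem Group Policy, not by netsh.  Mapping works only within a single forest.
netsh ipsec static add rule name="Infrastructure Rule" policy="Cert Mapped Access" filterlist="Infrastructure Servers" filteraction="Negotiate ESP" rootca="DC=com,DC=example,CN=Example Root CA certmap:yes excludecaname:yes" conntype=all

netsh ipsec static set policy name="Cert Mapped Access" assign=yes
netsh ipsec static show policy name="Cert Mapped Access"
```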

IPSec functionality over network address translation (NAT)

IPSec Encapsulating Security Payload (ESP) packets can now pass through NATs that allow User Datagram Protocol (UDP) traffic. The IKE protocol automatically detects the presence of a NAT and uses UDP-ESP encapsulation to allow IPSec traffic to pass through the NAT. This functionality is an implementation of the Internet Engineering Task Force (IETF) IP Security Working Group standard for IPSec.

NATs are widely used for Internet Connection Sharing (ICS) and in locations that provide public Internet access (such as hotels and airports) and that are likely to be used by telecommuters. In addition, some Internet service providers (ISPs) use a centralized NAT to connect their clients to the Internet.

IPSec functionality over NAT enables IPSec-secured connections to be established in the following common deployment scenarios:

  • Layer Two Tunneling Protocol (L2TP)/IPSec virtual private network (VPN) clients that are behind NATs can establish IPSec-secured connections over the Internet to their corporate network, using IPSec ESP transport mode.

  • Servers running Routing and Remote Access can establish gateway-to-gateway IPSec tunnels when one of the servers running Routing and Remote Access is behind a NAT.

  • Clients and servers can send IPSec-secured TCP and UDP packets to other clients or servers using IPSec ESP transport mode, when one or both of the computers are behind a NAT. For example, a program running on a server on a perimeter network can be IPSec-secured when it is used to make connections to the corporate network.

Note

  • Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.

For more information about VPNs and IPSec, see Virtual private networking with IPSec. For more information about IPSec transport mode and tunnel mode, see Transport mode and Tunnel mode.

Improved IPSec integration with Network Load Balancing

Improved IPSec integration with Network Load Balancing allows a Network Load Balancing group of servers to provide highly available IPSec-based VPN services. Network Load Balancing can accurately track IPSec-secured sessions, and the IPSec IKE protocol can detect when an IPSec-secured session is being established with a cluster server and quickly recover from a failover. Additionally, Network Load Balancing can now maintain IPSec-secured connections to the correct Network Load Balancing host, even when the number of hosts in the cluster (and the algorithm used to map clients to hosts) changes. Because the IKE protocol automatically detects the Network Load Balancing service, no additional configuration is required to use this feature.

This feature is provided only with Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition.

For more information about Network Load Balancing, see Introduction to Network Load Balancing and How Network Load Balancing works.

IPSec support for RSoP

To enhance IPSec deployment and troubleshooting, IPSec now provides an extension to the Resultant Set of Policy (RSoP) console. RSoP is an addition to Group Policy that you can use to view existing IPSec policy assignments for a computer or for members of a Group Policy container. To view IPSec policy assignments for a computer, run an RSoP logging mode query. To view IPSec policy assignments for members of a Group Policy container, run an RSoP planning mode query. For information about how to view IPSec policy assignments, see Use Resultant Set of Policy (RSoP) to View IPSec Policy Assignments.

After you run an RSoP logging mode query or an RSoP planning mode query, you can view detailed settings (the filter rules, filter actions, authentication methods, tunnel endpoints, and connection types that were specified when the IPSec policy was created) for the IPSec policy that is being applied.

For more information about using RSoP with IPSec, see Using Resultant Set of Policy to view IPSec policy assignments. For general information about RSoP, see RSoP overview.