Creating, modifying, and assigning IPSec policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Creating, modifying, and assigning IPSec policies

IPSec policies can be applied to local computers, domains, sites, organizational units, or any Group Policy object in Active Directory. You can create, modify, and assign IPSec policies by using the IP Security Policy Management console that is available in Microsoft Management Console (MMC) or by using the Netsh commands for IPSec that are available at the command line.

Your organization's IPSec policies should be based on your written guidelines for secure operations. Policies can store multiple rules, so that one policy can be used to affect multiple types of traffic.

The Windows 2000, Windows XP, and Windows Server 2003 family include example IPSec policies. These examples are provided only to show how policies can be designed. They are not designed as default policies for securing a client or a server in a production environment. Instead, you should design and create custom IPSec policies that apply to the specific scenarios in your security plan.

Notes

IPSec driver modes

To understand how IPSec policies are processed and applied, it is important to understand the modes in which the IPSec driver operates. The IPSec driver operates in computer startup mode and operational mode and, optionally, in a diagnostics mode for troubleshooting.

Computer startup mode

During computer startup, the Windows operating system loads the IPSec driver to perform in computer startup mode. Computer startup mode is used until the IPSec Policy Agent sets the IPSec driver into an operational mode. The IPSec driver can perform in any one of the following computer startup modes:

  • Permit. When the IPSec driver operates in permit mode, it does not process any IP packets, and, therefore, no IPSec security is provided. If an IPSec policy has never been assigned to a computer, permit mode is the default mode for the IPSec driver.

  • Stateful. When the IPSec driver operates in stateful mode, it allows all outbound traffic, and it automatically creates inbound permit filters in response to the outbound traffic. All other inbound unicast, broadcast, and multicast packets are dropped. If an IPSec policy has been assigned to a computer, the IPSec Policy Agent sets the stateful mode for the IPSec driver by default.

  • Block. When the IPSec driver operates in block mode, it discards all inbound and outbound IP packets, except for those that match specific filters that you can configure to be used during block mode. By default, all inbound and outbound DHCP traffic is permitted so that an IP address can be obtained. You can configure filters for block mode by using the netsh ipsec dynamic set config bootexemptions command.

To change the default mode for the IPSec driver during computer startup, use the netsh ipsec static set config bootmode command.

Operational mode

After the IPSec service starts, the IPSec Policy Agent can set the IPSec driver to any one of the following operational modes. The operational mode that is chosen does not change the mode that the IPSec driver uses during computer startup.

  • Secure. When the IPSec driver operates in secure mode, IPSec policy filters are enforced for standard IPSec operation. The IPSec Policy Agent sets the driver into secure mode after it applies persistent policy (if a persistent policy has been configured) and before it applies the Active Directory-based policy or the local policy. If no persistent policy has been configured and assigned, secure mode does not provide IPSec protection until either the assigned Active Directory-based policy or the local policy is applied. When the Active Directory-based policy or the local policy changes, the IPSec Policy Agent updates the IPSec filter list in the IPSec driver. If no IPSec policy is assigned, the IPSec Policy Agent deletes the filters from the IPSec driver and no IPSec protection is provided in this mode.

  • Permit. When the IPSec driver operates in permit mode, it does not process any IP packets, and, therefore, no IPSec protection is provided. Permit mode is used when the IPSec service is manually stopped.

  • Block. When the IPSec driver operates in this mode, the exemptions that might apply during computer startup are not applied. Instead, all inbound and outbound traffic is blocked. This mode is used to enhance security, in the event that the IPSec Policy Agent fails to apply a persistent policy, if a persistent policy has been configured.

The operational mode can be configured only by the IPSec Policy Agent. You cannotuse the Netsh commands for IPSec to configure this mode.

Diagnostic mode

To record all inbound and outbound dropped packets and other packet processing errors in the Event Viewer System log for troubleshooting, you can enable IPSec driver event logging and specify the level of logging to provide. The types of packet processing errors that the IPSec driver records in the System log depend on the level of logging that is provided. IPSec driver logs can record inbound and outbound per-packet drop events during computer startup mode and operational mode.

IPSec driver event logging is disabled by default, and it should not be used for extended periods. Depending on the logging level that you set, many events might be generated that fill the System log very quickly. For more information, see the section "Using Netsh to change the IPSec configuration on computers running the Windows Server 2003 family" in IPSec troubleshooting tools.

Application methods for IPSec policy

IPSec policies are provided in six ways, in the order described in the following sections.

IPSec startup policy

When a computer loads the Windows operating system during startup, the IPSec driveris loaded at the same time as the TCP/IP driver. The following table describes thebehavior of the IPSec driver based on the startup type of the IPSec service.

IPSec service startup type IPSec driver behavior

Disabled

The IPSec driver loads in permit mode, meaning that no IPSec security is applied. In this mode, the IPSec driver does not filter any traffic.

Manual

The IPSec driver loads in permit mode, meaning that no IPSec security is applied. In this mode, the IPSec driver does not filter any traffic.

Automatic

The IPSec driver loads in a startup mode configured by the IPSec Policy Agent. If no IPSec policy is assigned, by default the IPSec driver loads in permit mode. If IPSec policy is assigned, the IPSec Policy Agent configures the IPSec driver to load in stateful mode.

After the IPSec service starts, persistent policy (if it has been configured) is applied, and the IPSec driver is set to secure mode (normal operation).

When the IPSec driver is loaded, it reads the registry to determine the actions that it must perform during computer startup. These actions include:

  • Whether to apply stateful filtering, permit all traffic, or block all traffic.

  • Whether to exempt specific traffic types from filtering during computer startup.

  • Whether to enable IPSec diagnostic logging and, if so, which level of logging to provide.

  • Whether to modify the default IPSec traffic exemption. By default, in the Windows Server 2003 family, RSVP, Kerberos, multicast, and broadcast traffic are not exempt from IPSec filtering. Only IKE traffic is exempt.

The IPSec driver remains in a startup mode until the IPSec Policy Agent sets it to an operational mode. After the IPSec driver is set to secure operation mode, the startup stateful mode settings are discarded. You can use the Netsh commands for IPSec to configure IPSec driver settings. For more information, see the netsh ipsec dynamic set config section in Netsh commands for Internet Protocol security.

Persistent policy

In the Windows Server 2003 family, you can use the Netsh commands for IPSec to add, modify, and maintain IPSec policy settings permanently, after you run the appropriate commands. This type of policy is known as a persistent policy. You can configure persistent policies to extend existing Active Directory-based or local IPSec policies, override Active Directory-based or local IPSec policies, and enhance security during computer startup. Persistent policies enhance security by providing a secure transition from computer startup to Active Directory-based IPsec policy enforcement.

Persistent policies provide the following two key benefits:

  • You can configure a persistent policy as your most restrictive IPSec policy. For example, the persistent policy can block all inbound traffic to the Internet IP address of a computer, except for ICMP traffic and communication with a particular management station. To complement the persistent policy, you can design an Active Directory-based policy or a local policy with additional rules that include more specific filters to allow additional communication types.

  • You can selectively enforce security rules that are required only for specific servers, due to unique network adapter configurations or program needs. For example, you can enforce security rules specifying that:

    • A specific port always be blocked.

    • Traffic that uses a specific network adapter be permitted without IPSec security, or only with IPSec security.

    • Unsecured traffic to a specific monitoring station be permitted.

Persistent policies, if configured, are stored in the local registry. The persistent store is loaded by the IPSec Policy Agent during service startup. After a persistent policy is successfully applied, the IPSec Policy Agent sets the IPSec driver to secure mode. If an error occurs when a persistent policy is applied, the IPSec Policy Agent removes the persistent policy settings from the IPSec driver and sets the IPSec driver to block operation mode for security. You can update a persistent policy at any time, as long as the IPSec service is running. However, changes in persistent policy are not active immediately. You must restart the IPSec service to load the new persistent policy settings.

If you have configured Active Directory-based policies, you can use a persistent policy as a tool to require that traffic to Active Directory always be secured by IPSec, including the retrieval of Active Directory-based IPSec policies. When an Active Directory-based or local policy is applied, those policy settings are added to the persistent policy settings.

To configure persistent policies, you must use the netsh ipsec static set store location=persistent command. To view the IPSec policy that is currently being applied, you can use either IP Security Monitor or the netsh ipsec dynamic show commands. For information about how to use Netsh, see Netsh commands for Internet Protocol security.

Important

  • To provide maximum protection against attacks during computer startup, it is highly recommended that you configure and assign a persistent policy. If you do not configure a persistent policy, no policy can be enforced by the IPSec driver until the IPSec Policy Agent retrieves and applies the assigned Active Directory-based or local IPSec policy.

Active Directory-based policy

A Group Policy object defines access, configuration, and usage settings for accounts and resources. IPSec policies can be assigned to the Group Policy object of a site, domain, or organizational unit. When the IPSec policy is applied to one of the Group Policy objects for the Active Directory object, the IPSec policy is propagated to all of the computer accounts that are affected by that Group Policy object.

You can manage Active Directory-based policy by using the IP Security Policy Management console or by using the netsh ipsec static set store location=domain command. IPSec policies that are configured and assigned for the domain take precedence over the local, active IPSec policy on a computer, when that computer is a member of the domain. Active Directory-based policy overrides any local IPSec policy that is assigned, and it adds to the persistent IPSec policy that has already been applied by the IPSec Policy Agent, if a persistent policy has been configured.

Important

  • Several features in the Windows Server 2003 family implementation of IPSec are not provided in Windows 2000 or in Windows XP. To ensure that the same IPSec policy functions as expected on computers running the Windows Server 2003 family and on computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment. For more information about new features in IPSec, see New features for IPSec.

  • If you plan to apply IPSec policies that use the new features that are available only in the Windows Server 2003 family implementation of IPSec, do not use the Windows 2000 or the Windows XP version of the IP Security Policy Management console to manage these policies. The settings in the earlier versions of the IP Security Policy Management console will override the settings in the Windows Server 2003 family IPSec policy, and the new features will not be functional.

When assigning an IPSec policy in Active Directory, consider the following:

  • The list of all IPSec policies is available to assign at any level in the Active Directory hierarchy. However, only a single IPSec policy can be assigned at a specific level in Active Directory.

  • An IPSec policy that is assigned to an organizational unit in Active Directory takes precedence over a domain-level policy for members of that organizational unit.

  • An IPSec policy that is assigned to the lowest-level organizational unit in the domain hierarchy overrides an IPSec policy that is assigned to a higher-level organizational unit, for member computers of that organizational unit.

  • An organizational unit inherits the policy of its parent organizational unit unless either policy inheritance is explicitly blocked or policy is explicitly assigned.

  • IPSec policies from different organizational units are never merged.

  • The highest possible level of the Active Directory hierarchy should be used to assign policies to reduce the amount of configuration and administration required.

  • An IPSec policy might remain active even after the Group Policy object to which it is assigned has been deleted. Because of this, you should unassign the IPSec policy before you delete the policy object. To prevent problems, use the following procedure:

    1. Unassign the IPSec policy in the Group Policy object.

    2. Wait 24 hours to ensure that the change is propagated.

    3. Delete the Group Policy object.

      If you delete the Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be located and continue to use a cached copy.

  • You can use Group Policy backup and restore tools to store information about which policy is assigned to a Group Policy object. To ensure consistency, when you use these tools, make sure that you include IPSec policies. Because these tools do not store the IPSec policies themselves, however, you cannot use them to back up and restore the IPSec policies themselves. You can only back up and restore information about whether the IPSec policies are assigned to Group Policy objects and, if so, to which Group Policy objects. To back up and restore all of the IPSec policies in the IPSec container in Active Directory, use the Export Policies and Import Policies commands in the IP Security Policy Management console. For more information, see Export IPSec policies and Import IPSec policies.

  • Before assigning an IPSec policy to a Group Policy object, verify the Group Policy settings that are required for the IPSec policy. For example, if an IPSec policy requires certificate authentication, assign the Group Policy settings that allow computers to enroll for certificates (usually one or two days before you assign the IPSec policy that requires use of the computer certificate). In addition, you should test the certificate enrollment process and resolve any errors before assigning the IPSec policy.

The IPSec Policy Agent on a computer running Windows XP Professional or a Windows Server 2003 operating system polls Active Directory for updates to the assigned IPSec policy. This polling does not detect a change in domain or organizational unit membership or the assigning or unassigning of a new IPSec policy. These events are detected when the Winlogon service polls for changes in Group Policy, which occurs by default every 90 minutes. The Winlogon service discovers these changes, notifies the IPSec Policy Agent, and the IPSec policy changes are applied.

For more information about Group Policy, see Group Policy overview.

Notes

  • The integration of IPSec policies with Active Directory described here does not apply to computers running Windows XP Home Edition because you cannot administer Active Directory-based IPSec policy from a computer running Windows XP Home Edition.

  • Careful planning is required when you design Active Directory-based IPSec policies for computers that are used the internal network and on other public or partner networks.

  • By default, IPSec policies are read from Active Directory when the connection to Active Directory is interpreted by Group Policy to be a slow link.

Directory cache policy

If you assign an Active Directory-based IPSec policy, a copy of the current policy is maintained in a cache in the local registry. If the computer to which the policy is assigned cannot connect to the domain, the cached copy of the Active Directory-based policy is applied. This cached policy adds to the settings of the persistent policy, if a persistent policy has been configured. Note that you cannot configure or manage the cached copy of an Active Directory-based IPsec policy.

Local computer policy

Each computer running Windows XP or a Windows Server 2003 operating system has exactly one local Group Policy object, often called the local computer policy. In using this local Group Policy object, Group Policy settings can be stored on individual computers regardless of whether they are members of an Active Directory domain. The local Group Policy object can be overwritten by Group Policy objects associated with sites, domains, or organizational units in an Active Directory environment. On a network without an Active Directory domain (a network that lacks a Windows 2000 or a Windows Server 2003 domain controller), the local Group Policy object settings determine IPSec behavior because they are not overwritten by other Group Policy objects.

You can manage local IPSec policies by using the IP Security Policy Management console or by using the netsh ipsec static set store location=local command. The settings of a local IPSec policy are added to the persistent policy, if a persistent policy has been configured. If an Active Directory-based IPSec policy is assigned, and if the computer is connected to an Active Directory domain, the settings of the Active Directory-based policy are applied instead.

For information about how to assign IPSec policy locally, see Assign or unassign IPSec policy on a computer.

Netsh dynamic mode policy

You can use the netsh ipsec dynamic commands to create, modify, and assign IPSec rules that take effect immediately and are not stored. If the IPSec service is stopped, either administratively or when the computer is restarted, these rules are lost. However, if you use the netsh ipsec dynamic set config commands to change the IPSec configuration, those settings are not lost.