Default Settings for Windows Firewall with Advanced Security

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

The tables in this topic list the default values for Internet Protocol security (IPsec) settings.

Key exchange

| Setting | Value |
| --- | --- |
| Key lifetimes | 480 minutes/0 sessions* |
| Key exchange algorithm | Diffie-Hellman Group 2 |
| Security methods (integrity) | SHA1 |
| Security methods (encryption) | AES-128 (primary)/3-DES (secondary) |

*A session limit of zero (0) causes rekeys to be determined only by the Key lifetime (minutes) setting.

Data integrity

| Setting | Value |
| --- | --- |
| Protocol | ESP (primary)/AH (secondary) |
| Data integrity | SHA1 |
| Key lifetimes | 60 minutes/100,000 kilobytes (KB) |

Data encryption

| Setting | Value |
| --- | --- |
| Protocol | ESP |
| Data integrity | SHA1 |
| Data encryption | AES-128 (primary)/3-DES (secondary) |
| Key lifetimes | 60 minutes/100,000 KB |

Authentication method

Computer Kerberos version 5 authentication is the default authentication method.

How default settings work with Group Policy

Policies created using the Windows Firewall with Advanced Security snap-in and distributed with Group Policy are applied in this order:

  1. Highest precedence Group Policy object (GPO).

  2. Locally defined policy settings.

  3. Service defaults, as shown in the tables in this topic.
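
The following is an added example, not Microsoft's code. It audits a host's key exchange (main mode) settings against the service defaults in the Key exchange table; any difference means a GPO or locally defined policy has overridden the default, per the precedence order above. The sample text is constructed, modelled on the "Main Mode:" block printed by `netsh advfirewall show global`, and the function names are hypothetical.

```python
import re

# Service defaults from the "Key exchange" table on this page.
DEFAULT_LIFETIME = (480, 0)  # (minutes, sessions)
DEFAULT_METHODS = [("DHGroup2", "AES128", "SHA1"),  # primary
                   ("DHGroup2", "3DES", "SHA1")]    # secondary

# Constructed samples (assumed layout of the "Main Mode:" block printed by
# `netsh advfirewall show global`); not captured from a real host.
SAMPLE_DEFAULT = """\
Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
"""
SAMPLE_CHANGED = """\
Main Mode:
KeyLifetime                           60min,0sess
SecMethods                            DHGroup14-AES256-SHA256,DHGroup2-3DES-SHA1
"""

def parse_main_mode(text):
    """Return ((minutes, sessions), [(dh, cipher, hash), ...])."""
    life = re.search(r"^KeyLifetime\s+(\d+)min,(\d+)sess\s*$", text, re.M)
    meth = re.search(r"^SecMethods\s+(\S+)\s*$", text, re.M)
    if not life or not meth:
        raise ValueError("Main Mode settings not found in input")
    methods = []
    for proposal in meth.group(1).split(","):
        parts = proposal.split("-")
        if len(parts) != 3:
            raise ValueError("unexpected proposal: " + proposal)
        methods.append(tuple(parts))
    return (int(life.group(1)), int(life.group(2))), methods

def drift_from_defaults(text):
    """List differences from the service defaults (empty list = none)."""
    lifetime, methods = parse_main_mode(text)
    findings = []
    if lifetime != DEFAULT_LIFETIME:
        findings.append("KeyLifetime %dmin/%dsess (default 480min/0sess)" % lifetime)
    if methods != DEFAULT_METHODS:  # order matters: primary, then secondary
        got = ",".join("-".join(p) for p in methods)
        findings.append("SecMethods %s (default DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1)" % got)
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(name, drift_from_defaults(text) or "matches service defaults")
```

The check covers only the key exchange settings; the data integrity and data encryption defaults in the other two tables are not part of the sample output used here.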