How It Works
When IPSec was first introduced in Windows 2000, it was not designed as a full-featured host-
based firewall. Rather, it was intended to provide basic filtering functionality using source and
host addresses, protocol information, and port information. IPSec in Windows 2000 created a
number of traffic exemptions to enable Kerberos and quality of service (QoS) traffic, as well as
exempting broadcast and multicast traffic from IPSec processing. Because some administrators
were not aware of these exemptions, they often created policies that did not provide protection
against attacks that use the default exemptions.
Because of this, Microsoft has removed most of these default exemptions for Windows
Server 2003. You can now configure four levels of exemptions that correspond to the numeric
value used in the Registry key and netsh command included in this recipe. If you need to
configure your IPSec policies to coexist with ones created for Windows 2000, you may need to
alter the default exemption behavior of Windows Server 2003. You can use the following four
exemption configuration levels:
0: This exemption level specifies that multicast, broadcast, RSVP, Kerberos, and ISAKMP traffic are exempt from IPSec filtering. This setting was the default filtering behavior for Windows 2000 and Windows XP, and should be used only if you need to provide compatibility for computers running either of these operating systems.
1: This exemption level specifies that Kerberos and RSVP traffic are not exempt from IPSec filtering, but that multicast, broadcast, and ISAKMP traffic are exempt.
2: This exemption level specifies that multicast and broadcast traffic are not exempt from IPSec filtering, but RSVP, Kerberos, and ISAKMP traffic are not processed by IPSec.
3: This exemption level specifies that only ISAKMP traffic—the protocol necessary to initially negotiate an IPSec connection—will be exempt from IPSec filtering. This is the default setting for Windows Server 2003.
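The following script is an added audit example, not part of this recipe or of Microsoft's documentation. It reads the exemption level from the registry and reports which traffic classes bypass IPSec filtering at that level, using the four meanings listed above. The registry location (the NoDefaultExempt DWORD under the IPSEC service key) is the value documented in Microsoft KB 810207; the mapping of levels to exempt traffic is taken from the recipe text. It assumes PowerShell 2.0 or later, which can be installed on Windows Server 2003, and treats a missing value as the Server 2003 default of 3.

```powershell
# Added audit example (not from the recipe): report the IPSec default-exemption
# level on a Windows Server 2003 host and flag anything weaker than the default.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$ValueName = 'NoDefaultExempt'   # DWORD documented in Microsoft KB 810207

# Traffic that bypasses IPSec filtering at each level, as described in the recipe.
$ExemptByLevel = @{
    0 = 'multicast, broadcast, RSVP, Kerberos, ISAKMP'
    1 = 'multicast, broadcast, ISAKMP'
    2 = 'RSVP, Kerberos, ISAKMP'
    3 = 'ISAKMP only'
}

function Get-IpsecExemptionLevel {
    # When the value is absent, Windows Server 2003 behaves as level 3.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.$ValueName
}

$level = Get-IpsecExemptionLevel

if (-not $ExemptByLevel.ContainsKey($level)) {
    Write-Warning "Unexpected $ValueName value $level; expected a level from 0 to 3."
    return
}

Write-Output "IPSec default-exemption level: $level"
Write-Output "Traffic exempt from IPSec filtering: $($ExemptByLevel[$level])"

if ($level -lt 3) {
    # Levels 0-2 re-enable exemptions that KB 811832 describes as usable to
    # bypass IPSec protection; they are justified only for Windows 2000/XP coexistence.
    Write-Warning ("Level $level is weaker than the Windows Server 2003 default (3). " +
                   "Keep it only if Windows 2000/XP coexistence requires it.")
}
```

The script only reports; changing the level is done with the registry edit and netsh command given in the recipe itself, and the IPSec Policy Agent must be restarted for a registry change to take effect.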
See Also
• Microsoft KB 810207: “IPSec Default Exemptions Are Removed in Windows Server 2003”
• Microsoft KB 811832: “IPSec Default Exemptions Can Be Used to Bypass IPSec Protection in Some Scenarios”
• Microsoft KB 253169: “Traffic That Can—and Cannot—Be Secured by IPSec”
7-15. Configuring Startup Protection
Problem
You want to configure startup protection for a Windows Server 2003 computer to protect
network communications after the computer boots but before the IPSec Policy Agent starts.