' Assumed setup (the original recipe defines these in its configuration section):
strComputer = "."                       ' target computer; "." is the local machine
bootMode = 1                            ' assumed DWORD for block mode; the page does not list the values
Const HKEY_LOCAL_MACHINE = &H80000002   ' VBScript does not predefine this constant
' Connect to the WMI registry provider on the target computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
KeyPath = "SYSTEM\CurrentControlSet\Services\IPSec"
ValueName = "OperationMode"
dwValue = bootMode
' Write the startup mode; SetDWORDValue returns 0 on success
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, KeyPath, ValueName, dwValue
How It Works
To understand the importance of configuring startup protection, it's necessary to understand
the behavior of IPSec when a Windows Server 2003 computer boots up. This behavior can be
broken down into two separate stages:
• When the computer first powers on, network access will be unavailable until both
the TCP/IP driver and the IPSec driver are started and operational. This is a security
enhancement in Windows Server 2003 since no network communication can take place
until IPSec is “armed and ready.”
• After the IPSec driver has started, the IPSec Policy Agent (listed as IPSec Services in
the Services applet) will start and apply any local or GPO-enabled IPSec policies that
have been configured for the local computer. However, during the window, however short,
between the IPSec driver starting and the IPSec Policy Agent applying an IPSec policy,
TCP/IP traffic can still be sent and received.
You set the IPSec startup mode to configure IPSec to protect the local computer until
the IPSec Policy Agent is able to both start and successfully apply an IPSec policy. You can
configure the IPSec Policy Agent in one of three startup modes:
Block: Drops all incoming packets until a local or domain-based IPSec policy is applied.
This mode cannot be configured via the graphical user interface. You must use netsh or
edit the Registry to set block mode.
Permit: Does not perform any IPSec filtering, and allows all traffic to pass unimpeded until
an IPSec policy is applied. This behavior is configured by setting the IPSec Services startup
mode to Disabled or Manual.
Stateful: Allows incoming traffic in response to any outgoing traffic initiated by the client.
This behavior occurs when you assign an IPSec policy to the local computer and set the
IPSec Services startup mode to Automatic.
Note If no IPSec policy is configured for the local computer, the IPSec Policy Agent will load in permit
mode, even if the service is set to Automatic startup.
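The three rules above (service start type, whether a policy is assigned, and an explicit block setting) decide what protection a host actually has during the boot window. The following Python is an added example, not part of the original recipe: it encodes those rules as a decision function and runs an audit over a constructed inventory. The numeric OperationMode values and the precedence of an explicit block setting over the service start type are assumptions, since the text states neither; the service "Start" values (2/3/4) are the standard Windows ones.

```python
from dataclasses import dataclass

# Assumed REG_DWORD values of the OperationMode value named in the recipe
# (HKLM\SYSTEM\CurrentControlSet\Services\IPSec); verify against Microsoft's
# documentation before relying on them.
OPMODE_PERMIT, OPMODE_BLOCK, OPMODE_STATEFUL = 0, 1, 3

# Standard "Start" values of a Windows service registry key
START_AUTOMATIC, START_MANUAL, START_DISABLED = 2, 3, 4


@dataclass(frozen=True)
class IpsecBootConfig:
    operation_mode: int       # OperationMode DWORD read from the IPSec driver key
    policy_agent_start: int   # "Start" value of IPSec Services (Policy Agent)
    policy_assigned: bool     # a local or GPO IPsec policy is assigned


def effective_startup_mode(cfg: IpsecBootConfig) -> str:
    """Apply the text's rules to decide how the host behaves between the IPSec
    driver starting and the Policy Agent applying a policy."""
    # An explicit block setting (netsh / registry) is treated as authoritative;
    # its precedence over the service start type is an assumption.
    if cfg.operation_mode == OPMODE_BLOCK:
        return "block"
    # Disabled or Manual start type: no filtering until a policy is applied.
    if cfg.policy_agent_start in (START_MANUAL, START_DISABLED):
        return "permit"
    # Automatic start but no assigned policy: the agent loads in permit mode.
    if not cfg.policy_assigned:
        return "permit"
    # Automatic start with an assigned policy: stateful boot-time filtering.
    return "stateful"


def audit(hosts: dict) -> dict:
    """Return {host: (startup_mode, finding)} so an unprotected boot window
    ('permit') stands out in a fleet review."""
    report = {}
    for name, cfg in hosts.items():
        mode = effective_startup_mode(cfg)
        finding = "unprotected boot window" if mode == "permit" else "ok"
        report[name] = (mode, finding)
    return report


# Constructed sample inventory (not real hosts)
SAMPLE_HOSTS = {
    "srv-file01": IpsecBootConfig(OPMODE_STATEFUL, START_AUTOMATIC, True),
    "srv-web02": IpsecBootConfig(OPMODE_STATEFUL, START_AUTOMATIC, False),
    "srv-dc03": IpsecBootConfig(OPMODE_BLOCK, START_AUTOMATIC, True),
    "srv-legacy": IpsecBootConfig(OPMODE_PERMIT, START_MANUAL, True),
}
```

On a real host the three inputs come from the registry (the OperationMode key path is the one the recipe writes to) and the service configuration; `audit(SAMPLE_HOSTS)` shows the shape of the result.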
IPSec will remain in startup mode until the IPSec Policy Agent is successfully loaded, at
which point it enters operational mode. At this point, any configurations that apply to startup
mode will be discarded. IPSec will then assume whatever configuration has been set through a