Share via


How IPSec Policy Extension Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How IP Security Policy Extension Works

In this section

  • IPSec Policy Extension Architecture

  • IPSec Policy Extension Processes and Interactions

  • Related Information

An Active Directory deployment is recommended for central management and distribution of Internet Protocol Security (IPSec) policies. Deployment of IPSec policy in an Active Directory environment requires Windows Server 2003, Windows 2000 Server, and Windows 2000 Professional or Windows XP Professional clients. The IP Security Policies extension of Group Policy Object Editor is used for managing IPSec in Active Directory environments. Policy based on Active Directory is not supported for computers running Windows XP Home Edition.

For computers that are not members of a domain, you can use the IP Security Policy Management snap-in to manage the local computer.

To successfully deploy IPSec, the following conditions must also be met:

  • Each computer that must establish IPSec-secured communications has an assigned IPSec policy. The assigned policy must be compatible with the IPSec policy that is assigned to other computers with which it must communicate.

  • Authentication is configured correctly and an appropriate authentication method is selected in the IPSec policy, so that mutual authentication can occur between IPSec peers.

  • Routers, firewalls, or other filtering devices are configured correctly on all parts of the corporate network to permit IPSec protocol traffic, if IPSec-secured traffic must pass through these devices.

  • IPSec policy compatibility issues must be considered if computers are running different versions of the Windows operating system (Windows Server 2003, Windows XP, and Windows 2000).

  • For client computers that need to establish IPSec-secured connections with servers, servers must be adequately sized to support those connections. If necessary, IPSec hardware offload network adapters can be used.

This section discusses how IPSec Policy Extensions work. It presents information about IPSec architecture and how IPSec policies are stored.

IPSec Policy Extension Architecture

The basic components of IPSec in Windows Server 2003 include the Policy Agent, the Internet Key Exchange (IKE) module, the IPSec driver, and the TCP/IP driver, as shown in the following figure.

IPSec Policy Extension Architecture

IPsec Policy Extension Architecture

The following table describes the IPSec policy-related components.

IPSec Policy-Related Components and Descriptions

Component Description

IP Security Policy Management Snap-in

This is the administrative tool for configuring IPSec policies in Active Directory or on the local computer. When the IP Security Policy Management snap-in loads as part of a GPO, it appears in the Computer Configuration\Security Settings node of Group Policy Object Editor(displayed as IP Security Policies). IP Security policies set from a GPO that is linked to a site, domain, organizational unit (OU), or local computer follow GPO inheritance and filtering rules.

Policy Agent

The Policy Agent controls the retrieval and distribution of IPSec policy and maintains the most current configured policy data for the IPSec Driver and IKE module. The Service Control Manager starts the Policy Agent, which runs in the context of the local security authority (LSA). The Policy Agent performs the following tasks when it is started (when the Local Security Authority is initialized):

  1. Starts the IKE module.

  2. Retrieves IPSec policies.

  3. Determines the filter list order.

  4. Delivers IP filters to the IPSec driver.

  5. Delivers both Phase 1 and Phase 2 settings to IKE.

  6. Polls for policy updates.

For more information about the Policy Agent tasks, see Process Flow, later in this section.

Internet Key Exchange (IKE) Module

The IKE module is used to establish a combination of mutually agreeable policy settings and keys that define the security services, protection mechanisms, and cryptographic keys between communicating peers. This combination is called a security association (SA). The IPSec driver in Windows 2000 and Windows Server 2003 uses the IKE module to protect all corresponding network traffic.

To create an SA between the two computers, the IETF has established a standard method of SA and key exchange resolution, which combines the Internet Security Association and Key Management Protocol (RFC 2408) and the Oakley Key Determination Protocol (RFC 2412). This standard method is IKE and is described in RFC 2409.

IPSec Driver

The IPSec driver receives the active IP filter list from the IPSec Policy Agent, and then attempts to match every inbound and outbound packet against the filters in the list. If a packet matches a filter, the IPSec driver applies the filter action. If a packet does not match any filters, the packet is passed back without modification to the TCP/IP driver to be received or transmitted.

If the filter action permits transmission, the packet is received or sent with no modifications. If the action blocks transmission, the packet is discarded. If the action requires the negotiation of security, main mode and quick mode SAs are negotiated.

TCP/IP Driver

The TCP/IP driver is the Windows 2000 implementation of the TCP/IP protocol. It starts the IPSec driver.

Policy Store

This maintains both IPSec policy descriptions and interfaces to applications and other tools that provide for policy data management. The policy store accesses IPSec policy data stored in either the local registry or Active Directory.

Local Registry

The local registry stores the locally configured IPSec policies, the local cache, and other IPSec settings.

Local Cache

The local cache stores IPSec policies after they are pulled from an Active Directory domain controller. The local cache is part of the registry.

Windows Management Instrumentation (WMI)

WMI is a component of the Microsoft Windows operating system and is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. You can use WMI to automate administrative tasks in an enterprise environment.

IP Security Container

Each domain OU has an internal system container in Active Directory. IPSec policies created with IP Security Policiesare stored in this location.

IPSec Policy Extension Processes and Interactions

This section discusses how IPSec Policies are processed, assigned, and stored.

The sequence of events is as follows:

  1. During computer startup, the TCP/IP driver starts the IPSec driver.

  2. The Service Control Manager starts the IPSec Policy Agent. The Policy Agent service performs the following tasks when it is initialized:

    • In preparation for loading the IPSec policy from either Active Directory or the local registry, the Policy Agent initializes the policy state and polling interval.

    • The policy agent loads the IPSec policy from the appropriate store. If boot time security is enabled, the IPSec driver mode is changed from the boot mode (block or stateful) to normal operational mode.

    • The policy agent retrieves the appropriate IPSec policy (if one has been assigned) from the Active Directory directory store or from the registry.

      To determine if IPSec policies exist, the Policy Agent checks the local registry and the Active Directory domain or OU to which the computer belongs. The Policy Agent checks the registry for the value that indicates the location of the computer’s IPSec policy in Active Directory. If the computer is a member of a domain and an IPSec policy exists, this value was set during computer initialization. The registry key checked is:

      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\IPSec \GPTIPSECPolicy\DSIPSECPolicyPath.

      If the computer is not a member of a domain, or if there is no IPSec policy in Active Directory, a value does not exist.

      If IPSec policies are found in Active Directory, in a Group Policy object, the Policy Agent retrieves the policies and stores them in the local cache. Note that the local Active Directory cache is not used for locally assigned policies. If IPSec policies are defined both locally and in Active Directory, the policies based on Active Directory override the local policies.

      If there are no IPSec policies in Active Directory or the registry, or if the IPSec Policy Agent cannot connect to Active Directory, the IPSec Policy Agent waits for policy to be assigned or activated.

  3. The IKE module, which runs in the context of the local security authority (LSA) is started.

  4. After the policy load process is completed, the Policy Agent begins a service loop.

    In Windows Server 2003, if an unexpected event occurs, the IPSec driver is put into Block mode and all network traffic is blocked. This is the network security component failing to a secure mode. This applies only to Windows Server 2003; Windows 2000 and Windows XP do not block traffic.

For more information about Windows Server 2003 IPSec, see “What Is IPSec?” in the Networking Collection.

Assignment of IPSec Policy

You can assign IPSec policy to a local computer and to computers in Active Directory sites, domains or organizational units. For computers that are not members of a domain, you can assign local IPSec policy.

The main method for building an IPSec policy is to use the IP Security Policy Management snap-in to create, modify, and activate IPSec policies, and then assign them to computers in either Active Directory (for domain members) or to the local computer (for computers that are not members of a domain).

When you assign an IPSec policy in a GPO, a Lightweight Directory Access Protocol (LDAP) pointer to the IPSec policy is recorded in the IPSecOwnersReference attribute of the GPO. When the GPO is applied to the computer, the IP Security Policies extension of Group Policy Object Editor reads the LDAP pointer from the GPO and writes it to the registry. When the IPSec service starts on the computer, it reads the LDAP pointer and queries Active Directory to obtain the IPSec policy settings. The IPSec service maintains a current local cache of the IPSec Policy by periodically polling for changes. The polling frequency is based on a polling interval that is specified on the IPSec policy.

You can also create and assign persistent IPSec policy to secure a computer even if a local IPSec policy or an Active Directory IPSec policy cannot be applied. This policy adds to or overrides the local or Active Directory policy, and remains in effect regardless of whether other policies are applied. Persistent IPSec policies enhance security by providing a secure transition from computer startup to IPSec policy enforcement. Persistent policy also provides backup security in the event of an IPSec policy corruption, or if errors occur during the application of local or domain-based IPSec policy. To configure persistent policies, you must use the netsh ipsec static set store location=persistent command.

Administering IPSec Policies with Group Policy Management Console

IPSec policies are stored separately from the GPOs that have policies applied; therefore, administrators need to be aware of the following differences. Domain-based IPSec policies are stored in the IP Security Policiescontainer in the System container.

Back-up and Restore of IPSec Policies

Group Policy Management Console (GPMC) provides back-up and restore operations for Group Policy objects (GPOs). These operations help administrators maintain their Group Policy deployment in the event of a disaster. It is a recommended practice to regularly back up all GPOs. To provide consistency, when you use these tools, make sure that you include IPSec policies. However; GPMC tools do not store the IPSec policies themselves; therefore, you cannot use GPMC tools to back up and restore the actual IPSec policies. You can only back-up and restore information about whether the IPSec policies are assigned to Group Policy objects and, if so, to which Group Policy objects.

The IPSec policy objects in the IP Security Policies container in Active Directory can be backed up and restored by using the Export Policies and Import Policies commands in the IP Security Policiesconsole. The Export Policies command exports all IPSec policy objects from the policy store into one .IPSec file. The Import Policies command imports all IPSec policy objects in the .IPSec file into the destination policy store.

Note

  • Importing IPSec policy into Active Directory overwrites existing IPSec policy objects.

For information about GPMC, see “What Is Group Policy Management Console?” in this collection.

Delegation of Rights to Manage IPSec Policies

GPMC delegation of rights and security filtering permissions only apply to the GPO; they do not apply to the IPSec policy that is assigned in the GPO. Thus, delegation of edit rights in GPMC only enables a user to assign or unassign an existing IPSec policy in the specific GPO, and only if the user also has read access rights to the IPSec policy. To delegate rights to create, edit, or delete IPSec policies, administrators must perform the delegation on the IPSec policies container.

Applied IPSec Policies

You can use the GPMC Group Policy Results wizard to show which GPOs are applied to a computer, including the IPSec policy assignments. Advanced View in the computer node shows which IPSec policy is assigned to a specific computer.

On computers running Windows XP, IPSec does not provide Resultant Set of Policy (RSoP) information. GPMC Group Policy Results only shows the GPO being processed, but does not show which IPSec policy is assigned. To view the assigned IPSec policy, you can use netdiag /test:ipsec.

For information about netdiag, see “IPSec Policy Extension Tools and Settings.”

IPSec Order of Precedence

Although most Group Policy settings are cumulative, you can assign only one IPSec policy to a computer at a time. If multiple IPSec policies have been assigned at different Active Directory levels, the last one applied is the one that takes effect. IPSec policy settings differ from other types of Group Policy settings in that IPSec policy settings from different OUs are not merged.

IPSec policy uses the same precedence sequence as other Group Policy settings, from lowest to highest. The following list outlines the default order in which policies are applied. You can override this order by using Group Policy options, including Enforced, Block Policy Inheritance, and the loopback policy processing option (the User Group Policy loopback processing mode policy setting):

  • Local GPO. Each computer has one local GPO. If a computer is not a member of a domain, this is the only place where you can assign IPSec policy. You can assign an IPSec policy by editing the local GPO, but you can also assign a local policy directly in the IP Security Policy Management snap-in, outside of the Group Policy context, or by using the Netsh IPSec context. When IPSec policy assignments are made outside of the GPO context, the GPO cannot display the local IPSec policy that is assigned.

  • Site. IPSec policies are infrequently assigned at the site level because this would require all computers within a site to have the same security needs, which is unlikely. Furthermore, if the computer moves to another subnet — such as when a user travels to another location with a laptop that uses DHCP — different policies might be in effect, resulting in different security behaviors.

  • Domain. Simple IPSec policies are often assigned at the domain level and then superseded by more specific IPSec policies, as required on various OUs.

  • OU. Specific IPSec policies are assigned to groups of computers. This is the last policy applied under normal conditions and, therefore, the policy takes precedence. If an OU is nested within another OU, the IPSec policy assigned to the nested OU takes precedence.

Persistence of IPSec Policy

An IPSec policy that has been assigned might remain active (persist) even after a GPO to which it is assigned has been deleted. When you assign an IPSec policy in a GPO, a Lightweight Directory Access Protocol (LDAP) pointer to the IPSec policy is recorded in the IPSecOwnersReference attribute of the GPO. The IP Security Policies extension reads the LDAP pointer from the GPO and writes it to the registry when the GPO is applied to the computer. This registry entry can persist if you delete a GPO that contains an assigned IPSec policy. Although the IPSecOwnersReference LDAP pointer is updated when the GPO is deleted, it points to an unreadable object (the location of the deleted objects container), which IPSec services cannot access. As a result, IPSec policy fails and an error is logged.

To prevent an IPSec policy from persisting, you must unassign the IPSec policy in the GPO beforeyou delete the GPO. Unassigning the IPSec policy deletes the LDAP pointer from the GPO.

Storage of IPSec Policy Settings

Domain-based IPSec policy objects are stored in the IP Security Policies container in Active Directory, which is separate from the GPOs to which the IPSec policies are applied. The domain administrator must grant permissions to the IP Security Policies container for other delegated administrators to administer IPSec policies. Standard delegation tools cannot be used to delegate permissions to administer IPSec policies. Instead, domain administrators must use Active Directory Service Interfaces (ADSI) Edit for this purpose.

ADSIEdit is a Microsoft Management Console (MMC) snap-in that domain administrators can use to edit objects in the Active Directory database. When domain administrators delegate permissions to others to administer IPSec policies, the delegated administrators must have Full Control permissions to all IPSec policy objects in the IP Security Policies container. After an IPSec administrator creates an IPSec policy, a member of the Group Policy Creator Owners group or other delegated owner of the GPO can assign the IPSec policy to the appropriate GPOs.

Note

  • To modify ACLs on the IP Security Policies container, domain administrators should use the tools that are provided with the Windows 2000 or Windows Server 2003 operating system CD. When domain administrators modify ACLs on the IP Security Policies container, they must specify that all modifications are also propagated to all child objects. Incorrect modification of the ACLs on the IP Security Policies container, failure to propagate modifications to the child objects of this container, or both, can result in the failure of IPSec policy settings to be properly applied.

On standalone computers, IPSec policy is stored in the local registry.

ADSIEdit is one of the Windows Server 2003 Support Tools which are included on the Windows Server 2003 operating system CD. You install these tools separately by running the Support Tools Setup program, Suptools.msi, from the \Support\Tools folder.

For more information about permissions for the IPSec Policies container, see article 329194, “Permissions on the IPSec Policy Store” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Baselink on the Web Resources page.

IP Security Container Default Permissions

In Windows Server 2003, the default discretionary access control lists (DACLs) for the IP Security container are described in the following tables. The IPSec container owner is the Domain Admin, and group membership is Domain Admin.

The following table lists access rights related to the IPSec container and describes their values.

IPSec Container Access Rights Values and Descriptions

Access Right Value Description

ADS_RIGHT_DS_READ_PROP

The right to read properties of the object. The ObjectType member of an access control entry (ACE) can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties.

ADS_RIGHT_DS_WRITE_PROP

The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties.

ADS_RIGHT_DS_CONTROL_ACCESS

The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.

ADS_RIGHT_DS_LIST

The right to list a particular object. If the user is not granted such a right, and the user does not have ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is '0' or not set.

ADS_RIGHT_DS_LIST_OBJECT

The right to list a particular object. If the user is not granted such a right, and the user does not have ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is '0' or not set.

ADS_RIGHT_DS_CREATE_CHILD

The right to create children of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.

ADS_RIGHT_DS_DELETE_CHILD

The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.

ADS_RIGHT_READ_CONTROL

The right to read data from the security descriptor of the object, not including the data in the SACL.

ADS_RIGHT_WRITE_DAC

The right to modify the discretionary access-control list (DACL) in the object security descriptor.

ADS_RIGHT_WRITE_OWNER

The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.

ADS_RIGHT_DELETE

The right to delete the object.

ADS_RIGHT_DS_DELETE_TREE

The right to delete all children of this object, regardless of the permissions of the children.

ADS_RIGHT_DS_SELF

The right to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all valid write operations associated with the object.

The following table lists the access control rights for the IPSec container.

DACLs for IPSec Container

DACLs Access Rights

Allow domain computers

ADS_RIGHT_DS_READ_PROP

ADS_RIGHT_DS_LIST

ADS_RIGHT_DS_LIST_OBJECT

ADS_RIGHT_READ_CONTROL

Allow Group Policy Creator Owner

ADS_RIGHT_DS_READ_PROP

ADS_RIGHT_DS_LIST

ADS_RIGHT_DS_LIST_OBJECT

ADS_RIGHT_READ_CONTROL

Allow Domain Admin

ADS_RIGHT_DS_READ_PROP

ADS_RIGHT_DS_WRITE_PROP

ADS_RIGHT_DS_CONTROL_ACCESS

ADS_RIGHT_DS_LIST

ADS_RIGHT_DS_LIST_OBJECT

ADS_RIGHT_DS_CREATE_CHILD

ADS_RIGHT_DS_DELETE_CHILD

ADS_RIGHT_READ_CONTROL

ADS_RIGHT_WRITE_DAC

ADS_RIGHT_WRITE_OWNER

ADS_RIGHT_DS_SELF

Allow Local SYSTEM

ADS_RIGHT_DS_READ_PROP

ADS_RIGHT_DS_WRITE_PROP

ADS_RIGHT_DS_CONTROL_ACCESS

ADS_RIGHT_DS_LIST

ADS_RIGHT_DS_LIST_OBJECT

ADS_RIGHT_DS_CREATE_CHILD

ADS_RIGHT_DS_DELETE_CHILD

ADS_RIGHT_READ_CONTROL

ADS_RIGHT_WRITE_DAC

ADS_RIGHT_WRITE_OWNER

ADS_RIGHT_DELETE

ADS_RIGHT_DS_DELETE_TREE

ADS_RIGHT_DS_SELF

The following changes are implemented in Windows Server 2003, and they apply to both new and upgrade installations of Windows Server 2003:

  • An inheritable DACL is included with the IP Security container.

  • An empty DACL is included with the built-in IPSec policies. Because the DACL is empty, objects can inherit permissions from the IP Security container and other parent containers in Active Directory.

  • The default DACL for all IPSec objects is changed so that all new objects that you create have an empty DACL and can inherit permissions. As a result, IPSec policies that are created from Windows 2000, Windows XP or Windows Server 2003 management clients have the new permissions.

To view these ACLs, you can use the ADSIEdit.exe tool (described earlier in Storage of IPSec Policy Settings) or Ldp.exe. The Ldp.exe tool provides an interface to perform Lightweight Directory Access Protocol (LDAP) operations against Active Directory. Ldp.exe and ADSIEdit.exe are two of the Windows Server 2003 Support Tools, which are included in the Windows Server 2003 operating system CD. You can install these tools by running the Support Tools Setup program, Suptools.msi, from the Support\Tools folder.

For more information about delegating IPSec permissions, see “Delegating Permissions to Modify Active Directory Based IPSec Policy” in the Using Microsoft Windows IPSec to Help Secure an Internal Corporate Network Server article available at the Microsoft Download Center.

For more information about control access rights, search for “Control Access Rights” in the Directory Services SDK Documentation in the Microsoft Platform SDK on MSDN.

IPSec Policy Polling Interval

The general IPSec policy settings include a polling interval, Policy change poll interval, which specifies the number of minutes between consecutive polls for changes in IPSec policies based on Active Directory. The default value for the Policy change poll interval is 180 minutes. This polling does not detect a change in domain or organizational unit membership, or the assigning or unassigning of a new policy; these events are detected when the Winlogon service polls for changes in Group Policy, which occurs every 90 minutes by default.

To generate an immediate update of changes in IPSec policy settings, instead of waiting for the next polling period, you can use the Gpupdate command, by typing the following at the command prompt: gpupdate /target:computer.

The following resources contain additional information that is relevant to this section.