Designing IPSec Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use IPSec policies to filter, authenticate, or encrypt network traffic. An IPSec policy consists of a set of security rules. Each security rule consists of an IP filter with a filter action to permit or block traffic or to negotiate security. If you define a filter action to negotiate security and encrypt a specific type of traffic, you must configure additional settings, such as an authentication method for establishing trust between IPSec peers. IPSec can be configured in many different ways; therefore, you must understand IPSec in detail and test your policy configurations in lab environments before you attempt to use policies in a production environment.

For example, an IPSec policy that secures end-to-end traffic cannot be assigned to a single computer; however, an IPSec policy that only uses permit or block filtering can be assigned to a single computer. You must fully understand IPSec before you assign an IPSec policy. If an IPSec policy is not correctly configured and assigned, it might inadvertently block all communication to a computer.

Important

The IPSec filter lists, actions, and default policies included with Windows Server 2003 are not appropriate to use under any circumstances. They are intended only as examples to demonstrate behavior. Administrators must design and build their own policies, and customize the policies for their particular situation and security requirements.

For more information about IPSec policy, see "Deploying IPSec" in Deploying Network Services of this kit, and the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit). For more information about how to use IPSec and Group Policy, see "Assign or unassign IPSec policy in Group Policy" and "Creating, modifying, and assigning IPSec policies" in Help and Support Center for Windows Server 2003.

Assigning an IPSec policy to a GPO records a pointer to the IPSec policy that is inside the GPO attribute ipsecOwnersReference. The GPO itself contains only a Lightweight Directory Access Protocol (LDAP) distinguished name (also known as DN) reference to the IPSec policy. Group Policy is used only to deliver the policy assignment to the computer’s IPSec service. The computer’s IPSec service then retrieves the IPSec policy from Active Directory, maintains a current cache of the policy locally, and keeps it current by using a polling interval that is specified in the IPSec policy itself. Because the IPSec policy itself is not stored inside the GPO, its settings can be assigned to and shared by many GPOs. Consider the following characteristics when you plan for the behavior and management of Group Policy for IPSec.

Plan IPSec Policy to Fit Your Active Directory Structure

By default, in Windows Server 2003, Active Directory restricts Read permissions on the IP Security Policies container to a greater degree than in Windows 2000. If you are deploying a new installation of Windows Server 2003 Active Directory, be aware that IPSec policies cannot be read by computers in child domains, even though the GPO can be read by computers in the child domain. The domain administrator must explicitly allow permissions for computers in child domains to read the IPSec policy from the parent domain.

For clean Windows Server 2003 installations of Active Directory, the Group Policy Creator Owners administrative group does not have permission by default to create or modify IPSec policies. By default, only members of the Domain Admins group have this permission, and the Group Policy Creator Owners group has read-only permission. Upgrades of Windows 2000 Active Directory domains to Windows Server 2003 domains do not change permissions on existing IPSec policy objects.

Domain-based IPSec policy objects are stored in the IP Security Policies container in Active Directory, which is separate from the GPOs to which IPSec policies are applied. The domain administrator must grant permissions to the IP Security Policies container for other delegated administrators to administer IPSec policies. Standard delegation tools cannot be used to delegate permissions to administer IPSec policies. Instead, domain administrators must use the Active Directory Service Interfaces (ADSI) Edit tool for this purpose.

ADSIEdit is a Microsoft Management Console (MMC) snap-in that domain administrators can use to edit objects in the Active Directory database. When domain administrators delegate permissions to others to administer IPSec policies, the delegated administrators must have Full Control permissions to all IPSec policy objects in the IP Security Policies container.

After an IPSec administrator creates an IPSec policy, a member of the Group Policy Creator Owners group or other delegated owner of the GPO can assign the IPSec policy to the appropriate GPOs.

Warning

To modify access control lists (ACLs) on the IP Security Policies container, domain administrators should use the tools that are provided with the Windows 2000 or Windows Server 2003 operating system CD. When domain administrators modify ACLs on the IP Security Policies container, they must specify that all modifications are also propagated to all child objects. Incorrect modification of the ACLs on the IP Security Policies container, failure to propagate modifications to the child objects of this container, or both, can result in the failure of IPSec policy settings to be properly applied.

ADSIEdit is one of the Windows Support tools included on the Windows 2000 and Windows Server 2003 operating system CDs. You can install these tools by running the Support Tools Setup program, Suptools.msi, from the \Support\Tools folder.

For more information about permissions for the IP Security Policies container, see article 329194, "IPSec Policy Permissions in Windows 2000 and Windows Server 2003" in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkID=106552.

Unlike most Group Policy settings, multiple IPSec policies that are assigned in different GPOs are not merged. The last GPO in the Active Directory directory tree (closest to the computer object) that contains an IPSec policy assignment is the one that takes effect. Because the actual IPSec policy that is applied on the computer depends on the network adapter configuration of that computer, using the IP Security Monitor snap-in or Netsh IPSec context (the netsh ipsec static show and netsh ipsec dynamic show commands) is the only way to view the detailed IPSec policy settings as they are applied on the computer.

Note

Netsh is a command-line tool for configuring networking components on the local computer or on remote computers running Windows 2000, Windows XP Professional, or Windows Server 2003. The Netsh IPSec context is only available on Windows Server 2003. For more information about using the Netsh IPSec context, see "Netsh commands for Internet Protocol security (IPSec)" in Help and Support Center for Windows Server 2003.

Group Policy inheritance in Active Directory cannot be blocked for a specific GPO without affecting other settings in the GPO. If you must control IPSec policy inheritance, create a new GPO that is dedicated exclusively to deploying and assigning IPSec policy.

For recommendations on the uses of IPSec, see "Special IPSec considerations" in Help and Support Center for Windows Server 2003.

Ensure That Your New IPSec Policies Are Applied

When you deploy an IPSec policy by using Group Policy, Group Policy (Winlogon) polling detects changes in policy assignments within the GPOs. Additionally, during the Group Policy poll, IPSec checks whether its policy has changed regardless of whether the GPO has changed. Running the gpupdate /target:computer command detects that an IPSec policy is newly assigned in a GPO and causes the IPSec service to apply that policy. It also causes IPSec to detect whether the IPSec policy has changed even though the GPO may not have changed. If an assigned IPSec policy has not changed, then no IPSec policy changes are applied to the computer. Running the gpupdate /target:computer /force command causes the IPSec policy agent to reload the assigned IPSec policy regardless of whether the GPO or the IPSec policy has changed.

IPSec also uses its own polling mechanism to detect a change in an IPSec policy that is already assigned (for example, a filter list change). This polling mechanism provides compatibility with previous versions of Windows, but it is no longer necessary because IPSec detects changes to IPSec policies during the Group Policy interval. However, it might be necessary to configure the IPSec polling interval to be shorter than the Group Policy polling interval during IPSec policy change rollout. A shorter IPSec polling interval lets you quickly roll back any changes if problems occur, and is also useful if you are using an IPSec domain policy to respond to security incidents. For more information, see article 813878, "How to Block Specific Network Protocols and Ports by Using IPSec," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

To completely delete and reload all existing IPSec policy configurations that affect communication, you must stop and then restart the IPSec service by using the net stop policyagent and net start policyagent commands. If your remote access service is configured to use Layer Two Tunneling Protocol (L2TP)/IPSec, you must restart the Routing and Remote Access service after the newly restarted IPSec service is running. Also, if an L2TP/IPSec virtual private network (VPN) client connection is connected when the IPSec service is restarted, the VPN connection is interrupted and must be reconnected.
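The refresh-and-verify sequence described above, written as a command script for a Windows Server 2003 computer. This is an added example, not a script from the Deployment Kit; the /reload switch and the use of sc query to test for Routing and Remote Access are this example's own choices.

```batch
@echo off
rem Added example: refresh the IPSec policy assignment and show what is
rem actually in effect. Requires the Netsh IPSec context (Windows Server 2003).

rem 1. What Group Policy currently says is assigned to this computer.
echo === GPO-assigned IPSec policy (before refresh) ===
netsh ipsec static show gpoassignedpolicy

rem 2. Computer-only Group Policy refresh. Besides picking up a new
rem    assignment, this makes the IPSec service compare its cached policy
rem    with Active Directory, so a changed filter list is applied too.
rem    An assigned policy that has not changed is left alone.
gpupdate /target:computer

echo === GPO-assigned IPSec policy (after refresh) ===
netsh ipsec static show gpoassignedpolicy

rem 3. Assigned is not the same as active: list the main-mode and
rem    quick-mode policy and the filters as expanded for this computer's
rem    network adapters, which is the only reliable view of what applies.
echo === Active policy and filters ===
netsh ipsec dynamic show mmpolicy all
netsh ipsec dynamic show qmpolicy all
netsh ipsec dynamic show mmfilter all
netsh ipsec dynamic show qmfilter all

rem 4. Optional: /reload drops and reloads every IPSec policy setting by
rem    restarting the IPSec service. Active L2TP/IPSec VPN connections are
rem    interrupted; RRAS must be restarted after the IPSec service is up.
if /i "%1"=="/reload" (
    net stop policyagent
    net start policyagent
    sc query remoteaccess | find "RUNNING" >nul && (
        net stop remoteaccess
        net start remoteaccess
    )
)
```

Use gpupdate /target:computer /force instead of the plain refresh when you want the policy agent to reload the assigned policy even though neither the GPO nor the policy has changed.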

IPSec policies cannot be applied by using security templates, and they cannot be analyzed by the Security Configuration Manager.

IPSec Differences When Using the Group Policy Management Console (GPMC)

Because the IPSec policy itself is not stored inside the GPO, note the following differences when using GPMC to manage GPOs that have IPSec policies applied:

  • You can use the GPMC Backup and Restore capabilities to store information about which IPSec policies are assigned to specific Group Policy objects. However, because the IPSec policies themselves aren’t stored in GPOs, you must use the Export Policies and Import Policies commands of the IP Security Policy Management snap-in to back up and restore the IPSec policies themselves.

  • GPMC Delegation of rights and Security Filtering permissions only apply to the GPO, not to the IPSec policy that is assigned in the GPO. Thus, delegation of edit rights within GPMC only allows a user to assign or unassign an existing IPSec policy in the specific GPO, and only if the user also has read access rights to the IPSec policy. Delegation of rights to create, edit, or delete IPSec policies must be done on the IPSec policies container.

  • GPMC Import Settings can only import an IPSec policy assignment and cannot be used to import IPSec policies into a GPO. The IP Security Policy Management snap-in provides export and import capabilities for the IPSec policy store. When using GPMC to import or copy a GPO into another domain or forest, the IPSec policy assignment is invalidated for the new GPO. The administrator must assign an IPSec policy in that domain or forest to the GPO.

  • The GPMC Group Policy Results wizard is used to show which GPOs are applied to a computer, which includes the IPSec policy assignments. To find out which IPSec policy is assigned to a specific computer, after running the wizard, right-click the computer node, and then select Advanced View.

Additionally, on computers running Windows XP, IPSec does not provide Resultant Set of Policy (RSoP) information. GPMC Group Policy Results shows the GPO being processed, but does not show which IPSec policy is assigned. Use netdiag /test:ipsec to view the assigned IPSec policy.
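A backup script that covers both halves described in the list above: the GPO (which holds only the assignment pointer) through the GPMC scripts, and the IPSec policies themselves through the Netsh equivalent of the snap-in's Export Policies command. This is an added example, not part of the Deployment Kit; the GPO name, domain name and backup folder are placeholders.

```batch
@echo off
setlocal
rem Added example: back up a GPO and the domain IPSec policy store together.
rem Placeholder values (assumptions, replace for your environment):
set GPO_NAME=IPSec Deployment GPO
set DOMAIN=corp.example.com
set BACKUP=D:\Backups\IPSec

if not exist "%BACKUP%" mkdir "%BACKUP%"

rem 1. GPMC backup of the GPO. This captures the ipsecOwnersReference
rem    pointer to the IPSec policy, but not the policy object itself.
cscript "%ProgramFiles%\GPMC\Scripts\BackupGPO.wsf" "%GPO_NAME%" "%BACKUP%" /domain:%DOMAIN%

rem 2. Point Netsh at the domain policy store (the IP Security Policies
rem    container) and export every policy, filter list and filter action.
rem    This is the command-line counterpart of Export Policies in the
rem    IP Security Policy Management snap-in.
netsh ipsec static set store location=domain domain=%DOMAIN%
netsh ipsec static exportpolicy file="%BACKUP%\domain-ipsec-policies.ipsec"

rem 3. Record which policy the GPO points at. A GPMC import or copy into
rem    another domain or forest invalidates the assignment, so this note is
rem    what an administrator needs to re-create it after an import.
netsh ipsec static show gpoassignedpolicy name="%GPO_NAME%" > "%BACKUP%\gpo-ipsec-assignment.txt"
endlocal
```

To restore, import the .ipsec file into the target domain store with netsh ipsec static importpolicy file=... first, then restore the GPO with the GPMC RestoreGPO.wsf script and re-assign the recorded policy to it.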

Note

Additional IPSec design and deployment information is not included in this chapter. For more information about deploying IPSec, see "Deploying IPSec" in Deploying Network Services of this kit. For more information about how to create IPSec policies, see "Creating, modifying, and assigning IPSec policies" in Help and Support Center for Windows Server 2003.