Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To achieve secure communications with a low cost of ownership, Microsoft® Windows® XP and the Windows Server 2003 family simplify the deployment of IPSec with the following features:
Integration with the security framework in Windows 2000 and the Windows Server 2003 family
IPSec uses the secure domain in Windows 2000 and the Windows Server 2003 family as its trust model. By default, IPSec policies use the Active Directory® default authentication method (Kerberos V5 authentication) to identify and trust communicating computers. Computers that are members of a Windows 2000 or Windows Server 2003 domain, or of a domain that it trusts, can establish IPSec-secured communications without any additional credential deployment.
Centralized IPSec policy administration through Active Directory
IPSec policies can be assigned through Group Policy configuration of Active Directory domains and organizational units. This allows the IPSec policy to be assigned at the domain, site, or organizational unit level, eliminating the administrative overhead of configuring each computer separately.
Transparency of IPSec to users and applications
Integration at the IP layer (layer 3) provides security for any protocol in the TCP/IP suite of protocols. You do not need separate security for each protocol in the TCP/IP suite of protocols, because applications using TCP/IP pass the data to the IP protocol layer, where it is secured.
Flexible security configuration
The security services within each policy can be customized to meet the majority of security requirements for the network and data traffic.
Automatic key management
Internet Key Exchange (IKE) services dynamically exchange and manage cryptographic keys between communicating computers.
Automatic security negotiation
Internet Key Exchange (IKE) services dynamically negotiate a common set of security settings between communicating computers. Each computer offers the ordered list of security methods in its policy, and IKE selects the first method that both sides accept, so the two policies do not need to be configured identically.
Public key infrastructure support
Authentication with public key certificates is supported. This provides trust and secure communication in cases that domain authentication cannot cover: computers that do not belong to a trusted Windows 2000 or Windows Server 2003 domain, computers running non-Microsoft operating systems, computers that are members of untrusted domains, and situations in which access must be restricted to a smaller group of computers than domain authentication allows.
Preshared key support
If authentication using the Kerberos V5 protocol or public key certificates is not possible, a preshared authentication key can be configured.
Preshared key authentication is not recommended because it is a relatively weak authentication method. IKE derives the master key from the preshared key, so a short or guessable key gives an attacker who captures the IKE exchange something to guess at offline, and can leave the negotiated keying material weaker than what certificate or Kerberos V5 authentication produces. In addition, preshared keys are stored in plaintext in the IPSec policy, so anyone who can read the policy can read the key. Preshared key authentication is provided for interoperability and to adhere to the IPSec standards, which require it. Use preshared keys only for testing, and use certificates or Kerberos V5 in a production environment.
The integration with the security framework in Windows 2000 or the Windows Server 2003 family, centralized IPSec policy administration through Active Directory, and the use of the Kerberos V5 protocol as described here do not apply to computers running Windows XP Home Edition. You cannot administer Active Directory-based IPSec policy from computers running Windows XP Home Edition because these computers cannot join Active Directory domains.
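The following cmd.exe script is an added example, not from the original article, showing how the features above come together in a Windows Server 2003 IPSec policy created with the netsh ipsec static context: an ordered list of security methods for IKE to negotiate from, Kerberos V5 authentication for domain members, certificate authentication for computers outside the trusted domain, and no preshared key. The policy, filter list, filter action and rule names, the 10.1.20.0/24 subnet, the domain name and the CA distinguished name are assumptions chosen for illustration.

```batch
@echo off
rem Added example of a Windows Server 2003 IPSec policy built with netsh.
rem All names, addresses and the CA name below are assumptions for illustration.

rem Author the policy in the local store (the default). To author the same
rem policy in Active Directory for Group Policy assignment, point the store
rem at the domain instead, for example:
rem   netsh ipsec static set store location=domain domain=corp.example.com
netsh ipsec static set store location=local

rem 1. The policy. assign=no keeps it inactive until the rule exists.
netsh ipsec static add policy name=Srv-Inbound description="Require IPSec for server subnet traffic" mmpfs=no assign=no

rem 2. A filter list matching traffic between the assumed server subnet and
rem    this computer for any protocol; mirrored=yes also matches the replies.
netsh ipsec static add filterlist name=FL-Servers description="Server subnet to this computer"
netsh ipsec static add filter filterlist=FL-Servers srcaddr=10.1.20.0 srcmask=255.255.255.0 dstaddr=me protocol=any mirrored=yes

rem 3. A filter action that negotiates security. The security methods are an
rem    ordered list: IKE uses the first one both peers accept, so the peer's
rem    list need not be identical. inpass=no and soft=no refuse any fallback
rem    to cleartext if negotiation fails.
netsh ipsec static add filteraction name=FA-Negotiate action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1] ESP[3DES,MD5]"

rem 4. The rule ties filter list and action together and sets the
rem    authentication methods: Kerberos V5 for domain members, and a
rem    certificate chaining to the assumed enterprise root CA for peers that
rem    are not in a trusted domain. No psk= parameter is given, so preshared
rem    key authentication is not offered at all.
netsh ipsec static add rule name=R-Servers policy=Srv-Inbound filterlist=FL-Servers filteraction=FA-Negotiate kerberos=yes rootca="DC=com,DC=example,DC=corp,CN=Corp Root CA certmap:no excludecaname:no"

rem 5. Assign the policy. Only one policy can be assigned per store.
netsh ipsec static set policy name=Srv-Inbound assign=yes

rem Verification:
rem   netsh ipsec static show policy name=Srv-Inbound level=verbose
rem     confirms the rule, filters and authentication methods as stored.
rem   netsh ipsec dynamic show mmsas
rem     lists the established IKE main mode security associations, so you
rem     can see which peers negotiated and with which authentication method.
```

If a test lab really needs a preshared key, add `psk="..."` to the rule in a separate, clearly named policy that is never assigned in the domain store; the key appears in plaintext in the output of `netsh ipsec static show policy ... level=verbose`, which is the practical consequence of the storage caveat above.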