IPSec Policy Structure

IPSec policies can be applied to computers, sites, domains, or any organizational units (OUs) you create in the Active Directory.

Your IPSec policies should be based on your organization's written (and unwritten) guidelines for secure operations. Through the use of security actions, called rules, one policy can be applied to heterogeneous security groups of computers or organizational units. For more information about choosing guidelines for secure operations, see "Best Practices" later in this chapter.

There are two storage locations for IPSec policies:

  1. Active Directory

  2. Locally defined in the registry for stand-alone computers and computers that are not joined to the domain (when the computer is temporarily not joined to a trusted Windows 2000 domain, the policy information is cached in the local registry). For more information, see the section titled "Policy Agent" previously in this chapter.
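To check which of the two stores a given computer is actually using, the following PowerShell script (an added example, not part of the original chapter) reads the registry keys maintained by the Policy Agent. The key and value names it uses (`GPTIPSECPolicy` with `DSIPSECPolicyName` and `DSIPSECPolicyPath`, and the `Policy\Local` and `Policy\Cache` subkeys) are assumed from the Windows 2000/XP IPSec layout and should be confirmed on your build.

```powershell
# Added example: report which IPSec policy store is in effect on this computer.
# Registry paths and value names below are assumptions based on the Windows 2000/XP
# IPSec policy layout; confirm them on your build before relying on the result.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'

# Domain assignment: the Policy Agent records the Active Directory policy it was given here.
$gpt = Get-ItemProperty -Path "$base\GPTIPSECPolicy" -ErrorAction SilentlyContinue

# Local store (stand-alone / non-domain computers) and the cache of the last domain
# policy, which the agent falls back to when the domain is unreachable.
$localKeys = @(Get-ChildItem -Path "$base\Policy\Local" -ErrorAction SilentlyContinue)
$cacheKeys = @(Get-ChildItem -Path "$base\Policy\Cache" -ErrorAction SilentlyContinue)

if ($gpt -and $gpt.DSIPSECPolicyPath) {
    Write-Output ("Active Directory policy assigned: {0}" -f $gpt.DSIPSECPolicyName)
    Write-Output ("  Directory path : {0}" -f $gpt.DSIPSECPolicyPath)
    Write-Output ("  Cached objects : {0}" -f $cacheKeys.Count)
    if ($cacheKeys.Count -eq 0) {
        Write-Output "  Warning: no cached copy; policy will not survive loss of domain connectivity"
    }
}
elseif ($localKeys.Count -gt 0) {
    Write-Output ("Local registry policy store in use ({0} objects); no domain assignment found" -f $localKeys.Count)
}
else {
    Write-Output "No IPSec policy assigned: neither the domain assignment nor the local store is populated"
}
```

Run it as an administrator on the computer in question; a domain-joined machine that reports the local store, or a domain assignment with an empty cache, is worth investigating because it means the policy the directory intends to enforce is not what the Policy Agent will apply if the domain becomes unreachable.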

Each policy you create should apply to a scenario you listed when you established a security plan. Special configuration settings might apply if you are assigning policies to a DHCP server, Domain Name System (DNS), Windows Internet Name Service (WINS), Simple Network Management Protocol (SNMP), or remote access server. For more information, see "Special IPSec Considerations" later in this chapter.