Dialog Box: Customize Data Protection Settings

Applies To: Windows 7, Windows Server 2008 R2

Use this dialog box to add, edit, reorder (change the priority of), or remove the data integrity and data encryption algorithms that IPsec proposes for quick mode. You can list more than one algorithm in each list and assign the order in which they are attempted. During negotiation, the first algorithm in the initiating computer's list that the responding computer also accepts is used.

You must specify algorithms that are also specified in the rules on the computers with which you want to communicate; if the two computers have no algorithm in common, quick mode negotiation fails and no IPsec-protected traffic flows. For more information, see IPsec Algorithms and Protocols Supported by Windows (https://go.microsoft.com/fwlink/?linkid=129230).

Note

A best practice is to list the algorithms in order of greatest security at the top to least security at the bottom. This way, the strongest algorithm that the two negotiating computers have in common is used. Because the negotiation picks the first entry in the initiator's list that the responder accepts, use the same order on both computers; otherwise, which algorithm is chosen depends on which computer initiates the connection. Weaker algorithms can be kept lower in the list for backward compatibility, but any algorithm that remains in the list can still be negotiated by a peer that offers only that algorithm, so remove an algorithm you no longer need rather than just moving it down.

How to get to this dialog box

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.

  2. Click the IPsec Settings tab.

  3. Under IPsec defaults, click Customize.

  4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

Performance considerations for encryption

The encryption algorithms that provide the best security for your data are those that make it computationally infeasible to decrypt the data without the key. The algorithms themselves are computationally intensive and can degrade performance. In general, as you switch to algorithms with larger key sizes or more rounds, the processing required per packet increases, although the cost differs considerably between algorithm families, so measure throughput on representative traffic rather than assuming that a stronger algorithm is always slower.

Windows supports the use of network adapters that have cryptographic processors that can perform most of the IPsec encryption calculations. This frees up your main processors to do other things and reduces the performance overhead of IPsec. For more information, see Improving Network Performance by Using IPsec Task Offload (https://go.microsoft.com/fwlink/?linkid=129229).

Require encryption for all connection security rules that use these settings

Select this check box to require encryption, not just integrity protection, for every connection security rule that uses these default settings. If you select this check box, the Data integrity section (the integrity-only combinations) is disabled, and you can only specify algorithm combinations in the Data integrity and encryption section.

Data integrity

This list shows the currently configured data integrity algorithms. These are integrity-only combinations (AH, or ESP with an integrity algorithm and no encryption): they let the receiver detect tampering and verify the sender, but they do not hide the data from anyone who can capture the traffic. When negotiating the details of the quick mode SA with another computer, the algorithms are proposed in the order shown. Use the up and down arrows to arrange the algorithms into the preferred order. You should place the algorithms with stronger protection at the top of the list, and those with weaker protection at the bottom of the list. Include weaker algorithms only if required to support computers that cannot use the stronger algorithms.

If you select Require encryption for all connection security rules that use these settings, then this section is disabled.

To add an algorithm to the list, click Add. To modify an algorithm that is already in the list, select the algorithm, and then click Edit. To remove an algorithm from the list, select the algorithm, and then click Remove.

Data integrity and encryption

This list shows the currently configured algorithm combinations that include both encryption and data integrity. When negotiating the details of the quick mode SA with another computer, the algorithm combinations are proposed in the order shown. Use the up and down arrows to arrange the algorithm combinations into the preferred order. You should place the algorithm combinations with stronger protection at the top of the list and those with weaker protection at the bottom of the list. Include weaker algorithm combinations only if required to support computers that cannot use the stronger algorithm combinations.

To add an algorithm combination to the list, click Add. To modify an algorithm combination that is already in the list, select the algorithm combination, and then click Edit. To remove an algorithm combination from the list, select the algorithm combination, and then click Remove. For more information, see Dialog Box: Add or Edit Integrity and Encryption Algorithms.
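The Note above and the two lists in this dialog box come down to one rule: every proposal should be strongest-first, and weak algorithms should be absent rather than merely demoted. The PowerShell script below is an added example (it is not part of the original page or of Microsoft's documentation) that audits the quick mode proposals netsh reports for each connection security rule and flags MD5, DES or 3DES, integrity-only proposals, and any list that is not ordered strongest-first. The QuickModeSecMethods line shape it parses, the sample output, the strength ranks, and the netsh command quoted in the comments are assumptions modelled on the netsh advfirewall consec syntax; the sample output is constructed, and you should compare the parser against real output from your own computers before relying on it.

```powershell
# Added example, not from the original page: audit the quick mode (data protection)
# proposals that netsh reports per connection security rule, and flag proposals that
# use weak algorithms or that are not listed strongest-first.
#
# Assumptions (verify on your own systems):
#  - The "QuickModeSecMethods:" line shape is modelled on
#      netsh advfirewall consec show rule name=all verbose
#    as ESP:<integrity>-<encryption>+<minutes>min+<kilobytes>kb or AH:<integrity>+...
#  - The strength ranks below are an editorial ordering for this audit, not a Microsoft table.
#  - To re-order a rule's own proposals strongest-first, the assumed command shape is:
#      netsh advfirewall consec set rule name="Domain Isolation" new qmsecmethods=esp:sha256-aes256,esp:sha1-aes128
#    A rule whose qmsecmethods is "default" uses the lists configured in this dialog box.

# Constructed sample standing in for the real netsh output.
$SampleNetshOutput = @'
Rule Name:                            Domain Isolation
----------------------------------------------------------------------
Enabled:                              Yes
Action:                               RequireInRequireOut
QuickModeSecMethods:                  ESP:SHA256-AES256+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb

Rule Name:                            Legacy Print Servers
----------------------------------------------------------------------
Enabled:                              Yes
Action:                               RequestInRequestOut
QuickModeSecMethods:                  ESP:MD5-3DES+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,AH:SHA1+60min+100000kb
'@

# Higher rank = stronger. Keys are the algorithm tokens netsh uses, upper-cased.
$IntegrityRank  = @{ 'MD5' = 0; 'SHA1' = 1; 'SHA256' = 2; 'AESGMAC128' = 3; 'AESGMAC192' = 3; 'AESGMAC256' = 4; 'AESGCM128' = 3; 'AESGCM192' = 3; 'AESGCM256' = 4 }
$EncryptionRank = @{ 'NONE' = 0; 'DES' = 0; '3DES' = 1; 'AES128' = 2; 'AES192' = 3; 'AES256' = 4; 'AESGCM128' = 2; 'AESGCM192' = 3; 'AESGCM256' = 4 }

function Test-QuickModeSecMethods {
    param([Parameter(Mandatory = $true)][string]$NetshOutput)

    $rule = $null
    foreach ($line in ($NetshOutput -split "`r?`n")) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') { $rule = $Matches[1]; continue }
        if ($line -notmatch '^QuickModeSecMethods:\s+(.+?)\s*$') { continue }
        $methods = $Matches[1]

        $previousScore = $null
        $position = 0
        foreach ($proposal in ($methods -split ',')) {
            $position++
            # ESP:<integrity>-<encryption>[+lifetimes] or AH:<integrity>[+lifetimes]
            if ($proposal -notmatch '^(?<encap>ESP|AH):(?<integ>[A-Z0-9]+)(?:-(?<enc>[A-Z0-9]+))?') { continue }
            $integ = $Matches['integ'].ToUpper()
            $enc = 'NONE'
            if ($Matches['enc']) { $enc = $Matches['enc'].ToUpper() }
            $score = [int]$IntegrityRank[$integ] + [int]$EncryptionRank[$enc]

            $issues = @()
            if ($integ -eq 'MD5') { $issues += 'MD5 integrity' }
            if (@('DES', '3DES') -contains $enc) { $issues += "$enc encryption" }
            if ($enc -eq 'NONE') { $issues += 'integrity only, no confidentiality' }
            if ($null -ne $previousScore -and $score -gt $previousScore) {
                $issues += 'stronger than the proposal above it (list is not strongest-first)'
            }

            # One result object per proposal; an empty Issues column means it passed.
            New-Object PSObject -Property @{
                Rule     = $rule
                Position = $position
                Proposal = $proposal.Trim()
                Score    = $score
                Issues   = ($issues -join '; ')
            }
            $previousScore = $score
        }
    }
}

Test-QuickModeSecMethods -NetshOutput $SampleNetshOutput |
    Select-Object Rule, Position, Proposal, Score, Issues | Format-Table -AutoSize
```

To run it against a live system, replace the constructed sample with the captured text of netsh advfirewall consec show rule name=all verbose (for example, by piping that command's output through Out-String). On the sample, the first rule passes except for its trailing 3DES entry, and the second rule is flagged for MD5 and 3DES in its first proposal, for listing a stronger AES-128 proposal below it, and for an integrity-only AH proposal; the same ordering rule applies to the lists in this dialog box, which rules with qmsecmethods set to default inherit.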

Additional references