Create the SMS IPsec Policy

To help secure the SMS site systems, you must create an IPsec policy that encrypts all traffic between members of the SMS IPsec group. To create the IPsec policy, you must configure general settings, security settings, and rules.

General Settings

This section describes the general settings that are applied with the IPsec policy that is assigned to all members of the SMS IPsec group. Although there is only one rule applied in this policy, the general settings are also applied.

Configuring the SMS IPsec group policy name, description, and policy refresh interval

The following general settings are configured on the General tab of the properties for the IPsec policy that is assigned to all members of the SMS IPsec group:

Name: SMS IPsec Policy VersionOrDate-TimeLastModified.

Description: Secure all traffic between members of the SMS IPsec group. Permit unsecured traffic with computers that are not members of the SMS IPsec group. Require certifications for authentication.

Policy refresh interval (Check for policy changes every n minutes): 480 minutes (eight hours).

The policy refresh interval determines how often the IPsec Policy Agent queries Active Directory for changes in the assigned IPsec policy. For the initial deployment of IPsec policy, consider setting this value to a short amount of time, such as five minutes, to ensure that you can change policy settings quickly in the event of an error or unforeseen operational impact on communications. However, if there are many servers in the domain, a short polling interval might increase the load on domain controllers.

Configuring Policy Key Exchange Settings

The following general settings are configured in the Key Exchange Settings dialog box of the properties for the IPsec policy that is assigned to members of the SMS IPsec group:

Key lifetime (Authenticate and generate a new key after every n minutes): 480 minutes (eight hours)

Number of quick mode negotiations per main mode (Authenticate and generate a new key after every n sessions): 0 (An unlimited number of session keys can be created from the master key keying material.)

A key lifetime of eight hours ensures that the master key keying material (the Diffie-Hellman key) is regenerated after eight hours. Diffie-Hellman keys remain in memory during their lifetime; therefore, if many clients (several thousand) are connecting to the server for short periods of time, consider reducing their lifetime to reclaim memory. You might also consider reducing the key lifetime in hostile environments where a sophisticated attacker might attempt to intercept the communication. One disadvantage to reducing the key lifetime is that if clients must perform an additional main mode negotiation, this operation can be time-consuming and memory-intensive, and frequent Diffie-Hellman calculations increase the computational load placed on the server.

Configuring Policy Key Exchange Security Methods

The following general settings are configured in the Key Exchange Security Methods dialog box of the properties for the IPsec policy that is assigned to the members of the SMS IPsec group. These security methods are listed in order of preference, by encryption algorithm, integrity algorithm, and Diffie-Hellman group.

  • 3DES/SHA1/Medium (Diffie-Hellman Group 2, 1024 bits)

  • 3DES/MD5/Medium (Diffie-Hellman Group 2, 1024 bits)

Key exchange security method settings determine which security services, key settings, and algorithms are used to help protect identities during authentication and key exchange. As a security best practice, it is recommended that you not use Diffie-Hellman Group 1, which provides only 768 bits of keying strength. Group 1 does not provide a strong level of security (it is provided for interoperability). For enhanced security, Windows Server 2003 IPsec includes Diffie-Hellman Group 14, which provides 2048 bits of keying strength. However, Diffie-Hellman Group 14 is not currently supported in Windows 2000 or Windows XP for general IPsec policy use. For updated information about the availability of Diffie-Hellman Group 14 for Windows XP and Windows 2000, see article 818043, “L2TP/IPsec NAT-T Update for Windows XP and Windows 2000,” in the Microsoft Knowledge Base, at https://go.microsoft.com/fwlink/?LinkId=16462.

Note

To use 3DES on a computer running Windows 2000, you must install the High Encryption Pack or Service Pack 2 (or later). If a computer running Windows 2000 is assigned a policy that uses 3DES encryption but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the security method defaults to the weaker DES algorithm. For more information, see Windows 2000 High Encryption Pack, at https://go.microsoft.com/fwlink/?LinkId=7272.

SMS IPsec Policy Security Settings

The following settings are configured for the first rule that is associated with the IPsec policy assigned to members of the SMS IPsec group:

IP filter list settings

  • Name: Me <-> SMS IPsec group members, all traffic

Filter 1 settings

  • Source address: My IP Address

  • Destination address: A specific IP address (where the IP address is that of the first member of the SMS IPsec group.)

  • Mirrored: Yes (This check box is selected.)

  • Protocol: Any

  • Description: Me <-> GroupMemberName1, all traffic (where GroupMemberName1 is the name of the first member of the SMS IPsec group.)

Note

Create one additional filter setting for each member of the SMS IPsec group that you identified in step 1.

Filter action settings

  • Name: ESP 3DES-SHA1 required

  • Action: Negotiate security

  • Accept unsecured traffic, but always respond using IPsec: No (This check box is cleared; therefore, inbound pass-through is not allowed.)

  • Allow unsecured communication with non-IPsec aware computers: No (This check box is cleared; therefore, fall back to clear is not allowed.)

    Note

    The members of the SMS IPsec group are not able to communicate with each other until they receive the SMS IPsec policy.

  • Perfect forward secrecy (PFS): No (This check box is cleared.)

  • Security method: Custom

  • Data and address integrity without encryption (AH): No (This check box is cleared.)

  • Data integrity and encryption (ESP): Yes (This check box is selected.)

  • Integrity algorithm: SHA1

  • Encryption algorithm: 3DES

  • Session key settings (key lifetimes): 100,000 KB (100 MB) / 3,600 seconds (one hour)

Authentication method, IPsec mode, and connection type

  • Authentication method: Certification authority (preferred) or Preshared key (with understanding of the risks and limitations described earlier in this document)

  • Tunnel setting (IPsec mode): This rule does not specify an IPsec tunnel (This option is selected, so transport mode is used.)

  • Connection type: All network connections
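The same policy expressed as a netsh ipsec static script, as an added example that is not part of the SMS documentation: each of the General, Key Exchange, filter list, filter action and rule settings above maps onto one command parameter, which makes it easier to review and reproduce the policy than clicking through the property sheets. It assumes Windows Server 2003 (the netsh ipsec context is not available on Windows 2000 or Windows XP, which use ipsecpol.exe and ipseccmd.exe instead), a local policy store, and a certificate authentication rule. The policy name suffix, the member addresses 192.0.2.10 and 192.0.2.11, the host names SMSSITE01 and SMSSQL01, the rule name and the CA subject are constructed placeholders that you replace with your own values.

```batch
@echo off
rem Added example, not from the SMS documentation: builds the SMS IPsec policy
rem with "netsh ipsec static" on Windows Server 2003. Addresses, host names,
rem the policy name suffix, the rule name and the CA subject are placeholders.

rem Local store for this example; use location=domain to write the policy to
rem Active Directory so that it can be assigned to all SMS IPsec group members.
netsh ipsec static set store location=local

rem --- General settings and key exchange settings ---
rem mmlifetime and pollinginterval are in minutes (480 = eight hours).
rem qmpermm=0 allows unlimited quick mode negotiations per main mode key.
rem mmsecmethods lists Encryption-Integrity-DHgroup in order of preference;
rem group 2 is the 1024-bit "Medium" group, so group 1 (768 bits) is not offered.
rem activatedefaultrule=no keeps this the only rule in the policy.
netsh ipsec static add policy name="SMS IPsec Policy v1-2004-06-01" ^
    description="Secure all traffic between members of the SMS IPsec group. Permit unsecured traffic with computers that are not members. Require certificates for authentication." ^
    mmpfs=no qmpermm=0 mmlifetime=480 pollinginterval=480 ^
    mmsecmethods="3DES-SHA1-2 3DES-MD5-2" activatedefaultrule=no assign=no

rem --- IP filter list: one mirrored, any-protocol filter per group member ---
netsh ipsec static add filterlist name="Me <-> SMS IPsec group members, all traffic" ^
    description="All traffic between this computer and each SMS IPsec group member"

netsh ipsec static add filter filterlist="Me <-> SMS IPsec group members, all traffic" ^
    srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes ^
    description="Me <-> SMSSITE01, all traffic"

netsh ipsec static add filter filterlist="Me <-> SMS IPsec group members, all traffic" ^
    srcaddr=me dstaddr=192.0.2.11 protocol=ANY mirrored=yes ^
    description="Me <-> SMSSQL01, all traffic"

rem --- Filter action: negotiate ESP 3DES/SHA1, no pass-through, no fallback ---
rem inpass=no  = "Accept unsecured traffic, but always respond using IPsec" cleared
rem soft=no    = "Allow unsecured communication with non-IPsec aware computers" cleared
rem qmpfs=no   = Perfect forward secrecy cleared
rem qmsecmethods: ESP only (no AH), 3DES encryption, SHA1 integrity,
rem session key lifetimes of 100,000 KB and 3,600 seconds.
netsh ipsec static add filteraction name="ESP 3DES-SHA1 required" ^
    action=negotiate inpass=no soft=no qmpfs=no ^
    qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem --- Rule: certificate authentication, transport mode, all connection types ---
rem No tunnel= parameter means transport mode. kerberos=no leaves the CA as the
rem only authentication method; replace the rootca subject with your own CA.
netsh ipsec static add rule name="SMS IPsec group members, all traffic" ^
    policy="SMS IPsec Policy v1-2004-06-01" ^
    filterlist="Me <-> SMS IPsec group members, all traffic" ^
    filteraction="ESP 3DES-SHA1 required" ^
    conntype=all kerberos=no ^
    rootca="CN=Enterprise Root CA,O=Contoso certmap:no excludecaname:no"

rem --- Review before assigning; members cannot talk to each other until every
rem member has received the policy, so assign it on all of them in one change window.
netsh ipsec static show policy name="SMS IPsec Policy v1-2004-06-01" level=verbose
netsh ipsec static set policy name="SMS IPsec Policy v1-2004-06-01" assign=yes

rem --- Verify that traffic to a member actually negotiated security ---
rem After exchanging traffic with 192.0.2.10, a main mode and a quick mode SA
rem for that peer should appear; if they do not, the peer lacks the policy or
rem a trusted certificate and, with soft=no, traffic is dropped rather than sent in clear.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

Because the filter action sets both inpass=no and soft=no, a member whose policy has not yet arrived cannot reach any other member at all, which is the behaviour the note under the filter action settings describes; the show mmsas and show qmsas output is the quickest way to distinguish "policy not applied" from "certificate not trusted" during rollout.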