Assigning IPSec Policies Locally

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Each computer running Windows Server 2003 has one local GPO, which is also known as the local computer policy. When this local GPO is used, Group Policy settings can be stored on individual computers regardless of whether they are members of an Active Directory domain. The local GPO can be overridden by GPOs assigned to sites, domains, or OUs in an Active Directory environment that have higher precedence. On a network without an Active Directory domain (that is, a domain that does not have a domain controller running Windows 2000 or Windows Server 2003), the local GPO settings determine IPSec behavior because they are not overridden by other GPOs.

Local policy assignment is a way to enable IPSec for computers that are not members of a domain.

You can also create and assign persistent IPSec policy, which secures a computer even if a local IPSec policy or an Active Directory–based IPSec policy cannot be applied. This policy adds to or overrides the local or Active Directory policy, and remains in effect regardless of whether other policies are applied. Persistent IPSec policies enhance security by providing a secure transition from computer startup to IPSec policy enforcement. Persistent policy also provides backup security in the event of IPSec policy corruption, or if errors occur during the application of local or domain-based IPSec policy. To configure persistent policies, you must use the netsh ipsec static set store location=persistent command.

When designing persistent IPSec policy, it is important to consider the potential impact of persistent policy on remote management. If local or domain-based IPSec policy is not applied and the persistent IPSec policy is the only policy that is applied, attempts to remotely diagnose an issue might be blocked by the persistent IPSec policy. To allow for remote management in case troubleshooting is required, it is recommended that you create appropriate permit filters when configuring persistent IPSec policy.

To enable remote management, add the following exemption by using the Netsh IPSec context command:

netsh ipsec dynamic set config bootexemptions tcp:0:3389:inbound udp:0:68:inbound

This command specifies two things: that the destination port 3389 for inbound TCP connections is permitted, thereby enabling clients to use Remote Desktop Connection or Remote Assistance; and that destination port 68 for inbound UDP connections is permitted, thereby preserving DHCP functionality.

If an error occurs when persistent IPSec policy is applied, the IPSec driver will block all traffic except for that which matches any specific permit filters that you configure (by using the netsh ipsec dynamic set config bootexemptions command), and DHCP.
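The following script is an added example, not part of the original article, that carries out the procedure described above end to end: it switches the netsh ipsec static context to the persistent store, builds a persistent policy whose only rule is a permit filter for inbound Remote Desktop (so a remote administrator is not locked out if local or domain policy fails to apply), assigns it, returns the context to the local store, and finally sets the boot-time exemptions shown earlier. The object names (RemoteMgmtPolicy, RemoteMgmtFilters, PermitAction, RemoteMgmtRule) are hypothetical; the netsh ipsec static verbs used are the standard Windows Server 2003 ones, but the exact behaviour of assign=y in the persistent store is an assumption you should verify with the show policy output at the end.

```batch
@echo off
rem Added example (not from the original article): persistent IPSec policy with
rem an explicit permit rule for remote management, plus boot-time exemptions.
rem Run from an elevated command prompt on Windows Server 2003.
rem All object names below are hypothetical.

rem 1. Direct subsequent "netsh ipsec static" commands at the persistent store.
netsh ipsec static set store location=persistent

rem 2. Create the policy, unassigned until its rule is in place.
netsh ipsec static add policy name=RemoteMgmtPolicy description="Persistent policy: permit remote management" assign=no

rem 3. Filter list matching inbound RDP to this computer.
rem    srcport=0 means "any source port"; dstaddr=me is this computer's addresses;
rem    mirrored=yes also matches the outbound reply traffic.
netsh ipsec static add filterlist name=RemoteMgmtFilters description="Remote management permit filters"
netsh ipsec static add filter filterlist=RemoteMgmtFilters srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes description="Inbound Remote Desktop"

rem 4. A permit action, and a rule binding filter list + action into the policy.
netsh ipsec static add filteraction name=PermitAction action=permit
netsh ipsec static add rule name=RemoteMgmtRule policy=RemoteMgmtPolicy filterlist=RemoteMgmtFilters filteraction=PermitAction description="Permit RDP for remote troubleshooting"

rem 5. Assign the persistent policy (assumption: assignment in the persistent
rem    store works as in the local store), then return to the local store so
rem    later commands do not accidentally modify persistent policy.
netsh ipsec static set policy name=RemoteMgmtPolicy assign=y
netsh ipsec static set store location=local

rem 6. Boot-time exemptions, format protocol:srcport:dstport:direction (0 = any port):
rem    RDP inbound on TCP 3389 and DHCP client inbound on UDP 68.
netsh ipsec dynamic set config bootexemptions tcp:0:3389:inbound udp:0:68:inbound

rem 7. Verify what was configured before relying on it.
netsh ipsec static set store location=persistent
netsh ipsec static show policy name=RemoteMgmtPolicy
netsh ipsec static set store location=local
netsh ipsec dynamic show config
```

Note the design choice in step 3: the permit filter is scoped to destination port 3389 only, not to "any traffic", so the persistent policy still blocks everything the fallback behaviour described above is meant to block while leaving one well-defined management path open. If Remote Desktop is not the management channel in your environment, substitute the port your tooling actually uses and keep the filter equally narrow.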

For more information about assigning local IPSec policies, see "Creating, modifying, and assigning IPSec policies" in Help and Support Center for Windows Server 2003.