GPO_DOMISO_IsolatedDomain_Clients_WinXP

Updated: January 27, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

This GPO is authored by using the Computer Configuration\Windows Settings\Security Settings\IP Security Policies section in the GPO editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to computers running Windows XP.

This GPO provides the following settings and rules:

The GPO is configured to use the following IPsec elements:

The GPO is configured to use the IP filter lists shown in the following table.

 

Name Mirrored Source <->Dest Ports Protocols

All IP Traffic

Yes

Any <-> Any

Any <-> Any

Any

ICMP Traffic

Yes

Any <-> Any

Any <-> Any

ICMP

Exemption List

Yes

Any <-> IP address list of all exempted hosts

Any <-> Any

Any

noteNote
You must set the source and destination addresses as shown in the previous table to ensure that Windows applies the filters correctly from most specific to most general.

The GPO is configured to use the IPsec filter actions shown in the following table.

 

Name Method Algorithms AH|ESP:{integrity/encryption} Key lifetime (KB/seconds)

Request Security

Negotiate

Selected

Selected

ESP:SHA1/none

ESP:SHA1/3DES

100,000/3600

Allow Traffic

Permit

Not applicable

Not applicable

n/a

Not applicable

Require Security

Negotiate

Cleared

Selected

ESP:SHA1/none

ESP:SHA1/3DES

100,000/3600

The Method column in the previous table includes the following three settings in the following order:

  • Permit / Block / Negotiate security options

  • Accept unsecured communication, but always respond using IPsec check box. This is the inbound fallback-to-clear option.

  • Allow fallback to unsecured communication if a secure connection cannot be established check box. This is the outbound fallback-to-clear option.

The GPO is configured to use an IPsec policy named "Isolated Domain" that contains the rules shown in the following table. The rules are composed of the filter lists and filter actions that were configured earlier in this topic.

 

IP Filter list Filter action Authentication

All IP traffic

Require Security (see Caution below)

Kerberos V5

Certificate from internal CA

ICMP traffic

Allow Traffic

Not applicable

Exemption List

Allow Traffic

Not applicable

CautionCaution
When the IPsec policy is first deployed, we strongly recommended that you first set the filter action to request security so that if any computers fail to receive the IPsec policy they can continue to communicate. After you confirm that all the computers are successfully communicating by using IPsec, change the filter action to require security.

The GPO is configured to use the registry settings shown in the following table. For more information, see the description of the registry settings in Isolated Domain.

 

Setting Value

Enable PMTU Discovery

1

IPsec Exemptions

1

Enable IPsec over NAT-T

0

Simplified IPsec Policy

0x14

noteNote
The simplified IPsec policy setting has no effect on computers that are running Windows 2000. The value is ignored.

Next:  GPO_DOMISO_IsolatedDomain_Servers_WS2003

Community Additions

ADD
Show: