Understanding IPSec Policy Precedence

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To know how to apply IPSec policy in a domain environment, you must understand IPSec policy precedence. Unlike most Group Policy settings, which are cumulative, only one IPSec policy can be assigned to a computer at a time. Therefore, if there are multiple IPSec policies assigned at different levels, the last one applied is the one that takes effect. IPSec policy uses the same precedence sequence as other Group Policy settings, which is from lowest to highest, as follows:

  • Local GPO. Each computer has one local GPO. For a computer that is not a member of a domain, this is the only place where IPSec policy can be assigned. Although you can assign an IPSec policy by editing the local GPO, you can also assign a local policy directly in the IP Security Policy Management snap-in, outside of the Group Policy context, or by using the Netsh IPSec context. When IPSec policy assignments are made outside of the GPO context, the GPO cannot display the local IPSec policy that is assigned.

  • Site. IPSec policies are not often assigned at the site level, because doing so requires that all computers within a site have the same security needs, which is unlikely. Furthermore, if a computer moves to another subnet (for example, when a user travels to another location with a laptop that uses DHCP), a different site's policy is applied, which results in different security behavior.

  • Domain. Simple IPSec policies are often assigned at the domain level and then superseded by more specific IPSec policies, as required on various OUs.

  • OU. Specific IPSec policies are assigned to groups of computers. This is the last policy applied under normal conditions, and, therefore, the policy takes precedence. If an OU is nested within another OU, the IPSec policy assigned to the nested OU takes precedence.

Note that this is the default order in which policies of different types are applied. This order can be overridden by using a number of options, including Enforced, Block Policy Inheritance, and Loopback processing. For more information about the results of these options, see "Designing a Group Policy Infrastructure" in Designing a Managed Environment of this kit.
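To make the precedence rules above concrete, the following Python model resolves the single IPSec policy that takes effect for a computer from the chain of scopes that apply to it. It is an added example, not Microsoft's code and not how Windows implements Group Policy processing: the `Scope` and `Assignment` classes, the `effective_policy` function, and the domain, OU and policy names in the demo are all constructed for illustration. The model reduces Enforced and Block Policy Inheritance to their effect on one assigned policy (Enforced links cannot be blocked and win over everything below them; the local GPO is never blocked) and leaves persistent policy out, since it sits outside this resolution.

```python
from dataclasses import dataclass
from typing import List, Optional

# Group Policy scopes from lowest to highest precedence, as listed above.
LEVELS = ("Local", "Site", "Domain", "OU")


@dataclass
class Scope:
    """One scope in a computer's policy chain (hypothetical model, not a Windows API)."""
    name: str                           # e.g. a domain or OU name (constructed for the demo)
    level: str                          # one of LEVELS; nested OUs all use "OU", parent first
    ipsec_policy: Optional[str] = None  # IPSec policy assigned at this scope, if any
    enforced: bool = False              # the GPO link carrying the assignment is Enforced
    block_inheritance: bool = False     # Block Policy Inheritance is set on this container


@dataclass
class Assignment:
    """An IPSec policy assignment that survived processing so far."""
    policy: str
    level: str
    enforced: bool


def effective_policy(chain: List[Scope]) -> Optional[str]:
    """Return the one IPSec policy that takes effect for the given chain.

    The chain is walked from the local GPO up to the most deeply nested OU.
    Because only one IPSec policy can be assigned at a time, the last policy
    applied wins, unless an Enforced link higher in the hierarchy overrides it.
    """
    applied: List[Assignment] = []
    last_rank = -1
    for scope in chain:
        if scope.level not in LEVELS:
            raise ValueError(f"unknown level {scope.level!r}")
        rank = LEVELS.index(scope.level)
        if rank < last_rank:
            raise ValueError("chain must be ordered Local, Site, Domain, OU (parent OU first)")
        last_rank = rank
        if scope.block_inheritance:
            # Block Policy Inheritance discards assignments inherited from higher
            # scopes; Enforced links and the local GPO cannot be blocked.
            applied = [a for a in applied if a.enforced or a.level == "Local"]
        if scope.ipsec_policy is not None:
            applied.append(Assignment(scope.ipsec_policy, scope.level, scope.enforced))
    if not applied:
        return None
    enforced = [a for a in applied if a.enforced]
    if enforced:
        # Enforced links beat everything below them; among several Enforced
        # links, the one linked highest in the hierarchy (earliest here) wins.
        return enforced[0].policy
    # Normal case: the last IPSec policy applied is the one that takes effect.
    return applied[-1].policy


if __name__ == "__main__":
    # Constructed scenarios: domain, OU and policy names are illustrative only.
    local = Scope("Local computer", "Local", "Local IPSec policy")
    domain = Scope("corp.example.test", "Domain", "Domain baseline")
    servers = Scope("Servers", "OU", "Server policy")
    web = Scope("Web", "OU", "Web server policy")          # nested under Servers
    lab = Scope("Lab", "OU", block_inheritance=True)      # no assignment of its own

    print("Domain + OU:        ", effective_policy([local, domain, servers]))
    print("Nested OU:          ", effective_policy([local, domain, servers, web]))
    print("Enforced domain:    ", effective_policy(
        [local, Scope("corp.example.test", "Domain", "Domain baseline", enforced=True), servers]))
    print("Blocked inheritance:", effective_policy([local, domain, lab]))
```

The demo runs the four cases the text describes: an OU assignment superseding the domain policy, a nested OU superseding its parent, an Enforced domain link overriding the OU, and an OU that blocks inheritance and therefore falls back to the local GPO's assignment.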

Note

  • If you create a persistent policy, this policy adds to or overrides the local or Active Directory policy and remains in effect regardless of whether other policies are applied. For more information about persistent IPSec policy, see "Assigning IPSec Policies Locally" later in this chapter.