Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are not using Kerberos V5 authentication and do not have access to a CA, a preshared key can be used. For example, a stand-alone computer on a network that does not connect to the Internet might need to use a preshared key, because neither Kerberos authentication through the computer’s domain account nor access to a CA on the Internet are available.
A preshared key is a shared secret key that has been agreed upon by administrators who wish to secure the computer’s communications by using IPSec. Administrators must manually configure their systems to use the same preshared key.
Microsoft does not recommend the use of preshared key authentication, because the authentication key is stored in plaintext format in the system registry and hex-encoded in Active Directory–based IPSec policy. Well-known methods can enable attackers with access to these data stores to discover weak preshared key values.
Use preshared key authentication only where no stronger method can be used. Using Kerberos or certificate-based authentication is recommended to avoid security risks associated with preshared key authentication.
If you must use preshared key authentication, use only local or persistent IPSec policy, a 25-character or longer random key value, and a different preshared key for each IP address pair. These practices result in different security rules for each destination, and ensure that a compromised preshared key compromises only those computers that share the key. For more information about local or persistent IPSec policies, see "Assigning IPSec Policies Locally" later in this chapter.