Create Filter Actions on Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you create the filter actions that you later combine with filter lists and authentication method lists. Although you might not need all of these filter actions for your design immediately, creating them now allows you to adapt your design more easily in the future.

The filter actions you need for either a domain or server isolation scenario include:

  • Permit. This filter action permits any network traffic that matches the associated filter list. This filter action exists by default, but the procedure in this topic shows you how to re-create it, if necessary.

  • Request Authentication. This filter action causes the computer to request authentication when a computer on the network attempts to connect. If authentication fails, then the computer permits the connection without authentication. This filter action exists by default with the name Request Security (Optional), but the procedure in this topic shows you how to re-create it, if necessary. If you use the default Request Security (Optional) filter action, you must at least configure the list of integrity and encryption methods according to your design. Remove the combinations that you do not want to use on the network.

Important

We recommend that you do not use MD5 or DES in any combination. They are no longer considered to be secure, and are included for backward compatibility only.

    This filter action is primarily used by the boundary zone rules, but is also used in the primary domain isolation zone and server isolation zone rules during the testing and piloting phases. This filter action is also used with isolated server clients when an isolated domain is not used.

  • Require Authentication. This filter action causes the computer to require authentication when a computer on the network attempts to connect. If authentication fails, then the connection is refused. This filter action exists by default with the name Require Security, but the procedure in this topic shows you how to re-create it, if necessary. If you use the default Require Security filter action, you must at least configure the list of integrity and encryption methods according to your design. Remove the combinations that you do not want to use on the network.

    This filter action is primarily used by the isolated domain after testing and piloting are complete. It can also be used by isolated servers if encryption is not required. It is not used with the isolated server clients.

  • Request Authentication and Encryption. This filter action causes the computer to request both authentication and encryption when a computer on the network tries to connect. If authentication fails or an encryption algorithm cannot be negotiated, then the connection is permitted to fall back to clear. This filter is used in the encryption zone of an isolated domain during testing. It can also optionally be used by servers in an isolated server zone during testing, and by the clients of an isolated server zone that requires encryption.

  • Require Authentication and Encryption. This filter action causes the computer to require both authentication and encryption when a computer on the network tries to connect. If authentication fails or an encryption algorithm cannot be negotiated, then the connection is refused. This filter is used in the encryption zone of an isolated domain. It can also be used by servers in an isolated server zone when encryption is required.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create the Permit filter action

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage Filter Actions tab.

  4. Click Add.

  5. On the Welcome page of the Filter Action Wizard, click Next.

  6. In the Name box, type Permit, in the Description box, type Permit unsecured IP packets to pass through, and then click Next.

  7. On the Filter Action General Options page, click Permit, click Next, and then click Finish.

To create the Request Authentication filter action

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage Filter Actions tab.

  4. Click Add.

  5. On the Welcome page of the Filter Action Wizard, click Next.

  6. In the Name box, type Request Authentication (Optional), in the Description box, type Requests authentication on both inbound and outbound connections, but allows fallback to clear if authentication fails, and then click Next.

  7. On the Filter Action General Options page, click Negotiate security, and then click Next.

  8. On the Communicating with computers that do not support IPsec page, click Allow unsecured communication if a secure connection cannot be established. This enables outbound fallback-to-clear behavior. In a later step, you will configure inbound fallback-to-clear behavior.

  9. On the IP Traffic Security page, click Integrity only, and then click Next. This is equivalent to selecting ESP using SHA1 integrity and no encryption.

    You can add only one integrity and encryption algorithm combination at this time. You add the others (if required) in a later step.

  10. On the Completing page, select Edit properties, and then click Finish.

    The Properties page for the filter action appears.

  11. Select Accept unsecured communication, but always respond using IPsec to enable inbound fallback-to-clear behavior. The Allows fallback to unsecured communication if a secure connection cannot be established option is already selected because you enabled outbound fallback-to-clear behavior in an earlier step.

  12. If you are deploying an isolated domain that includes an encryption zone or an isolated server zone that requires encryption of all network traffic inbound to those servers, then you must add one or more quick mode algorithm combinations that enable encryption so that client computers using this rule can connect to the protected servers. On the Security Methods tab, click Add.

  13. You can select Integrity and encryption if your design specifies using ESP with SHA1 as the integrity algorithm and 3DES as the encryption algorithm. If you require a different combination, then click Custom, click Data integrity and encryption (ESP), and then select the integrity and encryption algorithms required by your design.

Warning

We recommend that you do not use MD5 or DES in any combination. They are no longer considered to be secure, and are included for backward compatibility only.

  14. If your design requires it, specify a custom session key lifetime by selecting either or both of the Generate a new key boxes, and then entering the appropriate size (in kilobytes) or time (in seconds).

  15. Click OK to save the combination.

  16. Click OK to add your completed combination to the list in the filter action.

  17. When you have added security method combinations, click OK to save your filter action.

To create the Require Authentication filter action

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage Filter Actions tab.

  4. Click Add.

  5. On the Welcome page of the Filter Action Wizard, click Next.

  6. In the Name box, type Require Authentication, in the Description box, type Requires authentication for all inbound connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec, and then click Next.

  7. On the Filter Action General Options page, click Negotiate security, and then click Next.

  8. On the Communicating with computers that do not support IPsec page, select Allow unsecured communication if a secure connection cannot be established. This option enables outbound fallback-to-clear behavior.

  9. On the IP Traffic Security page, click Integrity only, and then click Next. This is equivalent to selecting ESP using SHA1 with null encryption.

    You can add only one integrity and encryption algorithm combination at this time. You add the others (if required) in a later step.

Important

Configure the same security method combinations, in the same order, as you did for the Request Security filter action.

  10. On the Completing page, select Edit properties, and then click Finish.

    The Properties page for the filter action appears.

  11. Make sure that the Accept unsecured communication, but always respond using IPsec option is not selected to disable inbound fallback-to-clear behavior. The Allows fallback to unsecured communication if a secure connection cannot be established option is selected because you enabled outbound fallback-to-clear behavior in an earlier step.

  12. If you are deploying an isolated domain that includes an encryption zone or an isolated server zone that requires encryption of all network traffic inbound to those servers, then you must add one or more quick mode algorithm combinations that enable encryption so that client computers using this rule can connect to the protected servers. On the Security Methods tab, click Add.

  13. You can select Integrity and encryption if your design specifies using ESP with SHA1 as the integrity algorithm and 3DES as the encryption algorithm. If you require a different combination, then click Custom, click Data integrity and encryption (ESP), and select the integrity and encryption algorithms required by your design.

Warning

We recommend that you do not use MD5 or DES in any combination. They are no longer considered to be secure, and are included for backward compatibility only.

  14. If your design requires it, specify a custom session key lifetime by selecting either or both of the Generate a new key boxes, and then entering the appropriate size (in kilobytes) or time (in seconds).

  15. Click OK to save the combination.

  16. Click OK to add your completed combination to the list in the filter action.

  17. When you have added security method combinations, click OK to save your filter action.


To create the Request Authentication and Encryption filter action

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage Filter Actions tab.

  4. Click Add.

  5. On the Welcome page of the Filter Action Wizard, click Next.

  6. In the Name box, type Request Authentication and Encryption, in the Description box, type Requests both authentication and encryption for connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec, and then click Next.

  7. On the Filter Action General Options page, click Negotiate security, and then click Next.

  8. On the Communicating with computers that do not support IPsec page, select Do not allow unsecured communication if a secure connection cannot be established. This option enables outbound fallback-to-clear behavior.

  9. On the IP Traffic Security page, click Integrity and encryption, and then click Next. This is equivalent to selecting ESP using SHA1 with 3DES encryption.

Warning

We recommend that you do not use MD5 or DES in any combination. They are no longer considered to be secure, and are included for backward compatibility only.

  10. On the Completing page, select Edit properties, and then click Finish.

    The Properties page for the filter action appears.

  11. Select the Accept unsecured communication, but always respond using IPsec option to enable inbound fallback-to-clear behavior. The Allows fallback to unsecured communication if a secure connection cannot be established option is selected because you enabled outbound fallback-to-clear behavior in an earlier step.

  12. If your design requires it, specify a custom session key lifetime by selecting the security method in the list, and then clicking Edit. Change the security method to Custom, click Settings, select either or both of the Generate a new key boxes, and then enter the appropriate size (in kilobytes) or time (in seconds). Click OK.

  13. When you have configured security method combinations, click OK to save your filter action.

  14. When you have created and configured filter actions, click Close.


To create the Require Authentication and Encryption filter action

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage Filter Actions tab.

  4. Click Add.

  5. On the Welcome page of the Filter Action Wizard, click Next.

  6. In the Name box, type Require Authentication and Encryption, in the Description box, type Requires both authentication and encryption for all inbound connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec, and then click Next.

  7. On the Filter Action General Options page, click Negotiate security, and then click Next.

  8. On the Communicating with computers that do not support IPsec page, select Do not allow unsecured communication if a secure connection cannot be established. This option enables outbound fallback-to-clear behavior.

  9. On the IP Traffic Security page, click Integrity and encryption, and then click Next. This is equivalent to selecting ESP using SHA1 with 3DES encryption.

Warning

We recommend that you do not use MD5 or DES in any combination. They are no longer considered to be secure, and are included for backward compatibility only.

  10. On the Completing page, select Edit properties, and then click Finish.

    The Properties page for the filter action appears.

  11. Make sure that the Accept unsecured communication, but always respond using IPsec option is not selected to disable inbound fallback-to-clear behavior. The Allows fallback to unsecured communication if a secure connection cannot be established option is selected because you enabled outbound fallback-to-clear behavior in an earlier step.

  12. If your design requires it, specify a custom session key lifetime by selecting the security method in the list, and then clicking Edit. Change the security method to Custom, click Settings, select either or both of the Generate a new key boxes, and then enter the appropriate size (in kilobytes) or time (in seconds). Click OK when finished.

  13. When you have configured security method combinations, click OK to save your filter action.

  14. When you have created and configured filter actions, click Close.
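The five filter actions created by the procedures above, as an added example scripted with the netsh ipsec static context (Windows XP SP2, Windows Server 2003 and later) rather than the Filter Action Wizard; this is not code from the original topic. It assumes contoso.com as a placeholder domain, and the soft and inpass flags mirror the selections each procedure makes for outbound and inbound fallback to clear.

```batch
@echo off
rem Added example, not from the original topic: the same filter actions
rem created with "netsh ipsec static" instead of the Filter Action Wizard.
rem Mapping to the wizard pages:
rem   action=negotiate -> "Negotiate security" on Filter Action General Options
rem   soft=yes/no      -> Allow / Do not allow unsecured communication if a
rem                       secure connection cannot be established (outbound
rem                       fallback to clear), as selected in each procedure
rem   inpass=yes/no    -> "Accept unsecured communication, but always respond
rem                       using IPsec" (inbound fallback to clear)
rem   qmsecmethods     -> the Security Methods list, in order of preference:
rem                       ESP[None,SHA1] is "Integrity only",
rem                       ESP[3DES,SHA1] is "Integrity and encryption",
rem                       ":100000k/3600s" is an optional session key lifetime
rem Only SHA1 and 3DES are used; MD5 and DES are left out on purpose.

rem Write to the Active Directory policy store (contoso.com is a placeholder).
netsh ipsec static set store location=domain domain=contoso.com

netsh ipsec static add filteraction name="Permit" ^
  description="Permit unsecured IP packets to pass through" action=permit

netsh ipsec static add filteraction name="Request Authentication (Optional)" ^
  description="Requests authentication on both inbound and outbound connections, but allows fallback to clear if authentication fails" ^
  action=negotiate soft=yes inpass=yes ^
  qmsecmethods="ESP[None,SHA1] ESP[3DES,SHA1]"

netsh ipsec static add filteraction name="Require Authentication" ^
  description="Requires authentication for all inbound connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec" ^
  action=negotiate soft=yes inpass=no ^
  qmsecmethods="ESP[None,SHA1] ESP[3DES,SHA1]"

netsh ipsec static add filteraction name="Request Authentication and Encryption" ^
  description="Requests both authentication and encryption for connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec" ^
  action=negotiate soft=no inpass=yes ^
  qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

netsh ipsec static add filteraction name="Require Authentication and Encryption" ^
  description="Requires both authentication and encryption for all inbound connection attempts, but can fallback to clear when connecting outbound to a host that does not support IPsec" ^
  action=negotiate soft=no inpass=no ^
  qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem Check: review every action and confirm no MD5 or DES method is listed.
netsh ipsec static show filteraction all level=verbose
```

The final show command is the audit step: the verbose listing prints each action's security methods in order, so a combination using MD5 or DES that slipped in through the GUI is visible before the filter actions are bound to rules.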
