SUMMARY
The Internet Protocol Security (IPsec) feature in Windows
Server 2003 was not designed as a full-featured host-based firewall. It was
designed to provide basic permit and block filtering using address, protocol
and port information in network packets. IPsec was also designed as an
administrative tool to enhance the security of communications in a way that is
transparent to the programs. Because of this, it provides traffic filtering
that is necessary to negotiate security for IPsec transport mode or IPsec
tunnel mode, primarily for intranet environments where machine trust was
available from the Kerberos service or for specific paths across the Internet
where public key infrastructure (PKI) digital certificates can be
used.
The default exemptions to IPsec policy filters are documented in
the Microsoft Windows 2000 and Microsoft Windows XP Help. These filters make it
possible for Internet Key Exchange (IKE) and Kerberos to function. The filters
also make it possible for network Quality of Service (QoS) to be signaled
(RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec
cannot secure such as multicast and broadcast traffic.
For additional information about these
filters, click the following article number to view the article in the Microsoft Knowledge Base:
253169
Traffic that can--and cannot--be secured by IPSec
MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
As IPsec is increasingly used for basic host-firewall
packet filtering, particularly in Internet-exposed scenarios, the effect of
these default exemptions has not been fully understood. Because of this, some
IPsec administrators may create IPsec policies that they believe to be secure,
but that are not secure against inbound attacks that use the default
exemptions.
For these reasons, Microsoft has removed most of the
default exemptions in Windows Server 2003. This may require IPsec policy
changes for Windows Server 2003 for IPsec deployment scenarios where you use
IKE to negotiate security and IPsec protection for upper-layer protocol
traffic.
Removal of default exemptions
By default, Windows Server 2003 removes all default exemptions,
except for the IKE exemption. Changes to existing IPsec policy designs may be
required before you can use the policy on Windows Server 2003.
Administrators should start planning for these changes for all
existing and new IPsec deployments by using
NoDefaultExempt=1 on their Windows 2000-based and Windows XP-based computers. The
NoDefaultExempt=1 registry key is supported in Windows Server 2003 to make it
possible for administrators to restore the earlier default exemption behavior
for backward compatibility with earlier IPsec policy designs and program
compatibility. During the upgrade to Windows Server 2003, the value of an
existing
NoDefaultExempt=1 registry key setting is preserved.
For additional information about default
exemptions for Windows 2000-based and Windows XP-based
computers, click the following article number to view the article in the Microsoft Knowledge Base:
811832
IPSec default exemptions can be used to bypass IPsec protection in some scenarios
Note: Review this article (811832) before you use the registry key to
re-enable the default exemptions.
Also review the "Specifying Default
Exemptions to IPSec Filtering" section in the Windows Server 2003 IPsec
Deployment kit for more information. To obtain the Microsoft Windows 2003
Server Deployment Kit, visit the following Microsoft Web site:
To modify the default filtering behavior for Windows Server 2003
IPSec, you can use the
Netsh IPSec command or modify the
registry.
To modify the default filtering behavior by using the
Netsh IPSec command:
- Click Start, and then click
Run.
- Type cmd, and then click
OK.
- At the command prompt, type netsh ipsec dynamic set config ipsecexempt value={ 0 | 1 | 2 | 3 }, and then press ENTER.
The use of
{ 0 | 1 | 2 | 3} in this
command represents all available options for this command. You can only use one
value. Depending on the exemptions you want to use, specify the value as:
- A value of 0 specifies that multicast, broadcast, RSVP,
Kerberos, and ISAKMP traffic are exempt from IPSec filtering. This is the
default filtering behavior for Windows 2000 and Windows XP. Use this setting
only if you have to for compatibility with an existing IPsec policy or Windows
2000 and Windows XP behavior.
- A value of 1 specifies that Kerberos and RSVP traffic are
not exempt from IPSec filtering, but multicast, broadcast, and ISAKMP traffic
are exempt.
- A value of 2 specifies that multicast and broadcast
traffic are not exempt from IPSec filtering, but RSVP, Kerberos, and ISAKMP
traffic are exempt.
- A value of 3 specifies that only ISAKMP traffic is exempt
from IPSec filtering. This is the default filtering behavior for Windows Server
2003.
If you change the value for this setting, you must restart the
computer for the new value to take effect.
To modify the default filtering behavior by using the registry:
- Click Start, and then click
Run.
- Type Regedit, and then click
OK.
- Click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
- Right-click IPSEC, point to
New, and then click DWORD Value.
- Name this new entry
NoDefaultExempt.
- Assign this entry any value from 0 through 3.
- Restart your computer.
The filtering behaviors for each value are equivalent to those
that are noted for the
netsh ipsec dynamic set config ipsecexempt
value=x command.
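The following audit script is an added example and is not part of the Knowledge Base article. It reads the NoDefaultExempt value from the registry path given above, reports which traffic classes the current value still leaves outside IPsec filtering (using the 0 through 3 table from this article), and can optionally set the Windows Server 2003 default of 3. It assumes Windows PowerShell with the registry provider on a Windows 2000, Windows XP, or Windows Server 2003 host, and that it is run with administrative rights when -Remediate is used.

```powershell
# Added audit script (not from the KB article). Assumes Windows PowerShell with
# the registry provider; run elevated when -Remediate is used.
param([switch]$Remediate)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$Name    = 'NoDefaultExempt'

# Exemption table from the article: value -> traffic still exempt from IPsec filtering.
$Exempt = @{
    0 = @('multicast', 'broadcast', 'RSVP', 'Kerberos', 'ISAKMP')  # Windows 2000/XP default
    1 = @('multicast', 'broadcast', 'ISAKMP')
    2 = @('RSVP', 'Kerberos', 'ISAKMP')
    3 = @('ISAKMP')                                               # Windows Server 2003 default
}

$item  = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
$value = if ($item) { [int]$item.$Name } else { $null }

if ($value -eq $null) {
    # No explicit value: the OS default applies. NT 5.2 is Windows Server 2003 (default 3);
    # NT 5.0/5.1 are Windows 2000/XP (default 0). Newer versions are treated like Server 2003.
    $os = [Environment]::OSVersion.Version
    $value = if ($os.Major -gt 5 -or ($os.Major -eq 5 -and $os.Minor -ge 2)) { 3 } else { 0 }
    Write-Output "$Name is not set; assuming the OS default of $value"
} elseif (-not $Exempt.ContainsKey($value)) {
    Write-Warning "$Name has unexpected value $value (valid range is 0 through 3)"
    return
}

Write-Output ("Effective {0}={1}: exempt traffic = {2}" -f $Name, $value, ($Exempt[$value] -join ', '))

# ISAKMP (IKE) stays exempt at every value; anything else bypasses the IPsec filters.
$risky = $Exempt[$value] | Where-Object { $_ -ne 'ISAKMP' }
if ($risky) {
    Write-Warning ("Traffic that bypasses IPsec filtering: {0}. Review KB 811832 before relying on this policy." -f ($risky -join ', '))
    if ($Remediate) {
        # -Force overwrites an existing value. The change takes effect only after a restart.
        New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 3 -Force | Out-Null
        Write-Output "Set $Name=3; restart the computer for the new value to take effect."
    }
}
```

Run it without switches on each host to inventory the effective setting before changing IPsec policy; test the policy in the lab first, as the article recommends, since value 3 also removes the Kerberos and RSVP exemptions that an existing policy design may depend on.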
Impact of IKE exemption
The effect of the IKE exemption is the same as for Windows 2000
and Windows XP. However, Windows Server 2003 provides improved denial-of-service
(DoS) avoidance against flooding attacks.
For additional
information about IKE exemption for Windows 2000 and Windows XP, click the
following article number to view the article in the Microsoft Knowledge Base:
811832
IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some
Scenarios
Effect of Kerberos exemption
If NoDefaultExempt is set to 0 or 2 to restore the exemption, the effect of the
Kerberos exemption is the same as described for Windows 2000 and Windows XP.
For additional information about the Kerberos exemption for Windows 2000 and
Windows XP, click the following article number to view the article in the
Microsoft Knowledge Base:
811832
IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some
Scenarios
Effect of RSVP exemption
If NoDefaultExempt is set to 0 or 2 to restore the exemption, the RSVP exemption
risk is limited to third-party RSVP implementations that may be installed. By
default, Windows Server 2003 does not include the QoS RSVP service. The -R option
has been removed from the Pathping utility, so it does not support the RSVP
protocol.
Effect of broadcast and multicast exemptions
If NoDefaultExempt is set to 0 or 1 to restore the exemption, the effect of
broadcast and multicast exemptions is the same as described for Windows 2000
and Windows XP. However,
Windows Server 2003 IPsec does support filtering broadcast and multicast
traffic. An IPsec policy design may have filters that would be matched by
outbound broadcast or multicast such as a filter with source address of "My IP
Address" and a destination address of "Any IP Address". IPsec policies should
be tested in the lab and in operation to confirm the effect of an existing
policy design on this traffic. Broadcast and multicast traffic can be blocked
in a limited way by using an IPsec filter with source and destination address
of "Any IP Address". The Microsoft Windows Server 2003 Resource Kit contains
more information.
Which programs can receive broadcast traffic?
Windows Server 2003 supports a socket option for programs to
explicitly disable the receipt of broadcast traffic, but there is no change to
the default behavior that programs that are listening on UDP ports receive
broadcast traffic.
Which programs can receive multicast traffic?
In Windows Server 2003, programs still must explicitly register
with the TCP/IP stack to receive inbound multicast traffic types, and traffic
may be dropped if the multicast group is unregistered.
Using IPsec with the Internet Connection Firewall
As in Windows XP, ICF and IPsec filtering capabilities can be
combined to create advanced filtering behaviors. This is particularly useful
where IPsec must statically permit certain outbound traffic to the Internet,
such as HTTP, DNS, or SMTP. This makes it possible for ICF to provide
stateful filtering of the outbound traffic that IPsec permits.