GPO_DOMISO_IsolatedDomain_Clients_WinXP
Applies To: Windows Server 2008, Windows Server 2008 R2
This GPO is authored by using the Computer Configuration\Windows Settings\Security Settings\IP Security Policies section in the GPO editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to computers running Windows XP.
This GPO provides the following settings and rules:
IPsec rules
The GPO is configured to use the following IPsec elements:
IPsec filter lists
The GPO is configured to use the IP filter lists shown in the following table.
Name | Mirrored | Source <-> Dest | Ports | Protocols |
---|---|---|---|---|
All IP Traffic | Yes | Any <-> Any | Any <-> Any | Any |
ICMP Traffic | Yes | Any <-> Any | Any <-> Any | ICMP |
Exemption List | Yes | Any <-> IP address list of all exempted hosts | Any <-> Any | Any |
Note
You must set the source and destination addresses exactly as shown in the previous table. IPsec applies filters from the most specific to the most general, regardless of the order in which the rules appear in the policy: a filter that names a specific host (the Exemption List) or a specific protocol (ICMP Traffic) is matched before the Any <-> Any filter in All IP Traffic. This is what lets the exempted hosts and ICMP take precedence over the Require Security rule.
IPsec filter actions
The GPO is configured to use the IPsec filter actions shown in the following table.
Name | Method | Inbound fallback to clear | Outbound fallback to clear | Algorithms (AH or ESP: integrity/encryption) | Key lifetime (KB/seconds) |
---|---|---|---|---|---|
Request Security | Negotiate | Selected | Selected | ESP:SHA1/none, ESP:SHA1/3DES | 100,000/3600 |
Allow Traffic | Permit | Not applicable | Not applicable | n/a | Not applicable |
Require Security | Negotiate | Cleared | Selected | ESP:SHA1/none, ESP:SHA1/3DES | 100,000/3600 |
The Method, Inbound fallback to clear, and Outbound fallback to clear columns correspond to the following three settings on the filter action, in this order:
Permit / Block / Negotiate security options (the Method column).
Accept unsecured communication, but always respond using IPsec check box. This is the inbound fallback-to-clear option. When it is selected, unprotected inbound packets are accepted while the computer tries to negotiate IPsec with the sender; when it is cleared, as in Require Security, unprotected inbound traffic that matches the rule is dropped.
Allow fallback to unsecured communication if a secure connection cannot be established check box. This is the outbound fallback-to-clear option. It is selected in both negotiated actions so that a client can still initiate connections to hosts that do not respond to IKE. Require Security therefore requires IPsec for inbound traffic but only requests it for outbound traffic.
Note
The proposals are offered in the order listed. Because ESP:SHA1/none comes first, traffic in the isolated domain is normally authenticated and integrity-protected but not encrypted; the 3DES proposal is used only with a peer whose policy does not accept the integrity-only proposal. SHA1 and 3DES are the strongest integrity and encryption algorithms that the Windows XP IPsec implementation supports.
IPsec policies
The GPO is configured to use an IPsec policy named "Isolated Domain" that contains the rules shown in the following table. The rules are composed of the filter lists and filter actions that were configured earlier in this topic.
IP Filter list | Filter action | Authentication |
---|---|---|
All IP traffic | Require Security (see Warning below) | Kerberos V5; Certificate from internal CA |
ICMP traffic | Allow Traffic | Not applicable |
Exemption List | Allow Traffic | Not applicable |
Warning
When the IPsec policy is first deployed, we strongly recommend that you set the filter action of the All IP traffic rule to Request Security, so that any computers that fail to receive the IPsec policy can continue to communicate. After you confirm that all the computers are successfully communicating by using IPsec, change the filter action to Require Security.
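The whole procedure in this topic, from the filter lists through the staged rollout, expressed with the netsh ipsec static context (Windows XP SP2 and Windows Server 2003 syntax), as an added example. This script is not part of the design guide and does not build the GPO itself; it writes the equivalent policy objects to the local policy store (or, with set store location=domain, to Active Directory, where the GPO can assign them). The exempted host addresses 10.0.0.10 and 10.0.0.11, the CA subject name, and the domain name corp.example.com are hypothetical placeholders.

```batch
@echo off
rem Added example, not the design guide's own tooling: builds the "Isolated Domain" IPsec
rem policy described in this topic with netsh ipsec static (Windows XP SP2 / Server 2003).
rem Hypothetical values: exempted hosts 10.0.0.10 and 10.0.0.11, an internal CA whose
rem subject is "CN=Corp Root CA, DC=corp, DC=example, DC=com", and domain corp.example.com.

rem Work against the local policy store. To author the same objects in Active Directory
rem for assignment through the GPO, use instead:
rem   netsh ipsec static set store location=domain domain=corp.example.com
netsh ipsec static set store location=local

rem --- Filter lists (all mirrored, matching the filter list table) ---
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=any dstaddr=any protocol=any mirrored=yes

netsh ipsec static add filterlist name="ICMP Traffic"
netsh ipsec static add filter filterlist="ICMP Traffic" srcaddr=any dstaddr=any protocol=ICMP mirrored=yes

rem One filter per exempted host. Any <-> specific host is more specific than Any <-> Any,
rem so these filters are matched before the All IP Traffic filter regardless of rule order.
netsh ipsec static add filterlist name="Exemption List"
netsh ipsec static add filter filterlist="Exemption List" srcaddr=any dstaddr=10.0.0.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Exemption List" srcaddr=any dstaddr=10.0.0.11 protocol=any mirrored=yes

rem --- Filter actions ---
rem inpass = "Accept unsecured communication, but always respond using IPsec" (inbound fallback)
rem soft   = "Allow fallback to unsecured communication ..." (outbound fallback)
rem qmsecmethods lists the ESP proposals in offer order: integrity-only (SHA1) first, then 3DES,
rem each with the 100,000 KB / 3600 s key lifetime from the filter action table.
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s ESP[3DES,SHA1]:100000k/3600s"
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s ESP[3DES,SHA1]:100000k/3600s"
netsh ipsec static add filteraction name="Allow Traffic" action=permit

rem --- Policy and rules ---
rem Created unassigned, and the All IP traffic rule starts with Request Security as the
rem Warning above advises. Authentication: Kerberos V5 first, then a certificate from the CA.
netsh ipsec static add policy name="Isolated Domain" assign=no
netsh ipsec static add rule name="All IP traffic" policy="Isolated Domain" filterlist="All IP Traffic" filteraction="Request Security" kerberos=yes rootca="CN=Corp Root CA, DC=corp, DC=example, DC=com certmap:no excludecaname:no"
netsh ipsec static add rule name="ICMP traffic" policy="Isolated Domain" filterlist="ICMP Traffic" filteraction="Allow Traffic"
netsh ipsec static add rule name="Exemption List" policy="Isolated Domain" filterlist="Exemption List" filteraction="Allow Traffic"

rem Assign the policy, then confirm that peers are actually negotiating quick mode SAs.
netsh ipsec static set policy name="Isolated Domain" assign=yes
netsh ipsec static show policy name="Isolated Domain" level=verbose
netsh ipsec dynamic show qmsas

rem Step 2, only after every computer is confirmed to negotiate IPsec: tighten to Require Security.
rem netsh ipsec static set rule name="All IP traffic" policy="Isolated Domain" filteraction="Require Security"
```

Run the script once from an elevated command prompt on a test client, check that netsh ipsec dynamic show qmsas lists SAs to the domain controllers and to other members, and only then uncomment the final set rule line to move the All IP traffic rule to Require Security.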
IPsec registry settings
The GPO is configured to use the registry settings shown in the following table. For more information, see the description of the registry settings in Isolated Domain.
Setting | Value |
---|---|
Enable PMTU Discovery | 1 |
IPsec Exemptions | 1 |
Enable IPsec over NAT-T | 0 |
Simplified IPsec Policy | 0x14 |
Note
The simplified IPsec policy setting has no effect on computers that are running Windows 2000. The value is ignored.