Default Internet Protocol Security Policies in Windows 2000

ID: Q231586


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

Windows 2000 includes three predefined Internet Protocol security (IPSec) policies that serve as models for creating your own policies. Because you can use them as they are, you need to create a custom policy only where you have special requirements.


MORE INFORMATION

The following predefined policies are included:

Client (Respond Only)

This policy is for computers that usually do not need secure communications. For example, intranet clients may not require secure communications except when requested by another computer. This policy enables the computer on which it is active to appropriately respond to requests for secured communications, but it does not configure the client to initiate requests for IP security. It contains a Default Response rule, which enables negotiation with computers requesting IP security. Only the requested protocol and port traffic for the communication is secured.

Server (Request Security)

This policy is for computers that usually do require secure communications, such as servers that transmit sensitive data. This policy enables the computer to accept unsecured traffic, but the computer always attempts to negotiate secure communications when functioning as a client or server. This policy allows the entire communication to be unsecured if the other computer is not IP security enabled.

Secure Server (Require Security)

This policy is for computers that always require secure communications, such as a server that transmits highly sensitive data, or a security gateway that protects the intranet from the outside. This policy accepts unsecured incoming communications, and outgoing traffic is always secured. Unsecured outgoing communications are not allowed, even if a peer is not IP security enabled.

Creating Custom IPSec Policies

You can create customized IPSec policies using the IP Security Policy Management snap-in.

To select an IPSec policy for a workstation:
  1. Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Click Advanced, and then click the Options tab.
  5. Under Optional settings, click IP security, and then click Properties.
  6. Click Use this IP security policy, and then click the IPSec policy you want.
  7. Click OK, click OK, click OK, and then click OK.


Or, you can use the IP Security Policies snap-in in Microsoft Management Console (MMC). Set it to use the local computer, right-click the policy you want, and then click Assign.

You must be a member of the Administrators group to set IPSec policies. If the computer participates in a Windows 2000 domain, the computer may receive the IPSec policy from Active Directory, overriding the local IPSec policy. In this case, the options are disabled and you cannot change them from the local computer.

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: February 1, 2000
© 2000 Microsoft Corporation. All rights reserved.