IP Security (IPSec) Registry Settings in Windows 2000

ID: Q231588


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

Windows Internet Protocol security (IPSec) is designed to encrypt data as it travels between two computers, protecting the data from modification and interpretation if anyone were to see it on the network. IPSec is a key line of defense against internal, private network, and external attacks. Although most network security strategies have focused on preventing attacks from outside an organization's network, a great deal of sensitive information can be lost by internal attacks that interpret data on the network. Most data is not protected when it travels across the network, so employees, supporting staff members, or visitors may be able to plug into your network and copy data for later analysis. They can also mount network-level attacks against other computers. Firewalls offer no protection against such internal threats, so using IPSec offers significantly greater security for corporate data.

IP Security is a security service that gives administrators the ability to monitor traffic, examine addresses, and apply various security methods to the IP data packet, regardless of which program generates the data.

This article lists the common IPSec registry settings for use by administrators.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Policy Storage

When there is no group policy with IP Security settings provided, policies are stored at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Local
When there is a group policy with IP Security settings provided, the policies are read from the Directory service (DS) and cached at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Cache
The path to a group IP Security policy is stored at various locations in the registry (the end of this article contains a complete list). The central location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy

Policy Agent Settings

When the Service Control Manager starts Policy Agent, it first gets any values from the registry. If debugging is set in the registry, the log needs to be opened before Policy Agent starts.

The registry values for Policy Agent are located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\
Checked values include:
  • Debug: REG_DWORD: A value of 1 turns on logging. A log called Ipsecpa.log is created in the system root folder. The default value is 0.
  • Log: REG_SZ: This specifies the name of the log to open with Debug.

One last value for Policy Agent is located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\IPSECPolicy Storage
  • Debug: REG_DWORD: A value of 1 sends debug events for Policy Agent to the system log in Event Viewer.


The Global IPSec Policy references are found in five locations:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\GPTIPSECPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\GroupPolicyObjects\{GUID}Machine\Software\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\GroupPolicyObjects\{GUID}Machine\System\CurrentControlSet\Services\PolicyAgent\Policy\GPTIPSECPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPSec\GPTIPSECPolicy

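The following PowerShell script is an added example and is not part of the KB article. It reports which policy store (Local or the DS cache) the article says Policy Agent would use, and which of the five GPTIPSECPolicy reference locations listed above exist on the computer. It is read-only. It assumes the interpretation that a present central GPTIPSECPolicy key means a group policy path has been delivered and the cached copy is what is in use; the {GUID} placeholders are expanded by enumerating the GroupPolicyObjects key.

```powershell
# Added example, not from the KB article. Read-only audit of the IPSec
# policy store and the GPTIPSECPolicy reference locations.
$policyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy'
$centralGpt = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy'

function Get-IpsecPolicySource {
    # Assumption: a present central GPTIPSECPolicy key means a group policy
    # path was delivered, so Policy Agent reads the DS copy cached under
    # Policy\Cache; otherwise it uses Policy\Local.
    $dsPolicy = Test-Path $centralGpt
    if ($dsPolicy) { $source = 'Directory service (cached)'; $store = "$policyRoot\Cache" }
    else           { $source = 'Local';                      $store = "$policyRoot\Local" }
    [pscustomobject]@{
        Source      = $source
        Store       = $store
        StoreExists = (Test-Path $store)
    }
}

function Get-GptIpsecPolicyReferences {
    # The three fixed locations from the article.
    $fixed = @(
        "$policyRoot\GPTIPSECPolicy",
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy',
        'HKLM:\SOFTWARE\Microsoft\Windows\IPSec\GPTIPSECPolicy'
    )
    # The two per-GPO locations: {GUID} is expanded from GroupPolicyObjects.
    $perGpo  = @()
    $gpoRoot = 'HKCU:\SOFTWARE\Microsoft\GroupPolicyObjects'
    if (Test-Path $gpoRoot) {
        foreach ($gpo in Get-ChildItem -Path $gpoRoot) {
            $perGpo += Join-Path $gpo.PSPath 'Software\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy'
            $perGpo += Join-Path $gpo.PSPath 'System\CurrentControlSet\Services\PolicyAgent\Policy\GPTIPSECPolicy'
        }
    }
    foreach ($path in ($fixed + $perGpo)) {
        [pscustomobject]@{ Path = $path; Present = (Test-Path $path) }
    }
}

Get-IpsecPolicySource
Get-GptIpsecPolicyReferences | Format-Table -AutoSize
```

A mismatch between the reported source and what the administrator expects (for example, a server believed to be under a domain IPSec policy that turns out to be on its Local store) is the usual reason traffic is not being protected as intended, so this is a useful first check before enabling any of the debug logging described later in the article.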

IPSEC Driver Registry Settings

The settings for the IPSEC driver are located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec

Values That Can Be Modified

  • SAIdleTime
    Description: Security Association Idle Timer
    Data Type: REG_DWORD, Default: 300 Seconds
    Minimum: 300 Seconds, Maximum: 3600 Seconds
  • CacheSize
    Description: First Level (IP Header based) cache size
    Data Type: REG_DWORD, Default: 64 KB
    Minimum: 64 KB, Maximum: 1024 KB
  • SAHashSize
    Description: Size of the SPI, Destination hash table for inbound SAs
    Data Type: REG_DWORD, Default: 64 KB
    Minimum: 64 KB, Maximum: 1024 KB

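The following PowerShell script is an added example and is not part of the KB article. It reads the three IPSEC driver values listed above and compares them against the documented defaults and ranges, flagging anything out of range rather than assuming how the driver would treat it. It is read-only; the key path and value names are the ones given in the article, and the units in the table are taken from the article as well.

```powershell
# Added example, not from the KB article. Audit the IPSEC driver tunables
# against the defaults and ranges documented in the article.
$driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'

# Documented values: seconds for SAIdleTime, kilobytes for the two sizes.
$expected = [ordered]@{
    SAIdleTime = @{ Default = 300; Min = 300; Max = 3600 }
    CacheSize  = @{ Default = 64;  Min = 64;  Max = 1024 }
    SAHashSize = @{ Default = 64;  Min = 64;  Max = 1024 }
}

function Test-IpsecDriverSettings {
    param([string]$Key = $driverKey)

    if (-not (Test-Path $Key)) {
        Write-Warning "IPSEC driver key not found: $Key"
        return
    }
    $props = Get-ItemProperty -Path $Key

    foreach ($name in $expected.Keys) {
        $spec  = $expected[$name]
        $value = $props.$name
        if ($null -eq $value) {
            # Value absent: the driver falls back to its built-in default.
            "{0,-12} not set (driver default {1})" -f $name, $spec.Default
        }
        elseif ($value -lt $spec.Min -or $value -gt $spec.Max) {
            # Outside the documented range: report it for review instead of
            # relying on whatever clamping the driver applies.
            "{0,-12} = {1}  OUT OF RANGE ({2}..{3})" -f $name, $value, $spec.Min, $spec.Max
        }
        else {
            "{0,-12} = {1}  ok" -f $name, $value
        }
    }
}

Test-IpsecDriverSettings
```

Run it as an administrator before and after any change to these values; a value left below the documented minimum (for example, an SAIdleTime someone lowered to speed up testing) is easy to miss without a check like this, since the driver does not report it anywhere obvious.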

Oakley Registry Settings

By default, there are no exposed settings for Oakley. However, some entries are possible and can be very useful for troubleshooting. Create the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Oakley registry settings include:
  • EnableLogging: REG_DWORD: A value of 1 creates the Oakley.log log in the system root folder.
  • MinLifeTime: REG_DWORD: In seconds, this is the minimum lifetime for the key used to encrypt the Oakley key exchange. The default value is 8 hours (28,000 seconds). This value is set in the ISAKMP policy for specific policies or can be modified in the registry to provide a default for all new policies. If a policy specifies a value lower than MinLifeTime, the MinLifeTime value is used instead.
  • NoLog: REG_DWORD: A value of 1 stops logging. This is the default.
  • Log: REG_DWORD: A value of 1 starts logging.

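The following PowerShell functions are an added example and are not part of the KB article. They switch the two troubleshooting logs described in this article on and off together: Oakley.log via EnableLogging under the Oakley key (which does not exist by default and is created here), and Ipsecpa.log via the Policy Agent Debug value. The service name PolicyAgent and the restart are assumptions: the article states that Policy Agent reads its registry values when the Service Control Manager starts it, so the service is restarted for the values to take effect.

```powershell
# Added example, not from the KB article. Enable and disable the Oakley and
# Policy Agent troubleshooting logs described in the article.
$policyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$oakleyKey      = Join-Path $policyAgentKey 'Oakley'

function Enable-IpsecTroubleshootingLogs {
    # The Oakley key is not present by default; create it if needed.
    if (-not (Test-Path $oakleyKey)) {
        New-Item -Path $oakleyKey -Force | Out-Null
    }
    # EnableLogging = 1 writes Oakley.log to the system root folder.
    Set-ItemProperty -Path $oakleyKey -Name EnableLogging -Value 1 -Type DWord
    # Debug = 1 writes Ipsecpa.log to the system root folder.
    Set-ItemProperty -Path $policyAgentKey -Name Debug -Value 1 -Type DWord
    # Assumption: service name is PolicyAgent; it reads the registry at start.
    Restart-Service -Name PolicyAgent
    "Logging to $env:SystemRoot\Oakley.log and $env:SystemRoot\Ipsecpa.log"
}

function Disable-IpsecTroubleshootingLogs {
    if (Test-Path $oakleyKey) {
        Set-ItemProperty -Path $oakleyKey -Name EnableLogging -Value 0 -Type DWord
    }
    # Debug default is 0 per the article.
    Set-ItemProperty -Path $policyAgentKey -Name Debug -Value 0 -Type DWord
    Restart-Service -Name PolicyAgent
}

function Get-IpsecTroubleshootingLogState {
    # Report the current state of both switches without changing anything.
    $oakley = if (Test-Path $oakleyKey) {
        (Get-ItemProperty -Path $oakleyKey).EnableLogging
    } else { $null }
    $agent = (Get-ItemProperty -Path $policyAgentKey).Debug
    [pscustomobject]@{
        OakleyEnableLogging = $oakley   # $null means the Oakley key is absent
        PolicyAgentDebug    = $agent    # $null means the value is absent (default 0)
    }
}
```

Enable the logs only for the duration of the investigation and call the disable function afterwards: Oakley.log records every key exchange attempt and grows quickly, and both logs sit in the system root folder where they are easy to forget.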

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.