IPSec default exemptions are removed in Windows Server 2003

The Internet Protocol Security (IPsec) feature in Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.

The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Microsoft Windows XP Help. These filters make it possible for Internet Key Exchange (IKE) and Kerberos to function. The filters also make it possible for the network Quality of Service(QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec cannot secure such as multicast and broadcast traffic.

For additional information about these filters, click the following article number to view the article in the Microsoft Knowledge Base:

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. As IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, the effect of these default exemptions has not been fully understood. Because of this, some IPsec administrators may create IPsec policies that they believe to be secure, but that are not secure against inbound attacks that use the default exemptions.

For these reasons, Microsoft has removed most of the default exemptions in Windows Server 2003. This may require IPsec policy changes for Windows Server 2003 for IPsec deployment scenarios where you use IKE to negotiate security and IPsec protection for upper-layer protocol traffic.

Removal of default exemptions Windows

By default, Windows Server 2003, removes all default exemptions, except for the IKE exemption. Changes to existing IPsec policy designs may be required before you can use the policy on Windows Server 2003 .

Administrators should start planning for these changes for all existing and new IPsec deployments by using NoDefaultExempt=1 on their Windows 2000-based and Windows XP-based computers. The NoDefaultExempt=1 registry key is supported in Windows Server 2003 to make it possible for administrators to restore the earlier default exemption behavior for backward compatibility with earlier IPsec policy designs and program compatibility. During the upgrade to Windows Server 2003, the value of an existing NoDefaultExempt=1 registry key setting is preserved.

For additional information about default exemptions for Windows 2000-based and Windows XP-based computers, click the following article number to view the article in the Microsoft Knowledge Base: Note Review this article (811832) before you use the registry key to re-enable the default exemptions.

Also review the "Specifying Default Exemptions to IPSec Filtering" section in the Windows Server 2003 IPsec Deployment kit for more information. To obtain the Microsoft Windows 2003 Server Deployment Kit, visit the following Microsoft Web site:To modify the default filtering behavior for Windows Server 2003 IPSec, you can use the Netsh IPSec command or modify the registry.

To modify the default filtering behavior by using the Netsh IPSec command:

1. Click Start, and then click Run.
2. Type cmd, and then click OK.
3. At the command prompt, type netsh ipsec dynamic set config ipsecexempt value={ 0 | 1 | 2 | 3}, and then press ENTER.

The use of { 0 | 1 | 2 | 3} in this command represents all available options for this command. You can only use one value. Depending on the exemptions you want you to use, specify the value as:

• A value of 0 specifies that multicast, broadcast, RSVP, Kerberos, and ISAKMP traffic are exempt from IPSec filtering. This is the default filtering behavior for Windows 2000 and Windows XP. Use this setting only if you have to for compatibility with an existing IPsec policy or Windows 2000 and Windows XP behavior.
• A value of 1 specifies that Kerberos and RSVP traffic are not exempt from IPSec filtering, but multicast, broadcast, and ISAKMP traffic are exempt.
• A value of 2 specifies that multicast and broadcast traffic are not exempt from IPSec filtering, but RSVP, Kerberos, and ISAKMP traffic are exempt.
• A value of 3 specifies that only ISAKMP traffic is exempt from IPSec filtering. This is the default filtering behavior for Windows Server 2003.

If you change the value for this setting, you must restart the computer for the new value to take effect. To modify the default filtering behavior by using the registry:

1. Click Start, and then click Run.
2. Type Regedit, and then click OK.
3. Click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
   Note If you are using Windows Server 2008, click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
4. Right-click IPSEC, point to New, and then click DWORD Value.
5. Name this new entry NoDefaultExempt.
6. Assign this entry any value from 0 through 3.
7. Restart your computer.

The filtering behaviors for each value are equivalent to those that are noted for the netsh ipsec dynamic set config ipsecexempt value=x command.

Impact of IKE exemption

The effect of the IKE exemption is the same as for Windows 2000 and Windows XP. However, Windows Server 2003 provides improved DoS avoidance to flooding attacks.

For additional information about IKE exemption for Windows 2000 and Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

Effect of Kerberos exemption

If NoDefaultExempt is set to 0 or 2 to restore the exemption, the effect of Kerberos exemption is the same as described for Windows 2000 and Windows XP.

For more information about Kerberos exemption for Windows 2000 and Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

Effect of RSVP exemption

If NoDefaultExempt is set to 0 or 2 to restore the exemption, the RSVP exemption risk is limited to third-party RSVP implementations that may be installed. By default, Windows Server 2003 does not include the QoS RSVP service. The –R option has been removed from the Pathping utility so it does not support the RSVP protocol.

Effect of broadcast and multicast exemptions

If NoDefaultExempt is set to 0 or 1 to restore the exemption, the effect of broadcast and multicast exemptions is the same as described for Windows 2000 and Windows XP. However, Windows Server 2003 IPsec does support filtering broadcast and multicast traffic. An IPsec policy design may have filters that would be matched by outbound broadcast or multicast such as a filter with source address of “My IP Address” and a destination address of “Any IP Address”. IPsec policies should be tested in the lab and in operation to confirm the effect of an existing policy design on this traffic. Broadcast and multicast traffic can be blocked in a limited way by using an IPsec filter with source and destination address of “Any IP Address”. The Microsoft Windows Server 2003 Resource Kit contains more information.

For additional information about broadcast and multicast exemptions for Windows 2000 and Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

Which programs can receive broadcast traffic?

Windows Server 2003 supports a socket option for programs to explicitly disable the receipt of broadcast traffic, but there is no change to the default behavior that programs that are listening on UDP ports receive broadcast traffic.

Which Programs can receive multicast traffic?

In Windows Server 2003, programs still must explicitly register with the TCPIP stack to receive inbound multicast traffic types, and traffic may be dropped if the multicast group is unregistered.

Using IPsec with the Internet Connection Firewall

As in Windows XP, ICF and IPsec filtering capabilities can be combined to create advanced filtering behaviors. This is particularly useful where IPsec must statically permit certain outbound traffic to the Internet such as for HTTP or DNS or SMTP. This makes it possible for ICF to provide stateful filtering of outbound traffic that IPsec permits.

For additional information about the effect of IP Security default exemptions, click the following article number to view the article in the Microsoft Knowledge Base: For more information about filtering and deployment guidance for IPsec in Windows Server 2003, see the IPsec deployment chapter in the Microsoft Windows 2003 Server Deployment Kit. To do so, visit the following Microsoft Web site: