Article ID: 947211 - Last Review: February 1, 2008 - Revision: 1.2

Message Digest 5 (MD5) and the Data Encryption Standard (DES) have been removed from the default list of IPsec cryptographic algorithms in Windows Vista and in Windows Server 2008

View products that this article applies to.
Beta Information
This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.
Expand all | Collapse all

INTRODUCTION

This article discusses why Message Digest 5 (MD5) and the Data Encryption Standard (DES) have been removed from the default list of IPsec cryptographic algorithms in Windows Vista and in Windows Server 2008.

MORE INFORMATION

Microsoft is removing cryptographic algorithms that are no longer considered secure from Windows Vista and from Windows Server 2008. Therefore, policies that were created by using the IP Security Policies Management snap-in or by using the netsh ipsec command have been changed to remove MD5 and DES from the default policies. The new defaults are backward compatible with policies that were created by using the defaults in Microsoft Windows 2000, in Windows XP, and in Windows Server 2003. Additionally, MD5 and DES can still be configured as part of a policy if they are required for compatibility or interoperability reasons.

The following settings have been updated.

The main-mode cryptographic set when you use the default settings to create a new policy
Collapse this tableExpand this table
PreviousCurrent
3DES, SHA1, DH Medium (2)
3DES, MD5, DH Medium (2)
DES, SHA1, DH Low (1)
DES, MD5, DH Low (1) 		3DES, SHA1, DH Medium (2)

New filtration settings for the "netsh ipsec" command when it is used together with the "action=negotiate" parameter
Collapse this tableExpand this table
PreviousCurrent
ESP: 3DES, SHA1
ESP: 3DES, MD5 		ESP: 3DES, SHA1

Action settings for the default response rule filters
Collapse this tableExpand this table
PreviousCurrent
ESP: 3DES, SHA1
ESP: 3DES, MD5
ESP: DES, SHA1
ESP: DES, MD5
AH: SHA1
AH: MD5 		ESP: 3DES, SHA1
AH: SHA1

Note The default response rule is deprecated in Windows Vista. The rule is available only to manage policies for earlier versions of Windows.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
942964  (http://support.microsoft.com/kb/942964/ ) How the default response rule for IPsec policies functions in Windows Vista and in Windows Server 2008 Beta 3
APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Back to the top
Keywords: 
kbexpertiseinter kbhowto kbinfo KB947211
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations