This article has been archived. It is offered "as is" and will no longer be updated.
This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.
No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.
This article discusses why Message Digest 5 (MD5) and the Data Encryption Standard (DES) have been removed from the default list of IPsec cryptographic algorithms in Windows Vista and in Windows Server 2008.
Microsoft is removing cryptographic algorithms that are no longer considered secure from Windows Vista and from Windows Server 2008. Therefore, policies that were created by using the IP Security Policies Management snap-in or by using the netsh ipsec command have been changed to remove MD5 and DES from the default policies. The new defaults are backward compatible with policies that were created by using the defaults in Microsoft Windows 2000, in Windows XP, and in Windows Server 2003. Additionally, MD5 and DES can still be configured as part of a policy if they are required for compatibility or interoperability reasons.
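The backward-compatibility claim can be checked by modelling main-mode proposal selection. The following Python sketch is an added example, not Microsoft code: it uses the old and new default main-mode sets listed in this article, while the ";" separator, the function names, the first-match selection rule and the DES-only legacy peer are assumptions made for illustration.

```python
# Added example: simplified model of IKE main-mode proposal selection.
# Not Microsoft code; names and the selection rule are assumptions.

WEAK = {"MD5", "DES"}  # algorithms the article says were removed from the defaults


def parse_set(text):
    """Parse 'ENC, HASH, DH' entries separated by ';' into (enc, hash, dh) tuples."""
    proposals = []
    for entry in text.split(";"):
        enc, integ, dh = (part.strip() for part in entry.split(","))
        proposals.append((enc, integ, dh))
    return proposals


# Default main-mode sets as listed in this article (separator is constructed).
OLD_DEFAULT = parse_set(
    "3DES, SHA1, DH Medium (2); 3DES, MD5, DH Medium (2); "
    "DES, SHA1, DH Low (1); DES, MD5, DH Low (1)"
)
NEW_DEFAULT = parse_set("3DES, SHA1, DH Medium (2)")


def strip_weak(proposals):
    """Drop every proposal whose cipher or hash is in WEAK (exact match, so 3DES stays)."""
    return [p for p in proposals if not WEAK & {p[0], p[1]}]


def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also allows, else None.

    Assumed simplification: real IKE negotiation has more attributes than this.
    """
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None


if __name__ == "__main__":
    # A peer still on the old defaults interoperates with the new defaults.
    print("new -> old:", negotiate(NEW_DEFAULT, OLD_DEFAULT))
    print("old -> new:", negotiate(OLD_DEFAULT, NEW_DEFAULT))
    # Constructed case: a peer restricted to DES/MD5 only finds no common proposal
    # until DES and MD5 are explicitly configured in the policy.
    legacy = parse_set("DES, MD5, DH Low (1)")
    print("new -> DES/MD5-only peer:", negotiate(NEW_DEFAULT, legacy))
    print("explicit policy -> peer:", negotiate(NEW_DEFAULT + legacy, legacy))
```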
The following settings have been updated.
The main-mode cryptographic set when you use the default settings to create a new policy
Previous default: 3DES, SHA1, DH Medium (2); 3DES, MD5, DH Medium (2); DES, SHA1, DH Low (1); DES, MD5, DH Low (1)
New default: 3DES, SHA1, DH Medium (2)
New filtration settings for the "netsh ipsec" command when it is used together with the "action=negotiate" parameter
Previous default: ESP: 3DES, SHA1; ESP: 3DES, MD5
New default: ESP: 3DES, SHA1
Action settings for the default response rule filters