Specifying Default Exemptions to IPSec Filtering

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default in Windows 2000 and Windows XP, broadcast, multicast, Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering. In Windows Server 2003, the default filtering exemptions have been removed for Kerberos, RSVP, and multicast and broadcast traffic, but remain for ISAKMP traffic and for inbound multicast and broadcast traffic.

To modify the default filtering behavior for Windows Server 2003 IPSec, you can use the Netsh IPSec context or modify the registry.

To modify the default filtering behavior by using the Netsh IPSec context, use the following command:

netsh ipsec dynamic set config ipsecexempt value={0|1|2|3}

Depending on which exemptions you want, specify the values as follows:

  • A value of 0 specifies that multicast, broadcast, RSVP, Kerberos, and ISAKMP traffic are exempt from IPSec filtering. This is the default filtering behavior for Windows 2000 and Windows XP.

    Use this setting only if required for compatibility with Windows 2000 and Windows XP. However, if Kerberos traffic is exempted from filtering, an attacker can bypass other IPSec filters by using either UDP or TCP source port 88 to access any open port. Many port scan tools will not detect this because these tools do not allow setting the source port to 88 when checking for open ports.

  • A value of 1 specifies that Kerberos and RSVP traffic are not exempt from IPSec filtering (multicast, broadcast, and ISAKMP traffic are exempt).

  • A value of 2 specifies that multicast and broadcast traffic are not exempt from IPSec filtering (RSVP, Kerberos, and ISAKMP traffic are exempt).

  • A value of 3 specifies that only ISAKMP traffic is exempt from IPSec filtering. This is the default filtering behavior for Windows Server 2003.

If you change the value for this setting, you must restart the computer for the new value to take effect.

To modify the default filtering behavior by using the registry, do the following:

  1. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC, add a new DWORD entry named NoDefaultExempt.

  2. Assign this entry any value from 0 through 3.

  3. Restart the computer.

The filtering behaviors for each value are equivalent to those noted above for the **netsh ipsec dynamic set config ipsecexempt value=**x command.

Warning

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference at https://go.microsoft.com/fwlink/?LinkID=33702.

The following table summarizes the equivalent filters that are implemented if all default exemptions to IPSec filtering are enabled (that is, if NoDefaultExempt is 0). When the IP address is specified, the subnet mask is 255.255.255.255. When the IP address is Any, the subnet mask is 0.0.0.0.

Table 6.6   Equivalent Filters for NoDefaultExempt=0

| Source Address | Destination Address | Protocol | Source Port | Destination Port | Filter Action |
|---|---|---|---|---|---|
| My IP Address | Any IP Address | UDP | Any | 88 | Permit |
| Any IP Address | My IP Address | UDP | 88 | Any | Permit |
| Any IP Address | My IP Address | UDP | Any | 88 | Permit |
| My IP Address | Any IP Address | UDP | 88 | Any | Permit |
| My IP Address | Any IP Address | TCP | Any | 88 | Permit |
| Any IP Address | My IP Address | TCP | 88 | Any | Permit |
| Any IP Address | My IP Address | TCP | Any | 88 | Permit |
| My IP Address | Any IP Address | TCP | 88 | Any | Permit |
| My IP Address | Any IP Address | UDP | 500 | 500 (1) | Permit |
| Any IP Address | My IP Address | UDP | 500 | 500 | Permit |
| My IP Address | Peer IP Address | UDP | 4500 | 4500 (2) | Permit |
| Peer IP Address | My IP Address | UDP | 4500 | 4500 | Permit |
| My IP Address | Any | 46 (RSVP) | | | Permit |
| Any IP Address | My IP Address | 46 (RSVP) | | | Permit |
| Any IP Address | <multicast> (3) | | | | Permit |
| My IP Address | <multicast> | | | | Permit |
| Any IP Address | <broadcast> (4) | | | | Permit |
| My IP Address | <broadcast> | | | | Permit |
| <All IPv6 protocol traffic> (5) | | | | | Permit |

(1) In order for IPSec transport mode to be negotiated through an IPSec tunnel mode SA, ISAKMP traffic is not exempted if it needs to pass through the IPSec tunnel first.

(2) When IPSec NAT-T is performed, the filter exemption for UDP port 4500 is automatically generated, based on the source and destination IP addresses used during the initial part of the IKE negotiation on UDP port 500. This dynamic permit filter for port 4500 is displayed in the IP Security Monitor snap-in, under Quick Mode\Specific Filters, and in the output for the netsh ipsec dynamic show qmfilter command.

(3) Multicast traffic is defined as the class D range, with a destination address range of 224.0.0.0 with a 240.0.0.0 subnet mask, which corresponds to the range of addresses from 224.0.0.0 to 239.255.255.255.

(4) Broadcast traffic is defined as a destination address of 255.255.255.255 (the limited broadcast address), or as having the host ID portion of the IP address set to all 1’s (the subnet broadcast address).

(5) IPSec does not support filtering for IP version 6 (IPv6) packets, except when IPv6 packets are encapsulated with an IPv4 header.

Windows Server 2003 IPSec does not support specific filters for broadcast protocols or ports, nor does it support multicast groups, protocols, or ports. Because IPSec does not negotiate security for multicast and broadcast traffic, these types of traffic are dropped if they match a filter with a corresponding filter action to negotiate security. A filter with a source address of Any IP Address and a destination address of Any IP Address can block or permit all multicast and broadcast traffic. By default (and if the NoDefaultExempt registry key is set to a value of 2 or 3), outbound multicast or broadcast traffic will be matched against a filter with a source address of My IP Address and a destination address of Any IP Address. More specific unicast IP address filters that block, permit, or negotiate security for unicast IP traffic should be configured in the same IPSec policy to achieve appropriate security.
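As an added illustration (this is not code from the Microsoft documentation), the following Python model encodes the exemption table and the per-value behaviour of NoDefaultExempt described above, so an administrator can check which packets a given setting still leaves outside IPSec filtering, including the source-port-88 case the value list warns about. It assumes the inbound/outbound distinction for multicast and broadcast stated in the opening and closing paragraphs, and uses the standard IANA protocol numbers for UDP, TCP and RSVP; the sample addresses and ports are constructed.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")              # class D, footnote (3)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")  # footnote (4)
UDP, TCP, RSVP = 17, 6, 46                                   # IANA protocol numbers


def is_default_exempt(no_default_exempt, proto, src_port, dst_port,
                      dst_ip, inbound=True, subnet=None):
    """Return True if the packet is exempt from IPSec filtering.

    no_default_exempt: the NoDefaultExempt / ipsecexempt value (0 through 3).
    proto: IP protocol number; src_port/dst_port: None for portless protocols.
    dst_ip: destination address; subnet: optional "a.b.c.d/n" string so that
    the subnet broadcast address is recognised as well as 255.255.255.255.
    """
    if no_default_exempt not in (0, 1, 2, 3):
        raise ValueError("NoDefaultExempt must be 0 through 3")
    kerberos_rsvp_exempt = no_default_exempt in (0, 2)  # values 1 and 3 filter them
    mcast_bcast_exempt = no_default_exempt in (0, 1)    # values 2 and 3 filter them
    ip = ipaddress.ip_address(dst_ip)

    # ISAKMP (UDP 500, and UDP 4500 for NAT-T) is exempt under every value.
    if proto == UDP and (src_port, dst_port) in ((500, 500), (4500, 4500)):
        return True
    if kerberos_rsvp_exempt:
        # Kerberos is matched on port 88 at *either* end, which is why a
        # source port of 88 reaches any destination port when this is on.
        if proto in (UDP, TCP) and 88 in (src_port, dst_port):
            return True
        if proto == RSVP:
            return True
    is_bcast = ip == LIMITED_BROADCAST or (
        subnet is not None
        and ip == ipaddress.ip_network(subnet, strict=False).broadcast_address)
    if ip in MULTICAST or is_bcast:
        # Values 2 and 3 filter outbound multicast/broadcast; inbound stays exempt.
        return mcast_bcast_exempt or inbound
    return False


def values_closing_kerberos_bypass(dst_port=445):
    """NoDefaultExempt values under which inbound TCP traffic from source port 88
    to dst_port is filtered normally instead of slipping past the IPSec filters."""
    return [v for v in range(4)
            if not is_default_exempt(v, TCP, 88, dst_port, "10.0.0.5")]
```

Running `values_closing_kerberos_bypass()` shows that only values 1 and 3 subject source-port-88 traffic to the configured filters, matching the guidance to keep value 0 for compatibility cases only.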

For more information about viewing or modifying filter settings, see "Add, edit, or remove filter actions" and "Select a filter action for a rule" in Help and Support Center for Windows Server 2003.