Microsoft KB Archive/329194

= IPSec Policy Permissions in Windows 2000 and Windows Server 2003 =

Article ID: 329194

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q329194



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
In a Windows 2000 domain, users may be able to view domain IPSec policies from any computer in the domain.



CAUSE
This issue occurs because the access control list (ACL) of the IP Security container in Windows 2000 Active Directory grants Read permissions for authenticated users and computers to IPSec policies. The default Discretionary ACL (DACL) for the IP Security container in Windows 2000 Server is as follows:

Owner: Domain Admin

Group: Domain Admin

Allow ACLs:

Allow Authenticated users: RP LC LO RC

Allow Domain Admin: RP WP CR LC LO CC DC RC WD WO SW

Allow Local SYSTEM: RP WP CR LC LO CC DC RC WD WO SD DT SW

The access rights use the following notation:

RP – ADS_RIGHT_DS_READ_PROP

WP – ADS_RIGHT_DS_WRITE_PROP

CR – ADS_RIGHT_DS_CONTROL_ACCESS

LC – ADS_RIGHT_DS_LIST

LO – ADS_RIGHT_DS_LIST_OBJECT

CC – ADS_RIGHT_DS_CREATE_CHILD

DC – ADS_RIGHT_DS_DELETE_CHILD

RC – READ_CONTROL

WD – WRITE_DAC

WO – WRITE_OWNER

SD – DELETE

DT – ADS_RIGHT_DS_DELETE_TREE

SW – ADS_RIGHT_SELF



RESOLUTION
This problem is resolved in Windows Server 2003 with the implementation of different default permissions on the Active Directory container and the built-in objects that it contains. These new security settings do not allow typical users on the domain to view IPSec policies.

However, users on the domain who have administrative credentials to their own computers can view the contents of IPSec policies that are applied to their own computers by Group Policy. Additionally, local administrators can install system services on their computers and use the IP Security Policy Management tool locally. Therefore, they can view the IP Security container in Active Directory, even with the security settings in Windows Server 2003.

With the new security settings in Windows Server 2003, by default, computers in a child domain cannot read the IPSec policy of the parent domain. If Group Policy of the parent domain is intended to apply IPSec policy to the child domain, an administrator must manually grant Read permission to the appropriate computer, group of computers, or security group for the IPSec policies on the parent domain.

The default DACL for the IP Security container in Windows Server 2003 is as follows:

Owner: Domain Admin

Group: Domain Admin

Allow ACLs:

Allow domain computers: RP LC LO RC

Allow Group policy owner creator: RP LC LO RC

Allow Domain Admin: RP WP CR LC LO CC DC RC WD WO SW

Allow Local SYSTEM: RP WP CR LC LO CC DC RC WD WO SD DT SW

The access rights use the following notation:

RP – ADS_RIGHT_DS_READ_PROP

WP – ADS_RIGHT_DS_WRITE_PROP

CR – ADS_RIGHT_DS_CONTROL_ACCESS

LC – ADS_RIGHT_DS_LIST

LO – ADS_RIGHT_DS_LIST_OBJECT

CC – ADS_RIGHT_DS_CREATE_CHILD

DC – ADS_RIGHT_DS_DELETE_CHILD

RC – READ_CONTROL

WD – WRITE_DAC

WO – WRITE_OWNER

SD – DELETE

DT – ADS_RIGHT_DS_DELETE_TREE

SW – ADS_RIGHT_SELF

The following changes are implemented in Windows Server 2003, and they apply to both new and upgrade installations of Windows Server 2003:
 * An inheritable DACL is included with the IP Security container.
 * An empty DACL is included with the built-in IPSec policies. Because the DACL is empty, objects can inherit permissions from the IP Security container and other parent containers in Active Directory.
 * The default DACL for all IPSec objects is changed so that all new objects that you create have an empty DACL and can inherit permissions. As a result, IPSec policies that are created from Windows 2000, Windows XP, or Windows Server 2003 management clients have the new permissions.

When you perform a new installation of Windows Server 2003, these changes are applied when you run Dcpromo.exe.

When you upgrade to Windows Server 2003 from Windows 2000 Server, these changes are applied when you run Adprep.exe to prepare the Windows 2000 domain or forest for the upgrade operation. If some default policy objects were deleted in Windows 2000, the ACLs for the existing default objects are modified with the new permissions. Note that the ACLs on existing user-created objects are not changed when you upgrade to Windows Server 2003. To update the permissions set on these objects, use the procedure described in the "Workaround" section of this article.



WORKAROUND
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To work around this issue, follow these steps:

1. Create the Schema Update Allowed DWORD value in the following registry key, and then set the value to 1:
 

For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

216060 Registry Modification Required to Allow Write Operations to Schema

2. Create and run the Ipsec_acl_fix.vbs script. To do so:

   a. Start Notepad, open a new text file, and then copy and paste the following code to the text file:

```vbscript
Option Explicit
' Each procedure inspects Err.Number after its ADSI calls, so errors must not
' abort the script: every procedure (and the main block) sets On Error Resume Next.

' ADSI constants used by this script (ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM, ADS_ACEFLAGS_ENUM)
Const ADS_RIGHT_DS_READ_PROP = &H10&
Const ADS_RIGHT_DS_LIST = &H4&
Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
Const READ_CONTROL = &H20000&
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0&
Const CONTAINER_INHERIT_ACE = &H2&
Const OBJECT_INHERIT_ACE = &H1&

'* Check if an "IP Security" container exists and correct the ACLs for the container.
'* Returns 0 -> container exists, success; 1 -> container doesn't exist; 2 -> other failures
Function FixupIpsecContainerAcls(InputDomainDN, DomainShortName)
    On Error Resume Next
    Dim x, deletedAce, Dacl, hResult, ace1, RemoveFlags, sd, ace
    hResult = 0
    Set x = GetObject("LDAP://cn=IP Security,cn=system," & InputDomainDN)
    If Err.Number <> 0 Then
        MsgBox "Container cn=IP Security,cn=system," & InputDomainDN & " does not exist" & " Error :" & Err.Number, vbCritical
        FixupIpsecContainerAcls = 1
        Exit Function
    End If
    Set sd = x.Get("nTSecurityDescriptor")
    If Err.Number <> 0 Then
        MsgBox "Could not get nTSecurityDescriptor for cn=IP Security,cn=system," & InputDomainDN & " Error :" & Err.Number, vbCritical
        FixupIpsecContainerAcls = 2
        Exit Function
    End If
    ' Remove the non-inherited Allow ACE that grants Authenticated Users read access.
    deletedAce = False
    Set Dacl = sd.DiscretionaryAcl
    For Each ace In Dacl
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And ace.AceFlags = 0 Then
            If ace.Trustee = "NT AUTHORITY\Authenticated Users" Then
                RemoveFlags = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_LIST Or ADS_RIGHT_DS_LIST_OBJECT Or READ_CONTROL
                If (ace.AccessMask And RemoveFlags) <> 0 Then
                    Dacl.RemoveAce ace
                    deletedAce = True
                End If
            End If
        End If
    Next
    If deletedAce = False Then
        MsgBox "ACE to remove rights for Authenticated users was not found or was changed from the default installation", vbExclamation
    End If
    ' Grant Domain Computers read access; the ACE is inheritable by child objects.
    Set ace1 = CreateObject("AccessControlEntry")
    ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace1.AceFlags = CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE
    ace1.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_LIST Or ADS_RIGHT_DS_LIST_OBJECT Or READ_CONTROL
    ace1.Trustee = DomainShortName & "\Domain Computers"
    Dacl.AddAce ace1
    sd.DiscretionaryAcl = Dacl
    x.Put "nTSecurityDescriptor", Array(sd)
    x.SetInfo
    If Err.Number <> 0 Then
        MsgBox "There was an Error Adding ACls for cn=IP Security" & " Error :" & Err.Number, vbCritical
        hResult = 2
    End If
    FixupIpsecContainerAcls = hResult
End Function

'* Clear the ACLs for all the IPSec objects so that they inherit ACLs from their container.
'* Returns 0 -> success; 1 -> other failures
Function ClearIpsecObjectAcls(InputDomainDN)
    On Error Resume Next
    Dim names, i, x, hResult, sd, ace, Dacl, path
    hResult = 0
    ' The built-in IPSec objects, by their well-known names.
    names = Array( _
        "ipsecPolicy{72385230-70FA-11D1-864C-14A300000000}", "ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}", _
        "ipsecNFA{72385232-70FA-11D1-864C-14A300000000}", "ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17}", _
        "ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17}", "ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17}", _
        "ipsecPolicy{72385236-70FA-11D1-864C-14A300000000}", "ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}", _
        "ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17}", "ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000}", _
        "ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000}", "ipsecNFA{7238523E-70FA-11D1-864C-14A300000000}", _
        "ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17}", "ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17}", _
        "ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17}", "ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17}", _
        "ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17}", "ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000}", _
        "ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000}", "ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000}", _
        "ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}", "ipsecFilter{72385235-70FA-11D1-864C-14A300000000}")
    For i = 0 To UBound(names)
        Err.Clear
        path = "LDAP://cn=" & names(i) & ",cn=IP Security,cn=system," & InputDomainDN
        Set x = GetObject(path)
        ' Objects that were deleted from the domain are skipped.
        If Err.Number = 0 Then
            Set sd = x.Get("nTSecurityDescriptor")
            If Err.Number <> 0 Then
                MsgBox "nTSecurityDescriptor could not be retrieved from " & path & " Error :" & Err.Number, vbCritical
                hResult = 1
            Else
                ' Empty the DACL so the object inherits permissions from its container.
                Set Dacl = sd.DiscretionaryAcl
                For Each ace In Dacl
                    Dacl.RemoveAce ace
                Next
                sd.DiscretionaryAcl = Dacl
                x.Put "nTSecurityDescriptor", Array(sd)
                x.SetInfo
                If Err.Number <> 0 Then
                    MsgBox "Error setting Acls for " & path & " Error :" & Err.Number, vbCritical
                    hResult = 1
                End If
            End If
        End If
    Next
    ClearIpsecObjectAcls = hResult
End Function

'* Set an empty defaultSecurityDescriptor ("D:") on the IPSec schema classes so that
'* new objects inherit permissions. Returns 0 -> success; 1 -> other failures
Function FixupSchemaObjectAcls(InputDomainDN)
    On Error Resume Next
    Dim names, i, container, x, hResult, path
    hResult = 0
    container = "CN=Schema,CN=Configuration," & InputDomainDN
    names = Array("Ipsec-Base", "Ipsec-Filter", "Ipsec-ISAKMP-Policy", _
                  "Ipsec-Negotiation-Policy", "Ipsec-NFA", "Ipsec-Policy")
    For i = 0 To UBound(names)
        Err.Clear
        path = "LDAP://cn=" & names(i) & "," & container
        Set x = GetObject(path)
        If Err.Number <> 0 Then
            MsgBox path & " does not exist" & " Error :" & Err.Number, vbCritical
            hResult = 1
        Else
            x.Put "defaultSecurityDescriptor", "D:"
            x.SetInfo
            If Err.Number <> 0 Then
                MsgBox "Error setting defaultSecurityDescriptor for " & path & " Error :" & Err.Number, vbCritical
                hResult = 1
            End If
        End If
    Next
    FixupSchemaObjectAcls = hResult
End Function

Function IsSchemaUpdateAllowed
    On Error Resume Next
    Dim WshShell, bKey
    Set WshShell = WScript.CreateObject("WScript.Shell")
    bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed")
    If Err.Number <> 0 Then bKey = 0   ' value absent: schema updates are not allowed
    IsSchemaUpdateAllowed = bKey
End Function

'* MAIN
On Error Resume Next
Dim Info, dnsName, domainDN, regOk, retVal1, retVal2, retVal3
MsgBox "This script attempts to correct the ACLs of IP Security related objects and schema in Active Directory. For this, it needs Schema changes be allowed through a registry Key." & vbCrLf & "Please read Q and Q216060 for more details."
regOk = IsSchemaUpdateAllowed
If regOk <> 1 Then
    MsgBox "The registry key to allow schema updates is not set. Please read Q216060 for more information." & vbCrLf & "The Script will stop processing. The ACL corrections have not been made.", vbExclamation
Else
    ' Build the domain DN (dc=child,dc=example,dc=com) from the DNS domain name.
    Set Info = CreateObject("AdSystemInfo")
    dnsName = Info.DomainDNSName
    domainDN = "dc=" & Replace(dnsName, ".", ",dc=")
    retVal1 = FixupIpsecContainerAcls(domainDN, Info.DomainShortName)
    retVal2 = ClearIpsecObjectAcls(domainDN)
    retVal3 = FixupSchemaObjectAcls(domainDN)
    If retVal1 = 0 And retVal2 = 0 And retVal3 = 0 Then
        MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed successfully." & vbCrLf & "You may now reset/delete the registry key that allows schema updates per Q216060"
    Else
        MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed with some errors" & vbCrLf & "If you are not going to retry the operation, you may reset/delete the registry key that allows schema updates per Q216060"
    End If
End If
```

   b. On the File menu, click Save, click All Files in the Save as type box, type ipsec_acl_fix.vbs in the File name box, specify a location where you want to save the file, and then click Save. Quit Notepad.

   c. Run the Ipsec_acl_fix.vbs script from a command prompt.

3. Delete the Schema Update Allowed registry value that you created in step 1.

Note You can also use this procedure to modify the permissions of the IPSec policy of a Windows Server 2003 domain that you upgraded from Windows 2000, in the situation where the permissions of policy objects were not modified during the upgrade operation.


STATUS
Microsoft has confirmed that this is a problem in Windows 2000.


MORE INFORMATION
The Ipsec_acl_fix.vbs script performs the following actions:
 * Removes the following ACLs from the CN=IP Security,CN=System,DC= container for NT AUTHORITY\Authenticated Users: ADS_RIGHT_DS_READ_PROP, ADS_RIGHT_DS_LIST, ADS_RIGHT_DS_LIST_OBJECT, READ_CONTROL
 * Adds the following ACLs to the CN=IP Security,CN=System,DC= container for Domain Computers: ADS_RIGHT_DS_READ_PROP, ADS_RIGHT_DS_LIST, ADS_RIGHT_DS_LIST_OBJECT, READ_CONTROL
 * Clears the ACLs on the objects in the CN=IP Security,CN=System,DC= container so that they inherit the new ACLs.
 * Modifies the schema for IPSec objects so that new objects that you create correctly inherit permissions.

After you run the script, only computers in the domain can apply IPSec policies, and you cannot assign a policy in a Group Policy Object to an IPSec policy in a different domain.
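As an added check (example code written for this page, not part of the KB article or of Ipsec_acl_fix.vbs), the following PowerShell audit reads the DACL of the IP Security container, prints each ACE in the RP/WP/CR/LC/LO/CC/DC/RC/WD/WO/SD/DT/SW notation used in the CAUSE and RESOLUTION sections, and reports whether the Windows 2000 default ACE for Authenticated Users is still present, whether the Windows Server 2003 inheritable read ACE for Domain Computers exists, and whether any child object still carries explicit ACEs that block inheritance. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the bit values are the ADS_RIGHT_* constants the script defines.

```powershell
# Added audit example; assumes the ActiveDirectory module (Get-ADDomain, Get-ADObject, the AD: drive).
Import-Module ActiveDirectory

# Map System.DirectoryServices.ActiveDirectoryRights bits to the KB article's notation.
$Notation = [ordered]@{
    RP = 0x10; WP = 0x20; CR = 0x100; LC = 0x4; LO = 0x80; CC = 0x1; DC = 0x2
    RC = 0x20000; WD = 0x40000; WO = 0x80000; SD = 0x10000; DT = 0x40; SW = 0x8
}
$ReadMask = 0x10 -bor 0x4 -bor 0x80 -bor 0x20000   # RP LC LO RC: the rights the script moves

function ConvertTo-AdsNotation([int]$Mask) {
    ($Notation.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }) -join ' '
}

function Test-IpsecContainerAcl {
    $domain = Get-ADDomain
    $dn = "CN=IP Security,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    $findings = @()
    foreach ($ace in $acl.Access) {
        $mask = [int]$ace.ActiveDirectoryRights
        $who = $ace.IdentityReference.Value
        Write-Host ("{0,-5} {1,-40} {2,-12} {3}" -f $ace.AccessControlType, $who, $ace.InheritanceType, (ConvertTo-AdsNotation $mask))
        # Windows 2000 default: a non-inherited Allow ACE for Authenticated Users carrying read bits.
        if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
            $who -eq 'NT AUTHORITY\Authenticated Users' -and ($mask -band $ReadMask)) {
            $findings += "Authenticated Users can still read IPSec policies (Windows 2000 default ACE present)"
        }
    }
    # Windows Server 2003 default: Domain Computers hold an inheritable Allow ACE with RP LC LO RC.
    $dcAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\Domain Computers" -and
        (([int]$_.ActiveDirectoryRights) -band $ReadMask) -eq $ReadMask -and $_.InheritanceType -ne 'None'
    }
    if (-not $dcAce) { $findings += "Domain Computers lack the inheritable read ACE; domain members may fail to apply IPSec policy" }
    # Policy objects should carry no explicit ACEs, so that they inherit the container's DACL.
    foreach ($child in Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter *) {
        $explicit = @((Get-Acl -Path "AD:\$($child.DistinguishedName)").Access | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) { $findings += "$($child.Name) has $($explicit.Count) explicit ACE(s) and will not inherit the container DACL" }
    }
    if ($findings.Count -gt 0) { return $findings }
    return "OK: IP Security container DACL matches the Windows Server 2003 defaults"
}

Test-IpsecContainerAcl
```

Run it as a domain administrator before and after the workaround; the listing shows the effect of each step of the script in the same notation as the default DACLs above.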

Keywords: kbbug kbfix KB329194

-


© Microsoft Corporation. All rights reserved.