Microsoft KB Archive/231588

{|
 * width="100%"|

-

The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Server

-

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY
Windows Internet Protocol security (IPSec) is designed to encrypt data as it travels between two computers, protecting the data from modification and interpretation if anyone were to see it on the network. IPSec is a key line of defense against internal, private network, and external attacks. Although most network security strategies have focused on preventing attacks from outside an organization's network, a great deal of sensitive information can be lost by internal attacks that interpret data on the network. Most data is not protected when it travels across the network, so employees, supporting staff members, or visitors may be able to plug into your network and copy data for later analysis. They can also mount network-level attacks against other computers. Firewalls offer no protection against such internal threats, so using IPSec offers significantly greater security for corporate data.

IP Security is a Security service that gives administrators the ability to monitor traffic, examine addresses, and apply various security methods to the IP data packet regardless of which program generates the data.

This article lists the common IPSec registry settings for use by administrators.

MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Policy Storage
When there is no group policy with IP Security settings provided, policies are stored at: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servies\PolicyAgent\Policy\Local" When there is a group policy with IP Security settings provided, the policies are read from the Directory service (DS) and cached at: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servies\PolicyAgent\Policy\Cache" The path to a group IP Security policy is stored at various locations in the registry (the end of this article contains a complete list). The central location is: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy"

Policy Agent Settings
When the Service Control Manager starts Policy Agent, it first gets any values from the registry. If debugging is set in the registry, the log needs to be opened before Policy Agent starts.

The registry values for Policy Agent are located at: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servies\PolicyAgent\" Checked values include:
 * Debug: REG_DWORD: A value of 1 turns on logging. A log called Ipsecpa.log is created in the system root folder. The default value is 0.
 * Log: REG_SZ: This specifies the name of the log to open with Debug.

One last value for Policy Agent is located at: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servies\PolicyAgent\IPSECPolicy Storage"
 * Debug: REG_DWORD: A value of 1 sends debug events for Policy Agent to the system log in Event Viewer.

The Global IPSec Policy references are found in five locations:
 * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\GPTIPSECPolicy
 * HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
 * HKEY_CURRENT_USER\SOFTWARE\Microsoft\GroupPolicyObjects\{GUID}Machine\Software\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
 * HKEY_CURRENT_USER\SOFTWARE\Microsoft\GroupPolicyObjects\{GUID}Machine\System\CurrentControlSet\Services\PolicyAgent\Policy\GPTIPSECPolicy
 * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPSec\GPTIPSECPolicy

IPSEC Driver Registry Settings
The settings for the IPSEC driver are located at: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serviecs\IPSec"

Values That Can Be Modified

 * SAIdleTime

Description: Security Association Idle Timer

Data Type: REG_DWORD, Default: 300 Seconds

Minimum: 300 Seconds, Maximum: 3600 Seconds
 * CacheSize

Description: First Level (IP Header based) cache size

Data Type: REG_DWORD, Default: 64 KB

Minimum: 64K, Maximum: 1024 KB
 * SAHashSize

Description: Size of the SPI, Destination has table for inbound SAs

Data Type: REG_DWORD, Default: 64 KB

Minimum: 64K, Maximum: 1024 KB

Oakley Registry Settings
By default, there are no exposed settings for Oakley. However, some entries are possible and can be very useful for troubleshooting. Create the following key in the registry: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" Oakley registry settings include:
 * EnableLogging: REG_DWORD: A value of 1 creates the Oakley.log log in the system root folder.
 * MinLifeTime: REG_DWORD: In seconds, this is the minimum lifetime for the key used to encrypt the Oakley key exchange. The default value is 8 hours (28,000 second). This value is set in the ISAKMP policy for specific policies or can be modified in the registry to provide a default for all new policies. If a policy specifies a value lower than MinLifeTime, the MinLifeTime value is used instead.
 * NoLog: REG_DWORD: A value of 1 stop slogging. This is the default.
 * Log: REG_DWORD: A value 1 starts logging.

Additional query words:

Keywords : kbenv

Version : WINDOWS:2000

Platform : WINDOWS

Issue type : kbinfo
 * }