
Configuring Security for Data Transmission

On completion of this topic you should be able to secure data transmission between client computers to meet security requirements, secure data transmission by using IPSec, configure IPSec policy settings, and troubleshoot security for data transmission. The troubleshooting tools you should be able to use include the IP Security Monitor and the Resultant Set of Policy (RSoP) MMC snap-ins.

There are significant differences in the use of IPSec filtering in different releases of Windows. In Windows 2000 and Windows XP, broadcast, multicast, Kerberos, Internet Key Exchange (IKE) and Resource Reservation Protocol (RSVP) traffic are exempt from filter matches by default.

In Windows Server 2003, however, broadcast, multicast, Kerberos and RSVP traffic are not exempt from filter matches by default; only IKE traffic (UDP port 500) is exempt. Broadcast and multicast packets are dropped if they match a filter whose filter action is to negotiate security, because security cannot be negotiated for a packet that has no single peer.

By default, Windows Server 2003 provides only limited support for filtering broadcast and multicast traffic. A filter with a source address of Any IP Address matches multicast and broadcast addresses, and a filter with both a source address and a destination address of Any IP Address matches inbound and outbound multicast and broadcast traffic. You can use filters like this to block all traffic. One-way filters that would block or permit a specific multicast or broadcast address, however, are not supported.

Because of this change in the default exemption behaviour for the Windows Server 2003 implementation of IPSec, you should always verify the behaviour of IPSec policies designed for Windows 2000 or Windows XP clients to find out whether you need to configure explicit permit filters to permit specific traffic types.
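The following script is an added example, not part of the course page, showing the explicit-permit pattern the paragraph above describes. Because Kerberos is no longer exempt on Windows Server 2003, a policy that negotiates security for all traffic would also catch Kerberos traffic to the domain controllers that IKE itself needs for authentication, so an explicit permit rule for Kerberos (TCP and UDP port 88) to the domain controller is added alongside the negotiate rule. The policy, filter list and filter action names, and the domain controller address 192.0.2.10, are hypothetical values chosen for the example; the netsh ipsec static commands are the Windows Server 2003 command-line interface to the IPSec policy store.

```powershell
# Added example (not from the original page). Builds an IPSec policy that negotiates
# security for all unicast traffic to this host but explicitly permits Kerberos to a
# domain controller. Names and the DC address below are hypothetical.
$policy = 'Server Traffic Policy'
$dc     = '192.0.2.10'            # constructed domain controller address

# Policy container; Kerberos is used as the IKE authentication method in the rule below.
netsh ipsec static add policy name="$policy" description="Negotiate IPSec; explicitly permit Kerberos to DC"

# Filter list 1: everything addressed to this computer. With source Any this filter also
# matches broadcast and multicast packets, which a negotiate action then drops (see above).
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

# Filter list 2: Kerberos (TCP/UDP 88) between this computer and the DC, mirrored so the
# reply direction is covered too.
netsh ipsec static add filterlist name="Kerberos to DC"
netsh ipsec static add filter filterlist="Kerberos to DC" srcaddr=me dstaddr=$dc protocol=TCP srcport=0 dstport=88 mirrored=yes
netsh ipsec static add filter filterlist="Kerberos to DC" srcaddr=me dstaddr=$dc protocol=UDP srcport=0 dstport=88 mirrored=yes

# Filter actions: require IPSec (no fallback to clear text) and a plain permit.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit" action=permit

# Rules: the more specific Kerberos permit rule wins over the general negotiate rule,
# because IPSec always applies the most specific matching filter.
netsh ipsec static add rule name="Secure all" policy="$policy" filterlist="All Traffic" filteraction="Require Security" kerberos=yes
netsh ipsec static add rule name="Permit Kerberos" policy="$policy" filterlist="Kerberos to DC" filteraction="Permit"

# Assign the policy locally and display it for verification.
netsh ipsec static set policy name="$policy" assign=y
netsh ipsec static show policy name="$policy" level=verbose
```

The permit rule is deliberately narrow (one protocol, one port, one destination). A permit filter for all traffic to the DC would re-open the same unfiltered path that the Windows Server 2003 change in default exemptions was meant to close. Broadcast and multicast traffic such as DHCP discovery is still dropped by the negotiate rule on Windows Server 2003; if the host depends on it, the exemption level has to be changed as described in the next paragraph rather than through a one-way permit filter.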

You can restore the default Windows 2000 / Windows XP behaviour by using the netsh ipsec dynamic set config property=ipsecexempt value=0 command, or by setting the NoDefaultExempt DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC to 0 and restarting the IPSEC Services. The Windows Server 2003 default corresponds to value 3 (only IKE exempt). Be aware that restoring the older behaviour re-exempts broadcast, multicast, Kerberos and RSVP traffic from every filter, so any host can send those traffic types to the computer unfiltered; where possible, prefer explicit permit filters for the specific traffic that needs to pass.
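The script below is an added example, not from the course page, that reads and decodes the current default-exemption level and sets it with the netsh command named above. It assumes the NoDefaultExempt registry value and the ipsecexempt property behave as described in this topic: value 0 is the Windows 2000 / Windows XP behaviour, bit 1 removes the Kerberos and RSVP exemption, bit 2 removes the broadcast and multicast exemption, and value 3 is the Windows Server 2003 default. The function names are the example's own.

```powershell
# Added example (not from the original page). Inspect and change the IPSec default
# exemption level. Assumes the NoDefaultExempt registry value and the
# 'netsh ipsec dynamic set config property=ipsecexempt' command.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'

function Get-IpsecExemptionLevel {
    # Returns the configured level, or $null when the value is absent and the OS default applies
    # (0 on Windows 2000 / XP, 3 on Windows Server 2003).
    $v = Get-ItemProperty -Path $regPath -Name NoDefaultExempt -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.NoDefaultExempt
}

function ConvertTo-IpsecExemptList([int]$level) {
    # IKE (UDP 500) is exempt at every level; bit 1 removes Kerberos/RSVP, bit 2 removes
    # broadcast/multicast. Value 2 is only recognised by Windows Server 2003.
    $exempt = @('IKE')
    if (-not ($level -band 1)) { $exempt += 'Kerberos', 'RSVP' }
    if (-not ($level -band 2)) { $exempt += 'broadcast', 'multicast' }
    return $exempt
}

function Set-IpsecExemptionLevel {
    param([ValidateSet(0, 1, 2, 3)][int]$Level)
    # netsh writes the same registry value; 0 restores Windows 2000 / XP behaviour,
    # 3 is the Windows Server 2003 default (only IKE exempt).
    netsh ipsec dynamic set config property=ipsecexempt value=$Level | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Report the current state before touching anything.
$current = Get-IpsecExemptionLevel
if ($null -eq $current) {
    Write-Output 'NoDefaultExempt not set; operating-system default applies.'
} else {
    $list = (ConvertTo-IpsecExemptList $current) -join ', '
    Write-Output "NoDefaultExempt = $current; exempt from filtering: $list"
}

# Example: tighten to the Windows Server 2003 default rather than loosening to 0.
# Set-IpsecExemptionLevel -Level 3
```

Running the report before a change makes the effect of a policy visible: at level 0 every host on the network can send Kerberos and RSVP packets past the filters, which is the exposure the Windows Server 2003 default removes. If you must loosen the level to keep broadcast-dependent services working, level 1 (Kerberos and RSVP still filtered, broadcast and multicast exempt) is a narrower change than level 0.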

