Checklist Summary:

The purpose of this guide is to inform the reader about Internet Protocol security (IPsec) services that are available in Microsoft Windows 2000 and how to configure these services to implement the desired network security policy. This guide does not attempt to provide individual IPsec security settings for all possible network architectures. Instead, this guide is designed to provide the reader an overview of the functionality that is available via IPsec and how it is implemented in Windows 2000, to provide a couple of worked examples, to make recommendations on critical security parameters, and to provide the reader with sufficient understanding to apply this information as necessary to their specific network architecture. Worked examples are used to illustrate the recommended IPsec configuration in a secure Windows 2000 network. The authors intend this guide to be used as a reference to help the planning/design phase of a network development or upgrade process. This guide focuses on a single issue related to network security (i.e., IPsec) and it should not be used on its own as an all-encompassing network design guide. Rather, other reference materials, including other NSA-produced configuration guides, should also be used.

Checklist Role:

• IPsec Client, IPsec Agent

Known Issues:

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows versions or operating systems.

Target Audience:

This document is intended for Microsoft Windows 2000 network administrators and network designers. However, it should be useful for anyone involved with designing or maintaining a network that includes Microsoft Windows 2000 hosts and/or servers.

Target Operational Environment:

• Managed

Testing Information:

The security configuration guide has been extensively tested in a lab and operational environment.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Prior to loading Windows 2000 IPsec, Windows 2000 system administrators should update their systems with the latest service pack as soon as possible after it is released. If applicable, compare the recommendations in this guide to the existing network architecture.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.

Product Support:

Not provided.

Point of Contact:

SNAC.Guides@nsa.gov

Sponsor:

Not provided.

Licensing:

Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_ipsec.pdf

Change History:

v1.0, 2001-08-13
Updated status to Archive - 10/24/18

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 10/24/2018