Exam Objectives Fast Track


Understanding IP Security (IPSec)

  • The IETF's IP Security Working Group designed the IPSec specifications as an industry standard for encrypting TCP/IP traffic within networking environments.

  • Before secure data can be exchanged, a security agreement between the two communicating computers must be established. This security agreement is called an SA.

  • An SA is a combination of three things: security protocols, a negotiated key, and an SPI.

  • IPSec uses cryptography to provide three basic services: authentication, data integrity, and data confidentiality.

  • IPSec in Windows Server 2003 has two different modes: tunnel mode and transport mode.

  • The two primary IPSec protocols are AH and ESP. They can be used separately or together.

  • In addition to the protocols that operate within the IPSec framework, there are a number of operating system components involved in Microsoft’s implementation of IPSec. The most important of these are the IPSec Policy Agent service and the IPSec driver.

Deploying IPSec

  • The first step in deploying IPSec is to determine your organizational needs in regard to the security of data traveling over the network.

  • When you begin to consider security levels within your organization, you must take into account the type of data each computer will typically be processing.

  • There are three general types of environments: minimal security, standard security, and high security.

Managing IPSec

  • Windows Server 2003 comes with several handy tools to enable administrators to manage IPSec. These include the IP Security Policy Management MMC and the netsh command-line utility.

  • IPSec policies are used to apply security at various levels within a network.

  • IPSec has three default policies defined: Client (Respond Only), Server (Request Security), and Server (Require Security).

  • To create your own custom policies with the IP Security Policy Management MMC, open the MMC and select the policy you wish to customize.

Addressing IPSec Security Considerations

  • There are two encryption algorithms supported by IPSec for data encryption: DES and 3DES. The 3DES algorithm is the strongest of these.

  • Specific protocols and ports that can be used for firewall filtering include IP protocol 50 (ESP), IP protocol 51 (AH), and UDP port 500 (key exchange). Note that 50 and 51 are IP protocol numbers, not TCP/UDP ports.
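As an added illustration (not part of the study guide), the following Python models the firewall rule implied by the bullet above: it parses a constructed IPv4 packet, allows only ESP (IP protocol 50), AH (IP protocol 51) and UDP port 500, and for AH/ESP extracts the SPI that, together with the protocol, identifies the SA described earlier. The packet builder, addresses and SPI values are constructed test data.

```python
"""Classify constructed IPv4 packets against an IPsec-only firewall rule set."""
import struct
from dataclasses import dataclass
from typing import Optional

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50   # ESP is IP protocol 50, not a TCP/UDP port
IP_PROTO_AH = 51    # AH is IP protocol 51, not a TCP/UDP port
IKE_PORT = 500      # the key exchange that sets up the SA runs over UDP 500


@dataclass
class Verdict:
    action: str          # "allow" or "drop"
    reason: str
    spi: Optional[int]   # SPI for AH/ESP; with the protocol it names the SA


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Construct a minimal 20-byte IPv4 header (no options) for test traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def classify(pkt: bytes) -> Verdict:
    """Allow only ESP, AH and IKE; drop everything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return Verdict("drop", "not IPv4", None)
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IPv4 protocol field
    payload = pkt[ihl:]
    if proto in (IP_PROTO_ESP, IP_PROTO_AH):
        # ESP: SPI is the first 4 bytes of the header.
        # AH: next-header(1), payload-len(1), reserved(2), then SPI(4).
        off = 0 if proto == IP_PROTO_ESP else 4
        if len(payload) < off + 4:
            return Verdict("drop", "truncated IPsec header", None)
        spi = struct.unpack("!I", payload[off:off + 4])[0]
        name = "ESP" if proto == IP_PROTO_ESP else "AH"
        return Verdict("allow", f"{name} (IP protocol {proto})", spi)
    if proto == IP_PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return Verdict("allow", f"key exchange (UDP {IKE_PORT})", None)
    return Verdict("drop", f"IP protocol {proto} not permitted", None)
```

A UDP datagram addressed to port 50 is dropped, which is the point of distinguishing protocol numbers from ports when writing the filter.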

  • Diffie-Hellman groups are used to define the length of the base prime numbers that are used during the key-exchange process.

  • A pre-shared key is a string of Unicode characters. Pre-shared keys are stored as plaintext. This means the key can be compromised if a hacker is able to access the file on the computer. Thus, the pre-shared key is the weakest of the three IPSec authentication methods.

Using RSoP for IPSec Planning

  • RSoP is used to sort through the complexities of multiple policy application and determine the totality of their effects.

  • There are two modes in which RSoP can be used: logging mode and planning mode.

  • RSoP can provide network administrators with details such as security settings, scripts, group policy installation, folder redirection, templates, and Internet Explorer maintenance.

  • Administrators can use RSoP features to determine which particular security policies meet their organization’s needs. RSoP security templates can be used to create and assign security options for one or many computers.


MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173