MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
ID: oval:gov.nist.usgcb.windowsseven:def:130 | Date: (C)2012-04-13 (M)2017-10-21
Class: COMPLIANCE | Family: windows
The default IPsec exemptions that were present in Windows XP and Windows 2000, except for the Internet Key Exchange (IKE) exemption, were removed from Windows Server 2003. The IKE exemption is specific to source and destination port UDP 500. Because of this default exemption, IKE always receives such packets from any source address. It may be possible for an attacker to use the IKE ports to attack IKE itself, but the IKE ports cannot be used to attack other open UDP or TCP ports. IKE performs an IPsec policy lookup to determine whether it should reply to an incoming packet. Because IKE is used to negotiate security settings between two IPsec hosts, and IPsec filters are used only for permit and block control of traffic, IKE will fail to find a matching security policy and will not reply to incoming requests.
As IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, the effect of these default exemptions has not been fully understood. Some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. Attackers could forge network traffic that appears to consist of legitimate IKE, RSVP, or Kerberos protocol packets but direct them to other network services on the host.
Do not configure the NoDefaultExempt entry except on computers that use IPsec filters, where this entry should be configured to a value of 3.
This is the default behavior for Windows Server 2003. If you enable this entry while also supporting Windows XP and Windows 2000 in your environment, existing security policies may have to be changed to work correctly; for example, IPsec deployments that use IKE to negotiate security and IPsec protection for upper-layer protocol traffic may be affected.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC!NoDefaultExempt
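The following PowerShell check is an added example and is not part of the USGCB definition or Microsoft's own tooling. It reads the registry value named above on the local host and reports whether it matches the value of 3 that this entry recommends for computers that use IPsec filters; the function name, the output object fields and the optional remediation switch are this example's own conventions.

```powershell
# Added example: audit (and optionally remediate) the NoDefaultExempt value
# referenced by this USGCB definition. Run in an elevated PowerShell session.
function Test-NoDefaultExempt {
    [CmdletBinding()]
    param(
        # Expected value for hosts that use IPsec filters (from the definition text).
        [int]$Expected = 3,
        # When set, writes the expected value if the host is non-compliant.
        [switch]$Remediate
    )

    # Registry location from item (2) above (HKLM:\ drive form of the key path).
    $path = 'HKLM:\System\CurrentControlSet\Services\IPSEC'
    $name = 'NoDefaultExempt'

    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.$name } else { $null }

    $compliant = ($null -ne $current) -and ($current -eq $Expected)

    if (-not $compliant -and $Remediate) {
        # Create the key if needed, then set a REG_DWORD with the recommended value.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $name -Value $Expected -Type DWord
        $current = $Expected
        $compliant = $true
    }

    # Return a structured result so the check can be collected across many hosts.
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        RegistryPath = "$path\$name"
        Current      = $current   # $null means the value is absent (default exemptions apply)
        Expected     = $Expected
        Compliant    = $compliant
    }
}

# Usage: report only
Test-NoDefaultExempt | Format-List
# Usage: report and fix on an IPsec-filtered host
# Test-NoDefaultExempt -Remediate | Format-List
```

An absent value is reported as non-compliant rather than treated as equivalent to 3, since the definition's point is that the default exemptions remain in effect until the entry is explicitly configured; only use the remediation switch on computers that actually rely on IPsec filters, as the text above directs.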
Platform: Microsoft Windows 7