IPSec Policy Permissions in Windows 2000 and Windows Server 2003 (329194)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
This article was previously published under Q329194
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

In a Windows 2000 domain, users may be able to view domain IPSec policies from any computer in the domain.

CAUSE

This issue occurs because the access control list (ACL) of the IP Security container in Windows 2000 Active Directory grants Read permissions for authenticated users and computers to IPSec policies. The default Discretionary ACL (DACL) for the IP Security container in Windows 2000 Server is as follows:

Owner: Domain Admin
Group: Domain Admin
Allow ACLs:
Allow Authenticated users: RP LC LO RC
Allow Domain Admin: RP WP CR LC LO CC DC RC WD WO SW
Allow Local SYSTEM: RP WP CR LC LO CC DC RC WD WO SD DT SW

The access rights use the following notation:

RP - ADS_RIGHT_DS_READ_PROP
WP - ADS_RIGHT_DS_WRITE_PROP
CR - ADS_RIGHT_DS_CONTROL_ACCESS
LC - ADS_RIGHT_DS_LIST
LO - ADS_RIGHT_DS_LIST_OBJECT
CC - ADS_RIGHT_DS_CREATE_CHILD
DC - ADS_RIGHT_DS_DELETE_CHILD
RC - READ_CONTROL WD - WRITE_DAC
WO - WRITE_OWNER SD - DELETE
DT - ADS_RIGHT_DS_DELETE_TREE
SW - ADS_RIGHT_SELF

RESOLUTION

This problem is resolved in Windows Server 2003 with the implementation of different default permissions on the Active Directory container and the built-in objects that it contains. These new security settings do not allow typical users on the domain to view IPSec policies.

However, users on the domain who have administrative credentials to their own computers can view the contents of IPSec policies that are applied to their own computers by Group Policy. Additionally, local administrators can install system services on their computers and use the IP Security Policy Management tool locally. Therefore, they can view the IP Security container in Active Directory, even with the security settings in Windows Server 2003.

With the new security settings in Windows Server 2003, by default, computers in a child domain cannot read the IPSec policy of the parent domain. If Group Policy of the parent domain is intended to apply IPSec policy to the child domain, an administrator must manually grant Read permission to the appropriate computer, group of computers, or security group for the IPSec policies on the parent domain.

The default DACL for the IP Security container in Windows Server 2003 is as follows:

Owner: Domain Admin
Group: Domain Admin
Allow ACLs:
Allow domain computers: RP LC LO RC
Allow Group policy owner creator: RP LC LO RC
Allow Domain Admin: RP WP CR LC LO CC DC RC WD WO SW
Allow Local SYSTEM: RP WP CR LC LO CC DC RC WD WO SD DT SW

The access rights use the following notation:

RP - ADS_RIGHT_DS_READ_PROP
WP - ADS_RIGHT_DS_WRITE_PROP
CR - ADS_RIGHT_DS_CONTROL_ACCESS
LC - ADS_RIGHT_DS_LIST
LO - ADS_RIGHT_DS_LIST_OBJECT
CC - ADS_RIGHT_DS_CREATE_CHILD
DC - ADS_RIGHT_DS_DELETE_CHILD
RC - READ_CONTROL
WD - WRITE_DAC
WO - WRITE_OWNER SD - DELETE DT - ADS_RIGHT_DS_DELETE_TREE SW - ADS_RIGHT_SELF

The following changes are implemented in Windows Server 2003, and they apply to both new and upgrade installations of Windows Server 2003:
  • An inheritable DACL is included with the IP Security container.
  • An empty DACL is included with the built-in IPSec policies. Because the DACL is empty, objects can inherit permissions from the IP Security container and other parent containers in Active Directory.
  • The default DACL for all IPSec objects is changed so that all new objects that you create have an empty DACL and can inherit permissions. As a result, IPsec policies that are created from Windows 2000, Windows XP or Windows Server 2003 management clients have the new permissions.
When you perform a new installation of Windows Server 2003, these changes are applied when you run Dcpromo.exe.

When you upgrade to Windows Server 2003 from Windows 2000 Server, these changes are applied when you run Adprep.exe to prepare the Windows 2000 domain or forest for the upgrade operation. If some default policy objects were deleted in Windows 2000, the ACLs for the existing default objects are modified with the new permissions. Note that the ACLs on existing user-created objects are not changed when you upgrade to Windows Server 2003. To update the permissions set on these objects, use the procedure described in the "Workaround" section of this article.

WORKAROUND

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To work around this issue, follow these steps:
  1. Create the Schema Update Allowed DWORD value in the following registry key, and then set the value to 1:

    HKEY LOCAL MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

    For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

    216060 Registry Modification Required to Allow Write Operations to Schema

  2. Create and run the Ipsec_acl_fix.vbs script. To do so:
    1. Start Notepad, open a new text file, and then copy and paste the following code to the text file:
      Option Explicit

'**************************************************
'* ADS_RIGHTS_ENUM
'**************************************************
Const ADS_RIGHT_DS_READ_PROP = &H10&
const ADS_RIGHT_DS_LIST = &H4&
Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
Const READ_CONTROL = &H20000&
Const ADS_RIGHT_DS_WRITE_PROP  = &H20&
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100&
Const ADS_RIGHT_DS_CREATE_CHILD =&H1&
Const ADS_RIGHT_DS_DELETE_CHILD = &H2&
Const WRITE_OWNER = &H80000&
Const WRITE_DAC = &H40000&
Const DELETE = &H10000&
Const ADS_RIGHT_DS_DELETE_TREE = &H40&
Const ADS_RIGHT_DS_SELF = &H8&

'**************************************************
'* ADS_ACETYPE_ENUM
'**************************************************

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0&

'**************************************************
'* ADS_ACEFLAGS_ENUM
'**************************************************

Const CONTAINER_INHERIT_ACE = &H2&
Const OBJECT_INHERIT_ACE = &H1&

Const ADS_ACEFLAG_INHERIT_ACE = &H2&

'**************************************************
'* Check if a "IP Security" container exists and correct the 
'* Acls for the container
'* 0 -> container exists, Success
'* 1 -> container doesn't Exist
'* 2 -> other failures
'*
'**************************************************
Function FixupIpsecContainerAcls(InputDomainDN, DomainShortName)
 
	Dim x, deletedAce, Dacl, hResult, ace1, RemoveFlags, sd, ace
	
	hResult = 0

	Set x = GetObject( "LDAP://cn=IP Security,cn=system," & InputDomainDN)
	if Err.Number <> 0 Then
		MsgBox "Container cn=IP Security,cn=system," & InputDomainDN & "does not exist"& " Error :" & Err.Number, vbCritical
		hResult = 1
	End If

	Set sd = x.Get("nTSecurityDescriptor")
	if Err.Number <> 0 Then
		MsgBox "Could not get nTSecurityDescriptor for cn=IP Security,cn=system," & InputDomainDN & " Error :" & Err.Number, vbCritical
		hResult = 2
	End If

	deletedAce = FALSE

	Set Dacl = sd.DiscretionaryAcl

	For Each ace In Dacl
		If(ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
			if (ace.AceFlags = 0) Then
				if(ace.Trustee = "NT AUTHORITY\Authenticated Users") Then
					RemoveFlags = 0
					RemoveFlags = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_LIST Or ADS_RIGHT_DS_LIST_OBJECT Or READ_CONTROL
					If (ace.AccessMask AND RemoveFlags) <> 0 Then
						Dacl.RemoveAce ace
						deletedAce = TRUE
					End If	
				End If
			End If
		End If
	Next
	
	if deletedAce = FALSE Then
		MsgBox "ACE to remove rights for Authenticated users was not found or was changed from the default installation", vbExclamation
	End If

	set ace1 = CreateObject("AccessControlEntry")

	ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
	ace1.AceFlags = CONTAINER_INHERIT_ACE OR OBJECT_INHERIT_ACE
	ace1.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_LIST OR ADS_RIGHT_DS_LIST_OBJECT OR READ_CONTROL
	ace1.Trustee = DomainShortName &"\Domain Computers"

	Dacl.AddAce ace1 
	sd.DiscretionaryAcl = Dacl

	x.Put "nTSecurityDescriptor", Array(sd)
	x.SetInfo
	if Err.Number <> 0 Then
		MsgBox "There was an Error Adding ACls for cn=IP Security"& " Error :" & Err.Number, vbCritical
		hResult = 2
	End If

	FixupIpsecContainerAcls = hResult

End Function


'**************************************************
'* Clear the ACLs for all the IPSec objects so that 
'* they inherit Acls from their container. 
'* 
'* 0 -> container exists, Success
'* 1 -> other failures
'*
'**************************************************
Function ClearIpsecObjectAcls(InputDomainDN)

	Dim ZeroAcl, obj(22), i

	set ZeroAcl = CreateObject("AccessControlList")
	
	obj(0) ="LDAP://cn=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(1) ="LDAP://cn=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(2) ="LDAP://cn=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(3) ="LDAP://cn=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(4) ="LDAP://cn=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(5) ="LDAP://cn=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(6) ="LDAP://cn=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(7) ="LDAP://cn=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(8) ="LDAP://cn=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(9) ="LDAP://cn=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(10) ="LDAP://cn=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(11) ="LDAP://cn=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(12) ="LDAP://cn=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(13) ="LDAP://cn=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(14) ="LDAP://cn=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(15) ="LDAP://cn=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(16) ="LDAP://cn=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
	obj(17) ="LDAP://cn=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(18) ="LDAP://cn=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(19) ="LDAP://cn=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(20) ="LDAP://cn=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	obj(21) ="LDAP://cn=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
	
	for i=0 To 21
		Dim x, hResult, sd, ace

		hResult = 0
		
		set x = GetObject(obj(i))
		if Err.Number = 0 Then
			Set sd = x.Get("nTSecurityDescriptor")
	 		if Err.Number <> 0 Then
				MsgBox "nTSecurityDescriptor could not be retrieved from " & obj(i) & " Error :" & Err.Number, vbCritical
				hResult = 1
			End If
	
			set ZeroAcl = sd.DiscretionaryAcl
			For Each ace In ZeroAcl
				ZeroAcl.RemoveAce ace
			Next
			sd.DiscretionaryAcl = ZeroAcl
			x.Put "nTSecurityDescriptor", Array(sd)
			x.SetInfo
			if Err.Number <> 0 Then
				MsgBox "Error setting Acls for " & obj(i) & " Error :" & Err.Number, vbCritical
				hResult = 1
			End If	
		End If
	Next

	ClearIpsecObjectAcls = hResult

End Function

Function FixupSchemaObjectAcls(InputDomainDN)
 
	Dim ZeroAcl, obj(6), i, container, deletedDAAce, deletedSYAce, RemoveFlags, deletedAUAce, hResult
	
	hResult = 0

	set ZeroAcl = CreateObject("AccessControlList")

	container = "CN=Schema, CN=Configuration," & InputDomainDN
	obj(0) ="LDAP://cn=Ipsec-Base," & container
	obj(1) ="LDAP://cn=Ipsec-Filter," & container
	obj(2) ="LDAP://cn=Ipsec-ISAKMP-Policy," & container
	obj(3) ="LDAP://cn=Ipsec-Negotiation-Policy," & container
	obj(4) ="LDAP://cn=Ipsec-NFA," & container
	obj(5) ="LDAP://cn=Ipsec-Policy," & container
	
	for i = 0 To 5

		Dim x, sd

		Set x = GetObject( obj(i) )
		if Err.Number <> 0 Then
			MsgBox obj(i) & "does not exist"& " Error :" & Err.Number, vbCritical
			hResult = 1
		Else
			sd = x.Get("defaultSecurityDescriptor")
			x.Put "defaultSecurityDescriptor", "D:"
			x.SetInfo
			if Err.Number <> 0 Then
				MsgBox "Error setting defaultsecurityDescriptor for " & obj(i) & " Error :" & Err.Number, vbCritical
				hResult = 1
			End If	
		End If
	Next 
	
	FixupSchemaObjectAcls = hResult

End Function

Function IsSchemaUpdateAllowed()

	Dim WshShell, bKey

	Set WshShell = WScript.CreateObject("WScript.Shell")
	bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed")

	IsSchemaUpdateAllowed = bKey

End Function

'**************************************************
'* MAIN
'**************************************************

	Dim Info
	Dim dnsName, domainDN
	Dim regOk, retVal1, retVal2, retVal3

	MsgBox "This script attempts to correct the ACLs of IP Security related objects and schema in Active Directory. For this, it needs Schema changes be allowed through a registry Key."& vbcrlf & "Please read Q<KB #> and Q216060 for more details."

	regOk = IsSchemaUpdateAllowed()
	if regOk <> 1 Then
		MsgBox "The registry key to allow schema updates is not set. Please read Q216060 for more information." & vbcrlf & "The Script will stop processing. The ACL corrections have not been made.", vbExclamation
	Else
		Set Info = CreateObject("AdSystemInfo")
		dnsName = Info.DomainDNSName
		domainDN = Replace(dnsName, ".", ",dc=")
		domainDN = "dc=" & domainDN

		retVal1 = FixupIpsecContainerAcls(domainDN, Info.DomainShortName)

		retVal2 = ClearIpsecObjectAcls(domainDN)

		retVal3 = FixupSchemaObjectAcls(domainDN)

		If retVal1 = 0 And retVal2 = 0 And retVal3 = 0 Then	
			MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed successfully." & vbcrlf & "You may now reset/delete the registry key that allows schema updates per Q216060"
		Else
			MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed with some errors" & vbcrlf & "If you are not going to retry the operation, you may reset/delete the registry key that allows schema updates per Q216060"
		End If
	End If
    2. On the File menu, click Save, click All Files in the Save as type box, type ipsec_acl_fix.vbs in the File name box, specify a location where you want to save the file, and then click Save.
    3. Quite Notepad.
    4. Run the Ipsec_acl_fix.vbs script from a command prompt.
  3. Delete the Schema Update Allowed registry value that you created in step 1.
Note You can also use this procedure to modify the permissions of the IPSec policy of a Windows Server 2003 domain that you upgraded from Windows 2000, in the situation where the permissions of policy objects were not modified during the upgrade operation.

STATUS

Microsoft has confirmed that this is a problem in Windows 2000.

MORE INFORMATION

The Ipsec_acl_fix.vbs script performs the following actions:
  • Removes the following ACLS from the CN=IP Security,CN=System,DC=Domain container for NT AUTHORITY\Authenticated Users:

    ADS_RIGHT_DS_READ_PROP
    ADS_RIGHT_DS_LIST
    ADS_RIGHT_DS_LIST_OBJECT
    READ_CONTROL

  • Adds the following ACLs to the CN=IP Security,CN=System,DC=Domain container for Domain Computers:

    ADS_RIGHT_DS_READ_PROP
    ADS_RIGHT_DS_LIST
    ADS_RIGHT_DS_LIST_OBJECT
    READ_CONTROL)

  • Clears the ACLs on the objects in the CN=IP Security,CN=System,DC=Domain container so that they inherit the new ACLs.
  • Modifies the schema for IPSec objects so that new objects that you create correctly inherit permissions.
After you run the script, only computers in the domain can apply IPSec policies, and you cannot assign a policy in a Group Policy Object to an IPSec policy in a different domain.
Modification Type:MajorLast Reviewed:3/1/2004
Keywords:kbbug kbfix KB329194
©2004 Microsoft Corporation. All rights reserved.