Appendix A: Sample GPO Template Files for Settings Used in this Guide
Applies To: Windows Server 2008, Windows Server 2008 R2
You can import an XML file containing customized registry preferences into a Group Policy object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). Creating registry setting preferences as described here is a new feature in Windows Server 2008 and Windows Vista with Service Pack 1 (SP1).
To manually create the file, build the settings under Computer Configuration, Preferences, Windows Settings, Registry. After you have created the settings, drag the container to the desktop. An .xml file is created there.
To import an .xml file to GPMC, drag it and drop it on the Registry node under Computer Configuration, Preferences, Windows Settings. If you copy the following sample XML code to a file, and then drag and drop it on the Registry node, it creates a Server and Domain Isolation collection with the six registry keys discussed in this guide.
The following sample file uses item-level targeting so that each registry setting is applied only to the versions of Windows for which it is intended.
Note
The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customizations.
<?xml version="1.0" encoding="utf-8"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
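<!--
  Item 1: AssumeUDPEncapsulationContextOnSendRule (IPsec NAT-T) for Windows
  2000 / XP / Server 2003. The value is written under Services\IPsec; the
  Vista/2008 item at the end of this collection writes the same value under
  Services\PolicyAgent. Value 0 keeps the default (no IPsec SAs to servers
  behind NAT); higher values relax that restriction and should be a deliberate
  decision. bypassErrors="1": presumably "keep processing other items if this
  one fails" (the GPP default); verify that silent failure is acceptable for a
  security setting. desc is escaped with &lt; and &gt; because a literal "<"
  inside an attribute value is not well-formed XML and GPMC would reject the
  import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="Enable IPsec over NAT (W2K, XP, W2K3)"
  status="AssumeUDPEncapsulationContextOnSendRule"
  image="12"
  changed="2008-05-30 20:37:31"
  uid="{49FD6551-80DA-4876-9335-623F2575E27B}"
  desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt; This setting configures whether computers running Windows 2003 and Windows XP can make IPsec connections to servers behind NAT-enabled routers.&lt;p&gt; &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt; &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt; &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="System\CurrentControlSet\Services\IPsec"
    name="AssumeUDPEncapsulationContextOnSendRule"
    type="REG_DWORD"
    value="00000000"/>
  <!-- Exclusion filter: applied wherever the OS is neither Vista nor 2008.
       NOTE(review): an exclusion list only names the versions known when the
       file was written (changed 2008-05-30), so Windows 7 / Windows Server
       2008 R2 (listed under "Applies To") would also receive this
       2003-and-earlier value unless the list is extended or replaced by an
       inclusion list like the 2K3/2K3R2 item below. -->
  <Filters>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="VISTA"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="2K8"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>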
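<!--
  Item 2: EnablePMTUDiscovery under TCPIP\Parameters, set to 1 (enable).
  There is no Filters element, so this item applies to every computer the GPO
  reaches. NOTE(review): the reason the guide sets it is not stated here;
  presumably so that IPsec-encapsulated packets are sized correctly rather
  than fragmented. Confirm against the guide text. desc is escaped with &lt;
  and &gt; because a literal "<" inside an attribute value is not well-formed
  XML and GPMC would reject the import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="Enable PMTU Discovery"
  status="EnablePMTUDiscovery"
  image="12"
  changed="2008-05-30 20:37:37"
  uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
  desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt; This setting configures whether computers can use PMTU discovery on the network.&lt;p&gt; &lt;b&gt;1&lt;/b&gt; -- Enable&lt;br&gt; &lt;b&gt;0&lt;/b&gt; -- Disable"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="System\CurrentControlSet\Services\TCPIP\Parameters"
    name="EnablePMTUDiscovery"
    type="REG_DWORD"
    value="00000001"/>
</Registry>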
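<!--
  Item 3: IKEFlags for Windows 2000 / XP / Server 2003 (excluded: VISTA, 2K8).
  Value 0x14 = 0x04 (500 ms fallback-to-clear) + 0x10 (improved
  fallback-to-clear in server and domain isolation), the combination the desc
  marks as recommended. displayDecimal="0" so GPMC shows the value in hex,
  matching the desc. NOTE(review): fallback-to-clear means a peer that cannot
  negotiate IPsec is still reached in clear text; confirm that is acceptable
  for hosts inside the isolation boundary before deploying. desc is escaped
  with &lt; and &gt; because a literal "<" inside an attribute value is not
  well-formed XML and GPMC would reject the import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="Simplified IPsec Policy (W2K, XP, W2K3)"
  status="IKEFlags"
  image="12"
  changed="2008-05-30 20:43:31"
  uid="{B9A34EFB-CDF7-4603-BBED-6BB85080C96F}"
  desc="&lt;b&gt;Simplified IPsec Policy&lt;/b&gt;&lt;p&gt; This setting configures two aspects of IPsec fallback-to-clear in Windows 2003, Windows XP, and Windows 2000.&lt;p&gt; &lt;b&gt;0x00&lt;/b&gt;: Original 3 second fallback-to-clear&lt;br&gt; &lt;b&gt;0x04&lt;/b&gt;: Enables 500ms fallback-to-clear&lt;br&gt; &lt;b&gt;0x10&lt;/b&gt;: Improve fallback-to-clear in S&amp;D Iso&lt;br&gt; &lt;b&gt;0x14&lt;/b&gt;: Both 0x4 and 0x10 settings enabled (recommended)"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="0"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="System\CurrentControlSet\Services\PolicyAgent\Oakley"
    name="IKEFlags"
    type="REG_DWORD"
    value="00000014"/>
  <!-- Exclusion filter (not VISTA, not 2K8). NOTE(review): versions released
       after this file was written, such as Windows 7 / Server 2008 R2, are
       not excluded by this list. -->
  <Filters>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="VISTA"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="2K8"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>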
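<!--
  Item 4: NoDefaultExempt for Windows 2000 SP4 / XP SP2 under Services\IPsec.
  Value 1 drops the RSVP and Kerberos exemptions that value 0 keeps (see desc),
  so Kerberos traffic is no longer exempt from IPsec. Exclusion filter: not
  VISTA, 2K8, 2K3R2 or 2K3. NOTE(review): an exclusion list also matches any
  version not named here (Windows 7 / Server 2008 R2 per "Applies To");
  consider an inclusion list instead. desc is escaped with &lt; and &gt;
  because a literal "<" inside an attribute value is not well-formed XML and
  GPMC would reject the import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="IPsec Default Exemptions (W2K and XP)"
  status="NoDefaultExempt"
  image="12"
  changed="2008-05-30 20:35:43"
  uid="{60F64C68-EF12-4FAC-ACC9-00B4F21724FA}"
  desc="&lt;b&gt;IPsec Default Exemptions for Windows 2000 SP4 and Windows XP SP2&lt;/b&gt;&lt;p&gt; This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt; &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt; &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="SYSTEM\CurrentControlSet\Services\IPsec"
    name="NoDefaultExempt"
    type="REG_DWORD"
    value="00000001"/>
  <Filters>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="VISTA"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="2K8"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="2K3R2"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="AND" not="1"
      class="NT" version="2K3"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>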
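<!--
  Item 5: NoDefaultExempt for Windows Server 2003 / 2003 R2 under
  Services\IPsec, inclusion filter 2K3 OR 2K3R2. Value 3 exempts only ISAKMP,
  the most restrictive option in the desc list. The desc heading originally
  read "Windows Server 2008 and later", copied from the Vista/2008 item and
  contradicting this item's name and filters; it now names Windows Server 2003.
  desc is escaped with &lt; and &gt; because a literal "<" inside an attribute
  value is not well-formed XML and GPMC would reject the import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="IPsec Default Exemptions (W2K3)"
  status="NoDefaultExempt"
  image="12"
  changed="2008-05-30 20:34:03"
  uid="{7023764D-5E8A-4E16-BEA3-EA0743024EFA}"
  desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2003&lt;/b&gt;&lt;p&gt; This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt; &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt; &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt; &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt; &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="SYSTEM\CurrentControlSet\Services\IPsec"
    name="NoDefaultExempt"
    type="REG_DWORD"
    value="00000003"/>
  <!-- Inclusion filter: only the named versions receive this value. -->
  <Filters>
    <FilterOs
      bool="AND" not="0"
      class="NT" version="2K3"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="OR" not="0"
      class="NT" version="2K3R2"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>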
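<!--
  Item 6: NoDefaultExempt for Windows Vista / Server 2008, written under
  Services\PolicyAgent (the 2003-and-earlier items use Services\IPsec).
  Value 3 exempts only ISAKMP. Inclusion filter: VISTA OR 2K8.
  NOTE(review): the desc says "Windows Server 2008 and later", but an
  inclusion filter matches only the versions it names, so Windows Server
  2008 R2 (listed under "Applies To") would not receive this value unless the
  filter is extended. desc is escaped with &lt; and &gt; because a literal "<"
  inside an attribute value is not well-formed XML and GPMC would reject the
  import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="IPsec Default Exemptions (Vista and W2K8)"
  status="NoDefaultExempt"
  image="12"
  changed="2008-05-30 20:33:32"
  uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
  desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008 and later&lt;/b&gt;&lt;p&gt; This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt; &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt; &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt; &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt; &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
    name="NoDefaultExempt"
    type="REG_DWORD"
    value="00000003"/>
  <Filters>
    <FilterOs
      bool="AND" not="0"
      class="NT" version="VISTA"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="OR" not="0"
      class="NT" version="2K8"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>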
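<!--
  Item 7: AssumeUDPEncapsulationContextOnSendRule (IPsec NAT-T) for Windows
  Vista / Server 2008, written under Services\PolicyAgent (the first item
  writes the same value under Services\IPsec for 2003 and earlier). Value 0
  keeps the default: no IPsec SAs to servers behind NAT. The desc originally
  said "Windows 2003 and Windows XP", copied from the first item; it now names
  the versions this item's name and filters actually target. NOTE(review): the
  inclusion filter matches only VISTA and 2K8, so Windows Server 2008 R2
  (listed under "Applies To") is not covered unless the filter is extended.
  desc is escaped with &lt; and &gt; because a literal "<" inside an attribute
  value is not well-formed XML and GPMC would reject the import.
-->
<Registry
  clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
  name="Enable IPsec over NAT (Vista and W2K8)"
  status="AssumeUDPEncapsulationContextOnSendRule"
  image="12"
  changed="2008-05-30 20:32:56"
  uid="{61C18AA8-F78E-453B-809A-98354D407035}"
  desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt; This setting configures whether computers running Windows Vista and Windows Server 2008 can make IPsec connections to servers behind NAT-enabled routers.&lt;p&gt; &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt; &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt; &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
  bypassErrors="1">
  <Properties
    action="U"
    displayDecimal="1"
    default="0"
    hive="HKEY_LOCAL_MACHINE"
    key="System\CurrentControlSet\Services\PolicyAgent"
    name="AssumeUDPEncapsulationContextOnSendRule"
    type="REG_DWORD"
    value="00000000"/>
  <Filters>
    <FilterOs
      bool="AND" not="0"
      class="NT" version="VISTA"
      type="NE" edition="NE" sp="NE"/>
    <FilterOs
      bool="OR" not="0"
      class="NT" version="2K8"
      type="NE" edition="NE" sp="NE"/>
  </Filters>
</Registry>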
</Collection>