CCE

CCE-97526-8

Platform: cpe:/o:microsoft:windows_server_2022:::x64
Date: (C) 2022-06-07   (M) 2023-07-04



MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic

Countermeasure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) entry except on computers that use IPsec filters, where this entry should be configured to a value of Enabled. The possible values for this registry entry are:

- A value of 0 specifies that multicast, broadcast, RSVP, Kerberos, and IKE (ISAKMP) traffic are exempt from IPsec filters, which is the default configuration for Windows 2000 and Windows XP. Use this setting only if you require compatibility with an existing IPsec policy or with Windows 2000 and Windows XP.
- A value of 1 specifies that Kerberos protocol and RSVP traffic are not exempt from IPsec filters, but multicast, broadcast, and IKE traffic are exempt. This setting is the recommended value for Windows 2000 and Windows XP.
- A value of 2 specifies that multicast and broadcast traffic are not exempt from IPsec filters, but RSVP, Kerberos, and IKE traffic are exempt. This setting is supported only in Windows Server 2003.
- A value of 3 specifies that only IKE traffic is exempt from IPsec filters. This setting is supported only in Windows Server 2003, which exhibits this behavior by default even though the registry value does not exist by default.

In the SCE UI, these options appear as: 0, 1, 2, 3.

Potential Impact: After you enable this entry, security policies that already exist may have to be changed to work correctly. For details, refer to the Microsoft Knowledge Base article "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios" at http://support.microsoft.com/default.aspx?kbid=811832, which was referenced earlier in this section.


Parameter:

[enabled/disabled]


Technical Mechanism:

(1) GPO: Computer Configuration\Administrative Templates\MSS (Legacy)\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC!NoDefaultExempt
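The following audit script is an added example and is not part of the SecPod record or of any Microsoft tooling. It reads the NoDefaultExempt value at the registry path given under Technical Mechanism and translates the stored number into the set of traffic types the record says remain exempt from IPsec filtering, so an administrator can see at a glance whether a host still carries the default exemptions. It assumes it is run in an elevated PowerShell session on the Windows host being checked; the function name Get-IpsecDefaultExempt and the $ExemptionTable lookup are constructed for this example.

```powershell
# Added audit example (not part of the CCE record). Reports the current
# NoDefaultExempt setting and which traffic the record says it leaves exempt.
# Assumes an elevated session on the host being audited.

$RegPath   = 'HKLM:\System\CurrentControlSet\Services\IPSEC'
$ValueName = 'NoDefaultExempt'

# Meaning of each documented value, taken from the record's description.
$ExemptionTable = @{
    0 = @{ Exempt = 'multicast, broadcast, RSVP, Kerberos, IKE'; Note = 'Windows 2000/XP default configuration' }
    1 = @{ Exempt = 'multicast, broadcast, IKE';                 Note = 'Kerberos and RSVP are filtered' }
    2 = @{ Exempt = 'RSVP, Kerberos, IKE';                       Note = 'multicast and broadcast are filtered' }
    3 = @{ Exempt = 'IKE only';                                  Note = 'only IKE bypasses the filters' }
}

function Get-IpsecDefaultExempt {
    # Returns whether the value exists and, if so, its numeric content.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # The record notes the value does not exist by default; the OS then
        # applies its built-in behaviour rather than an explicit setting.
        return [pscustomobject]@{ Present = $false; Value = $null }
    }
    return [pscustomobject]@{ Present = $true; Value = [int]$item.$ValueName }
}

$state = Get-IpsecDefaultExempt
if (-not $state.Present) {
    Write-Output "$ValueName is not set under $RegPath; the host is using its built-in default behaviour."
}
elseif ($ExemptionTable.ContainsKey($state.Value)) {
    $row = $ExemptionTable[$state.Value]
    Write-Output ("{0} = {1}: exempt traffic = {2} ({3})" -f $ValueName, $state.Value, $row.Exempt, $row.Note)
    if ($state.Value -eq 0) {
        # Value 0 retains every default exemption; the record's countermeasure
        # is aimed at hosts that rely on IPsec filters and still carry it.
        Write-Warning 'All default exemptions are active; review against the countermeasure if this host uses IPsec filters.'
    }
}
else {
    Write-Warning ("{0} has unexpected value {1}; the documented range is 0-3." -f $ValueName, $state.Value)
}
```

Run the script once per host (or wrap it in Invoke-Command for a fleet) and collect the output lines; a value of 0 on a host that relies on IPsec filters is the condition the countermeasure text describes, while an absent value simply means the GPO in (1) has never written the setting.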

CCSS Severity:
CCSS Score: 8.1
Exploit Score: 2.2
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:80835


OVAL (1): oval:org.secpod.oval:def:80835
XCCDF (1): xccdf_org.secpod_benchmark_general_Windows_Server_2022

© SecPod Technologies