RE: more microsoft policy issues?



If you don't want IPSec ever & don't want L2TP/IPSec VPN connections, the local admin can shut down the IPSec Policy Agent service, and/or disable the service entirely.  The roles of "users" in general in Win2k, be they domain admins, local admins, backup operators, local users, guests, etc. and associated security configurations & activities by those users are defined by the OS security team for the entire OS, and IPSec as a service is as consistent as possible with that model and the rest of the components in the OS which provide manageability of the platform. 

This is why taking any particular IPSec functionality on its own, out of context, elevating it to philosophical levels, just isn't going to be a productive discussion.  Win2k IPSec is designed to be a centrally administered tool to increase the protection of OS & application traffic.  We have had many smart & knowledgeable people working on this, and many more external to the product team looking at it to ensure quality of design and implementation, not to mention worldwide beta testing, for literally 3 years.  The UI was revised 3 times throughout the beta cycles - at some point we had to stop and ship it. 

So I actually do appreciate the feedback from those on the list.  Though preferably, please send it to me directly.  I am not able to stay current on the list as much as I would like.

-----Original Message-----
From: Jan Vilhuber [mailto:vilhuber@cisco.com]
Sent: Tuesday, May 16, 2000 7:18 PM
To: William Dixon
Cc: ipsec@lists.tislabs.com
Subject: RE: more microsoft policy issues?


On Tue, 16 May 2000, William Dixon wrote:
> Jan, posting this without context is just inflammatory.  If it makes you
> happy, send flame to me personally.  The list isn't here to discuss
> product bugs, postulate on what may be a bug, nor complain about the
> wording on dialogs.
>
Sorry. That's all the context I had. Maybe I was a bit hasty (in view of the
recent thread). If so, I apologize.

Reading the rest below, though, it sounds like if the OS can override a local
decision, then you again have a scenario where I click on a choice, and win2k
overrides me without telling me. Bad. I mean, what would YOU expect, if you
said: Don't do ipsec. *I* would expect that ipsec will not be performed. At
all. Ever.

And I wasn't venting about a product bug, either (although I was hoping it
would turn out to be one). It's the gratuitous overriding of user-selected
policy that was the issue I meant to address.

jan



> The news group for Windows 2000 networking functionality in general is:
> microsoft.public.win2000.networking
>
> Or you can email NTBUGTRAQ to report verified problems or email
> secure@microsoft.com to get a formal corporate response to a discovered
> security weakness for any Microsoft product.
>
> This setting is in the advanced properties of the TCPIP properties and
> allows a local admin to select a default IPSec policy.  By default the
> selection says in text "Do not use IPSec".  This is a local setting
> which can be overridden by Win2k domain IPSec policy, and by OS
> components such as L2TP which require IPSec for their operation.  And
> once again, the behavior is documented in online help and elsewhere.
> The TCPIP properties UI is a quick and easy way for an admin to change
> between different custom policies that have been created on the local
> system.
>
> As one of our KB articles notes, we provide the default policies as an
> example only, for initial testing only - real production use requires
> your own custom designed IPSec policy. 
>
>
> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Tuesday, May 16, 2000 2:01 PM
> To: ipsec@lists.tislabs.com
> Cc: William Dixon
> Subject: more microsoft policy issues?
>
>
> From an email I just saw going across my desk:
>
> > Even though the "do not use IPSec" is marked in the W2000 configuration the
> > W2000 client still uses IPSec.  Please note in Windows 2000 build 2195
> > Microsoft have decided to use IPSec all the time.
>
> Come on, guys! Please tell me that THIS at least is a bug, and not another one
> of those design decisions...
>
> jan
> P.S. Caveat: I don't have any idea of build numbers. Maybe 2195 is really old
> and this is already fixed...
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
>
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
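Added example, not part of the thread and not Microsoft's code: the thread says the local "Do not use IPSec" selection can be overridden by domain IPSec policy or by L2TP, and that the only sure way to get no IPSec is to stop and disable the Policy Agent service. The script below checks which of those actually governs a host instead of trusting the dialog. The thread is about Windows 2000, where PowerShell did not exist; this assumes a later Windows version (PowerShell 5 or newer) in which the service name "PolicyAgent", the local policy store under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local (value ActivePolicy) and the domain-assigned store under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy (value DSIPSECPolicyPath) are present. None of those names appear in the thread; they are assumptions of this example.

```powershell
# Added example, not from the thread or from Microsoft: report what actually
# governs IPSec on this host so the "Do not use IPSec" choice can be verified.
# Assumptions (not stated in the thread): service name "PolicyAgent"; locally
# selected policy stored as ActivePolicy under ...\IPSec\Policy\Local; a
# domain-assigned policy recorded under ...\IPSec\GPTIPSECPolicy. PowerShell 5+.
# Run in an elevated session.

$IpsecRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'

function Get-IpsecPolicyState {
    $svc    = Get-Service -Name 'PolicyAgent' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path "$IpsecRoot\Policy\Local"  -ErrorAction SilentlyContinue
    $domain = Get-ItemProperty -Path "$IpsecRoot\GPTIPSECPolicy" -ErrorAction SilentlyContinue

    $localPolicy  = if ($local  -and $local.ActivePolicy)       { $local.ActivePolicy }       else { $null }
    $domainPolicy = if ($domain -and $domain.DSIPSECPolicyPath) { $domain.DSIPSECPolicyPath } else { $null }

    # Precedence as the thread describes it: a stopped or absent agent applies
    # nothing; otherwise a domain policy overrides the local selection; otherwise
    # the local selection holds, and "no policy" is the "Do not use IPSec" case,
    # which L2TP can still override because it requires IPSec to operate.
    $effective = if (-not $svc) {
        'Policy Agent not installed: no IPSec'
    }
    elseif ($svc.Status -ne 'Running') {
        'Policy Agent stopped: no IPSec policy applied (L2TP/IPSec VPNs cannot negotiate)'
    }
    elseif ($domainPolicy) {
        "Domain policy overrides the local selection: $domainPolicy"
    }
    elseif ($localPolicy) {
        "Local policy assigned: $localPolicy"
    }
    else {
        'No local policy ("Do not use IPSec"); L2TP connections can still bring IPSec up'
    }

    [pscustomobject]@{
        ServiceStatus     = if ($svc) { $svc.Status.ToString() }    else { 'absent' }
        ServiceStartType  = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        LocalActivePolicy = $localPolicy
        DomainPolicyPath  = $domainPolicy
        Effective         = $effective
    }
}

# The thread's "never IPSec" option: stop the agent and keep it from starting.
# Reverse with Set-Service -StartupType Automatic and Start-Service.
function Disable-IpsecPolicyAgent {
    Stop-Service -Name 'PolicyAgent' -Force -ErrorAction Stop
    Set-Service  -Name 'PolicyAgent' -StartupType Disabled
}

Get-IpsecPolicyState | Format-List
```

The point of the check is the Effective field: a host that shows a DomainPolicyPath, or a Running agent with no local policy, is not in the "no IPSec at all, ever" state Jan expected from the dialog; only a stopped and disabled agent is, and that also breaks L2TP/IPSec VPNs, as the thread notes.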