Appendix A: Sample GPO Template Files for Settings Used in this Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

You can import an XML file containing customized registry preferences into a Group Policy object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). Creating registry setting preferences as described here is a new feature in Windows Server 2008 and Windows Vista with Service Pack 1 (SP1).

To manually create the file, build the settings under Computer Configuration, Preferences, Windows Settings, Registry. After you have created the settings, drag the container to the desktop. An .xml file is created there.

To import an .xml file into GPMC, drag it and drop it on the Registry node under Computer Configuration, Preferences, Windows Settings. If you save the following sample XML code as an .xml file, and then drag and drop that file on the Registry node, it creates a Server and Domain Isolation collection that contains the six registry keys discussed in this guide.

The following sample file uses item-level targeting so that each registry setting is applied only to the versions of Windows for which it is intended.

Note

The file shown here is a sample only. Customize it to meet the requirements of your organization’s deployment: import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customizations.

<?xml version="1.0" encoding="utf-8"?>

<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">

<!--
   Legacy NAT-T setting (W2K, XP, W2K3). Writes
   AssumeUDPEncapsulationContextOnSendRule under Services\IPsec, the
   pre-Vista location of this value; the "(Vista and W2K8)" item at the end
   of this file writes the same value under Services\PolicyAgent.
   The sample value is 0, which the desc text documents as the default
   ("No IPsec SAs to servers behind NAT"). Despite the item name, importing
   this file unchanged does not enable NAT-T; set 1 or 2 deliberately and
   prefer the narrowest value the network topology requires.
   bypassErrors="1": a failure to write this value is ignored and the
   remaining items are still processed, so verify the value on target hosts
   rather than assuming the import applied it.
-->
<Registry 
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="Enable IPsec over NAT (W2K, XP, W2K3)"
         status="AssumeUDPEncapsulationContextOnSendRule"
         image="12"
         changed="2008-05-30 20:37:31"
         uid="{49FD6551-80DA-4876-9335-623F2575E27B}"
         desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt;
            This setting configures whether computers running Windows 2003 and Windows XP
            can make IPsec connections to servers behind NAT-enabled routers.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt;
            &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
         bypassErrors="1">
   <!-- action="U" (update) with a REG_DWORD; displayDecimal="1" shows the
        value in decimal in GPMC. -->
   <Properties
         action="U"
         displayDecimal="1"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="System\CurrentControlSet\Services\IPsec"
         name="AssumeUDPEncapsulationContextOnSendRule"
         type="REG_DWORD"
         value="00000000"/>
   <!-- Targeting is by exclusion (not="1" on both filters): the item applies
        to any OS that is neither Vista nor 2K8. NOTE(review): presumably that
        also includes OS releases not named here; confirm against the OS
        filter semantics. The Vista/W2K8 items later in this file target by
        inclusion (not="0"), which is the safer pattern for a legacy-only
        value. -->
   <Filters>
      <FilterOs
         bool="AND" not="1"
         class="NT" version="VISTA"
         type="NE" edition="NE" sp="NE"/>
      <FilterOs
         bool="AND" not="1"
         class="NT" version="2K8"
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>

<!--
   PMTU discovery. Writes EnablePMTUDiscovery under TCPIP\Parameters with
   value 1, which the desc text documents as "Enable".
   This item has no Filters element, so it applies to every computer the GPO
   targets, regardless of OS version.
   bypassErrors="1": a write failure is ignored and processing continues;
   verify the value on target hosts.
-->
<Registry
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="Enable PMTU Discovery"
         status="EnablePMTUDiscovery"
         image="12"
         changed="2008-05-30 20:37:37"
         uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
         desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
            This setting configures whether computers can use PMTU
            discovery on the network.&lt;p&gt;
            &lt;b&gt;1&lt;/b&gt; --  Enable&lt;br&gt;
            &lt;b&gt;0&lt;/b&gt; --  Disable"
         bypassErrors="1">
   <!-- action="U" (update); displayDecimal="1" shows the value in decimal. -->
   <Properties
         action="U"
         displayDecimal="1"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="System\CurrentControlSet\Services\TCPIP\Parameters"
         name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
</Registry>

<!--
   IKE fallback-to-clear tuning for W2K, XP and W2K3. Writes IKEFlags under
   PolicyAgent\Oakley with value 0x14, which the desc text documents as both
   the 0x04 and 0x10 behaviours enabled (marked "recommended" there).
   displayDecimal="0" so GPMC shows the value in hexadecimal, matching the
   0x.. notation used in the desc.
   The desc is HTML that is escaped once for XML; "S&amp;amp;D" therefore
   decodes to "S&amp;D" in the attribute value, which the HTML renderer shows
   as "S&D". The double escape is intentional.
   bypassErrors="1": a write failure is ignored; verify on target hosts.
-->
<Registry
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="Simplified IPsec Policy (W2K, XP, W2K3)"
         status="IKEFlags"
         image="12"
         changed="2008-05-30 20:43:31"
         uid="{B9A34EFB-CDF7-4603-BBED-6BB85080C96F}"
         desc="&lt;b&gt;Simplified IPsec Policy&lt;/b&gt;&lt;p&gt;
            This setting configures two aspects of IPsec fallback-to-clear
            in Windows 2003, Windows XP, and Windows 2000.&lt;p&gt;
            &lt;b&gt;0x00&lt;/b&gt;: Original 3 second fallback-to-clear&lt;br&gt;
            &lt;b&gt;0x04&lt;/b&gt;: Enables 500ms fallback-to-clear&lt;br&gt;
            &lt;b&gt;0x10&lt;/b&gt;: Improve fallback-to-clear in S&amp;amp;D Iso&lt;br&gt;
            &lt;b&gt;0x14&lt;/b&gt;: Both 0x4 and 0x10 settings enabled (recommended)"
         bypassErrors="1">
   <Properties
         action="U"
         displayDecimal="0"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="System\CurrentControlSet\Services\PolicyAgent\Oakley"
         name="IKEFlags"
         type="REG_DWORD"
         value="00000014"/>
   <!-- Exclusion targeting (not="1"): applies to any OS that is neither
        Vista nor 2K8. NOTE(review): presumably also to OS releases not named
        here; confirm against the OS filter semantics, or target by inclusion
        as the Vista/W2K8 items do. -->
   <Filters>
      <FilterOs 
         bool="AND" not="1"
         class="NT" version="VISTA"
         type="NE" edition="NE" sp="NE"/>
      <FilterOs 
         bool="AND" not="1" 
         class="NT" version="2K8" 
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>

<!--
   NoDefaultExempt for Windows 2000 SP4 and Windows XP SP2. Writes the value
   under Services\IPsec (pre-Vista location) with value 1, which the desc
   text documents as "Exempts multicast, broadcast, ISAKMP". Compared with
   the default of 0 described there, RSVP and Kerberos traffic are no longer
   exempt and must match an IPsec rule. NOTE(review): confirm that the IPsec
   policy permits Kerberos traffic to domain controllers before deploying
   this value broadly, otherwise authentication traffic could be blocked.
   bypassErrors="1": a write failure is ignored; verify on target hosts.
-->
<Registry 
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" 
         name="IPsec Default Exemptions (W2K and XP)" 
         status="NoDefaultExempt" 
         image="12" 
         changed="2008-05-30 20:35:43" 
         uid="{60F64C68-EF12-4FAC-ACC9-00B4F21724FA}" 
         desc="&lt;b&gt;IPsec Default Exemptions for Windows 2000 SP4 
            and Windows XP SP2&lt;/b&gt;&lt;p&gt;
            This setting determines which network traffic type is exempt 
            from any IPsec authentication requirements.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP" 
         bypassErrors="1">
   <Properties 
         action="U" 
         displayDecimal="1" 
         default="0" 
         hive="HKEY_LOCAL_MACHINE" 
         key="SYSTEM\CurrentControlSet\Services\IPsec" 
         name="NoDefaultExempt" 
         type="REG_DWORD" 
         value="00000001"/>
   <!-- Exclusion targeting (not="1" on all four filters): applies to any OS
        that is none of Vista, 2K8, 2K3R2 or 2K3. NOTE(review): presumably
        that also includes OS releases not named here, which would receive a
        value at the pre-Vista key location; confirm against the OS filter
        semantics, or target W2K and XP by inclusion instead. -->
   <Filters>
      <FilterOs 
         bool="AND" not="1" 
         class="NT" version="VISTA" 
         type="NE" edition="NE" sp="NE"/>
      <FilterOs 
         bool="AND" not="1" 
         class="NT" version="2K8" 
         type="NE" edition="NE" sp="NE"/>
      <FilterOs 
         bool="AND" not="1" 
         class="NT" version="2K3R2" 
         type="NE" edition="NE" sp="NE"/>
      <FilterOs 
         bool="AND" not="1" 
         class="NT" version="2K3" 
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>

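<!--
   NoDefaultExempt for Windows Server 2003 and 2003 R2. Writes the value
   under Services\IPsec (pre-Vista location; the Vista/W2K8 item below uses
   Services\PolicyAgent) with value 3, which the desc text documents as
   "Exempts ISAKMP only": multicast, broadcast, RSVP and Kerberos traffic
   must all match an IPsec rule. NOTE(review): confirm that the IPsec policy
   permits Kerberos traffic to domain controllers before deploying this
   value broadly.
   The desc heading names the OS versions this item actually targets (see
   the Filters below); do not reuse the "Windows Server 2008 and later"
   wording of the Vista/W2K8 item here, as GPMC shows desc as the item's
   description.
   bypassErrors="1": a write failure is ignored; verify on target hosts.
-->
<Registry 
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" 
         name="IPsec Default Exemptions (W2K3)" 
         status="NoDefaultExempt" 
         image="12" 
         changed="2008-05-30 20:34:03" 
         uid="{7023764D-5E8A-4E16-BEA3-EA0743024EFA}" 
         desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2003 
            and Windows Server 2003 R2&lt;/b&gt;&lt;p&gt;
            This setting determines which network traffic type is exempt 
            from any IPsec authentication requirements.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
            &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only" 
         bypassErrors="1">
   <Properties 
         action="U" 
         displayDecimal="1" 
         default="0" 
         hive="HKEY_LOCAL_MACHINE" 
         key="SYSTEM\CurrentControlSet\Services\IPsec" 
         name="NoDefaultExempt" 
         type="REG_DWORD" 
         value="00000003"/>
   <!-- Inclusion targeting (not="0"): applies only to 2K3 or 2K3R2. -->
   <Filters>
      <FilterOs
         bool="AND" not="0"
         class="NT" version="2K3"
         type="NE" edition="NE" sp="NE"/>
      <FilterOs
         bool="OR" not="0"
         class="NT" version="2K3R2"
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>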

<!--
   NoDefaultExempt for Windows Vista and Windows Server 2008. Writes the
   value under Services\PolicyAgent, the Vista-and-later location (the W2K,
   XP and W2K3 items above use Services\IPsec), with value 3, which the desc
   text documents as "Exempts ISAKMP only". NOTE(review): confirm that the
   IPsec policy permits Kerberos traffic to domain controllers before
   deploying this value broadly.
   bypassErrors="1": a write failure is ignored; verify on target hosts.
-->
<Registry
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="IPsec Default Exemptions (Vista and W2K8)"
         status="NoDefaultExempt"
         image="12"
         changed="2008-05-30 20:33:32"
         uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
         desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
            and later&lt;/b&gt;&lt;p&gt;
            This setting determines which network traffic type is exempt
            from any IPsec authentication requirements.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
            &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
         bypassErrors="1">
   <Properties
         action="U"
         displayDecimal="1"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
         name="NoDefaultExempt"
         type="REG_DWORD"
         value="00000003"/>
   <!-- Inclusion targeting (not="0"): applies only to Vista or 2K8. The
        desc says "and later", but the filters name only these two
        versions; extend the Filters if later OS versions are in scope. -->
   <Filters>
      <FilterOs
         bool="AND" not="0"
         class="NT" version="VISTA"
         type="NE" edition="NE" sp="NE"/>
      <FilterOs
         bool="OR" not="0"
         class="NT" version="2K8"
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>

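<!--
   NAT-T setting for Windows Vista and Windows Server 2008. Writes
   AssumeUDPEncapsulationContextOnSendRule under Services\PolicyAgent, the
   Vista-and-later location (the "(W2K, XP, W2K3)" item at the top of this
   file writes the same value under Services\IPsec).
   The sample value is 0, which the desc text documents as the default
   ("No IPsec SAs to servers behind NAT"). Despite the item name, importing
   this file unchanged does not enable NAT-T; set 1 or 2 deliberately and
   prefer the narrowest value the network topology requires.
   The desc body names the OS versions this item targets (see the Filters
   below); do not reuse the "Windows 2003 and Windows XP" wording of the
   legacy item here, as GPMC shows desc as the item's description.
   bypassErrors="1": a write failure is ignored; verify on target hosts.
-->
<Registry 
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" 
         name="Enable IPsec over NAT (Vista and W2K8)" 
         status="AssumeUDPEncapsulationContextOnSendRule" 
         image="12" 
         changed="2008-05-30 20:32:56" 
         uid="{61C18AA8-F78E-453B-809A-98354D407035}" 
         desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt;
            This setting configures whether computers running Windows Vista 
            and Windows Server 2008 can make IPsec connections to servers behind 
            NAT-enabled routers.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt;
            &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
         bypassErrors="1">
   <Properties 
         action="U" 
         displayDecimal="1" 
         default="0" 
         hive="HKEY_LOCAL_MACHINE" 
         key="System\CurrentControlSet\Services\PolicyAgent" 
         name="AssumeUDPEncapsulationContextOnSendRule" 
         type="REG_DWORD" 
         value="00000000"/>
   <!-- Inclusion targeting (not="0"): applies only to Vista or 2K8. -->
   <Filters>
      <FilterOs 
         bool="AND" not="0" 
         class="NT" version="VISTA" 
         type="NE" edition="NE" sp="NE"/>
      <FilterOs 
         bool="OR" not="0" 
         class="NT" version="2K8" 
         type="NE" edition="NE" sp="NE"/>
   </Filters>
</Registry>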

</Collection>