We're about to implement some IP Security (IPSec) policies to protect access to certain ports on sensitive servers (as you suggest in your Windows Web Solutions article "IPSec Packet Filtering," http://www.windowswebsolutions.com, InstantDoc ID 25935). We're planning to use the preshared key authentication method and use Group Policy to distribute the IPSec policy, but we're concerned that an unauthorized individual could get the key. What risks exist with preshared keys?
Three direct risks exist. First, when a computer applies a group policy, it stores a cache of the Resultant Set of Policies (RSoP) in the local registry. Microsoft documentation clearly states that this cache stores preshared keys in clear text. Therefore, if someone gains physical access to a computer, he or she can obtain the key from the registry. Second, when a computer applies a group policy, it retrieves IPSec policy information from the domain controller (DC) through Lightweight Directory Access Protocol (LDAP). An attacker might be able to capture those packets and find the key. Third, the default permissions on Active Directory (AD) IPSec objects let the Authenticated Users and Pre-Windows 2000 Compatible Access groups read all properties for objects under System\IP Security in an AD domain, and ipsecNFA objects' ipsecData property stores preshared keys. (For an explanation of how intruders can extract this information, see the Web-exclusive sidebar "Finding an IPSec Policy's Preshared Key," http://www.secadministrator.com, InstantDoc ID 26776.)
Any user in the forest who has sufficient knowledge can obtain preshared keys from IPSec policies in AD. To defend against this possibility, use preshared keys only when necessary. If possible, configure preshared keys manually in each computer's local Group Policy Object (GPO) instead of through AD, or consider modifying the permissions on ipsecNFA objects so that only Administrators and computers to which you've assigned the policy have Read access.
