Simplified deployment

To achieve secure communications with a low cost of ownership, Windows XP simplifies the deployment of IPSec with the following features:

Integration with the Windows 2000 security framework

IPSec uses the Windows 2000 domain as its trust model. By default, IPSec policies use the Active Directory default authentication method, Kerberos V5, to authenticate communicating computers, so no certificates or shared secrets have to be distributed. Computers that belong to the same Windows 2000 domain, or to domains that trust each other, can establish IPSec secured communications without any per-computer credential setup.

Centralized IPSec policy administration through Active Directory

IPSec policies can be assigned through Group Policy configuration of Active Directory domains and organizational units. This allows the IPSec policy to be assigned at the domain, site, or organizational unit level, eliminating the administrative overhead of configuring each computer separately.

Transparency of IPSec to users and applications

Integration at the IP layer (layer 3) provides security for any protocol in the TCP/IP suite of protocols. You do not need separate security for each protocol in the TCP/IP suite of protocols, because applications using TCP/IP pass the data to the IP protocol layer, where it is secured.

Flexible security configuration

The security services within each policy (authentication method, integrity and encryption algorithms, Diffie-Hellman group, and key lifetimes) can be customized to meet most security requirements for the network and its data traffic.

Automatic key management

Internet Key Exchange (IKE) services dynamically generate, exchange and refresh cryptographic keys between communicating computers, so keys never have to be configured or rotated by hand.

Automatic security negotiation

Internet Key Exchange (IKE) services dynamically negotiate a common set of security settings between communicating computers. The two policies only need to overlap; they do not have to be configured identically. Note that the negotiated result is bounded by what each side is willing to accept, so a weak method left in a policy "for compatibility" remains negotiable by any peer that offers it.
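The selection step described above, as an added example that is not code from this page or from Windows. It models the responder side of an IKE phase 1 negotiation as RFC 2409 defines it: the responder accepts one of the initiator's offered proposals as a whole or rejects them all, and the first acceptable offer in the initiator's order wins. The two policies below are constructed; the transform labels are illustrative names, not wire values. The second half shows why a weak method has to be removed from the acceptable set rather than merely listed last.

```python
"""IKE phase 1 proposal selection, modelled on RFC 2409 (IKEv1).

Added example; not code from the page or from Windows. Policy contents
are constructed. Windows presents these choices as "security methods"
and "authentication methods" in the IPSec policy editor.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Transform:
    encryption: str    # "3DES" or "DES"
    integrity: str     # "SHA1" or "MD5"
    auth_method: str   # "KERBEROS", "CERTIFICATE" or "PRESHARED_KEY"
    dh_group: int      # 1 = 768-bit MODP, 2 = 1024-bit MODP (RFC 2409)


# Constructed initiator policy, in the order it will be offered.
INITIATOR_OFFERS = [
    Transform("3DES", "SHA1", "KERBEROS", 2),
    Transform("3DES", "MD5", "KERBEROS", 2),
    Transform("DES", "SHA1", "KERBEROS", 1),
]

# Constructed responder policy: a different list, preferring certificates.
# Only membership matters on this side; the initiator's order decides.
RESPONDER_ACCEPTS = {
    Transform("3DES", "SHA1", "CERTIFICATE", 2),
    Transform("3DES", "MD5", "KERBEROS", 2),
    Transform("DES", "SHA1", "KERBEROS", 1),
}


def negotiate(offers: Iterable[Transform], accepts: set) -> Optional[Transform]:
    """Responder-side selection.

    RFC 2409 lets the responder accept one offered proposal as a whole or
    reject them all; it may not rewrite attributes. The result is the
    first offer, in the initiator's order, that the responder accepts, or
    None (NO-PROPOSAL-CHOSEN) when the two policies do not overlap.
    """
    for t in offers:
        if t in accepts:
            return t
    return None


WEAK_ENCRYPTION = {"DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {1}


def is_weak(t: Transform) -> bool:
    return (t.encryption in WEAK_ENCRYPTION
            or t.integrity in WEAK_INTEGRITY
            or t.dh_group in WEAK_DH_GROUPS)


def without_weak(accepts: set) -> set:
    """Hardened policy: a peer that offers only weak transforms gets
    nothing, because they are not in the acceptable set at all. In this
    model putting them last on the responder changes nothing, since the
    initiator's preference order drives the pick."""
    return {t for t in accepts if not is_weak(t)}


if __name__ == "__main__":
    print("chosen:", negotiate(INITIATOR_OFFERS, RESPONDER_ACCEPTS))
    legacy_peer = [Transform("DES", "SHA1", "KERBEROS", 1)]
    print("legacy peer gets:", negotiate(legacy_peer, RESPONDER_ACCEPTS))
    print("after hardening:",
          negotiate(legacy_peer, without_weak(RESPONDER_ACCEPTS)))
```

With the constructed policies the initiator's top choice (3DES/SHA1 with Kerberos) is not selected, because the responder pairs 3DES/SHA1 only with certificates; the second offer is the first one both accept. A peer offering only DES with group 1 still succeeds against the original responder policy, and fails only once the weak transforms are removed from it.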

Public key infrastructure support

Authentication with public key certificates is supported. This provides trust and secure communication for computers that do not belong to a trusted Windows 2000 domain, computers running other operating systems, computers that are members of untrusted domains, and cases where access must be restricted to a smaller group of computers than domain authentication allows.

Preshared key support

If authentication with the Kerberos V5 protocol or public key certificates is not possible, a preshared authentication key can be configured. This method is intended for interoperability and testing: the key is stored as part of the IPSec policy rather than in a protected credential store, so the policy must be protected as you would a password, and a key shared by many computers proves membership in the group, not the identity of an individual computer.
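The key management and preshared key passages above, as one added example that is not code from this page or from Windows. It carries the IKEv1 phase 1 key derivation through for the preshared key case using the formulas of RFC 2409 (SKEYID = prf(pre-shared-key, Ni_b | Nr_b), then SKEYID_d, SKEYID_a and SKEYID_e), with HMAC-SHA1 as the prf. The Diffie-Hellman group is a toy group chosen so the numbers stay readable; it is an assumption of this example, not an IKE group. Cookies and nonces are generated locally and stand in for the values the two peers would exchange on the wire.

```python
"""IKEv1 phase 1 key derivation with pre-shared key authentication.

Added example; not code from the page or from Windows. Formulas follow
RFC 2409 section 5 (SKEYID_d/_a/_e) and 5.4 (SKEYID for pre-shared
keys). The DH group is a toy; cookies and nonces are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy DH group (2**127 - 1 is a Mersenne prime). Real IKE uses the
# 768-bit (group 1) or 1024-bit (group 2) MODP groups of RFC 2409.
TOY_P = 2 ** 127 - 1
TOY_G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA-1 is the negotiated hash: HMAC-SHA1 (RFC 2409 s.4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(x: Optional[int] = None) -> Tuple[int, int]:
    """Private exponent x (random unless supplied) and public value g^x mod p."""
    if x is None:
        x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string (the RFC's g^xy)."""
    return pow(peer_public, x, TOY_P).to_bytes(16, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key mode: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    The nonces travel in the clear; all secrecy here comes from the PSK."""
    return prf(psk, ni + nr)


def derive_phase1_keys(skeyid: bytes, gxy: bytes,
                       cky_i: bytes, cky_r: bytes) -> Dict[str, bytes]:
    """SKEYID_d (feeds phase 2 keys), SKEYID_a (authentication) and
    SKEYID_e (encryption), each chained on the previous value."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def run_phase1(psk_initiator: bytes, psk_responder: bytes):
    """Both ends of a main-mode exchange reduced to what feeds keying.
    Returns (initiator_keys, responder_keys); they agree only when the
    two sides hold the same pre-shared key."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)      # Ni_b, Nr_b
    x_i, pub_i = dh_keypair()   # KE payloads: only pub_i / pub_r go on the wire
    x_r, pub_r = dh_keypair()
    keys_i = derive_phase1_keys(skeyid_psk(psk_initiator, ni, nr),
                                dh_shared(x_i, pub_r), cky_i, cky_r)
    keys_r = derive_phase1_keys(skeyid_psk(psk_responder, ni, nr),
                                dh_shared(x_r, pub_i), cky_i, cky_r)
    return keys_i, keys_r


if __name__ == "__main__":
    good_i, good_r = run_phase1(b"same-key", b"same-key")
    bad_i, bad_r = run_phase1(b"same-key", b"other-key")
    print("SKEYID_e:", good_i["SKEYID_e"].hex())
    print("matching PSKs agree:", good_i == good_r)
    print("mismatched PSKs agree:", bad_i == bad_r)
```

Two things the derivation makes visible. First, the fresh Diffie-Hellman exchange is what gives each security association its own keys, and re-running it is how IKE refreshes them when a lifetime expires. Second, in the preshared key mode the only secret input to SKEYID is the key itself, since the nonces are sent unencrypted; a mismatched or guessed key surfaces when the identity hashes (HASH_I and HASH_R, which are computed under SKEYID) fail to verify, which is why the strength and handling of the preshared key matters as much as the algorithms chosen.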


The integration with the Windows 2000 security framework, the centralized IPSec policy administration through Active Directory, and the use of the Kerberos V5 protocol described here do not apply to computers running Windows XP Home Edition, which cannot join a domain.

© 2017 Microsoft Corporation. All rights reserved.