When is it OK to disable IPSec on Windows 2003?

Tim

I have a bunch of servers in my environment that have IPSec enabled but not
configured. Some of those servers are having serious performance issues, but
if I stop and disable the IPSec service, the performance issues go away. I
have read some articles that say that IPSec should only be enabled if it's
going to be configured, but I'm not that familiar with IPSec. I have two
questions:

1. Is the statement that IPSec should only be enabled if it's going to be
configured and used a valid statement?

2. What's the easiest way - besides opening the IPSec Snap-In on every
server and checking for policies - to know whether or not a server is
actually using IPSec policies?


Thanks in advance for your help!
 
S. Pidgorny

G'day,

The answers: no, and by creating IPsec policy in a GPO applying to all
servers.

To elaborate on the answer to #1: doing nothing is a viable and
attractive option in your case. Only change defaults if you have good
reasons to do so.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 
Tim

Thanks for responding so quickly, but your answers left me with a few more
questions. For example, I'm not sure why I would create an IPSec policy I
don't plan to use. Second, how is doing nothing an attractive option when
we're taking a performance hit because of it? Also, I've read that IPSec is
supposed to be disabled by default. Is that not the case and, if it is,
shouldn't I disable it until or unless I need it? I'm not trying to be
difficult; I just need to understand this stuff better. Thanks again.



 