Microsoft published a paper explaining how to isolate the KMS (Key Management Service) using IPsec. KMS doesn't require any kind auf authentication. Therefore, anyone who gets network access to your KMS server is able to activate its Vista machine this way.

Latest posts by Michael Pietroforte (see all)

Organizations having no firewall or are sharing their network with others might not want to expose their KMS. We also have this problem since we have public areas where students can use our computers. Anyone can just connect its own laptop to our network thereby activating his or her Vista machine. If you offer Wi-Fi access points for guests, you might have a similar problem.

To protect KMS with IPsec, you don't have to deploy any additional software. To configure your Vista clients you can use Group Policy. Thus, you can use IPsec authorization only for members of an Active Directory domain. The Group Policy settings define the IPsec policy used by the KMS clients and the KMS host. They also specify the corresponding rules for the Windows Vista Firewall.

Note that these settings will only affect KMS clients trying to communicate with the KMS host. Other machines in your network, like domain controllers or other servers don't have to use IPsec to connect to your KMS server. It is also possible to exempt configurable IP ranges from IPsec authentication. These machines don't have to be part of an Active Directory domain.

It is interesting to note that Microsoft's documentation assumes that the KMS host is installed on a Vista machine or Longhorn server. This is a bit strange since there is no release date for Longhorn yet, and using a Vista workstation to run such an important service for a large network is even stranger in my view. However, there is an appendix discussing the extra steps necessary for running the KMS host on Windows Server 2003.

The whole documentation has about 30 pages. You should be prepared to spend some time with this. I, personally, have a lot of respect for IPsec. Every time I am confronted with IPsec, it usually turns out that I needed more time to get it working than I originally planned.

So the question for me is, is it really worth the effort? First of all, if a student really "misuses" our KMS, he or she has to come back every 180 days. Otherwise, Vista will go into Reduced Functionality Mode (RFM) after the grace period expires.

Second, what could be the advantage for my organization if we protect our KMS in such a complicated way? I doubt Microsoft would take any measures against us as long as our KMS is not publicly available on the Internet.

Subscribe to 4sysops newsletter!

Third, wouldn't it much easier if KMS offers an option that would allow only Windows domain members to use it for Vista activation? If Microsoft wants us to activate our desktop computers, they should at least give us easy-to-use management tools. KMS doesn't even have a GUI! So maybe we should just wait until Microsoft offers appropriate tools instead of messing around with IPsec. What do you think?

  1. Avatar
    Joe 17 years ago

    Wow, a very interesting topic that I doubt anyone on our campus has pondered yet. I would agree with your point about breaking your back to protect the licenses. If Microsoft didn’t provide a tool to make it practical, then they’ve expressed the amount of importance they put on the ‘problem’. Do keep us all informed on what direction you go in.

  2. Avatar

    Joe, I think many are not yet aware of this. There was a discussion going on if we should install one KMS for our whole university. We have about 40,000 students and the University buildings are spread out all over the city. Everyone can step in those buildings. So this KMS would probably be a big Windows Vista activation center for the whole city. So my first thought was this is simply impossible. But on second thought, why not? I think, we’ll have such “public Vista activation centers

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account