Microsoft published a paper explaining how to isolate the KMS (Key Management Service) using IPsec. KMS doesn't require any kind of authentication. Therefore, anyone who gets network access to your KMS server is able to activate their Vista machine this way.
Organizations that have no firewall or that share their network with others might not want to expose their KMS. We also have this problem, since we have public areas where students can use our computers. Anyone can just connect their own laptop to our network and thereby activate his or her Vista machine. If you offer Wi-Fi access points for guests, you might have a similar problem.
To protect KMS with IPsec, you don't have to deploy any additional software. You configure your Vista clients through Group Policy, so IPsec authorization can be limited to members of an Active Directory domain. The Group Policy settings define the IPsec policy used by the KMS clients and the KMS host. They also specify the corresponding rules for the Windows Vista Firewall.
Note that these settings only affect KMS clients trying to communicate with the KMS host. Other machines in your network, such as domain controllers or other servers, don't have to use IPsec to connect to your KMS server. It is also possible to exempt configurable IP ranges from IPsec authentication; machines in those ranges don't have to be part of an Active Directory domain.
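As an added example (not from the post or from Microsoft's document), this is the local netsh equivalent of the policy described above: the KMS host requires Kerberos computer authentication on its listener port, one IP range is exempted, and the firewall admits only IPsec-authenticated peers. The KMS host address 192.0.2.10 and the exempt range are constructed placeholders, and the KMS listener port TCP 1688 is an assumption the post itself does not state.

```powershell
# Added example: local netsh equivalent of the IPsec isolation described in the post.
# Assumptions (not from the post): KMS host 192.0.2.10, KMS listener on TCP 1688,
# exempt range 192.0.2.100-192.0.2.120. Run in an elevated prompt.
# In production the same rules are delivered through Group Policy, as the post says.

# --- On the KMS host ---

# 1. Connection security rule: any peer talking to the KMS port on this host must
#    authenticate with Kerberos, i.e. must be a domain member (computerkerb).
netsh advfirewall consec add rule name=KMS-RequireDomainAuth `
    endpoint1=192.0.2.10 endpoint2=any `
    protocol=tcp port1=1688 port2=any `
    action=requireinrequireout auth1=computerkerb

# 2. Exemption: machines in a known range may reach KMS without IPsec.
#    An authentication-exemption rule takes precedence over the require rule
#    for the addresses it names, so these peers need no domain membership.
netsh advfirewall consec add rule name=KMS-ExemptRange `
    endpoint1=192.0.2.10 endpoint2=192.0.2.100-192.0.2.120 `
    protocol=tcp port1=1688 port2=any `
    action=noauthentication

# 3. Firewall rule: the inbound KMS port is open only to IPsec-authenticated peers
#    (security=authenticate), so an unknown laptop is dropped before it reaches KMS.
netsh advfirewall firewall add rule name=KMS-Inbound-IPsecOnly `
    dir=in action=allow protocol=tcp localport=1688 security=authenticate

# 4. Firewall rule for the exempt range: unprotected traffic, but only from those addresses.
netsh advfirewall firewall add rule name=KMS-Inbound-ExemptRange `
    dir=in action=allow protocol=tcp localport=1688 `
    remoteip=192.0.2.100-192.0.2.120

# --- On each Vista client (the part the post delivers via Group Policy) ---

# 5. Matching rule so the client negotiates IPsec when it contacts the KMS host.
netsh advfirewall consec add rule name=KMS-Client `
    endpoint1=any endpoint2=192.0.2.10 `
    protocol=tcp port1=any port2=1688 `
    action=requireinrequireout auth1=computerkerb

# Verify what was created.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name=KMS-Inbound-IPsecOnly
```

This assumes the KMS host runs Vista or Longhorn, where `netsh advfirewall` exists; a Windows Server 2003 host needs the separate steps from the appendix the post mentions.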
It is interesting to note that Microsoft's documentation assumes that the KMS host is installed on a Vista machine or a Longhorn server. This is a bit strange, since there is no release date for Longhorn yet, and using a Vista workstation to run such an important service for a large network is even stranger in my view. However, there is an appendix discussing the extra steps necessary for running the KMS host on Windows Server 2003.
The whole document has about 30 pages, so you should be prepared to spend some time with it. I personally have a lot of respect for IPsec. Every time I am confronted with IPsec, it usually turns out that I need more time to get it working than I originally planned.
So the question for me is: is it really worth the effort? First of all, if a student really "misuses" our KMS, he or she has to come back every 180 days. Otherwise, Vista will go into Reduced Functionality Mode (RFM) after the grace period expires.
Second, what could be the advantage for my organization if we protect our KMS in such a complicated way? I doubt Microsoft would take any measures against us as long as our KMS is not publicly available on the Internet.
Third, wouldn't it be much easier if KMS offered an option that allowed only Windows domain members to use it for Vista activation? If Microsoft wants us to activate our desktop computers, they should at least give us easy-to-use management tools. KMS doesn't even have a GUI! So maybe we should just wait until Microsoft offers appropriate tools instead of messing around with IPsec. What do you think?