What the Heck is the “Default Response Rule”?

====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.

The default response rule is used to ensure that the peer computer responds to requests for secure communication. If the active policy does not have a rule defined for a computer that is requesting secure communication, then the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.

The default response rule, which can be used for all policies, has the IP filter list of <Dynamic> and the filter action of Default Response when the list of rules is viewed with the IP Security Policies snap-in. The filter list of <Dynamic> indicates that the filter list is not configured, but that filters are created automatically based on the receipt of IKE negotiation packets.

The default response rule cannot be deleted, but it can be deactivated. It is activated for all of the default policies and you have the option of enabling it when you create new IPSec policies with the IP Security Policy Wizard.

The Default Response Rule and Security

A consequence of using the default response rule is that the peer computer can send unsecured data to a secured server after the quick mode SA and dynamic filter have timed out. These peer computers, also called “client computers” because they use the “Client” default security action, rely on the computer with which they are communicating to initiate secure communications. This reliance occurs both when communication is initiated and when it is resumed after a delay that is sufficient to time out a previously established quick mode SA and dynamic filter.

To prevent client computers from sending unsecured data to secure servers, you must configure your client computer IPSec policy with additional rules that initiate secured communications to secure servers.

If the secure server sends new data on the existing connection, it renegotiates the quick mode SA before sending this data to the client computer because a rule exists on the secure server to secure traffic between itself and all other computers.

The Default Response Rule and Firewalls

After the firewall is opened to allow the IKE and IPSec protocols, the firewall might not be able to inspect packets to control which traffic is secured by IPSec. IPSec policy filters determine which traffic IPSec can secure, so if you want only a specific protocol to flow between two peers, you must create IPSec filters that enforce this behavior. Port-specific filters can control the direction in which connections are made.

Therefore, if a computer is in a more trusted network (inside the firewall) and you want IPSec to secure traffic only over certain protocols and ports on that computer, do not enable the default response rule in the IPSec policy for that computer. If the default response rule is enabled and an attacker compromises the remote computer, the attacker might be able to modify the IPSec policy to negotiate security for all traffic through the firewall.