Applies To: Microsoft iSCSI Software Target
Microsoft iSCSI Software Target supports encryption and authentication to help ensure the security of data that is transmitted between the iSCSI initiator and iSCSI target.
Data encryption is accomplished in iSCSI Software Target through the use of Internet Protocol security (IPsec). IPsec is a protocol that enforces data encryption and authentication at the IP packet layer to provide data privacy, integrity, and authenticity between the iSCSI initiator and iSCSI target. The Windows® TCP/IP stack includes IPsec and offers several encryption methods such as Kerberos, certification authority (CA), and preshared keys. iSCSI Software Target uses the Windows TCP/IP stack, taking advantage of the Windows Server 2003 built-in IPsec implementation and management model.
IPsec is configured by using the Local Security Policy snap-in or by using Group Policy on the iSCSI initiator and on the iSCSI target. Additional IPsec configuration options are provided in Microsoft iSCSI Software Initiator, but no configuration is done in iSCSI Software Target. For more information about the IPsec configuration of the iSCSI initiator, see the documentation of the iSCSI initiator manufacturer.
For more information about IPsec, see the IPsec Technical Reference.
CHAP and reverse CHAP authentication
There are several levels of iSCSI security available. The basic level is based on the Challenge Handshake Authentication Protocol (CHAP). CHAP is a protocol that is used to authenticate the peer of a connection, and it is based on the peers sharing a secret (a security key that is similar to a password).
In Microsoft iSCSI Software Target, CHAP and reverse CHAP authentication are not enabled by default. You can enable authentication by using the following authentication methods:
You can use CHAP to provide one-way authentication. With this method, the iSCSI target authenticates each iSCSI initiator, but the iSCSI initiator does not authenticate the iSCSI target. A shared secret is configured on the iSCSI target, and all iSCSI initiators must use the same secret to start a session with the iSCSI target.
Enable reverse CHAP authentication
You can use reverse CHAP authentication to provide authentication of the iSCSI target by the iSCSI initiator. A separate shared secret is configured on the iSCSI initiator and each iSCSI target must provide the appropriate shared secret to the iSCSI initiator.
At a minimum, use one-way CHAP authentication between iSCSI initiators and targets. To provide better security, also enable reverse CHAP authentication.
For more information about the CHAP protocol, see Challenge Handshake Authentication Protocol (CHAP). For more information about iSCSI security and to learn more about iSCSI in general, see Microsoft Storage Technologies - iSCSI.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.
To enable authentication of an iSCSI target
In Microsoft iSCSI Software Target, in the console tree, click iSCSI Targets.
In the results pane, right-click the iSCSI target for which you want to enable authentication, and then click Properties.
On the Authentication tab, select the Enable CHAP check box, or the Enable reverseCHAP authentication check box, or both check boxes.
For each authentication method you select, specify an appropriate name in User name, specify a secret and confirm it, and then click OK.
If you enable CHAP and reverse CHAP authentication, you must specify a different secret for each.
You must be a member of the local Administrators group to perform these tasks.
To open iSCSI Software Target, click Start, point to Administrative Tools, and then click Microsoft iSCSI Software Target. (Another way to open iSCSI Software Target is to click Start, click Run, and then type iscsitarget.msc.)