JSI Tip 7469. IPSec default exemptions are removed in Windows Server 2003?

Microsoft Knowledge Base Article 810207 contains the following summary:

The Internet Protocol Security (IPsec) feature in Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.

The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Microsoft Windows XP Help. These filters make it possible for Internet Key Exchange (IKE) and Kerberos to function. The filters also make it possible for the network Quality of Service(QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec cannot secure such as multicast and broadcast traffic.

For additional information about these filters, click the following article number to view the article in the Microsoft Knowledge Base:

253169 Traffic that can--and cannot--be secured by IPSec