Microsoft has removed cryptographic algorithms that are no longer considered
secure from the default IPsec policies in Windows Vista and in Windows Server 2008.
Policies that are created by using the IP Security Policies Management snap-in or
by using the netsh ipsec command therefore no longer include MD5 (hash) or DES
(encryption) in their default security methods. The new defaults remain backward
compatible with policies that were created by using the defaults in Microsoft
Windows 2000, in Windows XP, and in Windows Server 2003, because those defaults
also contained the 3DES/SHA1 methods that are kept. The algorithms themselves are
not removed from the operating system: MD5 and DES can still be configured
explicitly in a policy if they are required for compatibility or interoperability
reasons, but they are no longer selected unless you add them.
The following default settings have been updated.

Main-mode security methods when you use the default settings to create a new
policy (DH Medium is Diffie-Hellman group 2, DH Low is group 1)

Previous                     | Current
3DES, SHA1, DH Medium (2)    | 3DES, SHA1, DH Medium (2)
3DES, MD5, DH Medium (2)     |
DES, SHA1, DH Low (1)        |
DES, MD5, DH Low (1)         |

Quick-mode security methods of a filter action that is created with the
netsh ipsec command when it is used together with the action=negotiate parameter

Previous                     | Current
ESP: 3DES, SHA1              | ESP: 3DES, SHA1
ESP: 3DES, MD5               |

Action settings for the default response rule filters

Previous                     | Current
ESP: 3DES, SHA1              | ESP: 3DES, SHA1
ESP: 3DES, MD5               | AH: SHA1
ESP: DES, SHA1               |
ESP: DES, MD5                |
AH: SHA1                     |
AH: MD5                      |
Note The default response rule is deprecated in
Windows Vista. The rule is available only to manage policies for earlier
versions of Windows.
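The following PowerShell session is an added example and is not part of this article. It uses the netsh ipsec static context to create a policy whose main-mode and quick-mode security methods are spelled out explicitly, matching the new defaults (3DES, SHA1, DH group 2 for main mode; ESP with 3DES and SHA1 for quick mode) instead of depending on whatever defaults a given Windows version applies, and then scans all stored policies for any MD5 or DES entries. The policy, filter list, filter action and rule names, the 10.0.0.0/24 destination subnet and the quick-mode lifetime values are choices made for the example, and the audit assumes that netsh prints security methods using the same MD5 and DES tokens shown in the tables above.

```powershell
# Added example (not from the KB article). Run from an elevated prompt on a
# system that has the netsh ipsec static context (Windows Vista / Server 2008,
# and earlier versions back to Windows Server 2003 / XP).
# Names, the subnet and the lifetimes below are hypothetical choices.

# Main mode: only 3DES-SHA1 with DH group 2 (syntax ConfAlg-HashAlg-GroupNum).
# Listing the method explicitly means the policy does not inherit MD5/DES
# defaults when it is created or edited on an older Windows version.
netsh ipsec static add policy name="CorpIPsec" description="No MD5 or DES" mmsecmethods="3DES-SHA1-2"

# Quick mode: negotiate ESP with 3DES/SHA1 only; no DES or MD5 entries.
# (Lifetime 100000 KB / 3600 s is the value chosen for this example.)
netsh ipsec static add filteraction name="NegotiateStrong" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# A filter list matching traffic from this host to a hypothetical server subnet.
netsh ipsec static add filterlist name="ToServers"
netsh ipsec static add filter filterlist="ToServers" srcaddr=me dstaddr=10.0.0.0 dstmask=255.255.255.0 protocol=any mirrored=yes

# Bind filter list and filter action into a rule of the policy, then assign it.
netsh ipsec static add rule name="ServersRule" policy="CorpIPsec" filterlist="ToServers" filteraction="NegotiateStrong"
netsh ipsec static set policy name="CorpIPsec" assign=yes

# Audit: dump every stored policy and flag security methods that still name
# MD5 or DES. \bDES\b deliberately does not match 3DES. The pattern assumes
# netsh prints the algorithm names as shown in the article's tables.
$dump = netsh ipsec static show all
$weak = $dump | Select-String -Pattern 'MD5|\bDES\b' -CaseSensitive
if ($weak) {
    Write-Output "Weak IPsec security methods are still configured:"
    $weak | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }
} else {
    Write-Output "No MD5 or DES security methods found in stored IPsec policies."
}
```

The audit step is the part to keep: policies that were created on Windows 2000, XP or Server 2003 with the old defaults still carry the MD5 and DES methods in their stored security-method lists, and the change described in this article does not rewrite them. Only newly created policies pick up the new defaults, so existing policies have to be inspected and edited (for example with netsh ipsec static set policy ... mmsecmethods=... and set filteraction ... qmsecmethods=...) if MD5 and DES are to be retired.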
For more information, click the
following article number to view the article in the Microsoft Knowledge Base:
942964
How the default response rule for IPsec policies functions in Windows Vista and in Windows Server 2008 Beta 3