How to use IPSec to block specific network protocols and ports


Source: http://support.microsoft.com/

Summary
Internet Protocol security (IPSec) filtering rules can be used to help protect Windows 2000-based computers from network-based attacks by viruses, worms, and other threats. This article describes how to filter a specific protocol and port combination for both inbound and outbound network traffic. It also includes steps to determine whether an IPSec policy is already assigned to a Windows 2000-based computer, steps to create and assign a new IPSec policy, and steps to unassign and delete an IPSec policy.
More information
IPSec policy can be applied locally, or it can be applied to members of a domain as part of the domain Group Policy. Local IPSec policy can be static (persistent across a restart) or dynamic (volatile). A static IPSec policy is written to the local registry and remains in effect after the operating system is restarted. A dynamic IPSec policy is not written to the registry permanently and is removed when the operating system or the IPSec Policy Agent service is restarted.

Important: This article contains information about using Ipsecpol.exe to edit the registry. Before editing the registry, you must know how to restore the Registry in case of a problem. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Microsoft Windows registry description
Note: IPSec filtering rules can cause network programs to lose data and to stop responding to network requests, including failing to authenticate users. Use IPSec filtering rules as a defensive measure only after you have a clear understanding of the impact that blocking specific ports will have in your environment. If an IPSec policy that you create by following the steps in this article has adverse effects on your network programs, see the "Unassign and delete IPSec policy" section later in this article for how to immediately disable and delete the policy.
Determine whether an IPSec Policy has been specified
Before you create or assign any new IPSec policy on a Windows 2000-based computer, determine whether an IPSec policy is already being applied through the local registry or through a Group Policy object (GPO). To do so, follow these steps:
1. Install Netdiag.exe by running Setup.exe from the Support\Tools folder on the Windows 2000 CD.
2. Open a command prompt and set the working folder to C:\Program Files\Support Tools.
3. Run the following command to check whether an IPSec policy is already assigned to the computer:
netdiag /test:ipsec
If no policy is assigned, you receive the following message:
IP Security test ......: Passed
IPSec policy service is active, but no policy is assigned.

Create a static policy to block traffic
For a computer that has no locally defined IPSec policy, follow these steps to create a new local static policy that blocks traffic directed to a specific protocol and port on a Windows 2000-based computer:
1. Verify that the IPSec Policy Agent service is enabled and started in the Services MMC snap-in.
2. Download and install Ipsecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp
3. Open a command prompt and set the working folder to the folder where Ipsecpol.exe is installed.

Note: The default folder for Ipsecpol.exe is C:\Program Files\Resource Kit.
4. To create a new local IPSec policy and filter rule that applies to network traffic from any IP address to the IP address of the Windows 2000-based computer that you are configuring, use the following syntax, where Protocol and Portnumber are variables:
ipsecpol -w REG -p "Block Protocol Portnumber Filter" -r "Block Inbound Protocol Portnumber Rule" -f *=0:Portnumber:Protocol -n BLOCK -x
For example, to block network traffic from any IP address and any source port to destination port UDP 1434 on a Windows 2000-based computer, type the following command. This policy helps protect computers that are running Microsoft SQL Server 2000 from the "Slammer" worm.
ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x
In the following example, inbound access to TCP port 80 is blocked, but outbound TCP 80 access is still permitted. This policy helps protect computers that are running Microsoft Internet Information Services (IIS) 5.0 from the "Code Red" and "Nimda" worms.
ipsecpol -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x
Note: The -x switch assigns the policy immediately, and only one IPSec policy is assigned at a time. If you enter this second command, the "Block UDP 1434 Filter" policy is unassigned and "Block TCP 80 Filter" is assigned in its place. To add the policy without assigning it, type the command without the -x switch.
5. To add further filter rules to the existing "Block UDP 1434 Filter" policy that block traffic originating from the Windows 2000-based computer to any IP address, use the following syntax, where Protocol and Portnumber are variables:
ipsecpol -w REG -p "Block Protocol Portnumber Filter" -r "Block Outbound Protocol Portnumber Rule" -f 0=*:Portnumber:Protocol -n BLOCK
For example, to block any network traffic from the Windows 2000-based computer to UDP 1434 on any other host, type the following command. This policy helps prevent computers that are running SQL Server 2000 from spreading the "Slammer" worm.
ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n BLOCK
Note: You can add as many filter rules to a policy as you need by using this syntax (for example, to block multiple ports with the same policy). Because these commands do not include -x, they do not change which policy is assigned.
6. The policy from step 5 is now in effect and persists across restarts of the computer. However, if a domain-based IPSec policy is assigned to the computer later, this local policy is overridden and no longer applies. To verify that your filter rules have been assigned, set the working folder at the command prompt to C:\Program Files\Support Tools and type the following command:
netdiag /test:ipsec /debug
If both an inbound and an outbound filter are assigned, as in these examples, you receive a message like the following:
IP Security test .........: Passed
Local IPSec Policy Active: Block UDP 1434 Filter
IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}

There are 2 filters
No Name
Filter Id: {5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
Policy Id: {509425ea-1214-4f50-bf43-9cac2b538518}
Src Addr: 0.0.0.0 Src Mask: 0.0.0.0
Dest Addr: 192.168.1.1 Dest Mask: 255.255.255.255
Tunnel Addr: 0.0.0.0 Src Port: 0 Dest Port: 1434
Protocol: 17 TunnelFilter: No
Flags: Inbound Block
No Name
Filter Id: {9B4144A6-774F-4AE5-B23A-51331E67BAB2}
Policy Id: {2DEB01BD-9830-4067-B58A-AADFC8659BE5}
Src Addr: 192.168.1.1 Src Mask: 255.255.255.255
Dest Addr: 0.0.0.0 Dest Mask: 0.0.0.0
Tunnel Addr: 0.0.0.0 Src Port: 0 Dest Port: 1434
Protocol: 17 TunnelFilter: No
Flags: Outbound Block
Note: The IP addresses and GUIDs will differ; they reflect the configuration of your own Windows 2000-based computer.
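The listing above is what step 6 asks you to check by eye. The following Python script, added here as an example and not part of the Microsoft article, parses netdiag /test:ipsec /debug output into filter records and reports whether a given protocol and port is blocked from any host, inbound and outbound. The sample texts are constructed: the first reproduces the listing above (its 192.168.1.1 address, UDP 1434 filters and GUIDs are the article's), the second is the "no policy is assigned" message from the earlier section. Copy the output of netdiag from the Windows 2000 computer to a machine with Python and pipe it into the script, or run the script with no input to see it applied to the samples.

```python
import re
import sys

# IANA protocol numbers as they appear in netdiag's "Protocol:" field.
PROTO_NUMBERS = {6: "TCP", 17: "UDP"}

ANY = ("0.0.0.0", "0.0.0.0")  # address/mask pair netdiag shows for "any host"

# Constructed sample (assumption): the netdiag /test:ipsec /debug listing
# reproduced from the article, with its 192.168.1.1 address and UDP 1434 filters.
SAMPLE_NETDIAG = r"""
IP Security test ......: Passed
Local IPSec Policy Active: Block UDP 1434 Filter
IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}

There are 2 filters
No Name
Filter Id: {5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
Policy Id: {509425ea-1214-4f50-bf43-9cac2b538518}
Src Addr: 0.0.0.0 Src Mask: 0.0.0.0
Dest Addr: 192.168.1.1 Dest Mask: 255.255.255.255
Tunnel Addr: 0.0.0.0 Src Port: 0 Dest Port: 1434
Protocol: 17 TunnelFilter: No
Flags: Inbound Block
No Name
Filter Id: {9B4144A6-774F-4AE5-B23A-51331E67BAB2}
Policy Id: {2DEB01BD-9830-4067-B58A-AADFC8659BE5}
Src Addr: 192.168.1.1 Src Mask: 255.255.255.255
Dest Addr: 0.0.0.0 Dest Mask: 0.0.0.0
Tunnel Addr: 0.0.0.0 Src Port: 0 Dest Port: 1434
Protocol: 17 TunnelFilter: No
Flags: Outbound Block
"""

# Constructed sample (assumption): what netdiag prints when nothing is assigned.
SAMPLE_NO_POLICY = """
IP Security test ......: Passed
IPSec policy service is active, but no policy is assigned.
"""


def _field(label, chunk, default=None):
    """Pull the value that follows 'label:' inside one filter record."""
    m = re.search(re.escape(label) + r"\s*:\s*(\S+)", chunk)
    return m.group(1) if m else default


def parse_netdiag_ipsec(text):
    """Return (active policy name or None, list of filter dicts)."""
    m = re.search(r"Local IPSec Policy Active:\s*(.+)", text)
    policy = m.group(1).strip() if m else None
    filters = []
    # Each filter record starts at its "Filter Id:" line; the text before the
    # first one is the policy header and is skipped.
    for chunk in re.split(r"(?m)^\s*Filter Id\s*:", text)[1:]:
        proto = int(_field("Protocol", chunk, "0"))
        flags = re.search(r"Flags\s*:\s*(\w+)\s+(\w+)", chunk)
        filters.append({
            "filter_id": chunk.split("\n", 1)[0].strip(),
            "src": (_field("Src Addr", chunk), _field("Src Mask", chunk)),
            "dst": (_field("Dest Addr", chunk), _field("Dest Mask", chunk)),
            "src_port": int(_field("Src Port", chunk, "0")),
            "dst_port": int(_field("Dest Port", chunk, "0")),
            "protocol": PROTO_NUMBERS.get(proto, str(proto)),
            "direction": flags.group(1) if flags else None,
            "action": flags.group(2) if flags else None,
        })
    return policy, filters


def is_blocked(filters, port, protocol, direction):
    """True if a Block filter drops protocol/port in that direction for any remote host.

    For an Inbound filter the remote side is the source; for Outbound it is the
    destination. A filter narrowed to a single remote host does not count.
    """
    for f in filters:
        if (f["action"], f["direction"]) != ("Block", direction):
            continue
        if f["protocol"] != protocol.upper() or f["dst_port"] != port:
            continue
        remote = f["src"] if direction == "Inbound" else f["dst"]
        if remote == ANY:
            return True
    return False


def check_port(text, port, protocol):
    """Summarise whether the netdiag output shows port/protocol blocked both ways."""
    policy, filters = parse_netdiag_ipsec(text)
    return {
        "policy": policy,
        "inbound": is_blocked(filters, port, protocol, "Inbound"),
        "outbound": is_blocked(filters, port, protocol, "Outbound"),
    }


if __name__ == "__main__":
    # Usage: netdiag /test:ipsec /debug > ipsec.txt, then: python check_ipsec.py < ipsec.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETDIAG
    print(check_port(text, 1434, "UDP"))
    print(check_port(SAMPLE_NO_POLICY, 1434, "UDP"))
```

The remote-side check is the detail worth keeping: an Inbound Block whose source is a single host still leaves the port reachable from everywhere else, so the script only reports "inbound: True" when the source is 0.0.0.0/0.0.0.0.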

 
Add a blocking rule for a specific protocol and port to an existing locally assigned static IPSec policy
To add a blocking rule for a specific protocol and port on a Windows 2000-based computer that already has a locally assigned static IPSec policy, follow these steps:
1. Download and install Ipsecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp
2. Identify the name of the assigned IPSec policy. To do so, type the following command at the command prompt:
netdiag /test:ipsec
If a policy is assigned, you receive a message similar to the following:
IP Security test ......: Passed
Local IPSec Policy Active: Block UDP 1434 Filter
3. If an IPSec policy (local or domain) is assigned to the computer, use the following syntax to add further BLOCK filter rules to the existing IPSec policy, where the existing policy name, Protocol, and Portnumber are variables:
ipsecpol -p "Existing IPSec Policy Name" -w REG -r "Block Protocol Portnumber Rule" -f *=0:Portnumber:Protocol -n BLOCK
For example, to add a filter rule that blocks inbound access to TCP port 80 to the existing "Block UDP 1434 Filter" policy, type the following command:
ipsecpol -p "Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK
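Steps 4 and 5 of the previous section and the syntax in this section follow one pattern, and the -x rule is what goes wrong when many ports are scripted at once: only the command that creates the new policy should carry -x, because assigning a second policy unassigns the first. The following Python script, an added example that is not from the Microsoft article, generates the ipsecpol.exe command lines for a list of (port, protocol, direction) blocks, either as a new static policy (the first command creates and assigns it) or as additions to an existing policy (no -x anywhere), and wraps them in a .cmd file that ends with the netdiag check. Policy and rule names follow the article's naming pattern; the netdiag path assumes the default Support Tools folder; the to_batch helper and the TCP/UDP-only restriction are this example's own choices.

```python
# Naming follows the article: "Block <proto> <port> Filter" for a policy and
# "Block <direction> <proto> <port> Rule" for each filter rule.
INBOUND, OUTBOUND = "Inbound", "Outbound"


def filter_spec(port, protocol, direction):
    """ipsecpol -f filter: *=0 is any host to this computer, 0=* is this computer to any host."""
    if direction == INBOUND:
        return "*=0:%d:%s" % (port, protocol)
    if direction == OUTBOUND:
        return "0=*:%d:%s" % (port, protocol)
    raise ValueError("direction must be Inbound or Outbound: %r" % (direction,))


def ipsecpol_block_commands(policy_name, blocks, assign=True, existing_policy=False):
    """Return the ipsecpol.exe command lines that put every (port, protocol, direction)
    in `blocks` into one static (-w REG) policy named `policy_name`.

    New policy: the first command creates it and, when assign=True, assigns it
    with -x. Every later command only adds a rule and must not carry -x, since
    only one policy is assigned at a time. existing_policy=True: the policy is
    already on the computer, so every command only adds a rule (no -x), as in
    the "add a blocking rule to an existing policy" section.
    """
    cmds, seen = [], set()
    for port, protocol, direction in blocks:
        protocol = protocol.upper()
        if protocol not in ("TCP", "UDP"):   # port-based blocks only (example's restriction)
            raise ValueError("protocol must be TCP or UDP: %r" % (protocol,))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % (port,))
        key = (port, protocol, direction)
        if key in seen:                       # the same rule twice adds nothing
            continue
        seen.add(key)
        cmd = 'ipsecpol -w REG -p "%s" -r "Block %s %s %d Rule" -f %s -n BLOCK' % (
            policy_name, direction, protocol, port, filter_spec(port, protocol, direction))
        if not cmds and assign and not existing_policy:
            cmd += " -x"                      # assign only once, on the creating command
        cmds.append(cmd)
    return cmds


def to_batch(cmds):
    """Wrap the commands in a .cmd script that ends by listing the resulting filters.

    Assumes Netdiag.exe is in the default Support Tools folder from the article.
    """
    lines = ["@echo off"] + list(cmds)
    lines.append('"C:\\Program Files\\Support Tools\\netdiag" /test:ipsec /debug')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # The article's worked examples: Slammer (UDP 1434) both ways in a new
    # policy, then Code Red/Nimda (inbound TCP 80) added to that same policy.
    slammer = ipsecpol_block_commands(
        "Block UDP 1434 Filter", [(1434, "UDP", INBOUND), (1434, "UDP", OUTBOUND)])
    web = ipsecpol_block_commands(
        "Block UDP 1434 Filter", [(80, "TCP", INBOUND)], existing_policy=True)
    print(to_batch(slammer + web))
```

Run the printed script from the folder where Ipsecpol.exe is installed; every generated line is a plain ipsecpol invocation of the form shown in the article, so you can also paste the lines one at a time and re-run netdiag between them.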


Add a dynamic blocking policy for a specific protocol and port

In some cases you may want to block a specific port only temporarily (for example, until you can install a hotfix, or when a domain-based IPSec policy is already assigned to the computer). To use IPSec policy to temporarily block access to a port on a Windows 2000-based computer, follow these steps:
1. Download and install Ipsecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp
2. To add a dynamic BLOCK filter for all packets sent from any IP address to your system's IP address and the target port, type the following command at the command prompt, where Protocol and Portnumber are variables:
ipsecpol -f [*=0:Portnumber:Protocol]
Note: This command dynamically creates a blocking filter that stays assigned as long as the IPSec Policy Agent service is running. If you restart the IPSec service or the computer, the setting is lost. If you want to reapply a dynamic IPSec filter rule after each restart of the system, create a startup script that reapplies the filter rule. If you want to apply the filter permanently, configure it as a static IPSec policy. The IP Security Policy Management MMC snap-in provides a graphical user interface for managing IPSec policy configuration. If
