Create an IPSec policy that opens a Web server only to a specific subnet

Source: Internet
Author: User

Many organizations today run a Web server on the LAN to publish business or financial information. To keep unauthorized users from reaching that server at will, large enterprises tend to buy dedicated security software or appliances, whatever the cost. A small organization does not need a separate security device or tool: the IPSec policy facility built into Windows Server is enough to create a policy that opens the server only to a chosen set of workstations and keeps everyone else out.

For convenience, this article assumes that the LAN Web server serves HTTP on TCP port 1588, and that only workstations in the 10.176.6.0/24 network segment may reach it over TCP; workstations in every other segment are to be blocked from reaching the server over any protocol, so that the Web server is truly opened only to its intended audience.

Create the Web server access filter list

To let workstations in 10.176.6.0/24 reach the LAN Web server over TCP, we first create an IP filter list on the server that matches exactly that traffic. Proceed as follows:

First, on the server desktop click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager to open the IIS console. Right-click the LAN Web site, choose Properties from the shortcut menu, and in the site's property window change the TCP port to 1588. Restart the Web site so that it serves only on port 1588.

Back on the desktop, click Start, Run, type gpedit.msc and press Enter to open the Local Group Policy Editor. In the left pane expand Computer Configuration, Windows Settings, Security Settings and select IP Security Policies on Local Computer.

Right-click an empty area in the right pane, choose Manage IP filter lists and filter actions from the shortcut menu (Figure 1), and on the Manage IP Filter Lists tab click Add to start the IP filter list wizard. Give the new filter list a descriptive name, for example "WEB Oriented open" (Figure 2), then click Add in that window to add a filter to the list.


 
Figure 1

Figure 2

When the wizard asks for the Source address, choose A specific IP Subnet and fill in the network address 10.176.6.0 with the subnet mask 255.255.255.0 (the mask is what selects the whole 10.176.6.0/24 segment; it is not the network address repeated). Click Next. When the wizard asks for the Destination address, choose My IP Address; this option needs no address to be typed, because it resolves to the server's own addresses. If the server has several addresses and only one of them should be reachable, choose A specific IP Address instead and enter the Web server's address.

Next the wizard asks for a protocol type. Choose TCP (the wizard lists protocols individually; there is no "TCP/IP" entry) and click Next to reach the port settings shown in Figure 3. Select To this port and enter the Web server's port, 1588; leave the source port set to From any port. Click Finish to complete the filter. The list now matches TCP traffic from any workstation in 10.176.6.0/24 to port 1588 on the server. Note that a filter list only describes traffic; whether matching traffic is permitted or blocked is decided by the filter action paired with it in the policy rule later on.
 
Figure 3

A Windows IPSec policy does not deny anything by default: traffic that matches no filter is simply passed. So to keep workstations in other segments from reaching the LAN Web server over any protocol, we also need a second filter list that matches all remaining traffic to the server, which the policy will later block. To create it, open the Local Group Policy Editor again, select Computer Configuration, Windows Settings, Security Settings, IP Security Policies on Local Computer in the left pane, right-click an empty area in the right pane, choose Manage IP filter lists and filter actions from the shortcut menu, and select the Manage IP Filter Lists tab.

On that tab click Add to start the IP filter list wizard, name the new list "All WEB open", and click Add in that window to add a filter. When the wizard asks for the Source address, choose Any IP Address (Figure 4) and click Next. When it asks for the Destination address, choose My IP Address as before (or A specific IP Address with the Web server's address).
 
Figure 4

When the wizard asks for the protocol type, choose Any, then click Finish. This list matches every packet, over any protocol, from any address to the server. On its own it permits nothing; it exists so that the policy can attach a Block action to it. Because Windows applies the most specific matching filter, the narrower "WEB Oriented open" filter (one subnet, TCP, one port) takes precedence over this catch-all whenever both match a packet.

Create a Block filter action

To block workstations from other segments from reaching the LAN Web server over any protocol, the "All WEB open" filter list must be paired with a filter action whose behaviour is Block. Windows ships a Permit action by default, but the Block action has to be created. Proceed as follows:

Open the Manage IP filter lists and filter actions dialog as before, switch to the Manage Filter Actions tab, and click Add to start the Filter Action wizard. Click Next, name the action "WEB blocking access", and on the page shown in Figure 5 set the action behaviour to Block. Click Finish.
 
Figure 5

Enable the IP security policy

With the filter lists and the Block action prepared, we can now create and assign the IP security policy that opens the LAN Web server only to workstations in the chosen segment:

Click Start, Run, type gpedit.msc and press Enter to open the Local Group Policy Editor. In the left pane expand Computer Configuration, Windows Settings, Security Settings and select IP Security Policies on Local Computer.

Right-click an empty area in the right pane and choose Create IP Security Policy from the shortcut menu. Follow the wizard, giving the policy a name and clicking Next at each prompt; when it finishes, the policy's property window opens, as shown in Figure 6.
 
Figure 6

In the property window click Add to start the Security Rule wizard. Choose This rule does not specify a tunnel, then All network connections, and accept Kerberos V5 as the authentication method (it is not actually used here, because the rule actions are Permit and Block rather than Negotiate security). On the IP Filter List page you will see the "WEB Oriented open" and "All WEB open" lists created earlier. Select "WEB Oriented open" and, on the Filter Action page, select Permit; finish the wizard. Then click Add again and create a second rule that selects "All WEB open" with the "WEB blocking access" action. Each rule pairs exactly one filter list with one filter action, so two rules are needed. Click OK to save the policy.

Summary:

With the steps above the protection of the Web server is essentially complete, but one final touch is needed: return to the Group Policy Editor, select Computer Configuration, Windows Settings, Security Settings, IP Security Policies on Local Computer, right-click the policy just created in the right pane and choose Assign from the shortcut menu. Only an assigned policy is enforced, and the IPSEC Services (IPSec Policy Agent) service must be running for it to take effect. From then on the LAN Web server answers only workstations in 10.176.6.0/24 on TCP port 1588; traffic from other segments is dropped regardless of protocol. Two caveats are worth remembering. The Permit and Block actions filter on source address only, so this is not authentication: a host on the LAN that can spoof a 10.176.6.0/24 address is still let in. And the policy does nothing for the confidentiality of the traffic itself; application-level authentication and TLS on the Web site are still required for sensitive business or financial data.
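The whole procedure can also be scripted, which makes it repeatable and easy to audit. The following is an added example, not part of the original article: it builds the same two filter lists, the Block action, the two rules and the assignment with the netsh ipsec static context, run from an elevated prompt on the Web server (Windows Server 2003 and later). The names WebTargetedPolicy, WebAllowSubnet, WebBlockAll and WebBlock are my own choices; the subnet, mask and port are the values the article assumes.

```powershell
# Added example: build the article's IPSec policy with netsh ipsec static.
# Run from an elevated prompt on the Web server. The object names below are
# assumptions; 10.176.6.0/24 and TCP port 1588 are the article's values.

$Policy    = "WebTargetedPolicy"
$AllowList = "WebAllowSubnet"
$BlockList = "WebBlockAll"
$BlockAct  = "WebBlock"
$Subnet    = "10.176.6.0"
$Mask      = "255.255.255.0"
$Port      = 1588

# 1. Filter list matching the permitted traffic: TCP from 10.176.6.0/24 to
#    this host's port 1588. srcport=0 means any source port; mirrored=yes
#    also covers the replies, as the GUI wizard does by default.
netsh ipsec static add filterlist name=$AllowList
netsh ipsec static add filter filterlist=$AllowList `
    srcaddr=$Subnet srcmask=$Mask dstaddr=me protocol=TCP `
    srcport=0 dstport=$Port mirrored=yes

# 2. Catch-all filter list: any protocol, any source address, to this host.
netsh ipsec static add filterlist name=$BlockList
netsh ipsec static add filter filterlist=$BlockList `
    srcaddr=any dstaddr=me protocol=ANY mirrored=yes

# 3. Block action. Permit is built in, so only Block has to be created.
netsh ipsec static add filteraction name=$BlockAct action=block

# 4. Policy with two rules. When both filters match a packet the more
#    specific one (subnet + TCP + port) wins, so the Permit rule takes
#    precedence over the catch-all Block rule.
netsh ipsec static add policy name=$Policy
netsh ipsec static add rule name=AllowSubnet policy=$Policy `
    filterlist=$AllowList filteraction=Permit
netsh ipsec static add rule name=BlockEverythingElse policy=$Policy `
    filterlist=$BlockList filteraction=$BlockAct

# 5. Assign (enforce) the policy; an unassigned policy does nothing.
netsh ipsec static set policy name=$Policy assign=y

# 6. Review what was created before trusting it.
netsh ipsec static show policy name=$Policy level=verbose
```

To check the result, a workstation inside 10.176.6.0/24 should get an HTTP answer on port 1588 while one outside it sees the connection time out (IPSec Block silently drops rather than rejecting). To back the change out, run netsh ipsec static set policy name=WebTargetedPolicy assign=n and then delete the policy, rules, filter lists and filter action in the reverse order of creation.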
