Note: Be cautious when performing these operations on any server. Click OK to implement it again! Protecting only the link and the website being attacked does not remotely protect the client.
IPsec Security Policy
Method: Set security policies. Use Windows IPsec for protection. Allow ports 80 and 3306. Deny connections on all other ports.
1: Control Panel > System and Security > Administrative Tools > Local Security Policy
Open the Local Security Policy. By default there are no policies. Here I have already added one.
Right-click the policy, choose Properties, and click Add.
Note that the security policy rules are sorted by letter or number, and A starts at the bottom (do not set deny the first time, only allow).
The client accesses a fixed server, so here we use the default.
For the network type, we use All network connections.
Click Add directly. You can give the IP filter list a name.
Click Add.
The next step shows the description page. Select Mirrored.
Next comes the IP traffic source. In this case we provide a web service, so we allow all IP addresses: for the source address, select Any IP Address.
In the next step, select the destination address. Because the client accesses our web server, we select My IP Address directly.
Because it is an HTTP service, select TCP and click Next to reach the protocol port settings.
The client requests port 80 on the server, so select this port. Click Finish.
An IP filter has now been created.
After the creation is complete, select it in the list and click Next to set the filter action. (I have already added one.) Click Add here.
Enter a name for the filter action. Because it is for port 80, the name is "unconditionally allowed".
Click Next. There are three action options: Permit, Block, and Negotiate security. We select Permit directly.
Click Finish, return to the security rule wizard page, and select the permit action we have just created.
Click Next and return. We continue adding the required filter lists: on the IP filter list page, add the filter for the other port, repeat the action settings above, and click OK.
Common services (for example, web services provided on the Internet, or other fixed public ports)
Access rules
Next we set fixed access rules, for example when the website and the database are on separate servers.
Port 3306 is for one fixed machine to access another fixed machine; no one else is allowed to access this port. Port 80 provided by the server is public and is set up as described above.
Let's see how to set up fixed access for port 3306:
In the IP filter list, click Add.
Enter a name. Click Add, then Next, set the description, then set the IP traffic source.
The website is the requesting side and the database server is the target, so here we select My IP Address.
Click Next to set the destination address. Select A specific IP address or subnet and enter an IP address.
Click Next, select TCP, set the port to 3306, and click Finish. In the IP filter list, click OK to return to the selection page. Select the 3306 filter just created and click Next to continue in the security rule wizard.
Click Add. This time we select the Negotiate security option. Click Next.
After completing it, we are back on the security rules page. Select the negotiation action we just created.
We are now at the authentication method. Choose to protect the key exchange with a string (preshared key).
Now everything is complete. Right-click the policy and choose Assign. Never forget to set a deny policy whose name starts with w: from all addresses to the local server, all protocols. No !.
Result: Only web page access works normally, and the database can be called remotely.
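The same policy built from the command line with netsh ipsec static, as an added example that is not part of the original tutorial. The policy, filter list, action and rule names, the database address 192.0.2.10 and the preshared key are placeholders assumed for illustration.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Run on the web server from an elevated PowerShell session.
$Policy = 'WebServerPolicy'                    # hypothetical policy name
$DbIp   = '192.0.2.10'                         # placeholder database server address
$Psk    = 'REPLACE-WITH-LONG-RANDOM-STRING'    # placeholder preshared key

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command and stop at the first failure.
    & netsh ipsec static @args
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $args failed" }
}

# Policy container; it has no effect until it is assigned in the last step.
Invoke-IpsecStatic add policy name=$Policy

# Filter lists: public HTTP, web server to database, and everything else.
foreach ($list in 'Http80', 'MySql3306', 'AllToMe') {
    Invoke-IpsecStatic add filterlist name=$list
}
Invoke-IpsecStatic add filter filterlist=Http80 srcaddr=any dstaddr=me protocol=TCP dstport=80 mirrored=yes
Invoke-IpsecStatic add filter filterlist=MySql3306 srcaddr=me dstaddr=$DbIp protocol=TCP dstport=3306 mirrored=yes
Invoke-IpsecStatic add filter filterlist=AllToMe srcaddr=any dstaddr=me protocol=ANY mirrored=yes

# The three filter actions offered by the wizard.
Invoke-IpsecStatic add filteraction name=Permit action=permit
Invoke-IpsecStatic add filteraction name=Negotiate action=negotiate 'qmsecmethods=ESP[3DES,SHA1]'
Invoke-IpsecStatic add filteraction name=Block action=block

# Rules: permit 80, negotiate 3306 with a preshared key, block the rest.
# The deny rule name starts with "w", following the tutorial's naming advice.
Invoke-IpsecStatic add rule name=AllowHttp policy=$Policy filterlist=Http80 filteraction=Permit
Invoke-IpsecStatic add rule name=SecureMySql policy=$Policy filterlist=MySql3306 filteraction=Negotiate psk=$Psk
Invoke-IpsecStatic add rule name=wDenyAll policy=$Policy filterlist=AllToMe filteraction=Block

# Review the result, then assign the policy to make it active.
Invoke-IpsecStatic show policy name=$Policy level=verbose
Invoke-IpsecStatic set policy name=$Policy assign=yes
```

The negotiated 3306 rule only carries traffic if the database server has a matching IPsec rule with the same preshared key. Assigning the policy over a remote session whose port is not in a permit rule will cut that session off.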
Implicit bypass solution: Start with problems on the web page. The exported shell file is obtained after penetration. Download it locally and modify it.
Target type: General hacker attacks. Prevents Cain.