Windows: using the command line to configure the IPsec policy

Source: Internet
Author: User
Tags: dameware mini remote control

Source address: http://www.zjahzz.com/blog/article.asp?Id=99

IPsec
The first thing to note is that IPsec and TCP/IP filtering are two different things; do not confuse them. The TCP/IP filtering function is very limited and far less flexible and powerful than IPsec. The following describes how to control IPsec from the command line.


Windows XP: ipseccmd
Windows 2000: ipsecpol
Windows 2003: IPSec
Unfortunately, none of them is installed with the system. ipseccmd is in support\tools\support.cab on the Windows XP installation disk, and ipsecpol is in the Windows 2000 Resource Kit. In addition, ipsecpol needs two more files, ipsecutil.dll and text2pol.dll; the three files total 119 KB.

Blocking insecure ports with IPsec from the Windows XP command line.
IPsec stands for Internet Protocol Security. Its main function is to encrypt and authenticate network packets according to IPsec rules. I have not used those advanced functions, only the filtering function: by setting rules that filter packets, you can block connections to insecure ports.

You can run gpedit.msc and set it manually under Windows Settings > Computer Settings > IP Security Settings. A simpler method is to use the ipseccmd command.

ipseccmd is not installed by default in Windows XP; it is in support\tools\support.cab on the installation disk. In Windows 2000 the tool is named ipsecpol, and it is not installed by default either; you will have to find it yourself.

You can use ipseccmd to set filtering rules. Its main function is to define a filtering rule, give the rule a name, and assign it to a named policy; a policy is just a set of filtering rules. For example, to block sending and receiving in both directions on TCP port 135, run the following command:

ipseccmd -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK -x

Here we use static mode. The common parameters are as follows:
-w REG indicates that the configuration is written to the registry and remains valid after a restart.
-p specifies the policy name. If the policy already exists, the rule is added to it; otherwise the policy is created.
-r specifies the rule name.
-n specifies the action, which can be BLOCK, PASS, or INPASS. It must be written in uppercase.
-x activates the policy.
-y deactivates the policy.
-o deletes the policy specified by -p.

The most important parameter is -f, which defines your filtering rule.
Format: A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
The source address comes before the "=" and the destination address after it.
If "+" is used instead of "=", the rule is mirrored (bidirectional). For IP addresses, "*" means any address and "0" means this machine's own address. Wildcards are also accepted: 144.92.*.* is equivalent to 144.92.0.0/255.255.0.0.
Run ipseccmd /? to get help.

If you want to delete a rule, you must first deactivate it with -y; otherwise the rule stays in effect for a period of time.
blockport.bat in the attachment is a sample of mine; you can use it as a starting point for your own modifications.

Now you can use IPsec to customize your filtering rules as needed. If there are insecure ports or IP addresses you do not like, you can keep them outside your front door.

Your machine is now basically safe, and you no longer have to worry about plugging in the network cable. The weather is good today, so hurry up and surf the Internet. There are beautiful shells on the coast; don't forget to bring me a few.

[Code list]

@echo off
REM
REM blockport.bat
REM
REM Spirituel@smth
REM
REM This file uses IPsec filters to block the default ports of Windows.
REM It works on Windows 2003 and Windows XP if the ipseccmd command is available.
REM It can also work on Windows 2000 if you change "ipseccmd" to "ipsecpol" and the ipsecpol command works.
REM You can customize your own policy easily.
REM Please refer to readme.txt for more details.
REM Notice: no warranty at all. Please use it carefully.
REM
REM
REM
echo [usage] blockport [-o or -y]
echo Without a parameter: set the policy of filter rules and enable it.
echo -y parameter: make the policy inactive.
echo -o parameter: disable and delete the policy.

if "%1"=="-y" goto inactive
if "%1"=="-o" goto delete

@echo on
ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o
ipseccmd -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK
@REM ipseccmd -w REG -p "Block default ports" -r "Block ping" -f 0+*:ICMP -n BLOCK
ipseccmd -w REG -p "Block default ports" -x
@goto end

:inactive
@echo on
ipseccmd -w REG -p "Block default ports" -y
@goto end

:delete
@echo on
ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o

:end
@echo off
pause

IPsec can be controlled through Group Policy, but I have searched MSDN and not found the syntax of the corresponding security template, and a configured IPsec policy cannot be exported as a template, so the Group Policy route does not work. The IPsec settings are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local. In theory you could configure IPsec by modifying the registry, but the data is stored in binary form and is hard to read and modify. By comparison, uploading the command line tool is more convenient.


Windows 2000 ipsecpol examples

There is plenty of information about ipsecpol and ipseccmd on the Internet, so this article does not go into the details and just lists some practical examples.
For setting an IPsec policy, the syntax of ipseccmd is almost the same as that of ipsecpol, so only ipsecpol is used in the examples:

1. Defend against RPC-DCOM attacks

ipsecpol -p myfirewall -r RPC-DCOM -f *+0:135:TCP *+0:135:UDP *+0:137:UDP *+0:138:UDP *+0:139:TCP *+0:445:TCP *+0:445:UDP -n BLOCK -w REG -x

This command blocks TCP ports 135, 139 and 445 and UDP ports 135, 137, 138 and 445 on the local host.
The parameters mean the following:
-p myfirewall: specifies the policy name myfirewall.
-r RPC-DCOM: specifies the rule name RPC-DCOM.
-f ...... creates 7 filters. * means any address (source); 0 means the local address (destination); + means mirrored (bidirectional) filtering. For the detailed syntax, see ipsecpol -?
-n BLOCK specifies that the filter action is "block". Note that BLOCK must be in uppercase.
-w REG writes the configuration to the registry so that it remains valid after a restart.
-x activates the policy immediately.

2. Prevent ping

ipsecpol -p myfirewall -r antiping -f *+0:ICMP -n BLOCK -w REG -x

If a policy named myfirewall already exists, the antiping rule is added to it.
Note that this rule also prevents the host itself from pinging others.

3. Restrict the IP addresses allowed to reach a remote-control service
Assume that you have installed DameWare Mini Remote Control on a host. To protect it from brute-force password cracking or an overflow, access to its service port 6129 should be restricted.

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:TCP -n BLOCK -w REG
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:TCP -n PASS -w REG -x

In this way, only 123.45.67.89 can access port 6129 of the host.
If your own address is dynamic, set the rule on an IP address range instead. For example:

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:TCP -n BLOCK -w REG
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:TCP -n PASS -w REG -x

In this way, addresses from 123.45.67.1 to 123.45.67.254 are allowed to access port 6129.
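To make the filterspec format from the -f section and the block-all/pass-one layering of this section concrete, here is an added Python example that is not part of the original article or of ipsecpol/ipseccmd themselves. It parses filterspecs of the form src[=|+]dst[:port][:protocol] exactly as the article describes them ("*" = any address, "0" = this machine, trailing wildcard octets, "+" = mirrored) and then decides which action a policy applies to a given packet. Assumptions, not from the page: LOCAL_IP is a constructed stand-in for the machine's own address, and the evaluation uses a simplified version of IPsec filter weighting in which the most specific matching filter (longest address prefixes, then an explicit port, then an explicit protocol) wins, which is what makes the pass rule for 123.45.67.* override the block-all rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for this machine's own address ("0" in a filterspec);
# 192.0.2.0/24 is a documentation range, not a real host.
LOCAL_IP = ipaddress.IPv4Address("192.0.2.10")


@dataclass(frozen=True)
class Filter:
    rule: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int]      # None = any port
    dst_port: Optional[int]
    proto: Optional[str]         # None = any protocol
    mirrored: bool               # '+' in the spec: the reverse direction matches too
    action: str                  # "block" or "pass"


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """'*' = any address, '0' = this machine, A.B.C.D/mask, or trailing wildcard octets."""
    if text == "*":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if text == "0":
        return ipaddress.IPv4Network(f"{LOCAL_IP}/32")
    if "/" in text:
        return ipaddress.IPv4Network(text, strict=False)    # accepts /16 or /255.255.0.0
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad address {text!r}")
    if "*" in octets:
        fixed = octets.index("*")
        if any(o != "*" for o in octets[fixed:]):
            raise ValueError(f"wildcard octets must be trailing: {text!r}")
        net = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
        mask = ".".join(["255"] * fixed + ["0"] * (4 - fixed))
        return ipaddress.IPv4Network(f"{net}/{mask}")       # 144.92.*.* -> 144.92.0.0/255.255.0.0
    return ipaddress.IPv4Network(f"{text}/32")


def _parse_endpoint(text: str):
    """addr[:port][:protocol]: a numeric token is a port, a non-numeric one a protocol."""
    parts = text.split(":")
    net = parse_addr(parts[0])
    port, proto = None, None
    for tok in parts[1:]:
        if tok.isdigit():
            port = int(tok)
        elif tok:
            proto = tok.upper()
    return net, port, proto


def parse_filterspec(spec: str, rule: str, action: str) -> Filter:
    """Parse one -f filterspec: src=dst is one-way, src+dst is mirrored."""
    spec = spec.replace(" ", "")
    if "+" in spec:
        src_text, dst_text = spec.split("+", 1)
        mirrored = True
    elif "=" in spec:
        src_text, dst_text = spec.split("=", 1)
        mirrored = False
    else:
        raise ValueError("filterspec needs '=' (one-way) or '+' (mirrored)")
    src, src_port, src_proto = _parse_endpoint(src_text)
    dst, dst_port, proto = _parse_endpoint(dst_text)
    if src_proto is not None:
        raise ValueError("the protocol belongs after the destination endpoint")
    return Filter(rule, src, dst, src_port, dst_port, proto, mirrored, action.lower())


def _matches(f: Filter, src_ip, src_port, dst_ip, dst_port, proto) -> bool:
    return (src_ip in f.src and dst_ip in f.dst
            and (f.src_port is None or f.src_port == src_port)
            and (f.dst_port is None or f.dst_port == dst_port)
            and (f.proto is None or f.proto == proto))


def evaluate(policy: List[Filter], src_ip: str, src_port: Optional[int],
             dst_ip: str, dst_port: Optional[int], proto: str) -> str:
    """Action for one packet; simplified weighting: the most specific matching filter wins."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    hits = [f for f in policy
            if _matches(f, s, src_port, d, dst_port, proto)
            or (f.mirrored and _matches(f, d, dst_port, s, src_port, proto))]
    if not hits:
        return "no-match"                                    # IPsec leaves the packet alone
    best = max(hits, key=lambda f: (f.src.prefixlen + f.dst.prefixlen,
                                    f.dst_port is not None, f.proto is not None))
    return best.action


# The myfw policy of section 3: block 6129/TCP for everyone, then pass one /24.
MYFW = [
    parse_filterspec("*+0:6129:TCP", "dwmrc_block_all", "BLOCK"),
    parse_filterspec("123.45.67.*+0:6129:TCP", "dwmrc_pass_me", "PASS"),
]

if __name__ == "__main__":
    for src in ("123.45.67.89", "198.51.100.7"):
        print(src, "->", evaluate(MYFW, src, 50000, str(LOCAL_IP), 6129, "TCP"))
```

Running the script shows 123.45.67.89 reaching port 6129 while 198.51.100.7 is blocked; because the rules are mirrored, the local host's own replies from port 6129 to a blocked peer are blocked as well, which is why the article warns about locking yourself out before adding a pass rule for your own address.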

When writing rules, be careful not to block yourself. If you are not sure that a rule will behave as expected, you can "leave a back path" by creating a scheduled task first. For example:

C:\>net start schedule
The Task Scheduler service is starting..
The Task Scheduler service was started successfully.

C:\>time /t
12:34

C:\>at 12:39 ipsecpol -p myfw -y -w REG
A new job has been added with job ID = 1.

That gives you five minutes to set up the myfw policy and test it; after 5 minutes the scheduled task deactivates the policy.
If the test results are not satisfactory, delete the policy:

C:\>ipsecpol -p myfw -o -w REG

Note: before deleting a policy, make sure it has been deactivated. If you delete it without deactivating it, the deletion takes effect only after a period of time, which depends on the policy refresh interval; the default is 180 minutes.

If the test passes, enable the policy:

C:\>ipsecpol -p myfw -x -w REG

Finally, let's look at how to view the IPsec policy.
On XP it is very easy; just run one command: ipseccmd show filters
ipsecpol has no query function, so use the command line tool netdiag instead. It is located in support\tools\support.cab on the Windows 2000 installation disk. (If you have already uploaded three files, you won't mind uploading one more. ^_^)

netdiag requires the RemoteRegistry service, so start that service first:

net start RemoteRegistry

If RemoteRegistry is not started, an error is returned:

[FATAL] Failed to get system information of this machine.

netdiag is a powerful tool that can obtain all kinds of network-related information. However, its output is always very detailed and exceeds the output buffer of cmd.exe; in a remote cmd shell, the more command can be used for paging.

The command to view the IPsec policy is:
netdiag /debug /test:ipsec

This produces a long string of output; the IPsec policy is at the end.
