How to secure a WEB Server on a workstation on an Intranet with IPSec?

From: Tony Gangemi (gangemia_at_usq.edu.au)
Date: 04/07/05

    Date: Thu, 7 Apr 2005 15:17:52 +1000
    
    

    My workstation is Windows XP Pro SP2 on a company intranet (static IP
    addresses are used in AD). I want to install and use a localised WEB Server
    (IIS5.1) on my workstation but I do not want it to be known to others on the
    intranet which they can access. I only want access to the WEB Server for
    all the other workstations I personally use for testing ASP for example.

    I have tried setting IPsec filters using the procedures from Microsoft
    TechNet to lock down a server for WEB server.
    (see http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx)

    However, after I apply the policy, it blocks all my outbound requests to the
    internet through to our proxy server so something is incorrectly configured.
    How can I achieve running a WEB server on my workstation whilst locking it
    down but still gain outbound access to the internet? The steps I undertook
    are shown below.

    I would appreciate your solutions.

    Regards,

    Tony
    gangemia@usq.edu.au

    1. Local Security Settings
    2. Select IP Security Policies on Local Computer
    3. Action > Manage IP filter lists and filter actions.
    4. Add and give filter list name as "Inbound WEB Protocols" > Add
    5. IP Filter Wizard appears > Next
    6. Source Address: "Any IP Address" > Next
    7. Destination Address: "My IP Address" > Next
    8. Select a protocol "TCP" > Next
    9. IP Protocol Port "To this port" 80 > Next > Finish > OK
    10. Add "All inbound Traffic" > Add > Next
    11. Source Address: "Any IP Address" > Next
    12. Destination Address: "My IP Address" > Next
    13. Select a protocol "Any" > Next > Finish > OK
    14. Manage Filter Action Tab
    15. Add > Next > Name is "Block" > Next
    16. Filter Action General Options > "Block" selected
    17. Finish > Close
    18. Action > Create IP Security Settings > Next
    19. IP Security Policy Name "Packet Filter" given > Next
    20. Uncheck "Activate the default response rule" > Next
    21. Finish
    22. On Packet Filter Properties dialogue > Add
    23. Next
    24. "This rule does not specify a tunnel" selected > Next
    25. "All network connections" selected > Next
    26. "Active Directory default (Kerberos V5 protocol)" selected > Next
    27. "Inbound WEB Protocols" selected > Next
    28. "Permit" filter action selected > Next
    29. Finish > OK
    30. Add > Next
    31. "This rule does not specify a tunnel" selected > Next
    32. "All network connections" selected > Next
    33. "Active Directory default (Kerberos V5 protocol)" selected > Next
    34. "All inbound Traffic" selected > Next
    35. "Block" filter action selected > Next > Finish > Close
    36. Right Click "Packet Filter" policy > Assign
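
The following is an added example, not part of the original post: a simplified Python model of stateless, most-specific-match filtering applied to the two filter lists from steps 4-36, showing why replies from the proxy hit the "All inbound Traffic" block and how narrower permit filters change the outcome. All addresses, the proxy port 8080 and the specificity scoring are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: this workstation, the proxy, a test workstation, another intranet host.
ME, PROXY, TESTBOX, OTHER = "10.0.0.50", "10.0.0.8", "10.0.0.51", "10.0.0.99"
ANY = "0.0.0.0/0"

def flt(src, dst, proto=None, sport=None, dport=None, action="block"):
    return {"src": ip_network(src), "dst": ip_network(dst), "proto": proto,
            "sport": sport, "dport": dport, "action": action}

def matches(f, p):
    return (ip_address(p["src"]) in f["src"] and ip_address(p["dst"]) in f["dst"]
            and f["proto"] in (None, p["proto"])
            and f["sport"] in (None, p["sport"])
            and f["dport"] in (None, p["dport"]))

def specificity(f):
    # Simplified ranking: narrower addresses first, then a named protocol, then named ports.
    return (f["src"].prefixlen + f["dst"].prefixlen,
            f["proto"] is not None,
            (f["sport"] is not None) + (f["dport"] is not None))

def decide(policy, p):
    hits = [f for f in policy if matches(f, p)]
    # Traffic that matches no filter is left alone; otherwise the most specific filter wins.
    return max(hits, key=specificity)["action"] if hits else "permit"

def pkt(src, dst, sport, dport, proto="tcp"):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# The policy as built in the post.
AS_POSTED = [
    flt(ANY, ME, "tcp", dport=80, action="permit"),      # "Inbound WEB Protocols"
    flt(ANY, ME),                                        # "All inbound Traffic" -> Block
]
# Hypothetical adjustment: port 80 only from the test workstation, plus proxy replies.
ADJUSTED = [
    flt(TESTBOX, ME, "tcp", dport=80, action="permit"),
    flt(PROXY, ME, "tcp", sport=8080, action="permit"),  # assumed proxy port
    flt(ANY, ME),
]

PROXY_REPLY = pkt(PROXY, ME, 8080, 49152)       # reply to an outbound browser request
WEB_FROM_TESTBOX = pkt(TESTBOX, ME, 49153, 80)
WEB_FROM_OTHER = pkt(OTHER, ME, 49154, 80)

if __name__ == "__main__":
    for name, policy in (("as posted", AS_POSTED), ("adjusted", ADJUSTED)):
        print(name, [decide(policy, p) for p in (PROXY_REPLY, WEB_FROM_TESTBOX, WEB_FROM_OTHER)])
```

Because these filters are stateless, the proxy permit in the adjusted policy admits any TCP segment from the proxy's address with source port 8080, not only replies to connections the workstation opened.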

