Re: IPSEC on Win2k3 - block all default/except for a few ports

From: Ben Serebin (Serebin_at_discussions.microsoft.com)
Date: 05/04/05

    Date: Tue, 3 May 2005 19:46:52 -0700

    Hello Steven,

    THANK YOU. You have no idea how much time I've spent on this. The trick was
    to start with a block all filter rule, and then add exemptions. Why isn't
    this stated everywhere!!! I've set up dozens of firewalls and have never run
    into this. Damn Microsoft. I did go through everything you suggested, but in
    the end your tip was on the money. Bottom line, Microsoft needs to spend more
    time on UI and implementation development on IPSEC.

    FYI: the URL for securityfocus you gave is 404. I found the correct
    articles. I read part 1, 2, and 3 of the IPSEC intro. Way too basic for me.
    Here they are for your future reference.

    SecurityFocus IPSEC URLs for overall explanation
    http://www.securityfocus.com/infocus/1519
    http://www.securityfocus.com/infocus/1526
    http://www.securityfocus.com/infocus/1528

    Microsoft URL was better with real world examples... but in the end I looked
    through some of the code samples, and decided to try your tip before I
    attempt their IIS IPSEC sample.

    Thanks again,
    -Ben

    P.S. If you have an Amazon wish list, let me know....

    "Steven L Umbach" wrote:

    > Your best bet is to start off with a rule with a mirrored filter for all IP
    > traffic with a block filter action. Then create another rule with the
    > exceptions for permit. Make sure you are selecting the right protocol for
    > the exceptions which would be tcp for what you have listed below. The link
    > below may help as it is a primer on building ipsec filtering policy. The
    > free Windows 2003 Server Security Guide also has examples on ipsec
    > filtering. --- Steve
    >
    > http://www.securityfocus.com/infocus/1559 -- works the same for Windows
    > 2003
    > http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
    >
    >
    > "Ben Serebin" <Ben Serebin@discussions.microsoft.com> wrote in message
    > news:62273F5E-8FC3-450C-BA10-E98D4918F97C@microsoft.com...
    > > Hello All,
    > >
    > > I've searched high and wide, and can't get this to work. I want to enable
    > > within IPSEC on Windows 2003 Server to block all ports by default unless
    > > specified (e.g. port 80, 443, 1723, 3389, etc). Once I enable a filter
    > > action
    > > of block all within IPSEC, it disables everything, except ICMP traffic.
    > > Any
    > > ideas?
    > >
    > > If I look at IPSEC Monitor, I noticed that under Quick Mode->Generic
    > > Filters->Block is the default, not sure why though.
    > >
    > > Source - ANY
    > > Destination - My IP
    > > Protocol - ANY
    > > IP Filter - All
    > > Filter Actions - Block
    > >
    > > IPSEC Rules
    > > - RDP - Allow
    > > - ICMP - Allow
    > > - All - Block
    > > - Dynamic - Default Response (Preshared Key)
    > >
    > > Thanks,
    > > -Ben

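The "block everything, then permit exceptions" layout Steve describes, scripted for the Windows Server 2003 `netsh ipsec static` context so it can be reviewed and reapplied instead of clicked through the MMC snap-in. This is an added example and not code from the thread: the policy, filter list, filter action and rule names are arbitrary, the TCP ports are the ones Ben listed, and the GRE and ICMP filters are additions flagged in the comments.

```batch
@echo off
rem Added example (not from the thread). Builds the "block all, then permit
rem exceptions" IPsec policy on Windows Server 2003 with netsh. All names
rem below are arbitrary choices; the permitted ports come from Ben's list.

rem 1. Create the policy unassigned. activatedefaultrule=no leaves out the
rem    "Dynamic - Default Response" rule that appeared in Ben's rule list.
netsh ipsec static add policy name="Block-All-Permit-Some" description="Drop everything except listed services" activatedefaultrule=no assign=no

rem 2. Two filter actions: one that drops, one that passes traffic in clear.
netsh ipsec static add filteraction name="Drop" action=block
netsh ipsec static add filteraction name="Pass" action=permit

rem 3. The catch-all filter: any source to this host, any protocol, mirrored
rem    so the reverse direction is covered as well.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes description="Everything"

rem 4. Exceptions. protocol=TCP is the detail Steve points out; srcport=0
rem    means any source port; mirrored=yes lets the server's replies out.
netsh ipsec static add filterlist name="Permitted Services"
for %%P in (80 443 1723 3389) do netsh ipsec static add filter filterlist="Permitted Services" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=%%P mirrored=yes description="TCP %%P"

rem    Addition not in the thread: PPTP (TCP 1723) carries its data in GRE,
rem    IP protocol 47, so the VPN passes no traffic without this filter.
netsh ipsec static add filter filterlist="Permitted Services" srcaddr=Any dstaddr=Me protocol=47 mirrored=yes description="GRE for PPTP"

rem    ICMP, which Ben kept permitted in his own rule list.
netsh ipsec static add filter filterlist="Permitted Services" srcaddr=Any dstaddr=Me protocol=ICMP mirrored=yes description="ICMP"

rem 5. Both rules live in the same policy. The more specific filter takes
rem    precedence, so the permits win over the catch-all for matching packets.
netsh ipsec static add rule name="Block everything" policy="Block-All-Permit-Some" filterlist="All IP Traffic" filteraction="Drop"
netsh ipsec static add rule name="Permit listed services" policy="Block-All-Permit-Some" filterlist="Permitted Services" filteraction="Pass"

rem 6. Review the result before assigning it. Assigning over RDP with a
rem    wrong exception list locks you out; keep a console session open.
netsh ipsec static show policy name="Block-All-Permit-Some" level=verbose
netsh ipsec static set policy name="Block-All-Permit-Some" assign=yes
```

Two things to check before assigning: Windows 2003 IPsec filters are static, not stateful, so the catch-all block also stops connections the server itself opens (DNS, domain controller traffic, update downloads) unless a mirrored permit filter covers them; and `netsh ipsec static show policy ... level=verbose` should list exactly the two rules above, so that an extra default response rule or a filter created as UDP instead of TCP is caught before the policy goes live.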
