Re: IPSEC on Win2k3 - block all default/except for a few ports

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/04/05


Date: Wed, 4 May 2005 12:58:49 -0500

OK. Glad you got it to work. Yes, IPsec policies are a bit different to
configure. One thing that throws a lot of people off is that the order of
the rules makes no difference. They are weighted with "specific" rules
overriding "general" rules. Thanks for the links. -- Steve

"Ben Serebin" <Ben Serebin@discussions.microsoft.com> wrote in message
news:362C05FD-C3BB-4F06-B269-D1120292AC8D@microsoft.com...
> Hello Steven,
>
> THANK YOU. You have no idea how much time I've spent on this. The trick was
> to start with a block all filter rule, and then add exemptions. Why isn't
> this stated everywhere!!! I've set up dozens of firewalls and have never run
> into this. Damn Microsoft. I did go through everything you suggested, but in
> the end your tip was on the money. Bottom line, Microsoft needs to spend more
> time on UI and implementation development on IPSEC.
>
> FYI: the URL for securityfocus you gave is 404. I found the correct
> articles. I read part 1, 2, and 3 of the IPSEC intro. Way too basic for me.
> Here they are for your future references.
>
> SecurityFocus IPSEC URLs for overall explanation
> http://www.securityfocus.com/infocus/1519
> http://www.securityfocus.com/infocus/1526
> http://www.securityfocus.com/infocus/1528
>
> Microsoft URL was better with real world examples... but in the end I looked
> through some of the code samples, and decided to try your tip before I
> attempt their IIS IPSEC sample.
>
> Thanks again,
> -Ben
>
> P.S. If you have an Amazon wish list, let me know....
>
> "Steven L Umbach" wrote:
>
>> Your best bet is to start off with a rule with a mirrored filter for all IP
>> traffic with a block filter action. Then create another rule with the
>> exceptions for permit. Make sure you are selecting the right protocol for
>> the exceptions which would be tcp for what you have listed below. The link
>> below may help as it is a primer on building ipsec filtering policy. The
>> free Windows 2003 Server Security Guide also has examples on ipsec
>> filtering. --- Steve
>>
>> http://www.securityfocus.com/infocus/1559 -- works the same for Windows 2003
>> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
>>
>>
>> "Ben Serebin" <Ben Serebin@discussions.microsoft.com> wrote in message
>> news:62273F5E-8FC3-450C-BA10-E98D4918F97C@microsoft.com...
>> > Hello All,
>> >
>> > I've searched high and wide, and can't get this to work. I want to enable
>> > within IPSEC on Windows 2003 Server to block all ports by default unless
>> > specified (e.g. port 80, 443, 1723, 3389, etc). Once I enable a filter
>> > action of block all within IPSEC, it disables everything, except ICMP
>> > traffic. Any ideas?
>> >
>> > If I look at IPSEC Monitor, I noticed that under Quick Mode->Generic
>> > Filters->Block is the default, not sure why though.
>> >
>> > Source - ANY
>> > Destination - My IP
>> > Protocol - ANY
>> > IP Filter - All
>> > Filter Actions - Block
>> >
>> > IPSEC Rules
>> > - RDP - Allow
>> > - ICMP - Allow
>> > - All - Block
>> > - Dynamic - Default Response (Preshared Key)
>> >
>> > Thanks,
>> > -Ben
>>
>>
>>
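The policy Steve describes above (one mirrored any/any filter with a Block action, plus a second rule that permits the specific TCP ports) can be built from the command line instead of the MMC snap-in. The script below is an added example for this thread, not something either poster provided; it uses the `netsh ipsec static` context that Windows Server 2003 ships with, the port list Ben mentioned (80, 443, 1723, 3389), and policy, filter-list and rule names chosen here for illustration. Because the IPsec driver matches the most specific filter first, the per-port permit filters beat the any/any block filter no matter which rule was added first, which is the ordering point made above.

```powershell
# Added example (not from the thread): "block everything, permit a short list
# of TCP ports" IPsec policy on Windows Server 2003 via netsh ipsec static.
# Names below ($Policy, "Block", "Permit", "AllTraffic", "AllowedInbound",
# "BlockAll", "AllowListed") are arbitrary choices for this example.
# Run this from the server console: assigning the policy takes effect at once,
# and a mistake in the 3389 exception will cut off an RDP session.

$Policy          = 'BlockAllExceptListed'
$AllowedTcpPorts = 80, 443, 1723, 3389    # assumption: the ports to expose

# 1. Policy object. activatedefaultrule=no leaves out the built-in
#    "Default Response" rule that shows up as the "Dynamic" entry in the list.
#    IKE (UDP 500) is exempt from filtering by default on Windows Server 2003.
netsh ipsec static add policy name=$Policy activatedefaultrule=no

# 2. Filter actions: a plain block and a plain permit (no negotiation).
netsh ipsec static add filteraction name=Block  action=block
netsh ipsec static add filteraction name=Permit action=permit

# 3. Catch-all rule: mirrored filter, any source -> me, all protocols -> Block.
#    This is the "general" filter; on its own it blocks everything but IKE.
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=any dstaddr=me `
    protocol=any mirrored=yes
netsh ipsec static add rule name=BlockAll policy=$Policy `
    filterlist=AllTraffic filteraction=Block

# 4. Exceptions: one TCP filter per port (srcport=0 means any source port).
#    These are "specific" filters, so they override the any/any block filter
#    regardless of the order the rules were created in.
netsh ipsec static add filterlist name=AllowedInbound
foreach ($port in $AllowedTcpPorts) {
    netsh ipsec static add filter filterlist=AllowedInbound srcaddr=any dstaddr=me `
        protocol=tcp srcport=0 dstport=$port mirrored=yes
}
# Caveat not covered in the thread: if 1723 is for PPTP, the tunnel data also
# travels over GRE (IP protocol 47), which needs its own filter, e.g.
#   netsh ipsec static add filter filterlist=AllowedInbound srcaddr=any dstaddr=me protocol=47 mirrored=yes
netsh ipsec static add rule name=AllowListed policy=$Policy `
    filterlist=AllowedInbound filteraction=Permit

# 5. Review the policy as stored, then assign it. Only one local policy can be
#    assigned at a time; assigning this one unassigns any previous local policy.
netsh ipsec static show policy name=$Policy level=verbose
netsh ipsec static set policy name=$Policy assign=y

# 6. Check what the driver actually loaded. This is the same view IPSEC Monitor
#    gives under Quick Mode -> Generic Filters.
netsh ipsec dynamic show qmfilter
```

Two things worth checking after assigning: `netsh ipsec dynamic show qmfilter` should list the any/any Block filter alongside the per-port Permit filters, and a domain-assigned IPsec policy from Group Policy will take precedence over this local one, so on a domain member confirm with `netsh ipsec static show gpoassignedpolicy` that nothing else is being applied. To back out, run `netsh ipsec static set policy name=BlockAllExceptListed assign=n` from the console.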