Windows 2003 Server IPSEC Example for SQL

From: Stan Kasper (kasper_at_wharton.upenn.edu)
Date: 11/29/04

    Date: Mon, 29 Nov 2004 13:55:45 -0500

    Greetings,

    I would like to secure SQL 2000 using a combination of the built-in
    firewall for Windows 2003 server and IPSEC. For the firewall I would
    open up ports 1433/TCP and 1434/UDP for SQL. Then I would use
    IPSEC to control access to those ports. Please comment on my IPSEC
    example below and on this solution for securing SQL on W2K3.

    Thanks,

    Stan

    REM MS SQL 2000 packet filter

    REM Create IPSec policy that blocks all network traffic for SQL (1433/TCP, 1434/UDP)
    REM with a server exception list.
    REM This policy is used in conjunction with the Windows 2003 firewall, which is configured
    REM to allow network traffic through said SQL ports.
    REM Replace *client* below with the IP address (or subnet) of each permitted SQL client.

    :IPSec Policy Definition
    netsh ipsec static add policy name="SQLFilter" description="SQL Hardening Policy" assign=no

    :IPSec Filter List Definitions
    netsh ipsec static add filterlist name="BlockedSQL" description="SQL Server Hardening"
    netsh ipsec static add filterlist name="AllowedSQL" description="SQL Server Hardening"

    :IPSec Filter Definitions
    netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=*client* dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
    netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=*client* dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434

    netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
    netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434

    :IPSec Rule Definitions
    netsh ipsec static add rule name="SQL Allowed" policy="SQLFilter" filterlist="AllowedSQL" kerberos=yes filteraction=Permit
    netsh ipsec static add rule name="SQL Blocked" policy="SQLFilter" filterlist="BlockedSQL" kerberos=yes filteraction=Block
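The policy above depends on a property of Windows 2000/2003 IPsec that the post does not spell out: filters are not evaluated in the order they were added; when several match a packet, the most specific one wins, which is why the client-specific permit overrides the srcaddr=any block. The Python model below is an added example, not Windows code and not part of the original post; the address 10.0.0.25 is a constructed stand-in for the *client* placeholder, and the specificity scoring is a simplification of Windows' own ordering.

```python
"""Model of how Windows 2000/2003 IPsec picks among overlapping filters.
Windows IPsec does not apply filters in creation order: when several match a
packet, the most specific one wins. This added example (not Windows code)
reproduces that ordering for the post's SQLFilter policy, showing why the
"SQL Allowed" rule (specific client address) beats "SQL Blocked" (srcaddr=any).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Filter:
    name: str
    src: str       # "any" or an IP/CIDR string (stands in for srcaddr=)
    proto: str     # "TCP", "UDP" or "any"
    dstport: int   # 0 means any port
    action: str    # "Permit" or "Block" (the rule's filteraction)

    def matches(self, src_ip: str, proto: str, dstport: int) -> bool:
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dstport in (0, dstport)

    def specificity(self) -> int:
        """Higher wins: a host beats a subnet beats 'any'; a named protocol or
        port beats a wildcard. Simplified from Windows' own ordering."""
        score = ip_network(self.src).prefixlen if self.src != "any" else 0
        score += (self.proto != "any") + (self.dstport != 0)
        return score

# Constructed stand-in for the post's *client* placeholder: one DBA workstation.
CLIENT = "10.0.0.25/32"
SQLFILTER_POLICY: List[Filter] = [
    Filter("SQL Allowed TCP", CLIENT, "TCP", 1433, "Permit"),
    Filter("SQL Allowed UDP", CLIENT, "UDP", 1434, "Permit"),
    Filter("SQL Blocked TCP", "any", "TCP", 1433, "Block"),
    Filter("SQL Blocked UDP", "any", "UDP", 1434, "Block"),
]

def decide(policy: List[Filter], src_ip: str, proto: str, dstport: int) -> Optional[str]:
    """Winning action, or None when no IPsec filter matches (the packet is
    then governed by the Windows Firewall rules alone)."""
    hits = [f for f in policy if f.matches(src_ip, proto, dstport)]
    return max(hits, key=Filter.specificity).action if hits else None

if __name__ == "__main__":
    for pkt in [("10.0.0.25", "TCP", 1433), ("192.168.1.7", "TCP", 1433), ("10.0.0.25", "TCP", 3389)]:
        print(pkt, "->", decide(SQLFILTER_POLICY, *pkt))
```

Note that traffic to ports the policy does not mention (3389 in the sample) returns None: IPsec stays out of it, so only the Windows Firewall rules decide, which is why the two mechanisms have to be kept consistent.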

