Re: IPSec Security



To hinder the browsing behavior on the machine that is not to be
browsed, the registry values Hidden (DWORD 1) and Announce (DWORD 0)
could help. If I am recalling correctly these are in the
services/lanmanserver, perhaps lanmanserver/parameters, key of HKLM.

I do not see how the proposed filter rules would accomplish what
the poster is after, as the two mirrored rules outlined seem to only
disallow SMB and direct hosting from/to/with any IP except for
the desired subnet (the 192.168 . . .) and with that would allow
both ways. What did I miss here?


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23%23bydNjIGHA.3408@xxxxxxxxxxxxxxxxxxxxxxx
> On the computers on network 172.18.6.100 create an ipsec policy that has a
> mirrored rule for filter action block for the ports you mention for all IP
> addresses and then create a rule for the allowed subnets with a permit
> filter action. For computers on 172.18.6.100 you would want to use
> destination ports as SMB 13x ports, protocols as needed, and 445 and
> destination address as "my IP". The link may help in setting up ipsec
> filtering policy. Note that this may not stop "browsing" which is largely
> broadcast based but should prevent access to the share from blocked
> networks. Of course share/NTFS permissions should also be configured as to
> not allow unauthorized users/groups access. --- Steve
>
> http://www.securityfocus.com/infocus/1559
>
> <bucrepus> wrote in message news:OvpnONSIGHA.2696@xxxxxxxxxxxxxxxxxxxxxxx
>> For the sake of simplicity, I have 2 XP stations and 1 Win2003 server as
>> router with 2 NICs. (Actually I have numerous machines on each side subnet.)
>> XP station 1 on 172.18.6.100 and XP 2 on 192.168.0.100. One server NIC is
>> 172.18.6.1 and the other 192.168.0.1. I want to be able to copy / browse
>> files from XP1 to XP2, but NOT allow XP2 to browse / see any machines on
>> XP1's side. I have tried using IPSec to block the SMB 13x ports and 445, but
>> can't seem to get the right combo. Any ideas? In other words, I don't want
>> anyone on XP2 to be able to go to the run box and type \\XP1 or
>> \\172.18.6.100 and get a browse window or share list. (One-way copy /
>> list.)
>> Thanks
>> Bucrepus
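An added example, not posted by anyone in this thread, that models the two mirrored rules described in Steve's reply and evaluates them against the flows Bucrepus cares about (XP2 opening XP1's shares, XP1 opening XP2's shares, an unrelated host reaching XP1). The filter semantics it assumes are a simplified model of Windows IPsec policy: the most specific matching filter decides, unmatched traffic passes, and a mirrored filter also matches the reverse flow with the addresses swapped and its "destination port" compared against the packet's source port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed topology from the thread: the policy is assigned to XP1 ("My IP").
MY_IP = ip_network("172.18.6.100/32")
SMB_PORTS = frozenset({135, 137, 138, 139, 445})

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Filter:
    action: str                              # "permit" or "block"
    src: Optional[object] = None             # ip_network; None = any address
    dst: Optional[object] = None
    dports: Optional[FrozenSet[int]] = None  # None = any port
    mirrored: bool = True

    def _one_way(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src is None or ip_address(src) in self.src) and
                (self.dst is None or ip_address(dst) in self.dst) and
                (self.dports is None or dport in self.dports))

    def matches(self, p: Packet) -> bool:
        # Mirrored filter: also match the reverse flow (swapped addresses,
        # filter's destination port checked against the packet's source port).
        return (self._one_way(p.src, p.dst, p.dport) or
                (self.mirrored and self._one_way(p.dst, p.src, p.sport)))

    def specificity(self) -> int:
        return sum(f is not None for f in (self.src, self.dst, self.dports))

def evaluate(filters, p: Packet) -> str:
    """Most specific matching filter wins; unmatched traffic is passed (assumed
    simplification of the Windows IPsec filter model)."""
    hits = [f for f in filters if f.matches(p)]
    return max(hits, key=Filter.specificity).action if hits else "permit"

# The two mirrored rules as described in Steve's reply, assigned on XP1.
POLICY = [
    Filter("block", dst=MY_IP, dports=SMB_PORTS),
    Filter("permit", src=ip_network("192.168.0.0/24"), dst=MY_IP, dports=SMB_PORTS),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Packet("192.168.0.100", 1040, "172.18.6.100", 445)))
```

Running it shows the permit rule for the 192.168.0.0/24 subnet is the more specific match for an XP2-to-XP1 SMB connection, which is the direction the original question wanted blocked.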