Re: IPSec Security
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 09:06:13 -0600
I was assuming he did not want to restrict what networks 172 can connect to
for file shares and hence not use any ipsec policy to prevent such. The
block I suggested [or meant to suggest] was for only inbound fps ports to
172 [destination my IP, ports/protocols - fps] from anywhere [source any
IP, source ports any]- not block all and everything inbound/outbound for 172
computers. --- Steve
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:uIjIyboIGHA.1760@xxxxxxxxxxxxxxxxxxxxxxx
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:e0mI01kIGHA.2900@xxxxxxxxxxxxxxxxxxxxxxx
>>I was proposing that he allow only inbound file and print sharing to 172
>>from whatever networks he wanted in the permit rule that would of course
>>not include 192. My understanding is that mirroring only allows return
>>traffic for the filter entry so in this case the traffic permitted from
>>any port to port 139 on the server would also be permitted from port
>>139 on the server to any port on the client computer. --- Steve
>>
> got ya, but in that case I don't see how it allows 172 to get to 192 with
> file&print
>
>> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
>> news:enxkrPkIGHA.1876@xxxxxxxxxxxxxxxxxxxxxxx
>>> To hinder the browsing behavior on the machine that is not to be
>>> browsed the registry value Hidden dword 1 and Announce dword 0
>>> could help. If I am recalling correctly these are in the
>>> services/lanmanserver perhaps lanmanserver/parameters key of HKLM.
>>>
>>> I do not see how the proposed filter rules would accomplish what
>>> the poster is after, as the two mirrored rules outlined seem to only
>>> disallow SMB and direct hosting from/to/with any IP except for
>>> the desired subnet (the 192.168 . . .) and with that would allow
>>> both ways. What did I miss here ??
>>>
>>>
>>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:%23%23bydNjIGHA.3408@xxxxxxxxxxxxxxxxxxxxxxx
>>>> On the computers on network 172.18.6.100 create an ipsec policy that
>>>> has a mirrored rule for filter action block for the ports you mention
>>>> for all IP addresses and then create a rule for the allowed subnets
>>>> with a permit filter action. For computers on 172.18.6.100 you would
>>>> want to use destination ports as SMB 13x ports, protocols as needed,
>>>> and 445 and destination address as "my IP" . The link may help in
>>>> setting up ipsec filtering policy. Note that this may not stop
>>>> "browsing" which is largely broadcast based but should prevent access
>>>> to the share from blocked networks. Of course share/NTFS permissions
>>>> should also be configured as to not allow unauthorized users/groups
>>>> access. --- Steve
>>>>
>>>> http://www.securityfocus.com/infocus/1559
>>>>
>>>> <bucrepus> wrote in message
>>>> news:OvpnONSIGHA.2696@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> For the sake of simplicity, I have 2 xp stations and 1 win2003 server as
>>>>> router with 2 NICS. (actually have numerous machines on each side subnet)
>>>>> XP station1 on 172.18.6.100 and XP 2 on 192.168.0.100. One server nic
>>>>> 172.18.6.1 and the other 192.168.0.1. I want to be able to copy / browse
>>>>> files from XP1 to XP2, but NOT allow XP2 to browse / see any machines on
>>>>> XP1's side. I have tried using IPSec to block the SMB 13x ports and 445, but
>>>>> can't seem to get the right combo. Any ideas? In other words, I don't want
>>>>> anyone on XP2 to be able to go to the run box and type \\XP1 or
>>>>> \\172.18.6.100 and get a browse window or share list. (One way copy / list)
>>>>> Thanks
>>>>> Bucrepus
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
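To make the filter semantics under discussion concrete, here is an added Python model (not code from anyone in the thread) of the policy Steve describes for the 172 machines: block TCP 139 and 445 inbound to "my IP" from any source, permit them from the 172 subnet, all rules mirrored. It assumes 172.18.6.0/24 as the allowed subnet and Windows' most-specific-filter-wins ordering, and models only TCP 139/445 (not the UDP 137/138 browsing ports).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
MY_IP = ipaddress.ip_network("172.18.6.100/32")   # "my IP" on XP1, from the thread
LAN_172 = ipaddress.ip_network("172.18.6.0/24")   # assumed mask for the allowed subnet


@dataclass(frozen=True)
class Filter:
    src: ipaddress.IPv4Network   # source address (ANY = any IP)
    dst: ipaddress.IPv4Network   # destination address
    dport: Optional[int]         # destination port, None = any port
    proto: str                   # "tcp", "udp" or "any"
    action: str                  # "block" or "permit"
    mirrored: bool = True

    def specificity(self) -> int:
        # Model of Windows IPsec ordering: the most specific matching filter wins.
        return (self.src.prefixlen + self.dst.prefixlen
                + (1 if self.dport is not None else 0)
                + (1 if self.proto != "any" else 0))

    def _one_way(self, src, dst, dport, proto) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or dport == self.dport)
                and (self.proto == "any" or proto == self.proto))

    def matches(self, src, sport, dst, dport, proto) -> bool:
        if self._one_way(src, dst, dport, proto):
            return True
        # Mirrored: also match the reply, i.e. addresses and ports swapped.
        return self.mirrored and self._one_way(dst, src, sport, proto)


def steve_policy() -> List[Filter]:
    """Block inbound SMB to 'my IP' from anywhere; permit it from the 172 subnet."""
    rules = []
    for port in (139, 445):
        rules.append(Filter(ANY, MY_IP, port, "tcp", "block"))
        rules.append(Filter(LAN_172, MY_IP, port, "tcp", "permit"))
    return rules


def decide(policy: List[Filter], src: str, sport: int,
           dst: str, dport: int, proto: str = "tcp") -> str:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [f for f in policy if f.matches(s, sport, d, dport, proto)]
    if not hits:
        return "permit"   # no filter matches: IPsec leaves the packet alone
    return max(hits, key=Filter.specificity).action
```

Running `decide(steve_policy(), "172.18.6.100", 50000, "192.168.0.100", 445)` returns "permit", which is the point of Steve's clarification: the mirrored rules only cover connections to port 139/445 on the 172 host and their replies, so the 172 host can still open shares on the 192 side.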