Use the command line to write IPSec (win) http://www.chinaunix.net Author: t920 Posted: 2003-12-13 22:12:13
A few customers have asked for IPSec rules to be set up on Windows. KAO, crazy!!!!!
After waiting a long time I finally found it, and there is nothing to it: it is IPsecpol.exe, a command-line tool provided by MS.
Hohohoho, awkwardly starting to praise Microsoft!!!!!
××××××××××××××××××××××××××××××××××
Writing a script with IPsecpol.exe
IPSecpol.exe, from the Windows 2000 Resource Kit, is a command-line utility for creating, assigning and deleting IPSec policies. It is very flexible: it can create dynamic and static policies in Active Directory and in the local or a remote registry. For complete information, see the documentation in the Resource Kit. Here, a static policy will be created in the registry of the local computer.
IPSecpol.exe has many parameters, and its syntax is not easy to understand at first. However, if you follow the example operations given here, everything configured in the preceding GUI example can be reproduced with three commands. You may want to open the MMC after each command and refresh it to verify that the command did what you expected. Let's start.
The first command (shown below) creates a new policy, adds a rule to the policy, and adds two filters and a filter action to that rule.
ipsecpol -w REG -p "Packet Filter" -r "Inbound Web Protocol" -f *+131.107.1.1:80:TCP -f *+131.107.1.1:443:TCP -n PASS
The command may be wrapped over two lines for printing; type it on a single line. It includes the following parameters:
* -w REG - Writes a static policy to the registry. This is exactly what the MMC does.
* -p "Packet Filter" - Creates a policy named "Packet Filter".
* -r "Inbound Web Protocol" - Creates a rule named "Inbound Web Protocol".
* -f *+131.107.1.1:80:TCP - Adds a filter, where * specifies any source address and any port, 131.107.1.1:80 specifies the destination address (the address of the server itself) and a specific port, :TCP specifies the protocol, and + indicates that the filter is mirrored.
* -f *+131.107.1.1:443:TCP - The same as the previous parameter, except that the destination port is 443.
* -n PASS - Passes traffic without negotiating security.
Note that the values of the -w, -f and -n parameters are case-sensitive and must be uppercase!
You can include any number of filters. Recall the earlier discussion of role-based filter lists: if your server runs several services, use a separate ipsecpol.exe command (and therefore a separate rule) for each role. For example, the following command allows inbound connections to ports 110, 995, 143, 993 and 25, and allows outbound connections to port 25 anywhere.
ipsecpol -w REG -p "Packet Filter" -r "Inbound/Outbound Mail" -f *+131.107.1.1:110:TCP -f *+131.107.1.1:995:TCP -f *+131.107.1.1:143:TCP -f *+131.107.1.1:993:TCP -f *+131.107.1.1:25:TCP -f 131.107.1.1+*:25:TCP -n PASS
(The last filter, -f 131.107.1.1+*:25:TCP, looks slightly different. It allows outbound traffic from any port on the server's own address to port 25 on any server. This filter lets the server initiate SMTP connections to the Internet.)
The next command creates a general rule that matches and blocks all traffic:
ipsecpol -w REG -p "Packet Filter" -r "All Inbound Traffic" -f *+131.107.1.1 -n BLOCK
It includes the following parameters:
* -w REG - Writes a static policy to the registry. This is exactly what the MMC does.
* -p "Packet Filter" - Adds to the existing policy named "Packet Filter".
* -r "All Inbound Traffic" - Creates a rule named "All Inbound Traffic".
* -f *+131.107.1.1 - Adds a filter, where * specifies any source address and any port, 131.107.1.1 specifies the destination address and any port, the omitted protocol means any protocol, and + indicates that the filter is mirrored.
* -n BLOCK - Blocks traffic.
The last command assigns the policy:
ipsecpol -w REG -p "Packet Filter" -x
It includes the following parameters:
* -w REG - Writes a static policy to the registry. This is exactly what the MMC does.
* -p "Packet Filter" - Selects the existing policy named "Packet Filter".
* -x - Assigns the policy.
That is all the commands: with three commands you have completed the same task as with the GUI. When adding IPSecpol.exe support to a server build script, remember that you may not want to actually assign the policy before the server build is complete. Therefore the script should include only the -n PASS and -n BLOCK commands; after all servers are installed, a command of the following form can be used to assign the policy remotely:
ipsecpol \\MachineName -w REG -p "Policy Name" -x
You need administrative privileges on the specified machine for this command. If you need to temporarily unassign the policy, use -y instead of -x.
You can remove the entire policy (including all of its associated filter lists and filter actions) with the following command:
ipsecpol -w REG -p "Policy Name" -o
This is useful if your server build process lets you change a server's role dynamically (without restarting): delete the existing policy and create a new one. If you want to script policy creation on all servers, add \\hostname to every form of these commands.
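The build-script procedure described above (create the PASS and BLOCK rules during the build, assign later, optionally on a remote host, unassign or delete when the role changes) collected into one batch file. This is an added example, not code from the original post or from the Resource Kit documentation. It assumes ipsecpol.exe is on the PATH, that the caller is an administrator on the target machine, and that -y is the unassign switch (the counterpart of -x; the unassign switch is an assumption here, not something this page states).

```batch
@echo off
rem packetfilter.cmd - added example, not from the original post or the Resource Kit.
rem Builds, assigns, unassigns or deletes the "Packet Filter" policy described above.
rem Assumes: ipsecpol.exe (Windows 2000 Resource Kit) is on the PATH, the caller is
rem an administrator on the target machine, and -y unassigns a policy (assumption).
rem
rem Usage: packetfilter.cmd <server-ip> create^|assign^|unassign^|delete [\\remote-host]
setlocal
if "%~2"=="" goto :usage
set "IP=%~1"
set "ACTION=%~2"
set "TARGET=%~3"
set "POLICY=Packet Filter"

if /i "%ACTION%"=="create"   goto :create
if /i "%ACTION%"=="assign"   goto :assign
if /i "%ACTION%"=="unassign" goto :unassign
if /i "%ACTION%"=="delete"   goto :delete
goto :usage

:create
rem One rule (and therefore one filter list) per server role, so a role can be
rem dropped later by deleting and recreating the policy without touching the rest.
rem In a filter spec "*" means any address/port and "+" makes the filter mirrored.
ipsecpol %TARGET% -w REG -p "%POLICY%" -r "Inbound Web Protocol" -f *+%IP%:80:TCP -f *+%IP%:443:TCP -n PASS
ipsecpol %TARGET% -w REG -p "%POLICY%" -r "Inbound/Outbound Mail" -f *+%IP%:110:TCP -f *+%IP%:995:TCP -f *+%IP%:143:TCP -f *+%IP%:993:TCP -f *+%IP%:25:TCP -f %IP%+*:25:TCP -n PASS
rem Catch-all: any protocol, any port, to the server address, mirrored, BLOCK.
rem Windows IPSec applies the most specific matching filter, so the PASS filters
rem above still win for their ports even though this rule is created last.
ipsecpol %TARGET% -w REG -p "%POLICY%" -r "All Inbound Traffic" -f *+%IP% -n BLOCK
echo Policy "%POLICY%" written to the registry but NOT assigned.
echo Run "%~nx0 %IP% assign %TARGET%" once the server build is complete.
goto :eof

:assign
rem Assign the policy; with a \\remote-host argument this is the remote form
rem shown in the text, and needs administrative rights on that host.
ipsecpol %TARGET% -w REG -p "%POLICY%" -x
goto :eof

:unassign
rem Temporarily stop enforcing the policy without removing it (-y assumed).
ipsecpol %TARGET% -w REG -p "%POLICY%" -y
goto :eof

:delete
rem -o removes the policy and, unlike deleting in the GUI, also its filter
rem lists and filter actions. Use this before re-creating the policy for a new role.
ipsecpol %TARGET% -w REG -p "%POLICY%" -o
goto :eof

:usage
echo Usage: %~nx0 ^<server-ip^> create^|assign^|unassign^|delete [\\remote-host]
exit /b 1
```

Run it once per server with the server's own address, for example `packetfilter.cmd 131.107.1.1 create` during the build and `packetfilter.cmd 131.107.1.1 assign \\WEB01` from the build workstation afterwards; after each step, refresh the IPSec snap-in in the MMC to confirm that the policy, rules and assignment state look as expected.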
Differences between the GUI and IPSecpol.exe. Yes, there are some, but only in how certain things are displayed in the GUI:
* The default response rule cannot be disabled, but in the packet filter example this does not matter, because inbound connections are either always allowed or always blocked.
* The rule name is used as the filter list name.
* The -n PASS and -n BLOCK commands do not reuse existing Permit and Block actions (if you created them in the GUI); instead they create a new permit or block action for each rule and name the new action "List NEGPOL".
* The properties of each filter action show a default list of security methods, but because no security negotiation actually takes place, the list is ignored.
* Deleting a policy with the -o command also deletes the filter lists and filter actions associated with it. When a policy is deleted in the GUI, its associated filter lists and filter actions are not deleted.
So, does this really work?
In short, yes. Shortly after Windows 2000 was released, a popular industry magazine tested the security of a number of web servers, and Microsoft was invited to take part. We built a Windows 2000 Server running Internet Information Services 5.0. To protect the server, all we did was set a password on the administrator account and create an IPSec policy like the one in this example. The server was connected directly to the Internet and survived the attacks made against it throughout the several-week trial.
***********************************************************
This place is so slow!!! Hohohoho, want one that can't get online???? ipsecpol -w REG -p fw -r outdeny -f 0=* -n BLOCK does it!!! (Win2000 only; XP and 2003 have other similar tools)