How to use IPSec to block specific network protocols and ports

xiaoxiao2021-03-06  36

Source: http://support.microsoft.com/

Summary

Internet Protocol security (IPsec) filtering rules can be used to help protect Windows 2000-based computers from network-based attacks by threats such as viruses and worms. This article describes how to filter a specific protocol and port combination for both inbound and outbound network traffic. It also includes the steps to determine whether an IPsec policy is already assigned to a Windows 2000-based computer, the steps to create and assign a new IPsec policy, and the steps to unassign and delete an IPsec policy.

More information

IPsec policy can be applied to domain members as part of the domain's Group Policy. Local IPsec policy can be either static (still in effect after a restart) or dynamic (volatile). Static IPsec policy is written to the local registry and remains in effect after the operating system is restarted. Dynamic IPsec policy is not written permanently to the registry and is removed when the operating system or the IPsec Policy Agent service is restarted.

Important: This article contains information about editing the registry with IPSecpol.exe. Before you edit the registry, make sure that you know how to restore it if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

Note: IPsec filtering rules can cause network programs to lose data and stop responding to network requests, including requests to authenticate users. Use IPsec filtering rules as a defensive measure only after you clearly understand the effect that blocking specific ports will have in your environment. If you create an IPsec policy by following the steps in this article and it adversely affects your network programs, see the "Unassign and delete IPsec policy" section later in this article to learn how to disable and delete the policy immediately.

Determine whether an IPsec policy is assigned in Windows 2000

Before you create or assign any new IPsec policy on your computer, determine whether any IPsec policy is already applied from the local registry or from a Group Policy object (GPO). To do this:

1. Install NetDiag.exe by running Setup.exe from the Support\Tools folder on the Windows 2000 CD.
2. Open a command prompt window and set the working folder to C:\Program Files\Support Tools.
3. Run the following command to verify that no existing IPsec policy is assigned to the computer:

netdiag /test:ipsec

If no policy is assigned, you receive the following message:

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.

Create a static policy to block traffic

On a Windows 2000-based computer that has no locally defined IPsec policy enabled and no existing IPsec policy assigned, create a new local static policy to block traffic to a specific protocol and port as follows:

1. Verify that the IPsec Policy Agent service is enabled and started in the Services MMC snap-in.
2. Install IPSecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows/existing/ipsecpol-o.asp
3. Open a command prompt window and set the working folder to the folder in which IPSecpol.exe is installed. Note: The default folder for IPSecpol.exe is C:\Program Files\Resource Kit.
4. To create a new local IPsec policy and filter rule that applies to network traffic from any IP address to the IP address of the Windows 2000-based computer, use the following syntax (where Protocol and PortNumber are variables):

ipsecpol -w REG -p "Block Protocol PortNumber Filter" -r "Block Inbound Protocol PortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK -x

For example, to block network traffic from any IP address and any source port to destination port UDP 1434 on a Windows 2000-based computer, type the following command. This policy effectively protects a computer that runs Microsoft SQL Server 2000 from the "Slammer" worm attack.

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x

The following example blocks inbound access to TCP port 80 but still permits outbound access to TCP port 80. This policy effectively protects a computer that runs Microsoft Internet Information Services (IIS) 5.0 from the "Code Red" and "Nimda" worm attacks.

ipsecpol -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x

Note: The -x switch assigns the policy immediately. If you enter this second command, it unassigns the "Block UDP 1434 Filter" policy and assigns "Block TCP 80 Filter" instead. To add a policy without assigning it, omit the -x switch at the end of the command.

5. To add additional filter rules to the existing "Block UDP 1434 Filter" policy that block specific outbound network traffic (from the Windows 2000-based computer to any IP address), use the following syntax (where Protocol and PortNumber are variables):

ipsecpol -w REG -p "Block Protocol PortNumber Filter" -r "Block Outbound Protocol PortNumber Rule" -f 0=*:PortNumber:Protocol -n BLOCK

For example, to block all network traffic to UDP port 1434 from the Windows 2000-based computer to any other host, type the following command. This policy effectively prevents a computer that runs SQL Server 2000 from propagating the "Slammer" worm.

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n BLOCK

Note: You can use this syntax to add as many filter rules to the policy as you need (for example, to block multiple ports with the same policy).

6. The policy from step 5 now takes effect and persists across every restart of the computer. However, if a domain-based IPsec policy is assigned later, this local policy is overridden and no longer applies. To verify that your filter rules were assigned successfully, set the working folder at the command prompt to C:\Program Files\Support Tools, and then type the following command:

netdiag /test:ipsec /debug

If you have assigned a policy for both inbound and outbound traffic, as in these examples, you receive the following message:

IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'Block UDP 1434 Filter'
    IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}

    There are 2 filters
    No Name
    Filter Id: {5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
    Policy Id: {509492ea-1214-4f50-bf43-9cac2b538518}
        Src Addr    : 0.0.0.0          Src Mask    : 0.0.0.0
        Dest Addr   : 192.168.1.1      Dest Mask   : 255.255.255.255
        Tunnel Addr : 0.0.0.0          Src Port    : 0     Dest Port : 1434
        Protocol    : 17               TunnelFilter: No
        Flags       : Inbound Block
    No Name
    Filter Id: {9B4144A6-774F-4AE5-B23A-51331E67BAB2}
    Policy Id: {2DEB01BD-9830-4067-B58A-AADFC8659BE5}
        Src Addr    : 192.168.1.1      Src Mask    : 255.255.255.255
        Dest Addr   : 0.0.0.0          Dest Mask   : 0.0.0.0
        Tunnel Addr : 0.0.0.0          Src Port    : 0     Dest Port : 1434
        Protocol    : 17               TunnelFilter: No
        Flags       : Outbound Block

Note: The IP address and globally unique identifier (GUID) values will differ; they reflect the values on your own Windows 2000-based computer.
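The following batch script is an added example and is not part of the Microsoft article. It wraps steps 1 through 6 above into one file with an "apply" mode that builds the static "Block UDP 1434 Filter" policy with both the inbound and the outbound rule and assigns it, and a "remove" mode that unassigns and deletes it again (the rollback the earlier note tells you to have ready). It assumes IPSecpol.exe is in C:\Program Files\Resource Kit and NetDiag.exe in C:\Program Files\Support Tools, the default locations named above; the policy and rule names are the article's own examples.

```batch
@echo off
rem Added example, not from the original article: create, assign, verify
rem or remove the static "Block UDP 1434 Filter" policy described above.
rem Usage:  ipsec-block.cmd apply   |   ipsec-block.cmd remove
rem Assumed tool locations (the article's defaults):
setlocal
set IPSECPOL="C:\Program Files\Resource Kit\ipsecpol.exe"
set NETDIAG="C:\Program Files\Support Tools\netdiag.exe"
set POLICY=Block UDP 1434 Filter
set RULE_IN=Block Inbound UDP 1434 Rule
set RULE_OUT=Block Outbound UDP 1434 Rule

if /i "%1"=="apply"  goto apply
if /i "%1"=="remove" goto remove
echo usage: %0 apply ^| remove
goto end

:apply
rem Step 1: the IPSEC Policy Agent must be running, otherwise the policy
rem is written to the registry but never enforced.
net start | find /i "IPSEC Policy Agent" >nul
if errorlevel 1 (
    echo IPSEC Policy Agent service is not running; start it first.
    goto end
)
rem Step 4: inbound rule, any address to this host, UDP 1434; -x assigns now.
%IPSECPOL% -w REG -p "%POLICY%" -r "%RULE_IN%" -f *=0:1434:UDP -n BLOCK -x
if errorlevel 1 goto fail
rem Step 5: outbound rule, this host to any address, UDP 1434, same policy.
%IPSECPOL% -w REG -p "%POLICY%" -r "%RULE_OUT%" -f 0=*:1434:UDP -n BLOCK
if errorlevel 1 goto fail
goto verify

:remove
rem Unassign first, then delete the policy together with both rules.
%IPSECPOL% -w REG -p "%POLICY%" -y
%IPSECPOL% -w REG -p "%POLICY%" -r "%RULE_IN%" -r "%RULE_OUT%" -o
goto verify

:verify
rem Step 6: show which policy netdiag reports as active and every filter
rem whose destination port is 1434 (two lines are expected after "apply",
rem none after "remove").
%NETDIAG% /test:ipsec /debug > "%TEMP%\ipsec-check.txt"
findstr /i /c:"Local IPSec Policy Active" /c:"no policy is assigned" "%TEMP%\ipsec-check.txt"
findstr /r /c:"Dest Port *: *1434" "%TEMP%\ipsec-check.txt"
goto end

:fail
echo ipsecpol returned an error; the policy may be only partially created.
echo Run "%0 remove" to unassign and delete it.

:end
endlocal
```

Run the script from an administrative command prompt. Because the -x switch is used only on the first ipsecpol call, the outbound rule is added to a policy that is already assigned, which is exactly what step 5 describes; if a domain-based IPsec policy is assigned later, netdiag will show that policy as active instead and the local one no longer applies.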

Add blocking rules for specific protocols and ports to an existing policy

To add blocking rules for a specific protocol and port to a Windows 2000-based computer that already has a locally assigned static IPsec policy, follow these steps:

1. Download and install IPSecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows/existing/ipsecpol-o.asp
2. Identify the name of the currently assigned IPsec policy. To do this, type the following command at a command prompt:

netdiag /test:ipsec

If a policy is assigned, you receive a message that is similar to the following:

IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'Block UDP 1434 Filter'

3. If an IPsec policy is assigned to your computer (local or domain), use the following syntax to add further block filter rules to the existing IPsec policy (where ExistingIPsecPolicyName, Protocol and PortNumber are variables):

ipsecpol -p "ExistingIPsecPolicyName" -w REG -r "Block Protocol PortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK

For example, to add a filter rule that blocks inbound access to TCP port 80 to the existing "Block UDP 1434 Filter" policy, type the following command:

ipsecpol -p "Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK

Add a dynamic blocking policy for specific protocols and ports

In some cases you may want to block a specific port only temporarily (for example, until you can install a fix, or when a domain-based IPsec policy is already assigned to the computer). To temporarily block access to a port on a Windows 2000-based computer by using IPsec policy, follow these steps:

1. Install IPSecpol.exe from the following Microsoft Web site: http://www.microsoft.com/windows/existing/ipsecpol-o.asp
2. To add a dynamic block filter for all packets sent from any IP address to your system's IP address and the target port, type the following command at a command prompt (where Protocol and PortNumber are variables):

ipsecpol -f [*=0:PortNumber:Protocol]

Note: This command creates the blocking filter dynamically, and the filter remains assigned as long as the IPsec Policy Agent service is running. The setting is lost if the IPsec service or the computer is restarted. If you want the IPsec filter rule to be re-applied dynamically after each restart, create a startup script that re-applies the filter rule. If you want to use the filter permanently, configure it as a static IPsec policy. The IPsec Policy Management MMC snap-in provides a graphical user interface for managing IPsec policy configuration. If a domain-based IPsec policy is applied, the netdiag /test:ipsec /debug command displays filter details only when it is run by a user with domain administrator credentials. An updated version of NetDiag.exe will be available in Windows 2000 Service Pack 4 and will let local administrators view domain-based IPsec policy.
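The note above recommends a startup script when a dynamic filter has to survive restarts. The batch script below is an added example, not part of the Microsoft article: it waits for the IPSEC Policy Agent service to come up (a dynamic filter added before the service is running is not enforced), then adds one dynamic block filter per entry in a port list using the bracketed [*=0:PortNumber:Protocol] form shown above, and logs each result. It assumes IPSecpol.exe is in C:\Program Files\Resource Kit; the port list (UDP 1434 and TCP 80, the article's two examples) and the log file location are this example's own choices.

```batch
@echo off
rem Added example, not from the original article: re-apply dynamic IPsec
rem block filters at every startup. Dynamic filters vanish whenever the
rem IPSEC Policy Agent service or the computer restarts.
rem Assumed tool location (the article's default):
setlocal
set IPSECPOL="C:\Program Files\Resource Kit\ipsecpol.exe"
set LOG=%SystemRoot%\ipsec-dynamic.log
rem Each entry is PortNumber:Protocol, the form the -f switch expects.
set PORTS=1434:UDP 80:TCP

rem Wait up to about 60 seconds for the IPSEC Policy Agent service.
set /a TRIES=0
:wait
net start | find /i "IPSEC Policy Agent" >nul
if not errorlevel 1 goto ready
set /a TRIES+=1
if %TRIES% geq 12 (
    echo %DATE% %TIME% IPSEC Policy Agent not running, no filters added>>"%LOG%"
    goto end
)
rem "ping -n 6" to localhost is the portable 5-second sleep on Windows 2000.
ping -n 6 127.0.0.1 >nul
goto wait

:ready
for %%P in (%PORTS%) do (
    rem Brackets make this a dynamic BLOCK filter from any source address
    rem to this host's address for the given destination port and protocol.
    %IPSECPOL% -f [*=0:%%P]
    if errorlevel 1 (
        echo %DATE% %TIME% failed to add dynamic block filter for %%P>>"%LOG%"
    ) else (
        echo %DATE% %TIME% added dynamic block filter for %%P>>"%LOG%"
    )
)

:end
endlocal
```

Assign the script as a computer startup script (Local Group Policy, Computer Configuration, Windows Settings, Scripts (Startup)) so that it runs under the Local System account before any user logs on. Because the filters are dynamic, ipsecpol -u removes them all without touching any static policy, which keeps the temporary block easy to lift once the fix is installed.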

IPsec filter rules and Group Policy

In environments where IPsec policy is assigned through Group Policy settings, you must update the policy for the whole domain to block the specific protocol and port. After you successfully configure the Group Policy IPsec settings, you must force all Windows 2000-based computers in the domain to refresh their Group Policy settings. To do this, use the following command:

secedit /refreshpolicy machine_policy

The IPsec policy change is detected within one of two different polling intervals. For an IPsec policy that is newly assigned to a GPO, the policy is applied to the client within the Group Policy polling interval, or when the secedit /refreshpolicy machine_policy command is run on the client. If the IPsec policy is already assigned to the GPO and you add new IPsec filters or rules to the existing policy, the secedit command does not cause the IPsec change to be detected. In this case, modifications to an existing GPO-based IPsec policy are detected within the IPsec policy polling interval, which is specified on the General tab of that IPsec policy. You can also restart the IPsec Policy Agent service to force the IPsec policy settings to refresh. If the IPsec service is stopped or restarted, communication that is protected by IPsec is interrupted and takes several seconds to recover. This may cause program connections to be dropped, especially connections that are actively transmitting large amounts of data. When IPsec policy is applied locally to the computer, you do not have to restart the service.

Unassign and delete IPsec policy

• For computers that use a locally defined static policy

1. Open a command prompt window and set the working folder to the folder in which you have IPSecpol.exe.
2. To unassign the filter that you created previously, use the following syntax:

ipsecpol -w REG -p "Block Protocol PortNumber Filter" -y

For example, to unassign the "Block UDP 1434 Filter" policy that you created previously, use the following command:

ipsecpol -w REG -p "Block UDP 1434 Filter" -y

3. To delete the filter that you created, use the following syntax:

ipsecpol -w REG -p "Block Protocol PortNumber Filter" -r "Block Protocol PortNumber Rule" -o

For example, to delete the "Block UDP 1434 Filter" policy and the two rules that you created previously, use the following command:

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -r "Block Outbound UDP 1434 Rule" -o

• For computers that use a locally defined dynamic policy, the dynamic IPsec policy is unassigned when the IPsec Policy Agent service is restarted. However, to delete the filters that were added by the specific commands you used previously, follow these steps:

1. Open a command prompt window and set the working folder to the folder in which you have IPSecpol.exe.
2. Type the following command:

ipsecpol -u

Note: You may also have to restart the IPsec Policy Agent service to clear all dynamically assigned policy.

Apply your new filter rules to all protocols and ports

By default, in Microsoft Windows 2000 and Microsoft Windows XP, IPsec exempts broadcast, multicast, RSVP, IKE, and Kerberos traffic from all filtering and authentication restrictions. For additional information about these exemptions, click the following article number to view the article in the Microsoft Knowledge Base:

253169 Traffic That Can--and Cannot--Be Secured by IPSec

When IPsec is used only to permit and block traffic, a registry value can be changed to remove the Kerberos and RSVP protocol exemptions. For a complete description of how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

254728 IPSec Does Not Secure Kerberos Traffic Between Domain Controllers

By following those instructions, you can protect UDP 1434 even if an attacker sets the source port to the Kerberos port, TCP/UDP 88. When the Kerberos exemption is removed, all filters in the IPsec policy can match Kerberos traffic, so Kerberos can be secured (blocked or permitted) inside IPsec. Therefore, if an IPsec filter matches Kerberos traffic sent to a domain controller IP address, you may have to change the IPsec policy design and add new filters that permit Kerberos traffic to each domain controller IP address (unless you are following the instructions in Knowledge Base article 254728 to use IPsec to secure all communication between domain controllers).

Apply IPsec filter rules when your computer restarts

All IPsec policy depends on the IPsec Policy Agent service in order to be assigned. When a Windows 2000-based computer starts, the IPsec Policy Agent service is not necessarily the first service to start. As a result, there may be a brief period during which the computer's network connections are vulnerable to virus or worm attack. This potential vulnerability exists only before the IPsec Policy Agent service has started and assigned all policies; it ends once the service has started successfully and begun to accept connections.

The information in this article applies to:

• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

Please cite the original URL when reprinting: https://www.9cbs.com/read-53124.html
