IPSec and TCP/UDP Traffic Blocking

Determine whether an IPSec policy is assigned
Before you create or assign any new IPSec policies to a Windows Server 2003-based computer, determine whether any IPSec policies are being applied from the local registry or through a Group Policy object (GPO). To do this, follow these steps:
1. Install Netdiag.exe from the Windows Server 2003 CD by running Suptools.msi from the Support\Tools folder.
2. Open a command prompt, and then set the working folder to C:\Program Files\Support Tools.
3. Run the following command to verify that there is not an existing IPSec policy already assigned to the computer:
netdiag /test:ipsec
If no policy is assigned, you receive the following message:
IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.
Create a static policy to block traffic
To create a new local IPSec policy and filtering rule that applies to network traffic from any IP address to the IP address of the Windows Server 2003-based or Windows XP-based computer that you are configuring, use the following command.
Note: In the following command, Protocol and PortNumber are placeholders for the protocol (TCP or UDP) and the destination port that you want to block.
IPSeccmd.exe -w REG -p "Block Protocol PortNumber Filter" -r "Block Inbound Protocol PortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK -x
For example, to block network traffic from any IP address and any source port to destination port UDP 1434 on a Windows Server 2003-based or Windows XP-based computer, type the following. This policy is sufficient to help protect computers that run Microsoft SQL Server 2000 from the "Slammer" worm.
IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x
The following example blocks inbound access to TCP port 80 but still allows outbound TCP 80 access. This policy is sufficient to help protect computers that run Microsoft Internet Information Services (IIS) 5.0 from the "Code Red" worm and the "Nimda" worm.
IPSeccmd.exe -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x
Note: The -x switch assigns the policy immediately. Only one IPSec policy can be assigned to a computer at a time, so if you enter this command after the preceding example, the "Block UDP 1434 Filter" policy is unassigned and the "Block TCP 80 Filter" policy is assigned in its place. To add the policy without assigning it, type the command without the -x switch at the end.
Verify the IPSec Policy
To verify the successful assignment of your filtering rule, set the working folder to C:\Program Files\Support Tools at the command prompt, and then type the following command:
netdiag /test:ipsec /debug
If the assigned policy contains both an inbound and an outbound filter for UDP 1434, you receive output like the following, with one record per filter:
IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'Block UDP 1434 Filter'
    IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}

    There are 2 filters
    No Name
    Filter Id: {5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
    Policy Id: {509492EA-1214-4F50-BF43-9CAC2B538518}
    Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
    Dest Addr : 192.168.1.1 Dest Mask : 255.255.255.255
    Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434
    Protocol : 17 TunnelFilter: No
    Flags : Inbound Block
    No Name
    Filter Id: {9B4144A6-774F-4AE5-B23A-51331E67BAB2}
    Policy Id: {2DEB01BD-9830-4067-B58A-AADFC8659BE5}
    Src Addr : 192.168.1.1 Src Mask : 255.255.255.255
    Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
    Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434
    Protocol : 17 TunnelFilter: No
    Flags : Outbound Block
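The following Python script is an added example, not part of the original article and not a Microsoft tool. It automates the two netdiag checks described above: the pre-check that no IPSec policy is already assigned (so that -x does not silently displace one), and the post-assignment verification that the inbound block filter exists with the expected protocol, destination port and address masks. The two transcripts embedded in it are constructed from the netdiag output quoted on this page rather than captured live; the function names, the report dictionary layout and the IPSeccmd argument-vector builder (which follows the page's command template) are this example's own.

```python
import re
from typing import Dict, List, Optional

# Two netdiag /test:ipsec transcripts, constructed for this example from the
# output quoted on the page (not live captures); the second is the /debug form.
NO_POLICY_OUTPUT = r"""
IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.
"""
BLOCK_POLICY_OUTPUT = r"""
IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'Block UDP 1434 Filter'
    IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}
    There are 2 filters
    No Name
    Filter Id: {5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
    Policy Id: {509492EA-1214-4F50-BF43-9CAC2B538518}
    Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
    Dest Addr : 192.168.1.1 Dest Mask : 255.255.255.255
    Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434
    Protocol : 17 TunnelFilter: No
    Flags : Inbound Block
    No Name
    Filter Id: {9B4144A6-774F-4AE5-B23A-51331E67BAB2}
    Policy Id: {2DEB01BD-9830-4067-B58A-AADFC8659BE5}
    Src Addr : 192.168.1.1 Src Mask : 255.255.255.255
    Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
    Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434
    Protocol : 17 TunnelFilter: No
    Flags : Outbound Block
"""

PROTO_NUMBERS = {"TCP": "6", "UDP": "17"}  # IP protocol numbers as netdiag prints them
KV_PAIR = re.compile(r"([A-Za-z]+(?: [A-Za-z]+)?)\s*:\s*(\S+)")  # "Key : value", several per line


def parse_netdiag_ipsec(text: str) -> Dict:
    """Parse the IP Security section into {"passed", "policy_name", "filters": [...]}.
    A filter record starts at its "Filter Id:" line; its fields may share a physical line."""
    report: Dict = {"passed": False, "policy_name": None, "filters": []}
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IP Security test"):
            report["passed"] = line.rsplit(":", 1)[1].strip() == "Passed"
        elif line.startswith("Local IPSec Policy Active:"):
            m = re.search(r"'(.*)'", line)
            report["policy_name"] = m.group(1) if m else line.split(":", 1)[1].strip()
        elif line.startswith("Filter Id:"):
            current = {"filter_id": line.split(":", 1)[1].strip()}
            report["filters"].append(current)
        elif line.startswith("Flags") and current is not None:
            current["direction"], current["action"] = line.split(":", 1)[1].split()  # e.g. Inbound Block
        elif current is not None:
            for key, value in KV_PAIR.findall(line):
                current[key.lower().replace(" ", "_")] = value
    return report


def safe_to_create_policy(report: Dict) -> bool:
    """The page's precondition: test passed and no policy assigned. Assigning with -x
    silently unassigns whichever policy is active, so a non-None policy_name is a stop."""
    return report["passed"] and report["policy_name"] is None


def find_block_filter(report: Dict, protocol: str, port: int,
                      direction: str = "Inbound") -> Optional[Dict]:
    """Return the filter that blocks `direction` traffic to port/protocol, else None."""
    want_proto = PROTO_NUMBERS[protocol.upper()]
    for f in report["filters"]:
        if (f.get("direction") == direction and f.get("action") == "Block"
                and f.get("protocol") == want_proto and f.get("dest_port") == str(port)):
            return f
    return None


def inbound_block_is_complete(report: Dict, protocol: str, port: int) -> bool:
    """True when the inbound block covers every source (mask 0.0.0.0) and exactly this
    host (dest mask 255.255.255.255), which is what *=0:port:proto should produce."""
    f = find_block_filter(report, protocol, port, "Inbound")
    return (f is not None and f.get("src_addr") == "0.0.0.0"
            and f.get("src_mask") == "0.0.0.0" and f.get("dest_mask") == "255.255.255.255")


def build_ipseccmd(protocol: str, port: int, assign: bool = True) -> List[str]:
    """Argument vector for the page's IPSeccmd template; assign=False leaves off -x."""
    proto = protocol.upper()
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    argv = ["IPSeccmd.exe", "-w", "REG", "-p", f"Block {proto} {port} Filter",
            "-r", f"Block Inbound {proto} {port} Rule", "-f", f"*=0:{port}:{proto}",
            "-n", "BLOCK"]
    if assign:
        argv.append("-x")
    return argv
```

In practice you would feed the parser the captured stdout of netdiag instead of the embedded samples, run safe_to_create_policy before invoking IPSeccmd with -x, and run inbound_block_is_complete afterwards; a filter that matches the port but not the 0.0.0.0 source mask or the 255.255.255.255 destination mask means the -f specification was not what the page's template produces.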