IP Security Filtering

One of the lesser-known features of Windows 2000's IP Security (IPSec) is packet filtering based on IP addresses and port filtering. With IPSec filtering, you wrap your servers or workstations with another layer of security that protects them against attackers who try to connect from elsewhere on your internal network or from the Internet. You can use this technology in many ways, but in this article I'll show you how to protect onsite workstations exposed to the Internet, laptops that employees use to dial into an ISP when traveling off site, and computers that employees use to telecommute.

Attackers are always scanning the Internet for unsecured PCs. What would happen if attackers found a way into your company's computers through an employee's offsite laptop? Although personal firewalls provide many benefits, not everyone has the option of installing that kind of software on their offsite computers. If your company can't deploy personal firewalls because of budget concerns or logistics, consider using IPSec filtering. I'll show you how to build a Win2K IPSec policy that blocks incoming access to a computer's file shares, which attackers frequently target. You can then extend this policy to block access to other ports that intruders frequently attack.

To get started, open Local Security Policy under Administrative Tools in Windows 2000 Server right-click IPSec Policies on Local Machine, and select Create IPSec Policy, which starts the IPSec Policy Wizard. Type in a descriptive name (e.g., Block Incoming Connections to File Sharing), as Figure 1 shows. Click Next four times, accepting the defaults, until you see the Rules tab, as Figure 2 shows.

At this point, you basically have a blank IPSec policy; you need to add a new rule. To display the Security Rule Wizard, click Add, and click Next on the first 2 pages until you get to the Security Rule Wizard page, where you see Network Type, as Figure 3 shows. You can choose whether this policy applies to packets on your internal LAN, remote access dial-up connections, or both. If you're only trying to protect this computer when it's connected to the Internet through a modem, you can select Remote access. However, if you want protection from malicious users on your internal LAN as well, select All network connections, and click Next twice (until you see the window with the IP Filter List, as Figure 4 shows).

Next, you need to create an IP filter list that describes the type of packets to which you want to apply this IPSec rule. As you can see, the two existing policies that Figure 4 shows are too broad for your needs, so click Add. Change the name of this filter list to Incoming file share access, as Figure 5 shows, and click Add. Work your way through the Filter Wizard, specifying Any IP Address as Source address, My IP Address as Destination address, TCP as the Protocol type, and 139 as the "Destination port." After finishing the IP filter list, you need to edit the new filter and clear the Mirrored check box, as Figure 6 shows. Add additional filters for TCP ports 445, 137 and138 (these are UDP ports), 139, and 445 to complete what you see in Figure 5. NetBIOS-based file sharing uses ports 137 and 139, and Common Internet File Sharing (CIFS) uses port 443. (To eliminate Win2K's dependence on NetBIOS, Win2K defaults to using CIFS for file-sharing sessions.) Click Close, as Figure 5 shows, to return to the IP Filter List, as Figure 4 shows. Select the new filter list you created, and click Next to go to the Filter Action page, as Figure 7 shows.

You now need to specify the action you want IPSec to take when your filter list catches a packet. As you can see, there's no blocking action listed under Filter Actions, so you'll need to create one. To open the Filter Action Wizard, click Add, and click Next on the first page. Type in a name (e.g., Block), and click Next. The wizard asks what action behavior you want to take, as Figure 8 shows. Select Block, click Next, and click Finish, which returns you to the Filter Action page, as Figure 7 shows. Select the new Block action, click Next, and click Finish, which returns you to your completed policy, as Figure 9 shows.

To test your policy, open a command prompt, and run secedit /refreshpolicy machine_policy. This command forces your computer to immediately apply Group Policy. Next, create a shared folder, Test, on your computer. From another computer on your network, attempt to map a drive to the Test folder on your computer. If you created the IPSec policy correctly, the mapping will fail.

This policy addresses only file sharing, but you can specify additional ports to block if you want to protect other services. If you're worried about being able to administer workstations remotely after deploying this policy, remember that IPSec is very flexible. You can create a combination of rules that lets you block all attempts to access the local services except for the computers that your administrators use.