No subject


Thu Nov 23 16:36:19 EST 2017



Maybe I can help you.

If closing ports is all you need, IPSec is a very useful tool. It's part of W2K and XP. I try to give a short description of the steps needed to make a working filter environment. On my machine is a German version of XP, so keep in mind that some of the commands I mention here may have slightly different names.

Start the IPSec MMC Snap-in: Start | Run | secpol.msc.

Right click on "IP Security Policies". Select "Configure IP Filter Lists and Actions", select the left tab (IP Filter Lists).
Add two filter lists, one for the forbidden packets, one for the allowed packets. Let's start with the forbidden ones. If you click "Add", you'll get a dialog, "IP Filter List". Enter a name like "Forbidden Packets", make sure to select the "Use Wizard" check box. Then click "Add", to add a filter rule. The wizard starts. In the following steps choose "Any IP Address" as Source, "My IP Address" as Destination, "Any" as Protocol Type and finish the wizard. Close the IP Filter List dialog. Now click "Add" again for the allowed packets. Choose a name like "Allowed Packets". For each port you need to have open (80, 21, 5900, or whatever) you need to add two filter rules. Let's start with the first rule for HTTP:
Source Address -> Any IP Address
Dest Address -> My IP Address
Protocol -> TCP
From Port -> 80, To Any Port
Now the second rule:
Source Address -> My IP Address
Dest Address -> Any IP Address
Protocol -> TCP
From Port -> 80, To Any Port
I thought at first, I should enter "From any Port, To Port 80", but that doesn't do the job. Now for each port enter a rule pair like shown with port 80. And don't forget to enter a pair of rules for UDP Port 53, to get your name service running. If you know the address of your name server, enter the specific address instead of "Any IP Address". After entering all rules, click OK for the "Filter List Dialog". Now there should be four lists in the "IP Filter Lists and Actions" dialog - two preconfigured from MS and two from you.

Now you have to enter a new Filter Action. Click on the right tab "Manage Filter Actions". Click Add to start the Filter Action Wizard, select a name like "Block it baby", choose "Block", finish. Note that there is a preconfigured filter action for allowing packets to pass.

Close the "IP Filter Lists and Filter Actions" dialog. You're back now in the MMC.

Your job now is to apply the block action on the "Forbidden Packets" filter list and to apply the allow action on the "Allowed Packets" filter list.

Right click in the right panel of the MMC and choose "Create IP Security Policy". You're in another wizard. Give the policy a name like "Web Server". Uncheck the "Activate Standard Answer Rule" check box, Finish. Another dialog appears, "New IP Security Policy Properties". Make sure to check the "Use Wizard" check box. Click Add. The Policy Rule Wizard starts. Choose "This rule doesn't specify a tunnel". Choose "All Network Connections". Choose "Active Directory Standard" (in W2K: "Kerberos Protocol"). This step has no impact on the rule - just choose it. Click on "Yes" in the following warning. Now you get a list of your filter lists. Choose one of your lists, let's say the "Allowed Packets". In the next step choose "Allow", Finish. Add the second rule with the forbidden packets - same procedure, but choose "Block it baby" as Filter Action. Click OK. Now you're back in the MMC. You can see your new policy in the list of policies. Right click on it and choose "Assign". Now your policy works - you don't need to restart. If you temporarily want to unassign the policy, just right click at the policy and choose "Remove Assignment" - or whatever English translation applies for "Zuweisung entfernen" ;-).

Please mind that these steps don't protect your system against attacks over port 80. Always install the newest security patches, subscribe to the MS Security Bulletin and Security Focus.

Hope that helps.

Mirko
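The same "Web Server" policy built from the command line, as an added example that is not part of Mirko's post: it uses the netsh ipsec static context (present on XP SP2 and Server 2003 and later, not on W2K, where the MMC steps above apply) and assumes the usual mirrored srcport=0 (any) / dstport=N filter form rather than the exact port pairing described above.

```batch
@echo off
REM Added example, not from the original post. Builds the two filter lists,
REM the block action and the two-rule policy that the MMC walkthrough creates.
REM Assumption: mirrored srcport=0 / dstport=N filters stand in for the
REM hand-entered rule pairs; mirrored=yes adds the reply-direction filter.

REM 1. Catch-all list: anything inbound to this host, any protocol.
netsh ipsec static add filterlist name="Forbidden Packets"
netsh ipsec static add filter filterlist="Forbidden Packets" srcaddr=any dstaddr=me protocol=any mirrored=yes

REM 2. Allowed list: one mirrored filter per port that must stay open.
netsh ipsec static add filterlist name="Allowed Packets"
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
REM    DNS: dstaddr=dns expands to the configured resolvers (the post's
REM    "specific address instead of Any IP Address"); use dstaddr=any to relax it.
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=me dstaddr=dns protocol=udp srcport=0 dstport=53 mirrored=yes

REM 3. Block action. A built-in "Permit" action already exists, as the post notes.
netsh ipsec static add filteraction name="Block it baby" action=block

REM 4. Policy with the two rules. Rule order does not matter: IPSec applies the
REM    most specific matching filter first, so the port-level permits win over
REM    the any/any block. Leave it unassigned until reviewed.
netsh ipsec static add policy name="Web Server" description="Allow 80 and DNS, block the rest" assign=no
netsh ipsec static add rule name="Allow listed ports" policy="Web Server" filterlist="Allowed Packets" filteraction=Permit
netsh ipsec static add rule name="Block everything else" policy="Web Server" filterlist="Forbidden Packets" filteraction="Block it baby"

REM 5. Check what will be enforced, then assign. Run this from the local console:
REM    the catch-all block drops any remote admin session not on an allowed port.
netsh ipsec static show policy name="Web Server" level=verbose
netsh ipsec static set policy name="Web Server" assign=y
```

Unassigning is `netsh ipsec static set policy name="Web Server" assign=n`, the command-line equivalent of "Remove Assignment" in the MMC.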






More information about the Snort-users mailing list