Windows 2000/XP Internet Protocol Security (IPSec)
Mike Chirico, M.S.
souptonuts.sourceforge.net/chirico/
December 18, 2003
What would you do if you had less than 5 minutes to lockdown a Windows 2000/XP computer?
IPSec vs. TCP/IP filtering
Target specific addresses and interfaces
Immediate (no reboot required)
Silently discards blocked traffic
Multiple policies
Blocks ICMP echo requests ("ping")
Ipseccmd: audit logging
Windows 2000 and Windows XP
Different commands:
Windows 2000 uses ipsecpol
Windows XP uses ipseccmd (all changes are also static, and it supports audit logging)
Basic Windows 2000 ipsecpol
ipsecpol -w REG -p FireWallPolicy -o
ipsecpol -x -w REG -p FireWallPolicy -r RPC -n BLOCK -f *=0:135:TCP
ipsecpol -x -w REG -p FireWallPolicy -r RPCudp -n BLOCK -f *=0:135:UDP
ipsecpol -x -w Reg -p FireWallPolicy -r NetBIOSnameService -n BLOCK -f *=0:137:UDP
ipsecpol -x -w Reg -p FireWallPolicy -r NetBIOSdatagrServe -n BLOCK -f *=0:138:UDP
ipsecpol -x -w Reg -p FireWallPolicy -r NetBIOSsessionService -n BLOCK -f *=0:139:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r SMBtcp -n BLOCK -f *=0:445:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r SMBudp -n BLOCK -f *=0:445:UDP
ipsecpol -x -w Reg -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1433:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1434:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r FTP -n BLOCK -f *=0:21:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r Telnet -n BLOCK -f *=0:23:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r HTTP -n BLOCK -f *=0:80:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r HTTPs -n BLOCK -f *=0:443:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r HTTPrpc -n BLOCK -f *=0:593:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r DNStcp -n BLOCK -f *=0:53:TCP
ipsecpol -x -w Reg -p FireWallPolicy -r DNSudp -n BLOCK -f *=0:53:UDP
*Download ipsecpol (or run secpol.msc)
(-x assign, -w write to registry, -p policy, -r ruleName, -f filter; the first line uses -o to delete any existing FireWallPolicy before the rules are added, and -n BLOCK sets the action for the rule)
Basic Windows XP ipseccmd
ipseccmd -w REG -p FireWallPolicy -o
ipseccmd -x -w REG -p FireWallPolicy -r RPC -n BLOCK -f *=0:135:TCP
ipseccmd -x -w REG -p FireWallPolicy -r RPCudp -n BLOCK -f *=0:135:UDP
ipseccmd -x -w Reg -p FireWallPolicy -r NetBIOSnameService -n BLOCK -f *=0:137:UDP
ipseccmd -x -w Reg -p FireWallPolicy -r NetBIOSdatagrServe -n BLOCK -f *=0:138:UDP
ipseccmd -x -w Reg -p FireWallPolicy -r NetBIOSsessionService -n BLOCK -f *=0:139:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r SMBtcp -n BLOCK -f *=0:445:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r SMBudp -n BLOCK -f *=0:445:UDP
ipseccmd -x -w Reg -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1433:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1434:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r FTP -n BLOCK -f *=0:21:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r Telnet -n BLOCK -f *=0:23:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r HTTP -n BLOCK -f *=0:80:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r HTTPs -n BLOCK -f *=0:443:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r HTTPrpc -n BLOCK -f *=0:593:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r DNStcp -n BLOCK -f *=0:53:TCP
ipseccmd -x -w Reg -p FireWallPolicy -r DNSudp -n BLOCK -f *=0:53:UDP
(-x assign, -w write to registry, -p policy, -r ruleName, -f filter)
IPSec remotely (Windows 2000)
net use x: \\ \c$ /user:administrator
ipsecpol \\ -w REG -p FireWallPolicy -o
ipsecpol \\ -x -w REG -p FireWallPolicy -r AllowMe -n PASS -f
ipsecpol \\ -x -w REG -p FireWallPolicy -r BlockAll -n BLOCK -f 0+*
C:\>netstat -na
Proto  Local Address  Foreign Address  State
TCP    :              :0               LISTENING
TCP    :              :0               LISTENING
TCP    :              :0               LISTENING
TCP    :              :0               LISTENING
.....
TCP    :              :139             ESTABLISHED
....
Will this work?
ipsecpol -x -w Reg -p FireWallPolicy -r AllUDP137 -n BLOCK -f 0:137+*::UDP
ipsecpol -x -w Reg -p FireWallPolicy -r AllUDP138 -n BLOCK -f 0:138+*::UDP
ipsecpol -x -w Reg -p FireWallPolicy -r AllTCP139 -n BLOCK -f 0:139+*::TCP
ipsecpol -x -w Reg -p FireWallPolicy -r AllTCP445 -n BLOCK -f 0:445+*::TCP
ipsecpol -x -w Reg -p FireWallPolicy -r AllUDP445 -n BLOCK -f 0:445+*::UDP
ipsecpol -x -w Reg -p FireWallPolicy -r All1433 -n BLOCK -f 0:1433+*::TCP
ipsecpol -x -w Reg -p FireWallPolicy -r AllFTP -n BLOCK -f 0:21+*::TCP
/ :80= / :80:TCP  will filter all TCP traffic from the first subnet, port 80, to the second subnet, port
*.*.* is the same as /
*.* is the same as above
128.* is the same as above
*.* is the same as /
Common commands
Rem blocks everything
ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockAll" -n BLOCK -f 0+*
Rem blocks ping
ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockICMP" -n BLOCK -f 0+*::ICMP
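Added example (my own code, not from the deck): a small Python parser for the ipsecpol/ipseccmd -f filter syntax used on these slides, src[:port](=|+)dst[:port][:proto], where * is any address, 0 is this machine, port 0 is any port, = is one-way and + is mirrored, plus an audit helper that lists which local ports a BLOCK script actually covers. The sample script is constructed from the deck's own rules; the function and field names are mine.

```python
import re
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    src_addr: str    # "any" (*), "me" (0 = this machine) or A.B.C.D[/mask]
    src_port: int    # 0 = any port
    dst_addr: str
    dst_port: int
    proto: str       # "any" or the name/number after the final ':' (TCP, UDP, ICMP, ...)
    mirrored: bool   # '+' matches both directions, '=' only src -> dst

def _endpoint(spec):
    addr, _, port = spec.partition(":")
    return {"*": "any", "0": "me"}.get(addr, addr), int(port) if port else 0

def parse_filter(spec: str) -> Filter:
    """Decode one -f spec: src[:port](=|+)dst[:port][:proto]."""
    m = re.fullmatch(r"([^=+]+)([=+])([^=+]+)", spec)
    if not m:
        raise ValueError(f"unrecognised filter spec: {spec!r}")
    src, op, dst = m.groups()
    parts = dst.split(":", 2)                       # addr, port, proto
    proto = parts[2].upper() if len(parts) == 3 and parts[2] else "any"
    return Filter(*_endpoint(src), *_endpoint(":".join(parts[:2])), proto, op == "+")

def parse_script(text: str) -> list:
    """(rule name, action, Filter) for each ipsecpol/ipseccmd line that carries -f."""
    rules = []
    for tok in map(shlex.split, text.splitlines()):
        opt = {tok[i]: tok[i + 1] for i in range(1, len(tok) - 1) if tok[i] in ("-r", "-n", "-f")}
        if tok and tok[0].lower() in ("ipsecpol", "ipseccmd") and "-f" in opt:
            rules.append((opt.get("-r", ""), opt.get("-n", "").upper(), parse_filter(opt["-f"])))
    return rules

def blocked_inbound(text: str) -> set:
    """(proto, local port) pairs a BLOCK rule stops from reaching this machine.
    A mirrored filter also matches the reverse direction, so its 'me' source side counts."""
    hits = set()
    for _, action, f in parse_script(text):
        sides = [(f.dst_addr, f.dst_port)] + ([(f.src_addr, f.src_port)] if f.mirrored else [])
        hits |= {(f.proto, p) for a, p in sides if action == "BLOCK" and a == "me" and p}
    return hits

# Constructed sample: the deck's RPC rule plus the source-port form from the "Will this work?" slide
SAMPLE = """\
ipsecpol -x -w REG -p "FireWallPolicy" -r "RPC" -n BLOCK -f *=0:135:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "AllUDP137" -n BLOCK -f 0:137+*::UDP
"""
```

Run the script over a saved batch file to get a quick port-by-port picture of what a policy blocks before assigning it with -x.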
Server
ipsecpol -w REG -p "FireWallPolicy" -o
rem ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockAll" -n BLOCK -f 0+*
ipsecpol -x -w REG -p "FireWallPolicy" -r "SMTP" -n BLOCK -f *=0:25:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "FTP" -n BLOCK -f *=0:21:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Telnet" -n BLOCK -f *=0:23:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "DNS_udp" -n BLOCK -f *=0:53:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_replication_udp" -n BLOCK -f *=0:42:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_replication_tcp" -n BLOCK -f *=0:42:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "DNS_tcp" -n BLOCK -f *=0:53:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "WWW" -n BLOCK -f *=0:80:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_udp" -n BLOCK -f *=0:88:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_tcp" -n BLOCK -f *=0:88:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "RPC" -n BLOCK -f *=0:135:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Name_Service_udp" -n BLOCK -f *=0:137:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Name_Service_tcp" -n BLOCK -f *=0:137:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Datagram_Service" -n BLOCK -f *=0:138:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Session_Service" -n BLOCK -f *=0:139:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_udp" -n BLOCK -f *=0:389:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_tcp" -n BLOCK -f *=0:389:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "HTTPoverSSL" -n BLOCK -f *=0:443:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "SMB_udp" -n BLOCK -f *=0:445:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "SMB_tcp" -n BLOCK -f *=0:445:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_kpasswd_udp" -n BLOCK -f *=0:464:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_kpasswd_tcp" -n BLOCK -f *=0:464:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "IKE" -n BLOCK -f *=0:500:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "RealStream" -n BLOCK -f *=0:554:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "HTTP_RPC" -n BLOCK -f *=0:593:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_SSL" -n BLOCK -f *=0:636:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_resol_udp" -n BLOCK -f *=0:1512:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "NFS-orIIS" -n BLOCK -f *=0:1025:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "iad2" -n BLOCK -f *=0:1031:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "pptp" -n BLOCK -f *=0:1723:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "mysql" -n BLOCK -f *=0:3306:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "msdtc" -n BLOCK -f *=0:3372:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_resol_tcp" -n BLOCK -f *=0:1512:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "SQL_Server" -n BLOCK -f *=0:1433:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "AD_GLobal_Catalog" -n BLOCK -f *=0:3268:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "AD_Global_Catalog_ssl" -n BLOCK -f *=0:3269:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh" -n BLOCK -f *=0:22:TCP
ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh_udp" -n BLOCK -f *=0:22:UDP
ipsecpol -x -w REG -p "FireWallPolicy" -r "Windows_Terminal_Service" -n BLOCK -f *=0:3389:TCP
References
Good overview of IPSec setup: ns/using_ipsec.asp
List of ports: reskit/samplechapters/cnfc/cnfc_por_simw.asp
t.asp?url=/technet/ittasks/tasks/adrepfir.asp
Current scanning activity
References continued
Nmap (good for testing your configuration)
More on IPSec: IETF standard
Security sites