Windows 2000/XP Internet Protocol Security IPSec - PowerPoint PPT Presentation
Title:
Windows 2000/XP Internet Protocol Security IPSec
Description:
Windows 2000/XP Internet Protocol Security IPSec Mike Chirico M.S. souptonuts.sourceforge.net/chirico/ mchirico_at_comcast.net December 18, 2003 What would you do if you ... – PowerPoint PPT presentation
Number of Views:82
Avg rating:3.0/5.0
Title: Windows 2000/XP Internet Protocol Security IPSec
1
Windows 2000/XPInternet Protocol Security IPSec
- Mike Chirico M.S.
- souptonuts.sourceforge.net/chirico/
- mchirico_at_comcast.net
- December 18, 2003
2
What would you do if you had less than 5 minutes
to lockdown a Windows 2000/XP computer?
3
IPSec vs. TCP/IP filtering
- Target specific addresses and interfaces
- Immediate (no reboot required)
- Silently discards blocked traffic
- Multiple Policies
- Blocks ICMP echo requests ping
- Ipseccmd (Audit logging)
4
Windows 2000 and Window XPDifferent commands
- Windows 2000 uses ipsecpol
- Windows XP uses ipseccmd (also all changes are
static and supports audit logging)
5
Basic Windows 2000 ipsecpol
- ipsecpol -w REG -p FireWallPolicy -o
- ipsecpol -x -w REG -p FireWallPolicy -r RPC -n
BLOCK -f 0135TCP - ipsecpol -x -w REG -p FireWallPolicy -r RPCudp
-n BLOCK -f 0135UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
NetBIOSnameService -n BLOCK -f 0137UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
NetBIOSdatagrServe -n BLOCK -f 0138UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
NetBIOSsessionService -n BLOCK -f 0139TCP - ipsecpol -x -w Reg -p FireWallPolicy -r SMBtcp
-n BLOCK -f 0445TCP - ipsecpol -x -w Reg -p FireWallPolicy -r SMBudp
-n BLOCK -f 0445UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
SQLserver -n BLOCK -f 01433TCP - ipsecpol -x -w Reg -p FireWallPolicy -r
SQLserver -n BLOCK -f 01434TCP - ipsecpol -x -w Reg -p FireWallPolicy -r FTP -n
BLOCK -f 021TCP - ipsecpol -x -w Reg -p FireWallPolicy -r Telnet
-n BLOCK -f 023TCP - ipsecpol -x -w Reg -p FireWallPolicy -r HTTP
-n BLOCK -f 080TCP - ipsecpol -x -w Reg -p FireWallPolicy -r HTTPs
-n BLOCK -f 0443TCP - ipsecpol -x -w Reg -p FireWallPolicy -r
HTTPrpc -n BLOCK -f 0593TCP - ipsecpol -x -w Reg -p FireWallPolicy -r DNStcp
-n BLOCK -f 053TCP - ipsecpol -x -w Reg -p FireWallPolicy -r DNSudp
-n BLOCK -f 053UDP -
Download ipsecpol
(or run secpol.msc ) (-x assign, -w write to
registry, -p policy, -r ruleName, -f filter)
6
Basic Windows XPipseccmd
- ipseccmd -w REG -p FireWallPolicy -o
- ipseccmd -x -w REG -p FireWallPolicy -r RPC -n
BLOCK -f 0135TCP - ipseccmd -x -w REG -p FireWallPolicy -r RPCudp
-n BLOCK -f 0135UDP - ipseccmd -x -w Reg -p FireWallPolicy -r
NetBIOSnameService -n BLOCK -f 0137UDP - ipseccmd -x -w Reg -p FireWallPolicy -r
NetBIOSdatagrServe -n BLOCK -f 0138UDP - ipseccmd -x -w Reg -p FireWallPolicy -r
NetBIOSsessionService -n BLOCK -f 0139TCP - ipseccmd -x -w Reg -p FireWallPolicy -r SMBtcp
-n BLOCK -f 0445TCP - ipseccmd -x -w Reg -p FireWallPolicy -r SMBudp
-n BLOCK -f 0445UDP - ipseccmd -x -w Reg -p FireWallPolicy -r
SQLserver -n BLOCK -f 01433TCP - ipseccmd -x -w Reg -p FireWallPolicy -r
SQLserver -n BLOCK -f 01434TCP - ipseccmd -x -w Reg -p FireWallPolicy -r FTP -n
BLOCK -f 021TCP - ipseccmd -x -w Reg -p FireWallPolicy -r Telnet
-n BLOCK -f 023TCP - ipseccmd -x -w Reg -p FireWallPolicy -r HTTP
-n BLOCK -f 080TCP - ipseccmd -x -w Reg -p FireWallPolicy -r HTTPs
-n BLOCK -f 0443TCP - ipseccmd -x -w Reg -p FireWallPolicy -r
HTTPrpc -n BLOCK -f 0593TCP - ipseccmd -x -w Reg -p FireWallPolicy -r DNStcp
-n BLOCK -f 053TCP - ipseccmd -x -w Reg -p FireWallPolicy -r DNSudp
-n BLOCK -f 053UDP - (-x assign, -w write to registry, -p policy, -r
ruleName, -f filter)
7
IPSec remotely (Windows 2000)
- net use x \\192.168.0.70\c /useradministrator
- ipsecpol \\192.168.0.70 -w REG -p
FireWallPolicy -o - ipsecpol \\192.168.0.70 -x -w REG -p
FireWallPolicy -r AllowMe -n PASS -f
0192.168.0.71 - ipsecpol \\192.168.0.70 -x -w REG -p
FireWallPolicy -r BlockAll -n BLOCK -f 0
8
C\netstat -na
- Proto Local Address Foreign Address
State - TCP 0.0.0.080 0.0.0.00
LISTENING - TCP 0.0.0.0135 0.0.0.00
LISTENING - TCP 0.0.0.0443 0.0.0.00
LISTENING - TCP 0.0.0.0445 0.0.0.00
LISTENING - ..
- TCP 192.168.0.711644 192.168.0.70139
ESTABLISHED - .
9
Will this work?
- ipsecpol -x -w Reg -p FireWallPolicy -r
AllUDP137 -n BLOCK -f 0137UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
AllUDP138 -n BLOCK -f 0138UDP - ipsecpol -x -w Reg -p FireWallPolicy -r
AllTCP139 -n BLOCK -f 0139TCP - ipsecpol -x -w Reg -p FireWallPolicy -r
AllTCP445 -n BLOCK -f 0445TCP - ipsecpol -x -w Reg -p FireWallPolicy -r
AllUDP445 -n BLOCK -f 0445UDP - ipsecpol -x -w Reg -p FireWallPolicy -r All1433
-n BLOCK -f 01433TCP - ipsecpol -x -w Reg -p FireWallPolicy -r AllFTP
-n BLOCK -f 021TCP
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
- 172.31.0.0/255.255.0.080157.0.0.0/255.0.0.080T
CP - will filter all TCP traffic from the first
subnet, port 80 to the second subnet, port 80 - 128... is same as 128.0.0.0/255.0.0.0
- 128.. is the same as above
- 128. is the same as above
- 144.92.. is same as 144.92.0.0/255.255.0.0
15
Common commands
- Rem blocks everything
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"BlockAll" -n BLOCK -f 0 - Rem blocks ping
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"BlockICMP" -n BLOCK -f 0ICMP
16
Server
- ipsecpol -w REG -p "FireWallPolicy" -o
- rem ipsecpol -x -w REG -p "FireWallPolicy" -r
"BlockAll" -n BLOCK -f 0 - ipsecpol -x -w REG -p "FireWallPolicy" -r
"SMTP" -n BLOCK -f 025TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r "FTP"
-n BLOCK -f 021TCP - Ipsecpol -x -w REG p "FireWallPolicy" -r "
Telnet" -n BLOCK -f 023TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"DNS_udp" -n BLOCK -f 053UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"WINS_replication_udp" -n BLOCK -f 042UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"WINS_replication_tcp" -n BLOCK -f 042TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"DNS_tcp" -n BLOCK -f 053TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r "WWW"
-n BLOCK -f 080TCP
17
Server
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"Kerberos_udp" -n BLOCK -f 088UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"Kerberos_tcp" -n BLOCK -f 088TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r "RPC"
-n BLOCK -f 0135TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"NetBIOS_Name_Service_udp" -n BLOCK -f
0137UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"NetBIOS_Name_Service_tcp" -n BLOCK -f
0137TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"NetBIOS_Datagram_Service" -n BLOCK -f
0138UDP
18
Server
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"NetBIOS_Session_Service" -n BLOCK -f
0139TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"LDAP_udp" -n BLOCK -f 0389UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"LDAP_tcp" -n BLOCK -f 0389TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"HTTPoverSSL" -n BLOCK -f 0443TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"SMB_udp" -n BLOCK -f 0445UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"SMB_tcp" -n BLOCK -f 0445TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"Kerberos_kpasswd_udp" -n BLOCK -f 0464UDP
19
Server
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"Kerberos_kpasswd_tcp" -n BLOCK -f 0464TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r "IKE"
-n BLOCK -f 0500UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"RealStream" -n BLOCK -f 0554TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"HTTP_RPC" -n BLOCK -f 0593TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"LDAP_SSL" -n BLOCK -f 0636TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"WINS_resol_udp" -n BLOCK -f 01512UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"NFS-orIIS" -n BLOCK -f 01025TCP
20
Server
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"iad2" -n BLOCK -f 01031TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"pptp" -n BLOCK -f 01723TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"mysql" -n BLOCK -f 03306TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"msdtc" -n BLOCK -f 03372TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"WINS_resol_tcp" -n BLOCK -f 01512TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"SQL_Server" -n BLOCK -f 01433TCP
21
Server
- ipsecpol -x -w REG -p "FireWallPolicy" -r
"AD_GLobal_Catalog" -n BLOCK -f 03268TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"AD_Global_Catalog_ssl" -n BLOCK -f
03269TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh"
-n BLOCK -f 022TCP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"ssh_udp" -n BLOCK -f 022UDP - ipsecpol -x -w REG -p "FireWallPolicy" -r
"Windows_Terminal_Service" -n BLOCK -f
03389TCP
22
References
- Good overview IPSec setuphttp//www.microsoft.com
/serviceproviders/columns/using_ipsec.asp - List of portshttp//www.microsoft.com/windows200
0/techinfo/reskit/samplechapters/cnfc/cnfc_por_sim
w.asphttp//www.microsoft.com/technet/treeview/de
fault.asp?url/technet/ittasks/tasks/adrepfir.asp - Current scanning activityhttp//www.cert.org/curr
ent/scanning.html
23
References continued
- Nmap (good for testing your configuration)http//
www.insecure.org/nmap/nmap_download.html - More on IPSec IEFT standardhttp//rr.sans.org/win
2000/ipsec_w2k.php - Security Sites
- http//www.ntsecurity.net/
- http//project.honeynet.org
- http//www.cert.org/nav/index_main.html
- http//www.ciac.org/ciac/
Recommended
CrystalGraphics Presentations
