Windows 2000/XP Internet Protocol Security IPSec - PowerPoint PPT Presentation

About This Presentation
Title:

Windows 2000/XP Internet Protocol Security IPSec

Description:

Windows 2000/XP Internet Protocol Security IPSec Mike Chirico M.S. souptonuts.sourceforge.net/chirico/ mchirico_at_comcast.net December 18, 2003 What would you do if you ... – PowerPoint PPT presentation

Number of Views:84
Avg rating:3.0/5.0
Slides: 24
Provided by: MikeCh
Category:

less

Transcript and Presenter's Notes

Title: Windows 2000/XP Internet Protocol Security IPSec


1
Windows 2000/XPInternet Protocol Security IPSec
  • Mike Chirico M.S.
  • souptonuts.sourceforge.net/chirico/
  • mchirico_at_comcast.net
  • December 18, 2003

2
What would you do if you had less than 5 minutes
to lockdown a Windows 2000/XP computer?
3
IPSec vs. TCP/IP filtering
  • Target specific addresses and interfaces
  • Immediate (no reboot required)
  • Silently discards blocked traffic
  • Multiple Policies
  • Blocks ICMP echo requests ping
  • Ipseccmd (Audit logging)

4
Windows 2000 and Window XPDifferent commands
  • Windows 2000 uses ipsecpol
  • Windows XP uses ipseccmd (also all changes are
    static and supports audit logging)

5
Basic Windows 2000 ipsecpol
  • ipsecpol -w REG -p FireWallPolicy -o
  • ipsecpol -x -w REG -p FireWallPolicy -r RPC -n
    BLOCK -f 0135TCP
  • ipsecpol -x -w REG -p FireWallPolicy -r RPCudp
    -n BLOCK -f 0135UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    NetBIOSnameService -n BLOCK -f 0137UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    NetBIOSdatagrServe -n BLOCK -f 0138UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    NetBIOSsessionService -n BLOCK -f 0139TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r SMBtcp
    -n BLOCK -f 0445TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r SMBudp
    -n BLOCK -f 0445UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    SQLserver -n BLOCK -f 01433TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    SQLserver -n BLOCK -f 01434TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r FTP -n
    BLOCK -f 021TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r Telnet
    -n BLOCK -f 023TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r HTTP
    -n BLOCK -f 080TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r HTTPs
    -n BLOCK -f 0443TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    HTTPrpc -n BLOCK -f 0593TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r DNStcp
    -n BLOCK -f 053TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r DNSudp
    -n BLOCK -f 053UDP

  • Download ipsecpol
    (or run secpol.msc ) (-x assign, -w write to
    registry, -p policy, -r ruleName, -f filter)

6
Basic Windows XPipseccmd
  • ipseccmd -w REG -p FireWallPolicy -o
  • ipseccmd -x -w REG -p FireWallPolicy -r RPC -n
    BLOCK -f 0135TCP
  • ipseccmd -x -w REG -p FireWallPolicy -r RPCudp
    -n BLOCK -f 0135UDP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    NetBIOSnameService -n BLOCK -f 0137UDP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    NetBIOSdatagrServe -n BLOCK -f 0138UDP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    NetBIOSsessionService -n BLOCK -f 0139TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r SMBtcp
    -n BLOCK -f 0445TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r SMBudp
    -n BLOCK -f 0445UDP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    SQLserver -n BLOCK -f 01433TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    SQLserver -n BLOCK -f 01434TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r FTP -n
    BLOCK -f 021TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r Telnet
    -n BLOCK -f 023TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r HTTP
    -n BLOCK -f 080TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r HTTPs
    -n BLOCK -f 0443TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r
    HTTPrpc -n BLOCK -f 0593TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r DNStcp
    -n BLOCK -f 053TCP
  • ipseccmd -x -w Reg -p FireWallPolicy -r DNSudp
    -n BLOCK -f 053UDP
  • (-x assign, -w write to registry, -p policy, -r
    ruleName, -f filter)

7
IPSec remotely (Windows 2000)
  • net use x \\192.168.0.70\c /useradministrator
  • ipsecpol \\192.168.0.70 -w REG -p
    FireWallPolicy -o
  • ipsecpol \\192.168.0.70 -x -w REG -p
    FireWallPolicy -r AllowMe -n PASS -f
    0192.168.0.71
  • ipsecpol \\192.168.0.70 -x -w REG -p
    FireWallPolicy -r BlockAll -n BLOCK -f 0

8
C\netstat -na
  • Proto Local Address Foreign Address
    State
  • TCP 0.0.0.080 0.0.0.00
    LISTENING
  • TCP 0.0.0.0135 0.0.0.00
    LISTENING
  • TCP 0.0.0.0443 0.0.0.00
    LISTENING
  • TCP 0.0.0.0445 0.0.0.00
    LISTENING
  • ..
  • TCP 192.168.0.711644 192.168.0.70139
    ESTABLISHED
  • .

9
Will this work?
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    AllUDP137 -n BLOCK -f 0137UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    AllUDP138 -n BLOCK -f 0138UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    AllTCP139 -n BLOCK -f 0139TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    AllTCP445 -n BLOCK -f 0445TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r
    AllUDP445 -n BLOCK -f 0445UDP
  • ipsecpol -x -w Reg -p FireWallPolicy -r All1433
    -n BLOCK -f 01433TCP
  • ipsecpol -x -w Reg -p FireWallPolicy -r AllFTP
    -n BLOCK -f 021TCP

10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
  • 172.31.0.0/255.255.0.080157.0.0.0/255.0.0.080T
    CP
  • will filter all TCP traffic from the first
    subnet, port 80 to the second subnet, port 80
  • 128... is same as 128.0.0.0/255.0.0.0
  • 128.. is the same as above
  • 128. is the same as above
  • 144.92.. is same as 144.92.0.0/255.255.0.0

15
Common commands
  • Rem blocks everything
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "BlockAll" -n BLOCK -f 0
  • Rem blocks ping
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "BlockICMP" -n BLOCK -f 0ICMP

16
Server
  • ipsecpol -w REG -p "FireWallPolicy" -o
  • rem ipsecpol -x -w REG -p "FireWallPolicy" -r
    "BlockAll" -n BLOCK -f 0
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "SMTP" -n BLOCK -f 025TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r "FTP"
    -n BLOCK -f 021TCP
  • Ipsecpol -x -w REG p "FireWallPolicy" -r "
    Telnet" -n BLOCK -f 023TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "DNS_udp" -n BLOCK -f 053UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "WINS_replication_udp" -n BLOCK -f 042UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "WINS_replication_tcp" -n BLOCK -f 042TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "DNS_tcp" -n BLOCK -f 053TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r "WWW"
    -n BLOCK -f 080TCP

17
Server
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "Kerberos_udp" -n BLOCK -f 088UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "Kerberos_tcp" -n BLOCK -f 088TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r "RPC"
    -n BLOCK -f 0135TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "NetBIOS_Name_Service_udp" -n BLOCK -f
    0137UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "NetBIOS_Name_Service_tcp" -n BLOCK -f
    0137TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "NetBIOS_Datagram_Service" -n BLOCK -f
    0138UDP

18
Server
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "NetBIOS_Session_Service" -n BLOCK -f
    0139TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "LDAP_udp" -n BLOCK -f 0389UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "LDAP_tcp" -n BLOCK -f 0389TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "HTTPoverSSL" -n BLOCK -f 0443TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "SMB_udp" -n BLOCK -f 0445UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "SMB_tcp" -n BLOCK -f 0445TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "Kerberos_kpasswd_udp" -n BLOCK -f 0464UDP

19
Server
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "Kerberos_kpasswd_tcp" -n BLOCK -f 0464TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r "IKE"
    -n BLOCK -f 0500UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "RealStream" -n BLOCK -f 0554TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "HTTP_RPC" -n BLOCK -f 0593TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "LDAP_SSL" -n BLOCK -f 0636TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "WINS_resol_udp" -n BLOCK -f 01512UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "NFS-orIIS" -n BLOCK -f 01025TCP

20
Server
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "iad2" -n BLOCK -f 01031TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "pptp" -n BLOCK -f 01723TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "mysql" -n BLOCK -f 03306TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "msdtc" -n BLOCK -f 03372TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "WINS_resol_tcp" -n BLOCK -f 01512TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "SQL_Server" -n BLOCK -f 01433TCP

21
Server
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "AD_GLobal_Catalog" -n BLOCK -f 03268TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "AD_Global_Catalog_ssl" -n BLOCK -f
    03269TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh"
    -n BLOCK -f 022TCP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "ssh_udp" -n BLOCK -f 022UDP
  • ipsecpol -x -w REG -p "FireWallPolicy" -r
    "Windows_Terminal_Service" -n BLOCK -f
    03389TCP

22
References
  • Good overview IPSec setuphttp//www.microsoft.com
    /serviceproviders/columns/using_ipsec.asp
  • List of portshttp//www.microsoft.com/windows200
    0/techinfo/reskit/samplechapters/cnfc/cnfc_por_sim
    w.asphttp//www.microsoft.com/technet/treeview/de
    fault.asp?url/technet/ittasks/tasks/adrepfir.asp
  • Current scanning activityhttp//www.cert.org/curr
    ent/scanning.html

23
References continued
  • Nmap (good for testing your configuration)http//
    www.insecure.org/nmap/nmap_download.html
  • More on IPSec IEFT standardhttp//rr.sans.org/win
    2000/ipsec_w2k.php
  • Security Sites
  • http//www.ntsecurity.net/
  • http//project.honeynet.org
  • http//www.cert.org/nav/index_main.html
  • http//www.ciac.org/ciac/
Write a Comment
User Comments (0)
About PowerShow.com