Hello All,

I've searched high and wide, and can't get this to work. I want to enable
within IPSEC on Windows 2003 Server to block all ports by default unless
specified (e.g. port 80, 443, 1723, 3389, etc). Once I enable a filter action
of block all within IPSEC, it disables everything, except ICMP traffic. Any
ideas?

If I look at IPSEC Monitor, I noticed that under Quick Mode->Generic
Filters->Block is the default; not sure why though.

Source - ANY
Destination - My IP
Protocol - ANY
IP Filter - All
Filter Actions - Block

IPSEC Rules
- RDP - Allow
- ICMP - Allow
- All - Block
- Dynamic - Default Response (Preshared Key)

Thanks,
-Ben

Re: IPSEC on Win2k3 - block all default/except for a few ports by Steven

Steven
Tue May 03 11:52:46 CDT 2005

Your best bet is to start off with a rule with a mirrored filter for all IP
traffic with a block filter action. Then create another rule with the
exceptions for permit. Make sure you are selecting the right protocol for
the exceptions which would be tcp for what you have listed below. The link
below may help as it is a primer on building ipsec filtering policy. The
free Windows 2003 Server Security Guide also has examples on ipsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559 -- works the same for Windows
2003
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx


Re: IPSEC on Win2k3 - block all default/except for a few ports by Ben

Ben
Tue May 03 21:46:52 CDT 2005

Hello Steven,

THANK YOU. You have no idea how much time I've spent on this. The trick was
to start with a block all filter rule, and then add exemptions. Why isn't
this stated everywhere!!! I've set up dozens of firewalls and have never run
into this. Damn Microsoft. I did go through everything you suggested, but in
the end your tip was on the money. Bottom line, Microsoft needs to spend more
time on UI and implementation development on IPSEC.

FYI: the URL for securityfocus you gave is 404. I found the correct
articles. I read part 1, 2, and 3 of the IPSEC intro. Way too basic for me.
Here they are for your future reference.

SecurityFocus IPSEC URLs for overall explanation
http://www.securityfocus.com/infocus/1519
http://www.securityfocus.com/infocus/1526
http://www.securityfocus.com/infocus/1528

Microsoft URL was better with real world examples... but in the end I looked
through some of the code samples, and decided to try your tip before I
attempt their IIS IPSEC sample.

Thanks again,
-Ben

P.S. If you have an Amazon wish list, let me know....

Re: IPSEC on Win2k3 - block all default/except for a few ports by Steven

Steven
Wed May 04 12:58:49 CDT 2005

OK. Glad you got it to work. Yes ipsec policies are a bit different to
configure. One thing that throws a lot of people off is that the order of
the rules makes no difference. They are weighted with "specific" rules
overriding "general" rules. Thanks for the links. -- Steve


Re: IPSEC on Win2k3 - block all default/except for a few ports by BenSerebin

BenSerebin
Thu May 05 09:26:05 CDT 2005

Hello Steven,

Just want to clarify this for others... THE ORDER OF THE IPSEC RULES MAKES A
BIG DIFFERENCE. The way you stated it, makes it seem otherwise.

Thanks again,
-Ben

Re: IPSEC on Win2k3 - block all default/except for a few ports by Steven

Steven
Thu May 05 13:09:01 CDT 2005

I have never found that to be the case with numerous ipsec policies I have
configured. The article below explains ipsec weighting. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx

Calculating IPsec Filter Weights

The IPsec filter list is ordered based on a weight value calculated by the
IPsec Policy Agent component, with the highest weight value first. When
processing an incoming or outgoing packet, the IPsec Driver component
searches the IPsec filter list to find a filter that matches the values of
the addresses, ports, and IP Protocol field in the packet. The first IPsec
filter that matches the packet has the action (permit, block, secure) of the
matching IPsec filter applied.
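The following is an added example, not code from the thread or from Microsoft. It models in Python the behaviour Steve describes in his first answer (a general block-all rule plus narrower permit exceptions pinned to the right protocol) and in the Cable Guy excerpt above (the filter list is sorted by a specificity weight, highest first, and the first match wins, so creation order is irrelevant). The point values in `weight()` are an assumption chosen for the model, not the real Policy Agent formula; the rule names, addresses and packets are constructed from Ben's posted configuration.

```python
"""Weighted IPsec filter matching, modelled in Python (added example).

Assumed scoring: a specific address outweighs a specific protocol, which
outweighs a specific port. Any scheme ranking "more fields pinned down"
above "fewer" reproduces the behaviour described in the thread.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard: the filter does not constrain this field


@dataclass(frozen=True)
class Packet:
    protocol: str             # "tcp", "udp" or "icmp"
    dst_port: Optional[int]   # None for protocols without ports (icmp)
    src_addr: str
    dst_addr: str


@dataclass(frozen=True)
class Filter:
    name: str
    action: str               # "permit", "block" or "secure"
    protocol: Optional[str]   # ANY or a protocol name
    dst_port: Optional[int]   # ANY or a port (only meaningful with tcp/udp)
    src_addr: Optional[str]   # ANY or an address ("me" = this host)
    dst_addr: Optional[str]

    def weight(self) -> int:
        w = 0
        if self.src_addr is not ANY:
            w += 8
        if self.dst_addr is not ANY:
            w += 8
        if self.protocol is not ANY:
            w += 2
        if self.dst_port is not ANY:
            w += 1
        return w

    def matches(self, p: Packet) -> bool:
        return all([
            self.protocol is ANY or self.protocol == p.protocol,
            self.dst_port is ANY or self.dst_port == p.dst_port,
            self.src_addr is ANY or self.src_addr == p.src_addr,
            self.dst_addr is ANY or self.dst_addr == p.dst_addr,
        ])


def order_by_weight(filters: List[Filter]) -> List[Filter]:
    """Highest weight first; the order the rules were created in is ignored."""
    return sorted(filters, key=lambda f: f.weight(), reverse=True)


def decide(filters: List[Filter], p: Packet) -> str:
    """First matching filter in weighted order wins.

    Assumption: traffic matching no filter lies outside the policy and passes
    unchanged, hence the "permit" fallback and the need for a block-all rule.
    """
    for f in order_by_weight(filters):
        if f.matches(p):
            return f.action
    return "permit"


# Ben's working policy from the thread: general block-all plus exceptions.
BEN_RULES = [
    Filter("All",  "block",  ANY,    ANY,  ANY, "me"),
    Filter("RDP",  "permit", "tcp",  3389, ANY, "me"),
    Filter("ICMP", "permit", "icmp", ANY,  ANY, "me"),
]

# Constructed sample traffic arriving at the server.
RDP_TCP   = Packet("tcp",  3389, "192.0.2.10", "me")
HTTP_TCP  = Packet("tcp",  80,   "192.0.2.10", "me")
PING_ICMP = Packet("icmp", None, "192.0.2.10", "me")


def order_is_irrelevant(filters: List[Filter], packets: List[Packet],
                        trials: int = 20) -> bool:
    """Shuffle the rule list repeatedly; the verdicts must never change."""
    expected = [decide(filters, p) for p in packets]
    rng = random.Random(1)
    for _ in range(trials):
        shuffled = list(filters)
        rng.shuffle(shuffled)
        if [decide(shuffled, p) for p in packets] != expected:
            return False
    return True


def wrong_protocol_exception() -> str:
    """Steve's caveat: an exception written for UDP does not rescue TCP RDP."""
    rules = [
        Filter("All", "block",  ANY,   ANY,  ANY, "me"),
        Filter("RDP", "permit", "udp", 3389, ANY, "me"),  # should have been tcp
    ]
    return decide(rules, RDP_TCP)


if __name__ == "__main__":
    for f in order_by_weight(BEN_RULES):
        print(f"weight {f.weight():2d}  {f.name:<5} -> {f.action}")
    for p in (RDP_TCP, HTTP_TCP, PING_ICMP):
        print(p.protocol, p.dst_port, "->", decide(BEN_RULES, p))
    print("order irrelevant:", order_is_irrelevant(BEN_RULES, [RDP_TCP, HTTP_TCP, PING_ICMP]))
    print("udp-defined RDP exception, tcp rdp packet:", wrong_protocol_exception())
```

Run as-is, the model sorts Ben's three rules as RDP (11), ICMP (10), All (8): RDP and ping reach their permit exceptions, HTTP falls through to the block-all rule, and shuffling the rules never changes a verdict. The last line shows the failure mode Steve warns about: an exception created with the wrong protocol never matches, so the general block rule still wins for that traffic.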

