2003-12-28, 11:37 PM | #1
Honorary Member
How to use Windows' built-in IPsec and firewall features: more capable than the TCP/IP Filtering in the network connection settings
summary: Installing Windows 2000/XP IPsec Firewall Filters
last updated: Thursday, January 22, 2003
prepared by: rev, jtk
test hardware: Gateway E3200, Gateway MD-200STM
test OS: XP professional version 2002, Windows 2000

--------
Overview
--------

Operating systems, and in particular recent versions of Microsoft operating systems, have been compromised due to vulnerabilities in remotely accessible services that are enabled by the default install. Many operating systems today come with host-based firewalls that can be used to help limit accessibility of services from untrusted or unwanted remote systems.

In recent versions of Microsoft operating systems, including Windows 2000 and Windows XP, an implementation of the IP Security Protocol (IPsec) is bundled with the system. IPsec is used to provide authentication and privacy of IP datagrams between communicating hosts through the use of payload encryption and digital signatures. Microsoft's IPsec implementation includes rudimentary packet-level filtering capabilities that can be used to provide some minimal host-based firewall protection. While not as flexible as other available firewall toolkits, Microsoft's IPsec toolkit does provide enough functionality that it can significantly increase the security of a host by prohibiting potentially dangerous services from being accessible to untrusted or unwanted remote hosts.

This document details a practical implementation for a set of IPsec filters appropriate for an internal DePaul Windows client.

------------
Requirements
------------

Windows XP systems require the IPSECCMD.EXE command line utility. This can be installed from a Windows XP installation CD. Run SETUP.EXE from the SUPPORT\TOOLS directory to install.

Windows 2000 systems must install the IPSECPOL.EXE command line utility. This tool may be downloaded from Microsoft's web site:
<http://www.microsoft.com/windows2000...ipsecpol-o.asp>

Local copies of these tools are located on the NTG R&D software page:
<http://ntg.depaul.edu/rd/software/>

The IPSECCMD.EXE or IPSECPOL.EXE utilities must be run from their installation directory or located in the system path. We recommend placing the appropriate utility in the WINNT\SYSTEM32 directory.

The IPsec policy service must be running on the system. Administrator privileges will be required to install IPsec policies.

-------------
Configuration
-------------

The XP and 2000 utilities, while different, use the same syntax. The XP tool IPSECCMD.EXE is used in the examples below. All commands in these examples start with the following syntax:

    ipseccmd -w REG -p "DPU Local Filter"

Be sure to replace <command> below with the syntax above.

1. Clear existing IPsec policies:
    <command> -o

2. Block TCP port 20 (FTP-DATA):
    <command> -r "Block TCP/20" -f *+0:20:TCP -n BLOCK

3. Block TCP port 21 (FTP):
    <command> -r "Block TCP/21" -f *+0:21:TCP -n BLOCK

4. Block TCP port 25 (SMTP):
    <command> -r "Block TCP/25" -f *+0:25:TCP -n BLOCK

5. Block TCP port 80 (HTTP):
    <command> -r "Block TCP/80" -f *+0:80:TCP -n BLOCK

6. Limit TCP port 135 (EPMAP):
    <command> -r "Limit TCP/135" -f 140.192.0.0/255.255.0.0+0:135:TCP -n PASS
    <command> -r "Block TCP/135" -f *+0:135:TCP -n BLOCK

7. Limit TCP port 137 (NETBIOS-NS):
    <command> -r "Limit TCP/137" -f 140.192.0.0/255.255.0.0+0:137:TCP -n PASS
    <command> -r "Block TCP/137" -f *+0:137:TCP -n BLOCK

8. Limit TCP port 138 (NETBIOS-DGM):
    <command> -r "Limit TCP/138" -f 140.192.0.0/255.255.0.0+0:138:TCP -n PASS
    <command> -r "Block TCP/138" -f *+0:138:TCP -n BLOCK

9. Limit TCP port 139 (NETBIOS-SSN):
    <command> -r "Limit TCP/139" -f 140.192.0.0/255.255.0.0+0:139:TCP -n PASS
    <command> -r "Block TCP/139" -f *+0:139:TCP -n BLOCK

10. Limit TCP port 427 (SVRLOC):
    <command> -r "Limit TCP/427" -f 140.192.0.0/255.255.0.0+0:427:TCP -n PASS
    <command> -r "Block TCP/427" -f *+0:427:TCP -n BLOCK

11. Block TCP port 443 (HTTPS):
    <command> -r "Block TCP/443" -f *+0:443:TCP -n BLOCK

12. Limit TCP port 445 (MICROSOFT-DS):
    <command> -r "Limit TCP/445" -f 140.192.0.0/255.255.0.0+0:445:TCP -n PASS
    <command> -r "Block TCP/445" -f *+0:445:TCP -n BLOCK

13. Limit UDP port 68 (BOOTPC):
    <command> -r "Limit UDP/68" -f 140.192.0.0/255.255.0.0+0:68:UDP -n PASS
    <command> -r "Block UDP/68" -f *+0:68:UDP -n BLOCK

14. Block UDP port 69 (TFTP):
    <command> -r "Block UDP/69" -f *+0:69:UDP -n BLOCK

15. Block UDP port 111 (RPC):
    <command> -r "Block UDP/111" -f *+0:111:UDP -n BLOCK

16. Limit UDP port 135 (EPMAP):
    <command> -r "Limit UDP/135" -f 140.192.0.0/255.255.0.0+0:135:UDP -n PASS
    <command> -r "Block UDP/135" -f *+0:135:UDP -n BLOCK

17. Limit UDP port 137 (NETBIOS-NS):
    <command> -r "Limit UDP/137" -f 140.192.0.0/255.255.0.0+0:137:UDP -n PASS
    <command> -r "Block UDP/137" -f *+0:137:UDP -n BLOCK

18. Limit UDP port 138 (NETBIOS-DGM):
    <command> -r "Limit UDP/138" -f 140.192.0.0/255.255.0.0+0:138:UDP -n PASS
    <command> -r "Block UDP/138" -f *+0:138:UDP -n BLOCK

19. Limit UDP port 139 (NETBIOS-SSN):
    <command> -r "Limit UDP/139" -f 140.192.0.0/255.255.0.0+0:139:UDP -n PASS
    <command> -r "Block UDP/139" -f *+0:139:UDP -n BLOCK

20. Block UDP port 161 (SNMP):
    <command> -r "Block UDP/161" -f *+0:161:UDP -n BLOCK

21. Limit UDP port 427 (SVRLOC):
    <command> -r "Limit UDP/427" -f 140.192.0.0/255.255.0.0+0:427:UDP -n PASS
    <command> -r "Block UDP/427" -f *+0:427:UDP -n BLOCK

22. Limit UDP port 445 (MICROSOFT-DS):
    <command> -r "Limit UDP/445" -f 140.192.0.0/255.255.0.0+0:445:UDP -n PASS
    <command> -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

23. Apply the new IPsec policy:
    <command> -x

---------------
Troubleshooting
---------------

There is limited ability to troubleshoot IPsec policies within Windows 2000 and XP. IPsec filters do not log blocked or passed packets, so it is difficult to determine exactly what the IPsec filter rules are doing. We recommend exhausting all other areas of troubleshooting before changing the IPsec filters, but as a last resort, IPsec filters can be temporarily disabled by running the following command:

    ipseccmd -w REG -p "DPU Local Filter" -o

NOTE: you will need to reapply the entire configuration over again if you disable IPsec filters this way.

The IPsec rules should be flexible enough that they will work for most typical user configurations. However, in some instances, it may be required to have some services remotely accessible that are blocked by the filters above. In the majority of cases, it is recommended that standard filters remain intact, and alternative, more secure means of communication be used. Many of the filter rules above are there to protect against very common problems with Windows vulnerabilities, and disabling any of them may put a system at greater risk.

-----
Notes
-----

The filter rules above are designed for locally connected DePaul University client Windows hosts. If for example the host being protected is a laptop, BOOTP/DHCP (UDP port 68) may need to be open to other networks (probably by not even configuring the BOOTPC rule at all). Hosts used primarily as servers or those requiring access to services blocked or limited above may need significantly different IPsec rules than those presented here.

IPsec policies can be centrally managed if Windows hosts are part of a Windows Domain. Managing IPsec policies is beyond the scope of this document. For further details on managing IPsec policies in this way, see the following Microsoft page:
<http://www.microsoft.com/technet/pro...c_tcp_vouk.asp>

Windows IPsec policies do not have a user-defined ordering for the filter rules. Instead, filters are evaluated from the most specific to the least specific rule. So for example, if two rules both block TCP port 80, but one specifies a source subnet and the other does not, the more specific filter with the source subnet specified will be evaluated first. This allows you to build filter rules that allow a select group of trusted hosts, but block all other IP sources, as shown in the rules above.

A packet is not explicitly denied should it pass all the filter rules. A default deny can be achieved by using a rule such as the following:

    ipseccmd -w REG -p "policy-name" -r "deny all" -f 0+* -n BLOCK

There are some types of packets that the IPsec filters will not act upon. A Windows registry key defines additional types of traffic that may or may not be filtered by default. The registry key is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

The possible values for this key are:

    0 - Exempt Kerberos, RSVP and multicast/broadcast packets
    1 - Exempt multicast/broadcast (not Kerberos or RSVP)
    2 - Exempt Kerberos and RSVP (not multicast/broadcast) - XP/.NET server only
    3 - No exemptions (only XP/.NET server)

Default values for Windows systems are:

    0 - Windows 2000 (Service Pack 3 and earlier)
    0 - Windows XP (and Service Pack 1)
    1 - Windows 2000 (Service Pack 4)
    1 - Windows XP (Service Pack 2)
    3 - .NET Server

Values greater than 1 on Windows 2000 will be ignored and a value of 1 will be used. In addition to the packet types above, Windows IPsec filters also cannot act on IPsec packets nor IPv6 packets.

It should be noted from the configuration section above that there is a trade-off of security for usability with regards to local DePaul University hosts. This stance does not prevent one internal DePaul host from gaining access through a vulnerable service on another DePaul host. While this risk exists, it is a necessary trade-off in order to allow many users the ability to use the popular Microsoft networking protocols within the campus environment. This stance requires continued activity in maintaining up-to-date end systems by applying patches regularly. The default configuration shown above is meant to limit a great deal of the external threat, but not entirely eliminate it. Further enhancements from Microsoft are desired, as are increasingly better management and support practices from DePaul staff.

In Windows XP, the Internet Connection Firewall (ICF) toolkit is a very good defense mechanism. See the R&D team's technote on the Internet Connection Firewall (ICF) configuration for Windows XP (tn-winxp-icf.txt) for further information. Note that in some cases, the ICF toolkit cannot be used due to design limitations.

----------
References
----------

Microsoft IPSECCMD tool
http://www.microsoft.com/technet/pro...cs/ipsecmd.asp

Windows ipsecpol.exe: Internet Protocol Security Policies Tool
http://www.microsoft.com/windows2000...ipsecpol-o.asp

RFC 2401 Security Architecture for the Internet Protocol
http://www.ietf.org/rfc/rfc2401.txt

-------
Changes
-------

2003-01-06,jtk: re-done from rev's original document
2003-01-07,jtk: minor edits
2003-01-10,jtk: IPsec limitations, registry setting, management, minor edits
2003-01-22,jtk: minor edits
2003-01-31,jtk: typo

To install the ipseccmd.exe command, run setup.exe from the SUPPORT\TOOLS directory on the XP installation disc; for Win2k you have to download it from the MS website: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp. The article above explains the commands and usage after running ipseccmd.exe; it feels about the same as the IPsec settings in the graphical interface, doesn't it?
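The following is an added example, not part of the DePaul technote or the forum post: a small Python model of the Configuration section's filter set and of the Notes section's two points, that filters are evaluated most-specific-first and that a packet matching no filter is passed unless a "deny all" rule is present. The specificity key (source prefix length, then port, then protocol) is a simplifying assumption adequate for these rules, and every packet is treated as inbound to the protected host.

```python
import ipaddress

# Trusted subnet from the technote; the page's '*' source is src=None here.
CAMPUS = ipaddress.ip_network("140.192.0.0/16")

def rule(name, src, port, proto, action):
    """src: None (any) or an ip_network; port/proto: None means any."""
    return {"name": name, "src": src, "port": port, "proto": proto, "action": action}

# Port lists taken from steps 2-22 of the Configuration section.
BLOCK_TCP = [20, 21, 25, 80, 443]
LIMIT_TCP = [135, 137, 138, 139, 427, 445]
BLOCK_UDP = [69, 111, 161]
LIMIT_UDP = [68, 135, 137, 138, 139, 427, 445]

def dpu_rules():
    """Build the page's filter set: plain BLOCKs, plus PASS-from-campus / BLOCK-from-all pairs."""
    rules = []
    for proto, blocked, limited in (("TCP", BLOCK_TCP, LIMIT_TCP), ("UDP", BLOCK_UDP, LIMIT_UDP)):
        for p in blocked:
            rules.append(rule(f"Block {proto}/{p}", None, p, proto, "BLOCK"))
        for p in limited:
            rules.append(rule(f"Limit {proto}/{p}", CAMPUS, p, proto, "PASS"))
            rules.append(rule(f"Block {proto}/{p}", None, p, proto, "BLOCK"))
    return rules

# The optional default deny from the Notes section (-f 0+* -n BLOCK).
DENY_ALL = rule("deny all", None, None, None, "BLOCK")

def specificity(r):
    """Sort key (assumption, simplified model of Windows' most-specific-first order):
    longer source prefix wins, then a named port, then a named protocol."""
    return ((r["src"].prefixlen if r["src"] is not None else -1),
            r["port"] is not None, r["proto"] is not None)

def matches(r, src_ip, port, proto):
    return ((r["src"] is None or src_ip in r["src"])
            and (r["port"] is None or r["port"] == port)
            and (r["proto"] is None or r["proto"] == proto))

def evaluate(rules, src, port, proto):
    """Decide an inbound packet: (action, rule name). No match means PASS,
    because Windows IPsec filters do not deny implicitly."""
    src_ip = ipaddress.ip_address(src)
    for r in sorted(rules, key=specificity, reverse=True):
        if matches(r, src_ip, port, proto):
            return r["action"], r["name"]
    return "PASS", None

if __name__ == "__main__":
    for pkt in (("140.192.1.5", 445, "TCP"), ("203.0.113.9", 445, "TCP"), ("203.0.113.9", 8080, "TCP")):
        print(pkt, evaluate(dpu_rules(), *pkt), evaluate(dpu_rules() + [DENY_ALL], *pkt))
```

The third sample packet shows the gap the Notes section warns about: port 8080 from an outside address is passed by the page's rules and blocked only once the "deny all" rule is added.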