[unisog] IPSEC filter to protect IIS ;-)

Gary Flynn flynngn at jmu.edu
Mon Jan 19 15:36:53 GMT 2004



Steve Bernard wrote:
> This is Microsoft's recommended way of using IPSEC filters to protect IIS
> from various worms. What a great concept! ;)
> 
> "The following example blocks inbound access to TCP port 80 but still allows
> outbound TCP 80 access. This policy is sufficient to protect computers that
> run Microsoft Internet Information Services (IIS) 5.0 from the "Code Red"
> and "Nimda" worms.
> 
> ipsecpol -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f
> *=0:80:TCP -n BLOCK -x"
> 
> 
> Ref. Microsoft Knowledge Base Article - 813878
> http://support.microsoft.com/default.aspx?scid=kb;[LN];813878

I'm working on a user friendly set of scripts I call StartSafe
that includes an HTA based Windows 2000 firewall configurator.
I've got a quick and dirty version up that gives the user the
option of blocking a set of ports (http, netbios, rpc, snmp)
or not blocking them just so they can get patches downloaded.
When the StartSafe program goes live, it will include a
version that lets the user have more options. But if you want
the current version, it's under the Windows 2000 instructions
here:

http://www.jmu.edu/computing/security/info/newwin.shtml

A similar HTA based utility allows people to set up
their computer for SUS. It's a bit oriented to JMU but
if you're interested the scripts can be found off this
page:

http://www.jmu.edu/computing/security/sus.shtml

I'm learning as I go as the code shows. If you see glaring
ignorance, please let me know. :)

In StartSafe, I'll be using the same technology to perform
a whole series of automated steps like checking AV settings,
audit settings, password settings, presence of latest updates,
Office settings, etc. The idea is to make an automated
security configuration program the average, non-technical
person can use without going through the long lists of steps
currently offered. Kind of like the CIS programs but done
with scripting so it's more easily customized and updated.
I plan to have a "do-it" option and a "guided" option.
The former will make all changes without user interaction.
The latter will guide the user through each step explaining
the process and choices as they go.


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
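The quoted KB command blocks one port; the configurator described in the reply toggles a whole set (http, netbios, rpc, snmp). Below is an added example, not code from the post, the KB article or the JMU StartSafe scripts, of how the same ipsecpol filter form extends to that port set as one policy that can be assigned or unassigned (the "block" / "let patches download" toggle). It assumes ipsecpol.exe from the Windows 2000 Resource Kit is on the PATH, that re-running ipsecpol with an existing policy name adds the new rule to that policy, and that -x assigns, -y unassigns and -o deletes a policy; the filter syntax *=0:PORT:PROTO (any source address and port to this host, "=" meaning not mirrored, so outbound connections on the same port stay allowed) is the form used in the KB example. Note that assigning the policy makes IIS unreachable from the network, which is the point of the original joke: it stops Code Red and Nimda by stopping the web server too.

```batch
@echo off
rem Added example (not from the original post or the JMU scripts).
rem Usage:  ipsecblock.cmd on    - create/assign the inbound block policy
rem         ipsecblock.cmd off   - unassign it (e.g. while downloading patches)
rem         ipsecblock.cmd clean - delete the policy from the registry store
rem Assumption: ipsecpol.exe (Win2000 Resource Kit) is on the PATH.
set POLICY=StartSafe Inbound Block

if /i "%1"=="on"    goto :on
if /i "%1"=="off"   goto :off
if /i "%1"=="clean" goto :clean
echo usage: %0 on ^| off ^| clean
goto :eof

:on
rem Each rule is unmirrored ("=" in the filter spec): inbound to this host
rem on the port is blocked, outbound use of the same port is untouched.
rem Assumption: repeating -p with the same policy name adds rules to it.
rem http (IIS) - the port from the Microsoft KB example
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound TCP 80"  -f *=0:80:TCP  -n BLOCK
rem rpc endpoint mapper
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound TCP 135" -f *=0:135:TCP -n BLOCK
rem netbios name, datagram and session services
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound UDP 137" -f *=0:137:UDP -n BLOCK
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound UDP 138" -f *=0:138:UDP -n BLOCK
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound TCP 139" -f *=0:139:TCP -n BLOCK
rem snmp agent
ipsecpol -w REG -p "%POLICY%" -r "Block Inbound UDP 161" -f *=0:161:UDP -n BLOCK -x
rem -x on the last call assigns the policy so the filters take effect.
echo Policy "%POLICY%" assigned. Inbound http/rpc/netbios/snmp are now blocked.
goto :eof

:off
rem Assumption: -y unassigns the policy but leaves it in the store.
ipsecpol -w REG -p "%POLICY%" -y
echo Policy "%POLICY%" unassigned. Inbound ports are open again.
goto :eof

:clean
rem Assumption: -o deletes the named policy and its rules.
ipsecpol -w REG -p "%POLICY%" -o
echo Policy "%POLICY%" removed.
goto :eof
```

After running it, `ipsecpol -w REG -p "StartSafe Inbound Block"` style checks are less convenient than simply testing from another host that a connection to port 80 is refused while the machine can still browse out; that round trip is the check worth scripting into a "guided" mode before the change is made permanent.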



