windowsnerd.com

notes from an admin for himself. you can read it if you want.

IPsec to limit access to a computer

IPsec is overlooked far too often by Windows admins. The EASIEST way to secure a Windows server is to limit who can talk to it and on which ports. In this lesson I will show you how to secure a simple file server. Then we will move on to importing and exporting IPsec templates so you can apply the same policy to every server you run. If a virus, or an attacker holding a stolen credential, can't talk to your server, it can't compromise it.

Here is a diagram of the test network our ipsec rule will work for:

[Diagram: ipsec example network1 (the test network this IPsec policy is written for)]

The first step in writing IPsec rules is to write down a list of objectives. Later I'll give you an Excel worksheet to plan and document them.

1. We will call the file server "files".

2. Deny all traffic to files. (Every rule set has to start with deny all; then we start punching holes.)

3. Allow all traffic to Active Directory. (Please comment on the common ports.)

4. Allow traffic from FILES to DNS on port 53.

5. Allow RPC traffic from FILES to the desktops (192.168.0.10-16).

6. Allow RPC traffic to all wireless addresses on subnet 192.168.1.1.
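The same six objectives written out as a classic "netsh ipsec static" policy, added here as an example and not taken from the post (the MMC steps come in the next lesson). The domain controller and DNS addresses, the reading of objective 6 as the 192.168.1.0/24 subnet, and the choice to open only the RPC endpoint mapper port (TCP 135) are my assumptions; the desktop range 192.168.0.10-16 is the post's.

```powershell
# Added example: the "deny all, then punch holes" plan as a netsh ipsec static policy.
# Run in an elevated PowerShell session on FILES. Addresses not given in the post
# are ASSUMED placeholders; replace them with the ones from your own diagram.
$Policy     = "FilesLockdown"
$DC         = "192.168.0.2"   # assumed: Active Directory domain controller
$DNS        = "192.168.0.2"   # assumed: DNS server (often the DC itself)
$DesktopIPs = 10..16 | ForEach-Object { "192.168.0.$_" }   # objective 5, from the post

# Two filter actions: one that blocks, one that permits.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

netsh ipsec static add policy name=$Policy description="Deny all, then punch holes"

# Objective 2: block everything addressed to this machine ("me"), in both directions.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="DenyAll" policy=$Policy filterlist="AllTraffic" filteraction="Permit".Replace("Permit","Block")

# Objective 3: all traffic between FILES and Active Directory.
netsh ipsec static add filterlist name="AD"
netsh ipsec static add filter filterlist="AD" srcaddr=me dstaddr=$DC protocol=any mirrored=yes
netsh ipsec static add rule name="AllowAD" policy=$Policy filterlist="AD" filteraction="Permit"

# Objective 4: DNS on port 53 (UDP and TCP).
netsh ipsec static add filterlist name="DNS"
foreach ($proto in "udp", "tcp") {
    netsh ipsec static add filter filterlist="DNS" srcaddr=me dstaddr=$DNS protocol=$proto srcport=0 dstport=53 mirrored=yes
}
netsh ipsec static add rule name="AllowDNS" policy=$Policy filterlist="DNS" filteraction="Permit"

# Objective 5: RPC endpoint mapper (TCP 135) to each desktop 192.168.0.10-16.
# Assumption: the dynamic RPC ports are a separate decision; only 135 is opened here.
netsh ipsec static add filterlist name="RpcDesktops"
foreach ($ip in $DesktopIPs) {
    netsh ipsec static add filter filterlist="RpcDesktops" srcaddr=me dstaddr=$ip protocol=tcp srcport=0 dstport=135 mirrored=yes
}
netsh ipsec static add rule name="AllowRpcDesktops" policy=$Policy filterlist="RpcDesktops" filteraction="Permit"

# Objective 6: same for the wireless subnet, read here as 192.168.1.0/24 (assumption).
netsh ipsec static add filterlist name="RpcWireless"
netsh ipsec static add filter filterlist="RpcWireless" srcaddr=me dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=tcp srcport=0 dstport=135 mirrored=yes
netsh ipsec static add rule name="AllowRpcWireless" policy=$Policy filterlist="RpcWireless" filteraction="Permit"

# Assign the policy. The more specific permit filters match before the broad block
# filter, which is what makes "deny all, then punch holes" work.
netsh ipsec static set policy name=$Policy assign=y
```

Before assigning the policy, check the hole list against the diagram twice: once it is active, anything not listed (including the admin's own RDP session) is blocked.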

Next: starting up the MMC to edit these rules
