PacketFilters File CMD


REM (c) Microsoft Corporation 1997-2003

REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-File.CMD
REM Version: 1.0

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a File Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.

REM Revision History
REM 0000 - Original February 05, 2003
REM 0000 - Original April 03, 2003

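REM ---- How this file is organised ---------------------------------------------
REM Every object is created with "netsh ipsec static add ...". cmd runs the right
REM side of "||" only when the preceding command exits non-zero, so the first
REM failing netsh command jumps to :fail and nothing further is created; the
REM output of each command is still worth reading, since the guard relies on
REM netsh's exit status. Echo is left on so the console shows the exact command
REM that produced each message.
REM The policy is created with assign=no: it has no effect until an administrator
REM assigns it deliberately, after reviewing it, as the Solution Guide describes.
setlocal

REM ---- Site-specific values ----------------------------------------------------
REM The addresses (or resolvable names) of the two Domain Controllers and of the
REM Monitoring server are not known to this file. Either define DC1_ADDR,
REM DC2_ADDR and MON_ADDR in the environment before calling it, or put the values
REM on the right-hand side of the three "set" lines below. The original file left
REM "dstaddr=" empty for these filters, which makes those three commands fail
REM while the Block rule is still created; the checks that follow refuse to run
REM at all until every value is present, so an incomplete policy is never built.
if not defined DC1_ADDR set "DC1_ADDR="
if not defined DC2_ADDR set "DC2_ADDR="
if not defined MON_ADDR set "MON_ADDR="
if not defined DC1_ADDR goto :missing_value
if not defined DC2_ADDR goto :missing_value
if not defined MON_ADDR goto :missing_value

REM ---- IPSec Policy Definition -------------------------------------------------
netsh ipsec static add policy name="Packet Filters - File" description="Server Hardening Policy" assign=no || goto :fail

REM ---- IPSec Filter List Definitions -------------------------------------------
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening" || goto :fail
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening" || goto :fail
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening" || goto :fail
netsh ipsec static add filterlist name="Domain Member" description="Server Hardening" || goto :fail
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening" || goto :fail
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening" || goto :fail

REM ---- IPSec Filter Action Definitions -----------------------------------------
REM Only two actions are used: pass the traffic through, or drop it. Neither
REM negotiates IPsec security associations.
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit || goto :fail
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block || goto :fail

REM ---- IPSec Filter Definitions ------------------------------------------------
REM Inbound services of a File Server. srcaddr=any admits these ports from every
REM address; where the environment allows it, narrowing srcaddr (especially for
REM the Terminal Server filter on 3389) to the management or client subnets
REM reduces the exposed surface without changing the rest of this policy.
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445 || goto :fail
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445 || goto :fail
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137 || goto :fail
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137 || goto :fail
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138 || goto :fail
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139 || goto :fail
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389 || goto :fail
REM Catch-all filter used by the Block rule. netsh creates filters mirrored
REM unless mirrored=no is given, so despite its name this filter also matches
REM traffic leaving the server; the more specific filters above and below take
REM precedence over it, which is what makes the permit rules work.
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0 || goto :fail

REM Traffic from this server to its Domain Controllers, all protocols and ports.
REM Because the filters are mirrored, the Domain Controllers' replies (and any
REM other traffic from those addresses) are permitted as well.
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=%DC1_ADDR% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0 || goto :fail
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=%DC2_ADDR% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0 || goto :fail

REM Traffic from this server to the Monitoring server, all protocols and ports
REM (mirrored, so traffic from the Monitoring server is permitted too).
netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr=%MON_ADDR% description="Monitoring Traffic" protocol=any srcport=0 dstport=0 || goto :fail

REM ---- IPSec Rule Definitions --------------------------------------------------
REM Each rule binds one filter list to one action inside the policy. kerberos=yes
REM names the rule's authentication method; with permit/block actions no
REM negotiation takes place, so it appears to have no effect here and is kept
REM only for consistency with the original file.
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit || goto :fail
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit || goto :fail
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit || goto :fail
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" filterlist="Domain Member" kerberos=yes filteraction=SecPermit || goto :fail
netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit || goto :fail
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block || goto :fail

echo Policy "Packet Filters - File" created and NOT assigned. Review it, then assign it deliberately.
endlocal
exit /b 0

:missing_value
echo ERROR: DC1_ADDR, DC2_ADDR and MON_ADDR must all be set before running this file. Nothing was created. >&2
endlocal
exit /b 1

:fail
REM Reached when a netsh command exits non-zero. Objects created before the
REM failure remain; they have to be removed (netsh ipsec static delete policy /
REM filterlist / filteraction, as applicable) before this file is run again,
REM otherwise the "add" commands fail on the existing names.
echo ERROR: a netsh command failed; the policy "Packet Filters - File" is incomplete. Remove the objects created so far before retrying. >&2
endlocal
exit /b 1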

