

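REM (c) Microsoft Corporation 1997-2003

REM Packet Filters for Server Hardening
REM
REM Name: PacketFilters-SMTPBastionHost.CMD
REM Version: 1.0

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to an SMTP Bastion Host except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM
REM How the policy fits together:
REM   - One policy ("Packet Filters SMTP Bastion Host") holds three rules.
REM   - Each rule binds one filter list to one filter action (SecPermit or Block).
REM   - The "ALL Inbound Traffic" list matches every protocol and port. It is the
REM     default-deny; the narrower SMTP and DNS filters are weighted above it and
REM     so are evaluated first.
REM   - netsh filters are mirrored by default, so "ALL Inbound Traffic" also
REM     matches traffic leaving this host. The DNS Client list is the only
REM     outbound exception this file opens.
REM   - Lines beginning with ':' are CMD labels used only as section headers.
REM
REM Before running:
REM   - Fill in dstaddr= on both DNS Client filters (see NOTE below). Left blank,
REM     those two netsh lines fail, the DNS Client list stays empty and outbound
REM     DNS remains blocked by the default-deny rule.
REM   - The policy is created with assign=no and has no effect until assigned.
REM     Review it first, then assign it with:
REM       netsh ipsec static set policy name="Packet Filters SMTP Bastion Host" assign=yes
REM   - CMD does not stop when a netsh command fails; check the output of every
REM     line before assigning the policy.

REM Revision History
REM 0000 - Original March 21, 2003
REM 0001 - Original April 16, 2003

:IPSec Policy Definition
REM The policy name is referenced by every rule in the Rule Definitions section
REM below; it must match exactly in all four places.
netsh ipsec static add policy name="Packet Filters SMTP Bastion Host" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions
netsh ipsec static add filterlist name="SMTP Server" description="Server Hardening"
netsh ipsec static add filterlist name="DNS Client" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"

:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions
REM Inbound SMTP from any source to this host (srcport=0 means any source port).
netsh ipsec static add filter filterlist="SMTP Server" srcaddr=any dstaddr=me description="SMTP Traffic" protocol=TCP srcport=0 dstport=25
REM Catch-all: every protocol and port, any source, to this host. Bound to the
REM Block action below, this is the default-deny that makes the host a bastion.
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0

REM NOTE: IP Address of a DNS server or servers must be specified for each of the DNS Client Filters defined below:
REM (add one TCP and one UDP filter per DNS server; do not use dstaddr=any, since
REM that would permit outbound port 53 to every host rather than to your resolvers)
netsh ipsec static add filter filterlist="DNS Client" srcaddr=me dstaddr= description="DNS Client Traffic TCP" protocol=TCP srcport=0 dstport=53
netsh ipsec static add filter filterlist="DNS Client" srcaddr=me dstaddr= description="DNS Client Traffic UDP" protocol=UDP srcport=0 dstport=53

:IPSec Rule Definitions
netsh ipsec static add rule name="DNS Client Rule" policy="Packet Filters SMTP Bastion Host" filterlist="DNS Client" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="SMTP Server Rule" policy="Packet Filters SMTP Bastion Host" filterlist="SMTP Server" kerberos=yes filteraction=SecPermit
REM policy= is required here exactly as on the two rules above. If this rule is
REM rejected the Block action is never bound, and the assigned policy is
REM permit-only: SMTP and DNS are allowed and nothing else is denied (fail-open).
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters SMTP Bastion Host" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block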

