

REM (c) Microsoft Corporation 1997-2003

REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-DC.CMD
REM Version: 1.0

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a Domain Controller except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.

REM Revision History
REM 0000 - Original, February 05, 2003
REM 0001 - Revision, April 04, 2003

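REM ---------------------------------------------------------------------------
REM Site-specific addresses - fill these in before running this file.
REM   DC_ADDR_1  IP address or DNS name of a domain controller this DC must
REM              reach (replication partner).  Required.
REM   DC_ADDR_2  A second domain controller.  Optional; leave empty if there
REM              is none, and copy the "DC Communications" filter line for any
REM              further partners.
REM   MON_ADDR   IP address or DNS name of the monitoring server.  Required.
REM
REM Filters added with "netsh ipsec static add filter" are mirrored by default
REM (mirrored=yes), so the "ALL Inbound Traffic" block filter at the end of this
REM file also blocks traffic that this DC originates.  The "DC Communications"
REM and "Monitoring" filters are what keep the DC's own traffic to its partners
REM and to its monitoring server working once the policy is assigned.
REM ---------------------------------------------------------------------------
setlocal
set DC_ADDR_1=
set DC_ADDR_2=
set MON_ADDR=

REM Stop before anything is created if a required address is still empty.
REM Without this check the "add filter" lines carrying an empty address fail,
REM the remaining lines still run, and the policy is created without the
REM permits for DC-to-DC and monitoring traffic.
if "%DC_ADDR_1%"=="" goto :MissingAddress
if "%MON_ADDR%"=="" goto :MissingAddress

:IPSec Policy Definition
REM assign=no: the policy is created but not activated.  Assign it as a
REM separate step, after the filters below have been checked for this server.
netsh ipsec static add policy name="Packet Filters - DC" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions
REM One filter list per service.  Filters are attached to the lists further
REM down, and each list is bound to a rule at the end of the file.
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="DNS Server" description="Server Hardening"
netsh ipsec static add filterlist name="LDAP Server" description="Server Hardening"
netsh ipsec static add filterlist name="GC Server" description="Server Hardening"
netsh ipsec static add filterlist name="Kerberos Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="NTP Server" description="Server Hardening"
netsh ipsec static add filterlist name="RPC Server" description="Server Hardening"
netsh ipsec static add filterlist name="Static AD Replication Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="DC Communications" description="Server Hardening"
netsh ipsec static add filterlist name="ICMP" description="Server Hardening"
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"

:IPSec Filter Action Definitions
REM Only pass-through actions are used: this policy permits or blocks traffic,
REM it does not negotiate security (no encryption or authentication of packets).
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions
REM Inbound permits (srcaddr=any -> dstaddr=me).  srcport=0 means any source
REM port.  Because the filters are mirrored, the reply direction is covered too.
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="DNS Server" srcaddr=any dstaddr=me description="DNS Server Traffic" protocol=TCP srcport=0 dstport=53
netsh ipsec static add filter filterlist="DNS Server" srcaddr=any dstaddr=me description="DNS Server Traffic" protocol=UDP srcport=0 dstport=53
REM Static AD replication port.  dstport must match the fixed RPC port that the
REM directory service on this DC has been configured to listen on (see the
REM guide); 57952 is the guide's chosen value, not a well-known port.  Only
REM TCP 135 (endpoint mapper) and this fixed port are opened for RPC, so
REM dynamically assigned RPC ports remain blocked.
netsh ipsec static add filter filterlist="Static AD Replication Server" srcaddr=any dstaddr=me description="RPC Ports IN" protocol=TCP srcport=0 dstport=57952
netsh ipsec static add filter filterlist="GC Server" srcaddr=any dstaddr=me description="GC Server Traffic" protocol=TCP srcport=0 dstport=3268
netsh ipsec static add filter filterlist="GC Server" srcaddr=any dstaddr=me description="GC Server Traffic" protocol=TCP srcport=0 dstport=3269
netsh ipsec static add filter filterlist="Kerberos Server" srcaddr=any dstaddr=me description="Kerberos Server Traffic" protocol=TCP srcport=0 dstport=88
netsh ipsec static add filter filterlist="Kerberos Server" srcaddr=any dstaddr=me description="Kerberos Server Traffic" protocol=UDP srcport=0 dstport=88
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=TCP srcport=0 dstport=389
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=UDP srcport=0 dstport=389
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=TCP srcport=0 dstport=636
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=UDP srcport=0 dstport=636
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=139
netsh ipsec static add filter filterlist="NTP Server" srcaddr=any dstaddr=me description="NTP Server Traffic" protocol=TCP srcport=0 dstport=123
netsh ipsec static add filter filterlist="NTP Server" srcaddr=any dstaddr=me description="NTP Server Traffic" protocol=UDP srcport=0 dstport=123
netsh ipsec static add filter filterlist="RPC Server" srcaddr=any dstaddr=me description="RPC Server Traffic" protocol=TCP srcport=0 dstport=135
netsh ipsec static add filter filterlist="RPC Server" srcaddr=any dstaddr=me description="RPC Server Traffic" protocol=UDP srcport=0 dstport=135
REM Terminal Server (RDP) is accepted from any source address.  Narrow srcaddr
REM to the management hosts or subnet if the environment allows it.
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
REM All ICMP is permitted; this filter makes no distinction of ICMP type or code.
netsh ipsec static add filter filterlist="ICMP" srcaddr=any dstaddr=me description="ICMP Traffic" protocol=ICMP srcport=0 dstport=0
REM Catch-all used by the Block rule.  Mirrored, so it covers both directions.
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0

REM Outbound permits from this DC to each replication partner (any protocol and
REM port).  The addresses come from the DC_ADDR_n variables set at the top.
netsh ipsec static add filter filterlist="DC Communications" srcaddr=me dstaddr=%DC_ADDR_1% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
if not "%DC_ADDR_2%"=="" netsh ipsec static add filter filterlist="DC Communications" srcaddr=me dstaddr=%DC_ADDR_2% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0

REM Inbound permit from the monitoring server (any protocol and port).  The
REM address comes from the MON_ADDR variable set at the top.
netsh ipsec static add filter filterlist="Monitoring" srcaddr=%MON_ADDR% dstaddr=me description="Monitoring Traffic" protocol=any srcport=0 dstport=0

:IPSec Rule Definitions
REM kerberos=yes selects the rule's authentication method; it is not used when
REM the filter action is permit or block, and is kept for consistency with the
REM guide.  IPsec applies the most specific matching filter, so the narrow
REM permit filters above take precedence over the broad Block rule below.
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - DC" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="DNS Server Rule" policy="Packet Filters - DC" filterlist="DNS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="GC Server Rule" policy="Packet Filters - DC" filterlist="GC Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Kerberos Server Rule" policy="Packet Filters - DC" filterlist="Kerberos Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="LDAP Server Rule" policy="Packet Filters - DC" filterlist="LDAP Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - DC" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NTP Server Rule" policy="Packet Filters - DC" filterlist="NTP Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="RPC Server" policy="Packet Filters - DC" filterlist="RPC Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Static AD Replication Server Rule" policy="Packet Filters - DC" filterlist="Static AD Replication Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - DC" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="DC Communications Rule" policy="Packet Filters - DC" filterlist="DC Communications" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ICMP Rule" policy="Packet Filters - DC" filterlist="ICMP" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - DC" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
REM Default-deny: everything not matched by a permit filter above is blocked.
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - DC" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
goto :EOF

:MissingAddress
echo ERROR: DC_ADDR_1 and MON_ADDR must be set at the top of this file before it is run. Nothing was created.
exit /b 1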

