Using IPSec to Lock Down TCP Port 25


Only certain systems in an environment listen and respond to requests on TCP port 25. In a Microsoft environment, only servers running Internet Information Services (IIS), domain controllers, and Exchange servers typically use TCP port 25. When you block listening on TCP port 25 on all other systems, you increase the security of your environment by removing one attack vector that malicious code can use.

This section provides a generic set of procedures for setting up Internet Protocol security (IPSec) to block TCP port 25. IPSec is a set of technologies included in the Windows Server operating system that allows administrators to perform specific actions, such as authenticating, blocking, or encrypting traffic, based on filters (for example, "all traffic on TCP port 25").

The procedures are based on the architecture defined in the Windows Server 2003 Security Guide and the Exchange Server 2003 Security Hardening Guide. They also assume that all workstations are in a central organizational unit (named Workstations) within a domain. If your architecture is not configured according to the recommended deployments in the Windows Server 2003 Security Guide and the Exchange Server 2003 Security Hardening Guide, use this procedure as a foundation for testing and building your own IPSec policies. In either case, complete testing is recommended before you deploy the IPSec policies.

It is important to recognize the potential impact that deploying the policy may have in your organization. Implemented as described, the policy blocks all SMTP traffic to and from all the computers in the Workstations organizational unit. If your organization uses IMAP or POP for e-mail, these clients will not work. Additionally, any other applications that rely on SMTP, such as line-of-business tools and automated mailers, may also fail.

Note

IPSec policies through Group Policy are inheritable, but they do not merge. Where more than one IPSec Group Policy is applied, the last Group Policy applied to a computer takes effect.

For detailed steps explaining how to use IPSec to block SMTP traffic on TCP port 25, see How to Create a Block TCP 25 IPSec Policy.
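As an added example that is not part of the original guide, the same block rule built as a local IPSec policy with the netsh ipsec static context available on Windows XP and Windows Server 2003, useful for testing on a single workstation before the Group Policy deployment; the policy, filter list, and action names are assumed, not the guide's.

```powershell
# Added example: build and assign a LOCAL IPSec policy that blocks TCP 25
# in both directions (mirrored=yes), matching the Group Policy behaviour
# described in the guide. Run it on a test workstation only; never assign
# it to Exchange, IIS, or domain controllers, which legitimately use SMTP.
# The names below are assumptions, not the guide's own.
$Policy = "BlockTCP25"
$List   = "SMTP"
$Action = "Block"

# Filter list: any TCP packet to or from this host with destination port 25
# (srcport=0 means any source port).
netsh ipsec static add filterlist name=$List description=TCP25
netsh ipsec static add filter filterlist=$List srcaddr=Me dstaddr=Any `
    protocol=TCP srcport=0 dstport=25 mirrored=yes description=BlockSMTP

# Filter action: a plain block, no IKE negotiation involved.
netsh ipsec static add filteraction name=$Action action=block

# Policy plus the rule that ties the filter list to the block action.
netsh ipsec static add policy name=$Policy description=LockDownTCP25
netsh ipsec static add rule name=BlockSMTP policy=$Policy `
    filterlist=$List filteraction=$Action

# Assign the policy locally. IPSec policies do not merge: if a domain GPO
# assigns a policy to this computer, that one takes effect instead.
netsh ipsec static set policy name=$Policy assign=y

# Verify the local policy and check whether a GPO-assigned policy would win.
netsh ipsec static show policy name=$Policy
netsh ipsec static show gpoassignedpolicy

# Roll back after testing (uncomment to use):
# netsh ipsec static set policy name=$Policy assign=n
# netsh ipsec static delete policy name=$Policy
```

After assignment, an SMTP client on the test workstation should fail to connect to any host on TCP 25, and nothing should be able to reach the workstation's own port 25.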

Resources

Although the procedures provided in How to Create a Block TCP 25 IPSec Policy will accomplish the basic lockdown of TCP port 25 using IPSec, it is recommended that you become familiar with IPSec and the other services it can provide, such as authentication and encryption. The following documents are introductory in scope: