Creating an IPsec Policy to Restrict Ports

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Internet Protocol security (IPsec) is designed to protect data as it travels between two computers, authenticating the peers and protecting the traffic from modification and from being read. To use IPsec, you must define how computers that attempt to connect will trust each other and how the computers will secure their traffic. To implement these specifications, create and apply an IPsec policy. IPsec policies also support policy-based packet filtering rules, which can be used on their own, as in this example, or together with IPsec authentication and encryption to provide robust end-to-end security. This filtering is stateless: each filter is matched against individual packets, not connections, so a filter that permits requests to a server port must also match the server's replies in the reverse direction. The Mirrored option in the IP Filter Wizard, which is selected by default, does exactly that.

Example: Creating an IPsec Policy

This section provides step-by-step instructions for creating an example IPsec policy that allows inbound requests to connect only to ports 80 and 443. Port 80 is the default port for HTTP requests, and port 443 is the default port for HTTPS requests. The policy blocks requests for all other ports on the server.

In contrast with typical firewall or packet filtering rules, there is no way to order the list of rules in an IPsec policy. The rule engine matches traffic with rules according to specificity. If a packet matches more than one rule, the engine applies the rule with the most specific filter (a specific address is more specific than Any, a specific protocol more specific than Any, a specific port more specific than any port). In the following example, packets that match the filter list that allows connections to port 80 also match the filter list that blocks all incoming traffic. Because the former list is more specific, the rule engine uses that list to make its decision. Therefore, traffic that connects to port 80 or port 443 is passed to the server, while everything else is blocked. You need to create multiple filter lists to make the policy effective. Keep in mind that a block filter for any protocol and any port is the least specific filter possible, and with the default Mirrored setting it also matches every packet that leaves the server. The server therefore cannot initiate its own connections (for example, DNS lookups or domain authentication) unless you add more specific permit rules for that traffic as well.

There are several steps to creating an IPsec policy:

  1. Create IPsec filter lists. Filter lists include ports, protocols, and directions and trigger a decision when traffic matches an item in the list. This example requires you to create three filter lists. The first two filter lists apply to inbound traffic that attempts to connect to port 80 or 443, and the third filter list applies to all ports.

  2. Set filter actions. Filter actions are the required response when traffic matches a filter list. This example uses only permit and block actions for its IIS IPsec policy.

  3. Create the IPsec policy. The IPsec policy is a collection of rules, which are the correlation of a filter list with a filter action. You can have only one active, or assigned, policy at any particular time.

The following steps are for creating IPsec policies using the Local Security Settings snap-in in Windows Server 2003. You can also create IPsec policies using the Netsh commands for IPsec. For more information about Netsh commands for IPsec, see IPsec.

To create IPsec filter lists, begin by opening the local security settings on the server.

To create the IPsec filter lists

  1. From the Start menu, point to All Programs, point to Administrative Tools, and then select Local Security Policy.

  2. In the Local Security Settings dialog box, click IP Security Policies on Local Computer. The right pane displays the default Windows Server 2003 policies.

  3. Right-click the right pane, and then click Manage IP filter lists and filter actions.

  4. In the Manage IP filter lists and filter actions dialog box, on the Manage IP Filter Lists tab, click Add.

  5. In the IP Filter List dialog box, in the Name box, type a name for your filter list, such as Inbound HTTP, and type a description if you want one. This is the filter list that applies to all inbound HTTP connections.

  6. Click Add. The IP Filter Wizard appears. Create a filter list with the following specifications:

    • Description: Optional.

    • Source address: Any IP Address.

    • Destination address: My IP Address. Or click A specific IP address, and then type the IP address of the interface that is connected to the Internet.

    • Protocol type: TCP.

    • Protocol Port: From any port.

    • To this port: 80.

  7. In the Completing the IP Filter Wizard screen, clear the Edit properties check box, and then click Finish.

  8. In the IP Filter List dialog box, click OK.

  9. Repeat steps 4 through 8, this time to create a filter list that applies to destination port 443 for HTTPS connections. Name the filter list Inbound HTTPS, or something similar.

  10. Repeat steps 4 through 8, this time to create a filter list that applies to all destination ports. Set Protocol type to Any rather than TCP so that UDP and other IP protocols are covered, not only other TCP ports. This filter list is used by the rule that blocks all inbound traffic. Name the filter list All Inbound, or something similar.

After you create the IPsec filter lists, you must create the filter actions that will occur when incoming traffic matches the criteria in your filter lists. For this example, two actions are necessary. The first is a permit action for allowing requests to connect to ports 80 and 443. The action to permit traffic is an existing default, so you do not need to create it. You must create the second action, which is to block traffic to all other ports.

To set the filter actions

  1. After you create the filter lists, in the Local Security Settings dialog box, right-click the right pane, and then click Manage IP filter lists and filter actions.

  2. In the Manage IP filter lists and filter actions dialog box, click the Manage Filter Actions tab, and then click Add. The Filter Action Wizard appears.

  3. Create a filter action with the following specifications:

    • Name: Block

    • Description: Optional

    • Filter Action General Options: Block

  4. In the Completing the IP Security Filter Action Wizard screen, clear the Edit properties check box, and then click Finish.

  5. In the Manage IP filter lists and filter actions dialog box, click Close.

After you create the IPsec filter lists and filter actions, you must create the IPsec policies and define the rules that link the lists to the actions.

To create the IPsec policies

  1. After you set the filter actions, in the Local Security Settings dialog box, right-click the right pane, and then select Create IP Security Policy. The IP Security Policy Wizard appears.

  2. Create a policy with the following specifications:

    • Name: Packet Filter

    • Description: Optional

  3. In the Requests for Secure Communication screen, clear the Activate the default response rule check box, and then click Next.

  4. In the Completing the IP Security Policy Wizard screen, make sure that the Edit properties check box is selected, and then click Finish. The New IP Security Policy Properties dialog box appears. Do not close this dialog box.

After you create the IPsec filter lists, filter actions, and IPsec policies, you must add rules to the policy and associate the IPsec filter lists that you created with the rules.

To add rules to the policy

  1. After you create the IPsec policies, in the New IP Security Policy Properties dialog box, click Add. The Security Rule Wizard appears.

  2. Create a rule with the following specifications:

    • Tunnel endpoint: This rule does not specify a tunnel.

    • Network type: All network connections.

    • IP filter lists: All Inbound (or the name of your filter list that applies to inbound traffic on any port).

    • Filter Action: Block.

  3. In the Completing the Security Rule Wizard screen, clear the Edit properties check box, and then click Finish.

  4. Repeat steps 1 through 3 twice, once for the Inbound HTTP filter list and once for the Inbound HTTPS filter list. For these two rules, choose the default Permit filter action.

  5. In the New IP Security Policy Properties dialog box, click Close.

After you create the IPsec filter lists, filter actions, and policies and add rules to the policy and associate the IPsec filter lists with rules, you must assign the IPsec policy to the server. Only one policy can be assigned at any time. If the server is a domain member and an IPsec policy is assigned through Group Policy, that domain policy takes precedence and the locally assigned policy is not applied.

To assign the IPsec policy

  • In the Local Security Settings dialog box, right-click the policy you created, and click Assign.

The policy is applied immediately, and IPsec starts processing packets according to the rules in the policy. You do not need to reboot the server. Because the policy blocks every inbound port other than 80 and 443, it also blocks remote administration traffic such as Remote Desktop (TCP port 3389), so assign it from the server console or add a permit rule for your management host first. To stop the policy, right-click the policy in the Local Security Settings dialog box, and click Un-assign.
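The same policy can be built with the Netsh commands for IPsec mentioned above. The following batch file is an added example, not part of the original article, that creates the three filter lists, the Block action, the Packet Filter policy and its rules, and then assigns the policy. Filter list, action and policy names are the ones used in the steps above; the "Permit Web" action, the "Admin RDP" filter list and the management host address 192.0.2.10 are assumptions made for this example.

```batch
@echo off
REM Added example: the port-restricting policy from the article, built with
REM "netsh ipsec static" instead of the Local Security Settings snap-in.
REM Run from cmd.exe on the server console, not over a remote session.
setlocal

REM 1. Filter lists. srcport/dstport 0 means any port. mirrored=yes also matches
REM    the reverse packet (server port 80 -> client), which is what lets the
REM    server's replies out, because IPsec filtering is stateless.
netsh ipsec static add filterlist name="Inbound HTTP" description="TCP 80 to this host"
netsh ipsec static add filter filterlist="Inbound HTTP" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes

netsh ipsec static add filterlist name="Inbound HTTPS" description="TCP 443 to this host"
netsh ipsec static add filter filterlist="Inbound HTTPS" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

REM protocol=ANY so UDP and other IP protocols are blocked too, not only other TCP ports.
netsh ipsec static add filterlist name="All Inbound" description="Everything else to this host"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=any dstaddr=me protocol=ANY srcport=0 dstport=0 mirrored=yes

REM 2. Filter actions. A default "Permit" action already exists; a separate
REM    "Permit Web" action (assumed name) is created so the script does not
REM    depend on the default actions being present.
netsh ipsec static add filteraction name="Permit Web" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 3. The policy, with the default response rule off and not yet assigned.
netsh ipsec static add policy name="Packet Filter" description="Allow TCP 80/443 in, block the rest" activatedefaultrule=no assign=no

REM 4. Rules. Their order does not matter: the most specific filter wins, so the
REM    port 80/443 permits override the any-protocol/any-port block.
netsh ipsec static add rule name="Block everything else" policy="Packet Filter" filterlist="All Inbound" filteraction="Block" conntype=all
netsh ipsec static add rule name="Allow HTTP" policy="Packet Filter" filterlist="Inbound HTTP" filteraction="Permit Web" conntype=all
netsh ipsec static add rule name="Allow HTTPS" policy="Packet Filter" filterlist="Inbound HTTPS" filteraction="Permit Web" conntype=all

REM Optional: keep a management path open from one admin host (address is a
REM constructed example). Without a rule like this, Remote Desktop on TCP 3389
REM is blocked along with everything else. A specific source address makes this
REM filter more specific than "All Inbound", so it wins for that host.
netsh ipsec static add filterlist name="Admin RDP" description="RDP from the admin host"
netsh ipsec static add filter filterlist="Admin RDP" srcaddr=192.0.2.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add rule name="Allow RDP from admin host" policy="Packet Filter" filterlist="Admin RDP" filteraction="Permit Web" conntype=all

REM 5. Review the result, then assign. Assignment takes effect immediately.
netsh ipsec static show policy name="Packet Filter" level=verbose
netsh ipsec static set policy name="Packet Filter" assign=yes

REM To back out:  netsh ipsec static set policy name="Packet Filter" assign=no
REM To remove:    netsh ipsec static delete policy name="Packet Filter"
endlocal
```

After assigning, confirm from a second machine that TCP 80 and 443 still answer and that another port (for example 445) no longer does, and check the active filters with netsh ipsec dynamic show all or the IP Security Monitor snap-in. If the server must reach other hosts on its own (DNS, a domain controller, updates), add further filter lists and permit rules for that traffic; the mirrored "All Inbound" block otherwise stops it.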