Recently my list of purchased software was extended with Microsoft Windows Server 2003 Web Edition, which is the low-price version of Windows Server 2003 Standard. Until SP2 was released the Web Edition could handle 2GB of memory, but with SP2 Microsoft decided that a web server might need to use 4GB of memory :) so, low price and all, they included support for 4GB... Unfortunately what they did NOT include is the Windows Firewall. I'm not really sure why Microsoft would consider that a web server needs less security - probably the low price means lower security at Microsoft :S ...

So I had to decide whether to install the free firewall from Comodo or to use IPSec. While IPSec was not designed specifically for this task, it works very well for it, and it reminds me of iptables or ipchains on Linux, where I had absolute control over how my IP traffic is filtered.

So the first step was to launch Start -> Administrative Tools -> Local Security Policy (or run secpol.msc), where we find the node "IP Security Policies on Local Computer".


My advice is to play with these settings ONLY ON THE CONSOLE, as there is a really good chance that we will face the unlikely event of locking ourselves out if we are logged in remotely through Terminal Services :) ... so, carefully :).
Now what we have to understand is that IPSec can match types of IP traffic based on protocol, traffic direction and source/destination address and port. For instance, say an administrator would like to let outsiders use the locally installed SMTP server. That means identifying the INCOMING traffic on port 25 and ALLOWING it. This is done by creating a rule that applies a Permit filter action to a filter list containing one filter: protocol TCP, source address "Any IP Address" with any port, destination address "My IP Address" with destination port 25 :) Tick "Mirrored" on that filter: IPSec filtering is stateless, so without the mirrored counterpart the server's own replies from port 25 are not matched by this filter and fall under whatever the catch-all rule says. Note also that filters are not evaluated in the order the rules were added: the most specific matching filter wins, which is why a port-specific Permit can sit next to a block-everything filter and still take effect.
Basically this is what you have to do for each type of traffic you want to allow. Here are some screenshots; check them out, and what you should really do is download my exported IPSec policies from the bottom of this article, import them on your computer and have a close look at the filters.


One last word on IPSec policies: they take effect on the machine only after you right-click the policy and choose "Assign" from the context menu (only one policy can be assigned at a time, and "Un-assign" backs it out again). They can also be created and modified from the command line using the "netsh ipsec static ..." commands.
And finally here are my IPSec policies; I hope they save you hours of googling ;) ...
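The procedure above (filter lists, filters, filter actions, rules, and finally assigning the policy) can be scripted with the "netsh ipsec static" commands mentioned here. The batch file below is an added example written for this page; it is not the author's exported policy and was not taken from the download. It builds a hypothetical "Firewall with IPSec" policy that blocks everything and then permits SMTP, HTTP and Remote Desktop inbound plus DNS and HTTP/HTTPS outbound. The policy, filter list and filter action names, and the 192.168.1.0/24 admin network, are assumptions; change them to fit your server.

```batch
@echo off
REM Added example: host filtering with IPSec via "netsh ipsec static"
REM (Windows Server 2003 / XP SP2 syntax). Run it on the console as an
REM administrator. Names and the 192.168.1.0/24 admin network are assumptions.
setlocal
set POLICY=Firewall with IPSec

REM Start clean so the script can be re-run: the policy first (that removes its
REM rules), then the filter lists and actions the rules referenced.
netsh ipsec static delete policy name="%POLICY%"
netsh ipsec static delete filterlist name="All traffic"
netsh ipsec static delete filterlist name="Inbound services"
netsh ipsec static delete filterlist name="Outbound services"
netsh ipsec static delete filteraction name="Permit"
netsh ipsec static delete filteraction name="Block"

REM 1. The policy itself, left unassigned until every rule is in place.
netsh ipsec static add policy name="%POLICY%" description="Host filtering with IPSec" activatedefaultrule=no assign=no

REM 2. Filter actions: plain permit and plain block, no IKE negotiation.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 3. Catch-all filter: every IP packet between this host and anyone.
REM    mirrored=yes makes the filter match both directions.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes description="any <-> me"

REM 4. Services we expose. A filter that names a port is more specific than the
REM    catch-all, so it wins regardless of the order the rules were added in.
REM    srcport=0 means any source port.
netsh ipsec static add filterlist name="Inbound services"
netsh ipsec static add filter filterlist="Inbound services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=25 mirrored=yes description="SMTP in"
netsh ipsec static add filter filterlist="Inbound services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP in"
REM    Remote Desktop only from the (assumed) admin LAN. Leaving this filter out
REM    is exactly how you lock yourself out of a Terminal Services session.
netsh ipsec static add filter filterlist="Inbound services" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes description="RDP from admin LAN"

REM 5. Outbound traffic the server itself needs; mirrored so the replies match.
netsh ipsec static add filterlist name="Outbound services"
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=dns protocol=udp srcport=0 dstport=53 mirrored=yes description="DNS out"
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP out (updates)"
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=443 mirrored=yes description="HTTPS out (updates)"

REM 6. Rules tie a filter list to a filter action inside the policy.
netsh ipsec static add rule name="Block everything else" policy="%POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Allow inbound services" policy="%POLICY%" filterlist="Inbound services" filteraction="Permit"
netsh ipsec static add rule name="Allow outbound services" policy="%POLICY%" filterlist="Outbound services" filteraction="Permit"

REM 7. Review what was built, then assign. Only one policy is assigned at a time.
netsh ipsec static show all
netsh ipsec static set policy name="%POLICY%" assign=yes

REM Back out from the console with:
REM   netsh ipsec static set policy name="%POLICY%" assign=no
endlocal
```

Two caveats before relying on this as a firewall. First, the filtering is stateless: there is no connection tracking, so every allowed flow needs a mirrored filter, and a blanket "permit outbound TCP port 80" also admits any inbound packet whose source port is 80. Second, ICMP is swallowed by the catch-all, so ping stops working until you add an ICMP filter, and on Windows Server 2003 IKE (UDP port 500) is exempt from IPSec filtering by default, which cannot be changed with these filters alone.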

Download: FirewallWithIPSec.zip

Update {10/25/2007}: in the Enhanced version of Web Edition there IS a firewall. I've just installed the bits received from my MS reseller, and Web Edition does have the Windows Firewall. However, I still consider IPSec better than Windows Firewall, as there is no way to filter outgoing traffic with WF.
Copyright (C) 2003, Molnar Szilveszter