Secure Windows Servers using IPSec Firewall

IPSec (Internet Protocol Security) is a cross-platform protocol for securing IP communications through authentication and encryption. IPSec operated on Layer 3 (Network Layer). Thus makes it a powerful tool for managing how traffic flows over a network.

The IPSec firewall rules are available for download Clicking Here.

IPSec was first introduced within Microsoft products in Windows 2000 and have been improved since. The main purpose for IPSec in Windows Servers 2000/2003/2008 is to secure traffic between clients and domains, domains and domains. However, another great benefit arises for IPSec is the flexibility to act as a software firewall on the Windows platform. Windows 2003 firewall is very weak and inflexible that most of the times it end up being disabled on servers. This is very dangerous for Windows web hosting servers, and more specifically for anyone running DC over the internet with no proper firewall in place.

One of the major falls of the Windows Firewall is its inability to filter out the same port more than once. Thus, if we need to block traffic to port 1433 (MSSQL Port), but allow only two specific IP addresses in two different networks to access the 1433 port, that is not possible within the 2003 version of Windows Firewall.

The second major fall is the inability to differentiate inbound/outbound traffic. For example, we’re unable to filter out connections to a specific external network address on all ports. We experience the same problem when attempting to allow incoming connections on all ports for a specific IP. This is not to mention the numerous times when the firewall caused network traffic issues especially with earlier version of Windows 2003 SP2.

Windows 2008 / 2008 R2 improves on Windows Firewall by adding Inbound and Outbound rules. Also, it now allows to allow specific subnets or IPs full access to all ports. The 2008 version of the Firewall acts almost like an IPSec based firewall. Yet, when we have a mixed environment of 2003/2008 servers, we’ll want to have firewall services running on both servers. Making IPSec becomes the only reliable option.

In this article we’ll describe how to access IPSec as well as provide sample IPSec firewall rules. IPSec can be managed through a GUI (Local Security Policies) or a cmdlet (netsh). For our purpose, the steps are identical for Windows 2000/2003/2008. The 2008 IPSec version has one little difference. You can now copy/paste the IP address into the IP field, while the 2000/2003 requires manually typing the IP address. IPSec firewall can also be setup on Windows XP Professional.

The IPSec Snap-in is available from:
Start -> (Settings) Control Panel -> Administrative Tools -> Local Security Policy

Alternative way to open Local Security Policy is through:
Start -> Run -> type: secpol.msc

This will launch the Local Security Settings/Policies Snap-in. The IPSec rules are available under the section “IP Security Policies” on the left side.

NOTE: On a Domain Controller, you want to utilize IPSec under the Domain Controller Group Policy if you wish to secure your DCs.

IPSec Console Mediumcube

You’ll notice on the right side, IPSec lists the current policies available on a system. You can only have one policy active. If you Right-Click on any of the rules at the right, you’ll notice the option to select “Assign”. Assigning a policy makes it active.

Now, we need to import our sample firewall settings. Note, we can export/import policies by Right-Clicking on the “IP Security Policies” -> All Tasks on the left side of the screen. Importing new policies with different names do not affect our current setup policies. Furthermore, anytime we experience issues with policies, you can restore the IPSec back to the default system policies.

Once we’ve downloaded the firewall rules, unzip them and place them somewhere on our computer. Then head back to the IPSec snap-in,  right click on “IP Security Policies” on the left side -> All Tasks -> Import Policies  and point to the location of the IPSec rules we’ve just unzipped.

The firewall rules are disabled by default, so we need not be concerned being locked out when they are imported. Our IPSec snap-in should look like this:

Mediumcube Hosting

We’ll notice a new rule has been added to our list named “Network Firewall”. If we click on “Network Firewall”, we’ll notice that the policy is not assigned (There are On/Off switches at top for toggling Assigned status)

Double click on the “Network Firewall” rule will bring up the Properties screen:

IPSec Firewal Properties

Notice at the top is “IP Filter List”, click on that tab to sort rules by name. The firewall logic is very simple. It begins by denying all icnoming/outgoing traffic on all ports to any connection. Then we use rules to allow specific Ports and Exemption lists access as desired. The following are brief description of how these rules function:

1-DENY UDP ALL: Denies ALL Inbound and Outbound UDP Connections

2-DENY TCP ALL: Denies ALL Inbound and Outbound TCP Connections

3-DENY BAD IP: Explicitely denies access to IPs/Subnets even to already opened ports (Overwrites the allowed ports rules)

4-EXEMPTIONS: We specify here all IPs/Subnets that we wish to give explicit access to ALL Ports regardless of which ports are blocked. (Overwrites the Deny TCP/UDP Rules)

The rest of the rules are indicative of which ports to open. If there is a check mark next to a rule, it means the rule is active and the port is enabled to everyone except those IPs in the 3-DENY BAD IP list.

If there is no check mark next to a rule, it means the port is blocked to everyone except the 4-EXEMPTIONS list.

We’ll notice some of the rules indicate Server/Client access. This is necessary since we’ve blocked both incoming/outgoing ports. Thus, if we need to connect to SSH server from our Windows machine, we need to enable SSH Client. However, if we need external clients to connect to our Windows server using SSH, we need to enable SSH Server. Basically, Client means allow Outgoing connection while Server means allow incoming connection.

We’ve by default enabled the most popular ports: HTTP/HTTPS, SMTP, POP3, MSSQL, RDP. Please review the firewall lists before deciding to enable the Network Firewall policy.

When we’re ready to activate the Network Firewall. From the IPSec snap-in, right click on the “Network Firewall” rule, and select “Assign”:

Assign Network Firewall IPSec

This will enable the firewall on the current system. If for any reason we wish to disable the firewall, right-click on the “Network Firewall” rule again, and click on “Un-Assign”.

NOTE: The Network Firewall rules are very aggressive and may not be suitable for all situation. By default, the firewall will block all incoming/outgoing traffic except to those explicitely allowed ports/IPs. This may cause some issues with FTP access and connecting to outside networks on special Ports. If we require connecting to certain outgoing ports, we must add a rule within the Network Firewall to allow such connection.

We do not provide any warranties or guarantees for the use of these firewall rules. Use at your own risk. However, we’ve been using them on our network for many years without any issues.

If you have any questions or feedback, feel free to post your comments.