Using IPSec on Windows Server 2003 to block list of IPs

I need help with a Server 2003 Standard install.
 
Regarding Firewall Setup
 
Using IPSec, I need to setup a filter, where I could enter many IP ranges to be blocked from all inbound access.
 
<< solicitation removed by Humeniuk PE >>
 
Thanks,
Greg Schipper
 
gregsschipperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KCrackCommented:
Hi Greg,

I'm new here too!  I'm not a security expert, but I may be able to offer some advice based on my own experience.  Here's the IPSec policy I use (link below).  Go all the way down to the Jacques' post (he has the green icon).  There's a clickable link "here" in the post a few lines down.  The other IPSec download in the first post is a dead link, and I didn't care it.  It's a series of .bat files that don't seem to install properly.

http://forums.servermatrix.com/viewtopic.php?t=13803

This IPSec policy is set up for hosting at The Planet (Server Matrix--the low end neighborhood of The Planet), but it's very easy to install, understand, and implement.   Just follow Jacques' instructions in the post.  Once you become familiar with it, it's very intuitive and easy to understand.  You will be able to add your own custom rules to this policy.  The policy will appear in the Local Security Policies, IPSec Rules.  As Jacques mentions, this policy will not become active, until you activate the policy by ticking the check box, so you won't have to worry about getting locked out of your server.  *Note: some hosts may charge admin time, if you get locked out by IPSec and they disable it.  For some reason, many hosts view IPSec lockouts differently than Zone Alarm lockouts.  Strange, huh?

A few notes:

These rules are set up for hosting at The Planet.  The "SM" (Server Matrix) rule contains the IPs The Planet requires for access to client servers.  You will have to change the IP ranges (and may be the subnet masks) in this rule to match your own web host's IPs.  All web hosts require unrestricted access to clients' servers through specific IP ranges.  You must contact your host to find the specific IPs they require for admin.  Keep in mind this is a known security risk, and you can expect to pick up some cracking/hacking through it, but it's required for hosting.  So you may still want to employ a lockout policy, and you will certainly want Brute Force Detection to alert you to network cracking (BDF is really just email notifications of events in Windows logging, such as failed logins or account lockouts beyond certain thresholds).  BDF software used to monitor Windows logging can also threshold by users, event IDs....

Jacques' "SciBit" rule is for unrestricted access to the server for his own company.  Rename this rule after your own company or your own name, and change his IPs to your own IPs, or you'll be locked out of your server, when you activate the policy.  You can add as many IPs or IP ranges to this rule, in case you have mulitiple ISPs you use to access your server.  Later, you'll have to add the IPs of web developers and system admins you hire.  But this is very easy.  Just add their IPs to the "SM" rule (you may want to rename this rule to the name of your own web host).

Also note he mentions you must disable the Windows Internet Connection Firewall or these rule may not work correctly.  And I haven't tried the Spirus rule, so I can't say how well it works.

I haven't thought much about blocking many IPs before, because it's not worth the effort.  But it wouldn't be too hard to block most of the world through IPSec, if that's what you really want :0   But note that, if you block IPs through IPSec, the garbage will still hit your firewall (router or software firewall) first.  I use a SnapGear SME 575 and BlackIce, and the blocked IPs show up in one firewall report or the other, depending upon where they were blocked.  So don't be alarmed, if blocked IPs show in your firewall reports.

Greg, good luck and I hope this helps,
KC

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gregsschipperAuthor Commented:
Thanks KCrack, your answer was super.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.