snowdog_2112
asked on
Use IPSec policy in GPO to block outbound SMTP from workstations
I realize a *decent* router/firewall would probably do this, but I have to work with the tools available (i.e. customer too cheap to spring for a decent router).
Problem: A single public IP NAT'd to internal network with an Exchange Server on the inside. Workstation(s) get infected and spew spam to the Internet and get the IP blacklisted, so the Exchange server can't send legitimate client mail.
Question: Is there any overwhelming reason *not* to use an IPSec policy in GPO to deny workstations from making TCP connections to destination port 25?
My thought is that even if the workstations get infected, they won't get the public IP blacklisted because they can't spam directly to the Internet. While that doesn't solve the problem of the infection, it buys me time to identify and clean the machine without having to clean them off RBL's so they can send legitimate mail.
I apply the GPO at the OU where the workstation accounts are, so it only applies to the workstations and not the server.
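The policy described in the question, built with the legacy `netsh ipsec static` CLI that edits the same "IP Security Policies" store the GPO editor exposes. This is an added example and not the asker's own configuration; the Exchange server address 192.168.1.10, the policy and filter-list names, and the domain name contoso.local are placeholders. It adds one thing the question does not mention: an explicit permit filter for the internal Exchange server, so workstations that submit mail to it on TCP/25 (POP3/IMAP clients rather than Outlook/MAPI) keep working. IPsec evaluates the most specific matching filter first, so the narrow permit wins over the catch-all block.

```powershell
# Added example (not from the original post). Run elevated. Builds a local IPsec policy
# that blocks TCP/25 from this host to anywhere except the internal Exchange server.
$PolicyName = 'Block-Outbound-SMTP'
$ExchangeIP = '192.168.1.10'      # assumed internal address of the Exchange server

# Work in the local policy store while testing on one workstation. To create the same
# objects in Active Directory for assignment through a GPO, use instead:
#   netsh ipsec static set store location=domain domain=contoso.local   (domain name assumed)
netsh ipsec static set store location=local

# 1. Catch-all filter list: any TCP connection this host initiates to destination port 25.
#    srcaddr=me/dstaddr=any, srcport=0 means any source port, mirrored=no matches only
#    the outbound direction (there is no reply to mirror once the SYN is dropped).
netsh ipsec static add filterlist name=SMTP-Internet
netsh ipsec static add filter filterlist=SMTP-Internet srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=no

# 2. More specific filter list for the internal mail server; this exemption takes precedence.
netsh ipsec static add filterlist name=SMTP-Exchange
netsh ipsec static add filter filterlist=SMTP-Exchange srcaddr=me dstaddr=$ExchangeIP protocol=TCP srcport=0 dstport=25 mirrored=yes

# 3. Plain block and permit actions, no IPsec negotiation involved.
netsh ipsec static add filteraction name=Block-Action  action=block
netsh ipsec static add filteraction name=Permit-Action action=permit

# 4. The policy and the two rules that tie filter lists to actions.
netsh ipsec static add policy name=$PolicyName
netsh ipsec static add rule name=Allow-Exchange policy=$PolicyName filterlist=SMTP-Exchange filteraction=Permit-Action
netsh ipsec static add rule name=Block-SMTP     policy=$PolicyName filterlist=SMTP-Internet filteraction=Block-Action

# 5. Assign it. A domain-store policy is assigned from the GPO editor instead, under
#    Computer Configuration > Windows Settings > Security Settings > IP Security Policies.
netsh ipsec static set policy name=$PolicyName assign=y

# Review what was created.
netsh ipsec static show policy name=$PolicyName level=verbose
```

To confirm the block from a workstation after the policy applies (and `gpupdate /force` if it came via GPO), run `Test-NetConnection -ComputerName <some external MX host> -Port 25` and check that `TcpTestSucceeded` is `False`, then repeat against the Exchange server and check it is `True`. Two caveats: the filter only covers destination port 25, so malware that relays through a webmail or a submission port (587) is not stopped, which matches the stated goal of keeping the shared public IP off RBLs rather than stopping the infection; and on Windows 8/Server 2012 and later the cleaner way to express the same rule in a GPO is a Windows Firewall outbound rule, for example `New-NetFirewallRule -DisplayName 'Block outbound SMTP' -Direction Outbound -Protocol TCP -RemotePort 25 -Action Block` with `-PolicyStore` pointing at the GPO.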
ASKER
This does actually work. With the IPSec policy in place, the workstations are unable to make 25/tcp connections.
It may not be the best or cleanest solution, but it might be helpful to someone.
Does your client only have one public IP available? If not, it might be worthwhile to give the Exchange server its own IP address on the Internet, and then you can just shut down port 25 on the NAT altogether.