Part 2: Blocking Bad Hosts – Blocking Them, Easily (GUI Edition)

In part two, I want to show how you can quickly setup an ipsec policy to block the bad hosts you identified in part one. While many methods can be used to block hosts, using the Local Security Policy (secpol.msc) and ipsec is a simple method which can be fully automated.

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000)

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

  • Control Panel → Administrative Tools → Local Security Policy
  • Start → Run → secpol.msc

Step 1: Create IP Security Policy

  1. Right click “IP Security Policies on Local Computer”
  2. Select “Create IP Security Policy…”
  3. IP Security Policy Wizard
    • Welcome Screen → Next
    • IP Security Policy Name → Give a descriptive name and description → Next
    • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
    • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

  1. Double click your new policy (or, right click and select properties)
  2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
  3. Create an IP Filter List
    • On the “IP Filter List” Tab → Click “Add…”
    • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

  1. Address Tab
    • Change Source Address to → “A specific IP Address or Subnet”
    • Enter the IP Address and/or subnet in the text box (Use CIDR syntax for defining subnets (e.g. 10.10.10.0/24)
    • Check “Mirrored”
  2. Protocol Tab → Ensure protocol type is set to “Any”
  3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
  4. Click “OK”
  5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

  1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
  2. On the “Security Methods” Tab → Select the “Block” radio button (All other options on this tab will become greyed out)
  3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

  1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
  2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
  3. Press “OK”
  4. On the new policy properties window, ensure the new list and action are enabled.
  5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

  1. Right click your new policy → Select “Assign” → Done (It really is that easy)
    • To un-assign, just do the same thing except select “Un-assign” instead.

In part 3, I will cover how to do all this directly from the command line.

1 comment

  1. What should I do if my ISP assigns a new IP to my modem every time I connect to the broadband?
    I tried subnet masks like 115.135.77.0/24 and it works fine but only as long as my IP is between 115.135.77.0 and 115.135.77.255,
    If it changes to say 115.135.88.125 I cannot get through the IPSec!

    Any ideas how to go about it?

Comments are closed.