Part 2: Blocking Bad Hosts - Blocking Them, Easily (GUI Edition)

In part two, I want to show how you can quickly set up an ipsec policy to block the bad hosts you identified in part one. While many methods can be used to block hosts, using the Local Security Policy (secpol.msc) and ipsec is a simple method which can be fully automated.

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000).

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

  • Control Panel → Administrative Tools → Local Security Policy
  • Start → Run → secpol.msc

Step 1: Create IP Security Policy

  1. Right click “IP Security Policies on Local Computer”
  2. Select “Create IP Security Policy…”
  3. IP Security Policy Wizard
    • Welcome Screen → Next
    • IP Security Policy Name → Give a descriptive name and description → Next
    • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
    • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

  1. Double click your new policy (or, right click and select properties)
  2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
  3. Create an IP Filter List
    • On the “IP Filter List” Tab → Click “Add…”
    • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

  1. Address Tab
    • Change Source Address to → “A specific IP Address or Subnet”
    • Enter the IP Address and/or subnet in the text box (use CIDR syntax for defining subnets, e.g. 10.10.10.0/24)
    • Check “Mirrored”
  2. Protocol Tab → Ensure protocol type is set to “Any”
  3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
  4. Click “OK”
  5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

  1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
  2. On the “Security Methods” Tab → Select the “Block” radio button (all other options on this tab will become greyed out)
  3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

  1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
  2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
  3. Press “OK”
  4. On the new policy properties window, ensure the new list and action are enabled.
  5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a legitimate host or network, or it will be blocked. In fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: this is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

  1. Right click your new policy → Select “Assign” → Done (it really is that easy)
    • To un-assign, just do the same thing except select “Un-assign” instead.
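As an added example (not code from the original post, and not its promised part three), here are the same six steps expressed with the netsh ipsec static commands that ship with Windows XP/2003 and later, driven from a PowerShell script. The policy, filter list, filter action and rule names, the sample block list and the protected-network list are all constructed for this example. The script automates the double-check the post asks for: every entry must parse as a dotted-quad address or CIDR subnet, and the script stops before touching netsh if any block entry overlaps a network you have marked as protected. The assign command is left commented out so that, exactly as in the GUI, nothing is enforced until you deliberately run it.

```powershell
# Added example, not code from the original post: the six GUI steps above as
# "netsh ipsec static" commands (present on Windows XP/2003 and later), driven
# from PowerShell. Run from an elevated prompt. All names and sample addresses
# below are constructed for this example.

$PolicyName   = "Block Bad Hosts"           # assumed policy name
$FilterList   = "Bad Hosts List"            # assumed filter list name
$FilterAction = "Block Bad Hosts Action"    # assumed filter action name
$RuleName     = "Block Bad Hosts Rule"      # assumed rule name

# Constructed sample input: hosts/subnets to block, in the CIDR form Step 3 uses.
$BadHosts  = @("203.0.113.45/32", "198.51.100.0/24")
# Constructed sample input: networks that must never be blocked (local LAN, DNS server).
$Protected = @("10.10.10.0/24", "10.0.0.53/32")

function ConvertTo-Int64Address([string]$ip) {
    # Dotted-quad IPv4 only; rejects shorthand such as "10.1.5" that .NET would accept.
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not a dotted-quad IPv4 address: $ip" }
    $b = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-Range([string]$cidr) {
    # First and last address covered by "a.b.c.d" or "a.b.c.d/prefix", as Int64 values.
    $parts  = $cidr -split '/'
    $prefix = if ($parts.Length -gt 1) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length out of range in $cidr" }
    $size  = [int64][math]::Pow(2, 32 - $prefix)
    $start = [int64][math]::Floor((ConvertTo-Int64Address $parts[0]) / $size) * $size
    return @{ Address = $parts[0]; Prefix = $prefix; Start = $start; End = $start + $size - 1 }
}

function Test-Overlap($a, $b) {
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# The "double and triple check" from Step 6, automated: every block entry must
# parse, and none may touch a protected network. Stops before netsh is called.
foreach ($bad in $BadHosts) {
    $badRange = Get-Range $bad
    foreach ($keep in $Protected) {
        if (Test-Overlap $badRange (Get-Range $keep)) {
            throw "Block entry $bad overlaps protected network $keep; fix the list first."
        }
    }
}

# Step 1: the policy, with the default response rule left inactive and not assigned.
netsh ipsec static add policy name="$PolicyName" description="Hosts identified in part one" activatedefaultrule=no assign=no

# Step 2: the filter list that will hold one filter per entry.
netsh ipsec static add filterlist name="$FilterList" description="Hosts and subnets to block"

# Step 3: one mirrored, any-protocol filter per host/subnet (srcmask accepts a prefix length).
foreach ($bad in $BadHosts) {
    $r = Get-Range $bad
    netsh ipsec static add filter filterlist="$FilterList" srcaddr=$($r.Address) srcmask=$($r.Prefix) dstaddr=me protocol=ANY mirrored=yes description="Added by $env:USERNAME on $(Get-Date -Format s)"
}

# Step 4: a filter action whose only behaviour is Block.
netsh ipsec static add filteraction name="$FilterAction" action=block description="Drop all traffic to or from listed hosts"

# Step 5: the rule that ties the list to the action inside the policy.
netsh ipsec static add rule name="$RuleName" policy="$PolicyName" filterlist="$FilterList" filteraction="$FilterAction" description="Block bad-host list"

# Review what was built; nothing is enforced yet.
netsh ipsec static show policy name="$PolicyName" level=verbose

# Step 6: assign only after the review. As the post warns, there is no confirmation prompt.
# netsh ipsec static set policy name="$PolicyName" assign=yes
# To un-assign:  netsh ipsec static set policy name="$PolicyName" assign=no
```

The overlap test is deliberately conservative: any block entry that shares even one address with a protected network aborts the whole run, so an accidental /8 typed where a /32 was meant never reaches the policy. Because the filters are mirrored, a single entry blocks traffic in both directions, which matches the “Mirrored” checkbox in Step 3.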

In part 3, I will cover how to do all this directly from the command line.

1 comment

  1. What should I do if my ISP assigns a new IP to my modem every time I connect to the broadband?
    I tried subnet masks like 115.135.77.0/24 and it works fine but only as long as my IP is between 115.135.77.0 and 115.135.77.255.
    If it changes to say 115.135.88.125 I cannot get through the IPSec!

    Any ideas how to go about it?
