Part 3: Blocking Bad Hosts - Blocking Them, Easily (CLI Edition)

In part two, I showed you how to use the Local Security Policy GUI to block the bad guys. There were a lot of pretty pictures for those who prefer the GUI. In this version, I’ll show you how to accomplish the same thing from the command line. This is my preferred method. It is much simpler to automate and explain.

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely add, edit and remove rules and filter lists in the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the command prompt. If you don’t know how, you probably shouldn’t be doing this. All commands meant to be typed are in italics.

Step 1: Create IP Security Policy

netsh ipsec static add policy name="Blocked Traffic" description="This policy blocks all traffic to hosts/nets associated with it."

Step 2: Create an IP Filter List

netsh ipsec static add filterlist name="Bad Hosts" description="This filter list contains hosts and networks known to host malware, criminal activity, etc."

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

Single IP (10.254.254.254/32)

netsh ipsec static add filter filterlist="Bad Hosts" srcaddr=10.254.254.254 dstaddr=any description="John Smith. 12/31/2015. Brute force logon attempts to: SERVER01"

Subnet (10.254.254.0/24)

netsh ipsec static add filter filterlist="Bad Hosts" srcaddr=10.254.254.0 srcmask=24 dstaddr=any description="John Smith. 12/31/2015. Brute force logon attempts to: SERVER01"

Network Range (10.254.254.2-10)

netsh ipsec static add filter filterlist="Bad Hosts" srcaddr=10.254.254.2-10.254.254.15 dstaddr=any description="John Smith. 12/31/2015. Brute force logon attempts to: SERVER01"

Step 4: Create a Filter Action

netsh ipsec static add filteraction name="Block All Traffic" description="This action blocks all traffic." action=block

Step 5: Create Policy Rule to apply Filter Action to Filter List

netsh ipsec static add rule name="Block Bad Hosts" policy="Blocked Traffic" filterlist="Bad Hosts" filteraction="Block All Traffic" activate=yes

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a legitimate host or network, because it will be blocked. In fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

Assign

netsh ipsec static set policy name="Blocked Traffic" assign=yes

Un-assign

netsh ipsec static set policy name="Blocked Traffic" assign=no
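The "tidy, fully automated package" the steps above build toward, as an added example that is not code from the original post: a PowerShell script that validates every block-list entry in the three forms from Step 3, refuses an entry that is this host's own address, runs Steps 1 through 5, and performs Step 6 only when -Assign is passed. The sample block list, the parameter names, the rule name "Block Bad Hosts" and the -DryRun switch are my own constructs; it assumes an elevated PowerShell on a system that still has the netsh ipsec static context.

```powershell
# Added example (not from the original post): runs Steps 1-5 from a block list and Step 6 only
# with -Assign; -DryRun just prints the commands. Assumes an elevated PowerShell with "netsh ipsec static".
param([string]$PolicyName = 'Blocked Traffic', [string]$ListName = 'Bad Hosts',
      [string]$ActionName = 'Block All Traffic', [switch]$Assign, [switch]$DryRun)
# Constructed sample block list, "entry|note" per line; the note becomes the filter description.
$blockList = @'
10.254.254.254|John Smith. 12/31/2015. Brute force logon attempts to: SERVER01
10.254.254.0/24|John Smith. 12/31/2015. Scans from this subnet
10.254.254.2-10.254.254.15|John Smith. 12/31/2015. Range of attacking hosts
'@
$ownAddrs = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) | ForEach-Object { "$_" }
function Test-Ip([string]$s) {   # dotted-quad IPv4 only
    $ip = $null; ($s -match '^\d{1,3}(\.\d{1,3}){3}$') -and [System.Net.IPAddress]::TryParse($s, [ref]$ip)
}
function Get-SourceArgs([string]$entry) {
    # The three entry forms from Step 3 -> srcaddr/srcmask; anything else throws.
    if ($entry -match '^([^/]+)/(\d{1,2})$') {                       # subnet a.b.c.d/len
        $ip, $len = $Matches[1], $Matches[2]
        if (-not (Test-Ip $ip) -or [int]$len -gt 32) { throw "bad subnet: $entry" }
        return @("srcaddr=$ip", "srcmask=$len")
    }
    if ($entry -match '^([^-]+)-([^-]+)$') {                         # range a.b.c.d-e.f.g.h
        $a, $b = $Matches[1], $Matches[2]
        if (-not (Test-Ip $a) -or -not (Test-Ip $b)) { throw "bad range: $entry" }
        return @("srcaddr=$entry")
    }
    if (-not (Test-Ip $entry)) { throw "bad address: $entry" }
    if ($ownAddrs -contains $entry) { throw "refusing to block this host's own address: $entry" }
    return @("srcaddr=$entry")                                       # single host
}
function Invoke-Netsh([string[]]$NetshArgs) {
    $shown = 'netsh ' + (($NetshArgs | ForEach-Object { if ($_ -match '\s') { $_ -replace '^([^=]+=)(.*)$', '$1"$2"' } else { $_ } }) -join ' ')
    if ($DryRun) { Write-Host $shown; return }
    & netsh.exe @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed (exit $LASTEXITCODE): $shown" }
}
# Validate every entry before any netsh command runs; a bad line aborts the whole script.
$entries = foreach ($line in ($blockList -split "`r?`n" | Where-Object { $_.Trim() })) {
    $entry, $note = $line -split '\|', 2
    New-Object PSObject -Property @{ Src = (Get-SourceArgs $entry.Trim()); Note = "$note".Trim() }
}
# Steps 1, 2 and 4 (names are required; Steps 5 and 6 refer to them), then Steps 3 and 5.
Invoke-Netsh @('ipsec','static','add','policy',"name=$PolicyName",'description=Blocks all traffic to the hosts/nets in its filter list.')
Invoke-Netsh @('ipsec','static','add','filterlist',"name=$ListName",'description=Hosts and networks known to host malware, criminal activity, etc.')
Invoke-Netsh @('ipsec','static','add','filteraction',"name=$ActionName",'action=block','description=This action blocks all traffic.')
foreach ($e in $entries) { Invoke-Netsh (@('ipsec','static','add','filter',"filterlist=$ListName") + $e.Src + @('dstaddr=any',"description=$($e.Note)")) }
Invoke-Netsh @('ipsec','static','add','rule','name=Block Bad Hosts',"policy=$PolicyName","filterlist=$ListName","filteraction=$ActionName",'activate=yes')
# Step 6: nothing is enforced until this runs, so review the -DryRun output first.
if ($Assign) { Invoke-Netsh @('ipsec','static','set','policy',"name=$PolicyName",'assign=yes') }
else { Write-Host "Policy '$PolicyName' created but NOT assigned; re-run with -Assign after review." }
```

Run it once with -DryRun and have a second person read the printed filters, then run it again with -Assign; the un-assign command from the step above is the way back if something legitimate does get blocked.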

2 comments

  1. Hi Andrew,

    Thank you very much for sharing.
    I’ve been searching for something like this.

    On a 2008R2 / Win7 box you need to give a name with step 1
    name=“Blocked Traffic” but I assume you knew that 😉
