Part 3: Blocking Bad Hosts - Blocking Them, Easily (CLI Edition)

In part two, I showed you how to use the Local Security Policy GUI to block the bad guys. There were a lot of pretty pictures for those who prefer the GUI. In this version, I'll show you how to accomplish the same thing from the command line. This is my preferred method. It is much simpler to automate and explain.

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

Part 2: Blocking Bad Hosts - Blocking Them, Easily (GUI Edition)

In part two, I want to show how you can quickly set up an IPsec policy to block the bad hosts you identified in part one. While many methods can be used to block hosts, using the Local Security Policy (secpol.msc) and IPsec is a simple method which can be fully automated.

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000).

Part 1: Blocking Bad Hosts - Finding Them, Easily

Download Script: get-bad-hosts.zip

While troubleshooting some issues on an OWA Front-End server, I went over to the security log to see if the authentication attempts were getting past this box. The problem I found was the log was so full of failed logon attempts that it was difficult to filter out what I was looking for. In a twelve hour period, there were thousands of 529 events in the security log. Now, I know this is nothing new, but I found a few patterns. I manually exported the log to a CSV, parsed out all the source IP addresses and opened it up in Excel. What I found was that 98.7% of failed logon attempts were made by just four different IP addresses. (I recommend using MaxMind's GeoIP Address Locator for help in determining where the source addresses are located.)