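REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-DC.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a Domain Controller except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0001 April 04, 2003
REM
REM Usage: fill in the three address variables in the "Site-specific addresses"
REM block below, then run this file on the Domain Controller. The policy is
REM created with assign=no, so nothing is enforced until an administrator has
REM reviewed the result and assigns the policy.
REM
REM Section headers below are REM lines rather than ":IPSec ..." labels. cmd.exe
REM reads only the first whitespace-delimited token of a label, so the original
REM four headers all defined the same label ("IPSec"); REM avoids that and keeps
REM the goto label used for the error path unique.

setlocal

REM ---- Site-specific addresses (MUST be filled in before running) ----
REM IP address or server name of each Domain Controller this server talks to
REM (used as dstaddr of the "DC Communications" filters) and of the Monitoring
REM server (used as srcaddr of the "Monitoring" filter). The original script
REM shipped these as empty dstaddr=/srcaddr= values that had to be hand-edited
REM in the middle of the filter section; leaving any of them blank here aborts
REM before the first netsh command runs, so no half-built policy is left behind.
set "DC_ADDR1="
set "DC_ADDR2="
set "MONITORING_ADDR="
if not defined DC_ADDR1 goto :missing_address
if not defined DC_ADDR2 goto :missing_address
if not defined MONITORING_ADDR goto :missing_address

REM ---- IPSec Policy Definition ----
REM assign=no: the policy is created but not enforced until it is assigned.
netsh ipsec static add policy name="Packet Filters - DC" description="Server Hardening Policy" assign=no

REM ---- IPSec Filter List Definitions ----
REM One list per service the guide allows; "ALL Inbound Traffic" is the
REM catch-all that the final Block rule is attached to.
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="DNS Server" description="Server Hardening"
netsh ipsec static add filterlist name="LDAP Server" description="Server Hardening"
netsh ipsec static add filterlist name="GC Server" description="Server Hardening"
netsh ipsec static add filterlist name="Kerberos Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="NTP Server" description="Server Hardening"
netsh ipsec static add filterlist name="RPC Server" description="Server Hardening"
netsh ipsec static add filterlist name="Predefined RPC Range Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="DC Communications" description="Server Hardening"
netsh ipsec static add filterlist name="ICMP" description="Server Hardening"
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"

REM ---- IPSec Filter Action Definitions ----
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

REM ---- IPSec Filter Definitions ----
REM NOTE(review): netsh ipsec filters are mirrored unless mirrored=no is given,
REM so an any->me filter also matches the me->any direction. That is what makes
REM the "ALL Inbound Traffic" Block rule cover outbound traffic as well, while
REM the permit filters keep the listed services working in both directions -
REM confirm against the guide before changing any filter's direction.
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="DNS Server" srcaddr=any dstaddr=me description="DNS Server Traffic" protocol=TCP srcport=0 dstport=53
netsh ipsec static add filter filterlist="DNS Server" srcaddr=any dstaddr=me description="DNS Server Traffic" protocol=UDP srcport=0 dstport=53

REM Predefined RPC port range: the original listed 50 identical lines for
REM TCP 57901 through 57950. for /L takes (start,step,end) inclusive, so %%p
REM produces exactly that range; adjust the bounds if the guide's range changes.
for /L %%p in (57901,1,57950) do netsh ipsec static add filter filterlist="Predefined RPC Range Server" srcaddr=any dstaddr=me description="RPC Ports IN" protocol=TCP srcport=0 dstport=%%p

netsh ipsec static add filter filterlist="GC Server" srcaddr=any dstaddr=me description="GC Server Traffic" protocol=TCP srcport=0 dstport=3268
netsh ipsec static add filter filterlist="GC Server" srcaddr=any dstaddr=me description="GC Server Traffic" protocol=TCP srcport=0 dstport=3269
netsh ipsec static add filter filterlist="Kerberos Server" srcaddr=any dstaddr=me description="Kerberos Server Traffic" protocol=TCP srcport=0 dstport=88
netsh ipsec static add filter filterlist="Kerberos Server" srcaddr=any dstaddr=me description="Kerberos Server Traffic" protocol=UDP srcport=0 dstport=88
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=TCP srcport=0 dstport=389
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=UDP srcport=0 dstport=389
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=TCP srcport=0 dstport=636
netsh ipsec static add filter filterlist="LDAP Server" srcaddr=any dstaddr=me description="LDAP Server Traffic" protocol=UDP srcport=0 dstport=636
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=139
netsh ipsec static add filter filterlist="NTP Server" srcaddr=any dstaddr=me description="NTP Server Traffic" protocol=TCP srcport=0 dstport=123
netsh ipsec static add filter filterlist="NTP Server" srcaddr=any dstaddr=me description="NTP Server Traffic" protocol=UDP srcport=0 dstport=123
netsh ipsec static add filter filterlist="RPC Server" srcaddr=any dstaddr=me description="RPC Server Traffic" protocol=TCP srcport=0 dstport=135
netsh ipsec static add filter filterlist="RPC Server" srcaddr=any dstaddr=me description="RPC Server Traffic" protocol=UDP srcport=0 dstport=135

REM Terminal Server (RDP) and ICMP are permitted from any source, as in the
REM guide. If your environment has a management network, narrowing srcaddr
REM for these two filters reduces the exposed surface of the DC.
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="ICMP" srcaddr=any dstaddr=me description="ICMP Traffic" protocol=ICMP srcport=0 dstport=0

REM Catch-all filter; the Block rule below is bound to this list.
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0

REM Traffic from this server to the other Domain Controllers (addresses set at
REM the top of the file). All protocols/ports are permitted to those hosts.
netsh ipsec static add filter filterlist="DC Communications" srcaddr=me dstaddr=%DC_ADDR1% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
netsh ipsec static add filter filterlist="DC Communications" srcaddr=me dstaddr=%DC_ADDR2% description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0

REM Traffic from the Monitoring server (address set at the top of the file).
netsh ipsec static add filter filterlist="Monitoring" srcaddr=%MONITORING_ADDR% dstaddr=me description="Monitoring Traffic" protocol=any srcport=0 dstport=0

REM ---- IPSec Rule Definitions ----
REM Each rule binds one filter list to a filter action. kerberos=yes names the
REM authentication method used when a rule negotiates security; permit and
REM block actions pass or drop traffic without negotiating, so it is kept only
REM for fidelity with the original syntax. Rule names are kept exactly as the
REM original script created them (note "CIFS/SMB Server" and "RPC Server" lack
REM the " Rule" suffix the others use) so existing documentation still matches.
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - DC" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="DNS Server Rule" policy="Packet Filters - DC" filterlist="DNS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="GC Server Rule" policy="Packet Filters - DC" filterlist="GC Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Kerberos Server Rule" policy="Packet Filters - DC" filterlist="Kerberos Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="LDAP Server Rule" policy="Packet Filters - DC" filterlist="LDAP Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - DC" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NTP Server Rule" policy="Packet Filters - DC" filterlist="NTP Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="RPC Server" policy="Packet Filters - DC" filterlist="RPC Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Predefined RPC Range Server Rule" policy="Packet Filters - DC" filterlist="Predefined RPC Range Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - DC" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="DC Communications Rule" policy="Packet Filters - DC" filterlist="DC Communications" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ICMP Rule" policy="Packet Filters - DC" filterlist="ICMP" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - DC" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
REM Default-deny: everything not matched by a permit rule above is blocked.
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - DC" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block

REM Normal completion; skip the error handler below.
goto :EOF

REM ---- Error path: a required address was left blank ----
:missing_address
echo ERROR: DC_ADDR1, DC_ADDR2 and MONITORING_ADDR must all be set at the top of this file.
echo No IPSec policy, filter list, filter action, filter or rule was created.
exit /b 1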