REM (c) Microsoft Corporation 1997-2003 REM Packet Filters for Server Hardening REM REM Name: PacketFilter-IIS.CMD REM Version: 1.0 REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy REM that blocks all network traffic to an IIS Server except for what is REM explicitly allowed as described in the Windows 2003 Server Solution Guide. REM Please read the entire guide before using this CMD file. REM Revision History REM 0000 - Original February 05, 2003 REM 0001 April 06, 2003 :IPSec Policy Definition netsh ipsec static add policy name="Packet Filters - IIS" description="Server Hardening Policy" assign=no :IPSec Filter List Definitions netsh ipsec static add filterlist name="HTTP Server" description="Server Hardening" netsh ipsec static add filterlist name="HTTPS Server" description="Server Hardening" netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening" netsh ipsec static add filterlist name="Domain Member" description="Server Hardening" netsh ipsec static add filterlist name="Monitoring" description="Server Hardening" netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening" :IPSec Filter Action Definitions netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block :IPSec Filter Definitions netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80 netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443 netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389 netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0 REM NOTE: IP Address or server names of Domain Controllers must be hardcoded into the dstaddr of the Domain Member filters defined below netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr= description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0 netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr= description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0 REM NOTE: IP Address or server name of Monitoring server must be hardcoded into the dstaddr of Monitoring filter defined below netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr= description="Monitoring Traffic" protocol=any srcport=0 dstport=0 :IPSec Rule Definitions netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters - IIS" filterlist="HTTP Server" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - IIS" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - IIS" filterlist="Domain Member" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - IIS" filterlist="Monitoring" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block