REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: WINSPacketFilter.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a WINS Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0001 - Original April 03, 2003

:IPSec Policy Definition
REM The policy is created unassigned (assign=no); assign it only after the
REM dstaddr placeholders in the Domain Member and Monitoring filters are filled in.
netsh ipsec static add policy name="Packet Filters - WINS" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions
netsh ipsec static add filterlist name="WINS Resolution Server" description="Server Hardening"
netsh ipsec static add filterlist name="WINS Replication Client" description="Server Hardening"
netsh ipsec static add filterlist name="WINS Replication Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="Domain Member" description="Server Hardening"
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"

:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions
REM srcport=0 and dstport=0 mean "any port"; dstaddr=me is this server's own address.
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="WINS Resolution Server" srcaddr=any dstaddr=me description="WINS Resolution Traffic" protocol=TCP srcport=0 dstport=1512
netsh ipsec static add filter filterlist="WINS Resolution Server" srcaddr=any dstaddr=me description="WINS Resolution Traffic" protocol=UDP srcport=0 dstport=1512
netsh ipsec static add filter filterlist="WINS Replication Client" srcaddr=me dstaddr=any description="WINS Replication Traffic" protocol=TCP srcport=0 dstport=42
netsh ipsec static add filter filterlist="WINS Replication Client" srcaddr=me dstaddr=any description="WINS Replication Traffic" protocol=UDP srcport=0 dstport=42
netsh ipsec static add filter filterlist="WINS Replication Server" srcaddr=any dstaddr=me description="WINS Replication Traffic" protocol=TCP srcport=0 dstport=42
netsh ipsec static add filter filterlist="WINS Replication Server" srcaddr=any dstaddr=me description="WINS Replication Traffic" protocol=UDP srcport=0 dstport=42
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0

REM NOTE: IP Address or server names of Domain Controllers must be hardcoded into the dstaddr of the Domain Member filters defined below
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr= description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr= description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0

REM NOTE: IP Address or server name of Monitoring server must be hardcoded into the dstaddr of the Monitoring filter defined below
netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr= description="Monitoring Traffic" protocol=any srcport=0 dstport=0

:IPSec Rule Definitions
netsh ipsec static add rule name="WINS Resolution Rule" policy="Packet Filters - WINS" filterlist="WINS Resolution Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="WINS Replication Client Rule" policy="Packet Filters - WINS" filterlist="WINS Replication Client" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="WINS Replication Server Rule" policy="Packet Filters - WINS" filterlist="WINS Replication Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - WINS" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - WINS" filterlist="Domain Member" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - WINS" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
REM Windows IPsec applies the most specific matching filter, so the permit rules
REM above take precedence over this catch-all block of all other inbound traffic.
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - WINS" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
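The script leaves the Domain Member and Monitoring dstaddr values empty on purpose, and a policy assigned with those placeholders unfilled will cut the server off from its domain controllers. The following added example (not part of Microsoft's WINSPacketFilter.CMD) is an offline linter that parses netsh `add filteraction`, `add filter` and `add rule` lines, resolves each filter list to the action its rule applies, and reports unfilled placeholders, filter lists no rule references, and a missing catch-all block. It runs over a constructed excerpt that mirrors the script above (one filter list is deliberately left without a rule to exercise that check).

```python
"""Offline sanity check for a netsh ipsec static hardening script.

Added example, not part of Microsoft's WINSPacketFilter.CMD. It parses the
script text only; nothing is applied to the system.
"""
import re
import shlex

# Constructed excerpt in the shape of the script above; "WINS Replication
# Client" is intentionally left without a rule so the linter has something to flag.
SCRIPT = r'''
REM Excerpt of a WINS hardening policy (constructed sample)
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="WINS Resolution Server" srcaddr=any dstaddr=me description="WINS Resolution Traffic" protocol=UDP srcport=0 dstport=1512
netsh ipsec static add filter filterlist="WINS Replication Client" srcaddr=me dstaddr=any description="WINS Replication Traffic" protocol=TCP srcport=0 dstport=42
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr= description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - WINS" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="WINS Resolution Rule" policy="Packet Filters - WINS" filterlist="WINS Resolution Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - WINS" filterlist="Domain Member" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - WINS" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
'''


def parse_command(line):
    """Split 'netsh ipsec static add <object> k=v ...' into (object, {k: v}).

    shlex handles the quoted values (filterlist="Terminal Server"); an empty
    value such as dstaddr= survives as ''. Returns None for other lines.
    """
    tokens = shlex.split(line)
    if tokens[:4] != ["netsh", "ipsec", "static", "add"] or len(tokens) < 5:
        return None
    kv = {}
    for tok in tokens[5:]:
        key, _, value = tok.partition("=")
        kv[key.lower()] = value
    return tokens[4], kv


def parse_script(text):
    """Return (actions: name->permit/block, filters: list of dicts, rules: filterlist->action name)."""
    actions, filters, rules = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"rem\b", line, re.I) or line.startswith(":"):
            continue  # comments, labels and blank lines
        parsed = parse_command(line)
        if parsed is None:
            continue
        obj, kv = parsed
        if obj == "filteraction":
            actions[kv["name"]] = kv["action"].lower()
        elif obj == "filter":
            filters.append(kv)
        elif obj == "rule":
            rules[kv["filterlist"]] = kv["filteraction"]
    return actions, filters, rules


def effective_filters(text):
    """Each filter as (filterlist, srcaddr, dstaddr, PROTOCOL, dstport, action)."""
    actions, filters, rules = parse_script(text)
    result = []
    for f in filters:
        action = actions.get(rules.get(f["filterlist"]), "unbound")
        result.append((f["filterlist"], f["srcaddr"], f["dstaddr"],
                       f["protocol"].upper(), f["dstport"], action))
    return result


def unfilled_placeholders(text):
    """Filter lists whose srcaddr or dstaddr was left empty (the hardcode-me markers)."""
    return [f["filterlist"] for f in parse_script(text)[1]
            if not f["srcaddr"] or not f["dstaddr"]]


def permitted_inbound_ports(text):
    """(PROTOCOL, port) pairs that reach this host ('me') and are permitted."""
    return {(proto, port) for (_, src, dst, proto, port, act) in effective_filters(text)
            if dst == "me" and act == "permit" and port != "0"}


def has_catch_all_block(text):
    """True when some any->me, protocol any, any port filter is bound to a block action."""
    return any(src == "any" and dst == "me" and proto == "ANY" and port == "0" and act == "block"
               for (_, src, dst, proto, port, act) in effective_filters(text))


def lint(text):
    """Human-readable findings; an empty list means the script is ready to assign."""
    problems = []
    for fl in unfilled_placeholders(text):
        problems.append(f"filter list '{fl}' has an empty srcaddr/dstaddr placeholder; fill it in before assigning the policy")
    _, filters, rules = parse_script(text)
    for fl in sorted({f["filterlist"] for f in filters} - set(rules)):
        problems.append(f"filter list '{fl}' is not referenced by any rule, so its filters have no effect")
    if not has_catch_all_block(text):
        problems.append("no catch-all block rule (any -> me, protocol any) found; unlisted inbound traffic would be allowed")
    return problems


if __name__ == "__main__":
    print("permitted inbound:", sorted(permitted_inbound_ports(SCRIPT)))
    for p in lint(SCRIPT):
        print("PROBLEM:", p)
```

To check the real file, read it into `text` and call `lint(text)`; the expected result for an unedited copy of the script is three placeholder findings (two Domain Member filters and one Monitoring filter) and nothing else, and the permitted inbound set should contain exactly TCP 3389, TCP/UDP 1512 and TCP/UDP 42.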