Windows XP uses ipseccmd, and Windows 2000 uses ipsecpol. Unfortunately, neither ships with the system: ipseccmd is in SUPPORT\TOOLS\ on the XP installation CD, and ipsecpol comes with the Windows 2000 Resource Kit. Moreover, ipsecpol only works if two more files are brought along with it: and . The three files total 119 KB.
IPSec can be controlled through Group Policy, but I searched all of MSDN and could not find the syntax of the corresponding security template, and a configured IPSec policy cannot be exported as a template either, so the Group Policy route is out. IPSec settings are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in theory IPSec could be configured by editing the registry, but much of that data is stored in binary form and is hard to read and modify. Uploading the command-line tools is more convenient.
There is plenty of information about ipsecpol and ipseccmd on the Internet, so this article does not go into detail and only lists some practical examples.
When it comes to setting IPSec policy, the ipseccmd syntax is almost exactly the same as that of ipsecpol, so ipsecpol is used in the examples:
1. Defense against rpc-dcom attacks
ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp *+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w reg -x
This command blocks TCP ports 135, 139 and 445 and UDP ports 135, 137, 138 and 445 on the local host.
The parameters mean the following:
-p myfirewall Specifies the policy name, myfirewall
-r rpc-dcom Specifies the rule name, rpc-dcom
-f .... Creates 7 filters. * is any address (source); 0 is the local address (destination); + means a mirrored (bidirectional) filter. For the full syntax see ipsecpol -?
-n BLOCK Specifies the filter action "block". BLOCK must be in upper case.
-w reg Writes the configuration to the registry so that it survives a reboot.
-x Activates the policy immediately.
2. Prevent ping
ipsecpol -p myfirewall -r antiping -f *+0::icmp -n BLOCK -w reg -x
If a policy named myfirewall already exists, the antiping rule is added to it.
Note that this rule, being mirrored, also stops the host from pinging others.
3. Restricting which IPs can reach a backdoor
Suppose DameWare Mini Remote Control is installed on a host. To keep others from brute-forcing its password or exploiting an overflow in it, access to its service port 6129 should be restricted:
ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:tcp -n PASS -w reg -x
This way only 123.45.67.89 can reach port 6129 on the host: the single-address PASS filter is more specific than the wildcard BLOCK filter, so it takes precedence.
If your own address is dynamic, write the rule for the range from which your IP is allocated, for example:
ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:tcp -n PASS -w reg -x
This allows IPs from 123.45.67.1 to 123.45.67.254 to access port 6129.
Be very careful when writing rules so as not to lock yourself out. If you are not sure a rule will behave as expected, first use a scheduled task to leave yourself a way out. For example:
c:\>net start schedule
The Task Scheduler service is starting.
The Task Scheduler service was started successfully.
c:\>time /t
12:34
c:\>at 12:39 ipsecpol -p myfw -y -w reg
Added a new job with job ID = 1
You now have 5 minutes to set up the myfw policy and test it; the scheduled job deactivates the policy after 5 minutes.
If the results are not what you wanted, delete the policy:
c:\>ipsecpol -p myfw -o -w reg
Note that the policy must be deactivated before you delete it. If you delete a policy while it is still active, it keeps taking effect for a while; how long depends on the policy refresh interval, which defaults to 180 minutes.
If the test passes, activate the policy for good:
c:\>ipsecpol -p myfw -x -w reg
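The safety-net procedure above, written up as a batch file that queues the rollback job before it adds any filter. This is an added example, not the original article's script; it assumes ipsecpol.exe and its two companion files sit in the same (space-free) directory as the batch file, it reuses the myfw policy and the DameWare rules from example 3 with the allowed address 123.45.67.89, and it parses %TIME% in the HH:MM:SS.cc form that a default English or Chinese locale prints.

```batch
@echo off
:: safety_net.bat - build an ipsecpol policy with an automatic rollback timer.
:: Added example. Assumes ipsecpol.exe and its helper files sit next to this
:: script in a directory without spaces, and that %TIME% looks like HH:MM:SS.cc.
setlocal
set POL=myfw
set IPSECPOL=%~dp0ipsecpol.exe
set ALLOW_FROM=123.45.67.89
set DELAY_MIN=5

:: 1. the Task Scheduler service must be running for AT to accept jobs
net start schedule >nul 2>&1

:: 2. compute "now + DELAY_MIN" as HH:MM for AT.
::    %TIME% may carry a leading space (" 9:05:00.00") and leading zeros,
::    which SET /A would read as octal, so prefix with 1 and subtract 100.
for /f "tokens=1,2 delims=:" %%a in ("%TIME%") do (
    set HH=%%a
    set MM=%%b
)
set HH=%HH: =0%
set /a HH=1%HH% - 100
set /a MM=1%MM% - 100 + %DELAY_MIN%
if %MM% geq 60 (
    set /a MM-=60
    set /a HH+=1
)
if %HH% geq 24 set /a HH-=24
if %HH% lss 10 set HH=0%HH%
if %MM% lss 10 set MM=0%MM%

:: 3. queue the rollback BEFORE touching IPSec. AT jobs run as SYSTEM with
::    system32 as the working directory, so give ipsecpol by full path.
at %HH%:%MM% %IPSECPOL% -p %POL% -y -w reg
if errorlevel 1 (
    echo Could not schedule the rollback, refusing to touch IPSec.
    exit /b 1
)
echo Rollback scheduled for %HH%:%MM%: policy %POL% will be deactivated then.

:: 4. add the rules and activate (-x). The single-address PASS filter is
::    more specific than the wildcard BLOCK filter, so it takes precedence.
%IPSECPOL% -p %POL% -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
%IPSECPOL% -p %POL% -r dwmrc_pass_me -f %ALLOW_FROM%+0:6129:tcp -n PASS -w reg -x

:: 5. dump the active policy to a file: netdiag output overflows a remote
::    shell's screen buffer and cannot be paged with more there, so search
::    the file for the policy name instead.
net start remoteregistry >nul 2>&1
netdiag /debug /test:ipsec > "%TEMP%\ipsec_%POL%.txt"
find /i "%POL%" "%TEMP%\ipsec_%POL%.txt"

echo Test now. After the rollback has fired and you are satisfied, re-enable with:
echo     %IPSECPOL% -p %POL% -x -w reg
endlocal
```

The AT job fires even if the remote shell dies, which is the whole point: whatever happens during the test window, port 6129 is reachable again after DELAY_MIN minutes. If the test fails, delete the policy with -o only after the rollback has deactivated it, exactly as the text warns.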
Finally, let’s talk about how to check the IPSec policy.
On XP it is simple, one command does it: ipseccmd show filters
ipsecpol has no query function; you need another command-line tool, netdiag, which is in SUPPORT\TOOLS\ on the Windows 2000 installation CD. (Three files have been uploaded already, so one more does not matter. ^_^)
netdiag needs the RemoteRegistry service, so start that first:
net start remoteregistry
If RemoteRegistry is not running you get the error:
[FATAL] Failed to get system information of this machine.
netdiag is a very capable tool that can retrieve all sorts of network-related information. Its output, however, is sometimes so long that it overflows the console's screen buffer, and in a remote cmd shell it cannot be paged with more, so redirect it to a file and search that instead.
The command to view the ipsec policy is:
netdiag /debug /test:ipsec
This prints a long list of information; the IPSec policy is at the end.
Software installation
Installing a piece of software or a tool generally does only two things: it copies files into specific directories and modifies the registry. Once you know exactly what is copied and changed, you can do it yourself from the command line. (Software that must be registered or activated after installation is not considered here.)
WinPcap is a very common tool, but it has to be installed through the Windows GUI. There are versions with no GUI installer (though they still show a license page), but we can just make our own.
Take WinPcap 3.0a as an example. Comparing snapshots of the file system and the registry taken before and after installation makes the whole installation process easy to understand.
Leaving out the uninstaller, there are three key files: and . The first two go into the system32 directory and the third into system32\drivers. The registry change is the addition of a system service named NPF; note that this is a system service (a driver), not a Win32 service.
For a system service, a key must be added not only under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services but also under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root, and the latter cannot be modified by default. Fortunately it does not have to be added by hand: WinPcap creates it itself the first time it is used. In fact no manual registry editing is needed at all; WinPcap takes care of everything, and you only need to copy the three files to the right places.
As an exercise, though, let's still demonstrate how to modify the registry, using an inf file as mentioned earlier:
[Version]
Signature="$WINDOWS NT$"
[]
AddService=NPF,,winpcap_svr
[winpcap_svr]
DisplayName=Netgroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\
Save the above as _wpcap_.inf.
Then write a batch file, _wpcap_.bat:
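The batch file the article goes on to describe is not on this page. As an added example (not the original's _wpcap_.bat), the script below writes the INF and hands it to setupapi, which creates the service key under Services without any direct registry editing. Two things are assumptions, because this page's copy of the INF lost both values: the install section is named DefaultInstall.Services, which is what rundll32 setupapi,InstallHinfSection DefaultInstall processes, and the driver file is called npf.sys and has already been copied into system32\drivers.

```batch
@echo off
:: _wpcap_.bat - register a kernel driver service from an INF on the command line.
:: Added example, not the original article's batch file. Assumptions: the
:: driver file is named npf.sys (the name is missing from this page's copy of
:: the INF) and is already in %SystemRoot%\system32\drivers; the INF install
:: section is DefaultInstall, the section that InstallHinfSection processes
:: (with AddService directives taken from DefaultInstall.Services).
setlocal
set INF=%~dp0_wpcap_.inf
set SVC=NPF

:: 1. write the INF. The redirection is placed first so that values ending
::    in a digit (StartType=3) are not parsed by cmd as "3>" handle redirects.
>"%INF%"  echo [Version]
>>"%INF%" echo Signature="$WINDOWS NT$"
>>"%INF%" echo.
>>"%INF%" echo [DefaultInstall]
>>"%INF%" echo.
>>"%INF%" echo [DefaultInstall.Services]
>>"%INF%" echo AddService=%SVC%,,winpcap_svr
>>"%INF%" echo.
>>"%INF%" echo [winpcap_svr]
>>"%INF%" echo DisplayName=Netgroup Packet Filter
>>"%INF%" echo ServiceType=0x1
>>"%INF%" echo StartType=3
>>"%INF%" echo ErrorControl=1
>>"%INF%" echo ServiceBinary=%%12%%\npf.sys

:: 2. refuse to register a service whose binary is not where the INF says
::    (%12% is the system32\drivers directory id in INF syntax)
if not exist "%SystemRoot%\system32\drivers\npf.sys" (
    echo npf.sys not found in system32\drivers, copy it there first.
    exit /b 1
)

:: 3. hand the INF to setupapi. 128 = a full path is given, never reboot.
rundll32 setupapi,InstallHinfSection DefaultInstall 128 %INF%

:: 4. verify: the Services key must now exist, and the driver must load.
::    (reg.exe ships with XP; on 2000 it comes from the Resource Kit.)
reg query HKLM\SYSTEM\CurrentControlSet\Services\%SVC% >nul 2>&1 || (
    echo Service key for %SVC% was not created. & exit /b 1
)
net start %SVC%
endlocal
```

Running the script leaves exactly the registry footprint the snapshot comparison showed for the Services key; the Enum\Root entry is still created by WinPcap itself the first time a capture is opened, as described above.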