Re: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

2005-12-12 Thread Tomasz Onyszko

Medeiros, Jose wrote:
Hello everyone, 


Is there a way I can restrict accepting TCP/IP packets from a specific address 
in Windows 2000 / 2003 server? I do not see this option in the TCP/IP Filtering 
menu?



No, you can't do that - use IPSec filtering instead of TCP/IP filtering:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/207E34C8-F715-4AA8-8F26-E06BD1ECA808.mspx
http://support.microsoft.com/kb/313190
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/904d3234-18e1-45b3-b7c0-73e6586ea159.mspx
--
Tomasz Onyszko
http://www.w2k.pl
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

2005-12-12 Thread Mylo
May be of interest, but in addition to IPSec, which in no way am I 
denigrating :0), there are a couple of interesting packet filtering 
alternatives that perform a similar function as well, particularly on Win2K.


http://sourceforge.net/projects/pktfilter/
http://force.coresecurity.com/index.php?module=basepage=factsheet#IDAAUZS

I've not used CoreForce but I have used pktfilter under Win2K; useful 
if you already know IPFilter.
If you're on Win2k3 then you're probably best off with IPSec since it's 
much improved ...


Regards,
Mylo




RE: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

2005-12-12 Thread Gil Kirkpatrick
If you are talking about restricting access on a DC, you can use the
little known feature in AD called the IP Deny List. It was documented in
W2K, and still works in WS2K3. Essentially, it is a list of IP addresses
and subnets that the DC will not accept AD connections from.

You can set the IP Deny list using the W2K version of NTDSUTIL, or you can use
ADSIEdit and add the strings in hex (yucky). Or write some code, if
you're so inclined.

The IP deny list is maintained in the lDAPIPDenyList attribute of the
queryPolicy object. If you want to deny access to ALL DCs from specified
addresses, you can add the lDAPIPDenyList attribute to the
CN=Query-Policies,CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=your root domain here object.
Otherwise, create a new queryPolicy object and attach it to the DCs you
are concerned about.

The syntax of the lDAPIPDenyList attribute is octet string, but the data
is stored as text. So for instance, to deny access from IP address
1.2.3.4, you would add the value 0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34, one
address per value. You can also deny access from entire subnets by doing
something like 1.2.3.4/24 (in hex).

Probably it's easier to make the change from a W2K machine. The W2K
version of NTDSUTIL doesn't run on a WS2K3 DC AFAIK.

I haven't determined if this is supported or not. It seems it would be,
since you can make the change to a WS2K3 DC from a W2K machine. But it
does work quite well.

But of course this doesn't work generically, just on DCs.

-gil


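The encoding Gil describes (the deny-list text "1.2.3.4" stored as an octet string, one address or subnet per value) is easy to get wrong by hand in ADSIEdit, so here is a small added example, not code from the thread or from Microsoft, that converts entries to and from the space-separated 0x byte form quoted above, and evaluates whether a given client address would be caught by a list of such values. The textual entry forms ("1.2.3.4" and "1.2.3.4/24") and the Query-Policies DN are taken from the message; the helper names, the sample entries and the client addresses are constructed for illustration. Before writing values to a real DC, confirm the exact value syntax against the NTDSUTIL documentation.

```python
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_deny_entry(entry: str) -> Network:
    """Parse one textual deny-list entry into a network object.

    The message above gives two forms: a single address ("1.2.3.4") and a
    subnet ("1.2.3.4/24").  Host bits may be set in the subnet form, so the
    parse is non-strict (1.2.3.4/24 is treated as 1.2.3.0/24).  A bare
    address becomes a /32 (or /128) network so both forms compare alike.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty deny-list entry")
    return ipaddress.ip_network(entry, strict=False)


def encode_deny_entry(entry: str) -> str:
    """Render an entry as the octet-string bytes shown in ADSIEdit.

    The attribute is an octet string, but the payload is the ASCII text of
    the entry, so "1.2.3.4" becomes 0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34.
    The entry is validated first so a typo is caught before it is stored.
    """
    parse_deny_entry(entry)
    return " ".join(f"0x{b:02x}" for b in entry.strip().encode("ascii"))


def decode_deny_entry(hex_value: str) -> str:
    """Turn a space-separated 0x.. byte list back into the entry text."""
    raw = bytes(int(token, 16) for token in hex_value.split())
    return raw.decode("ascii")


def is_denied(client_ip: str, deny_list_hex: Iterable[str]) -> bool:
    """Return True if client_ip falls under any value of the deny list.

    This mirrors what the DC does with the list: an LDAP connection from a
    listed address or subnet is refused.  Each stored value is decoded from
    its hex form, parsed, and compared against the client address.
    """
    addr = ipaddress.ip_address(client_ip)
    for value in deny_list_hex:
        if addr in parse_deny_entry(decode_deny_entry(value)):
            return True
    return False


def default_query_policy_dn(root_domain_dn: str) -> str:
    """DN of the forest-wide default query policy named in the message.

    root_domain_dn is the DN of the forest root, e.g. "DC=corp,DC=example"
    (constructed placeholder; substitute your own root domain).
    """
    return ("CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,"
            "CN=Windows NT,CN=Services,CN=Configuration," + root_domain_dn)


if __name__ == "__main__":
    # Constructed sample list: one host and one /24, as hex values.
    sample_list = [encode_deny_entry("1.2.3.4"), encode_deny_entry("10.0.5.0/24")]
    for value in sample_list:
        print(value, "->", decode_deny_entry(value))
    for client in ("1.2.3.4", "1.2.3.5", "10.0.5.77", "10.0.6.1"):
        print(client, "denied" if is_denied(client, sample_list) else "allowed")
    print(default_query_policy_dn("DC=corp,DC=example"))
```

Note that the message says the attribute can be placed on the existing Query-Policies container object to cover all DCs; the DN helper above builds the child "Default Query Policy" object under that container, which is where the default policy normally lives. Check which object your forest actually uses before editing either.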


RE: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

2005-12-12 Thread Medeiros, Jose
Thank you. Although it is not a DC, I was unaware that this feature existed.


Sincerely, 
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



