This is something that is probably better handled by an Intrusion Detection system that can detect Sasser traffic and take action against the remote computer if found.  If you had your VPN or remote user access point(s) behind a firewall, you could use the firewall to block the ports.  That way you are not relying on the computers to be members of your domain AND to be able to get/read the GP across what may be a slow link.
 
VPN in Windows 2003 has the "ability" to force VPN users to run a custom script against the remote workstation before it is allowed on the inside network.  See "Network Access Quarantine Control in Windows Server 2003" - http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
 
My take is that you are trying to protect your network from Sasser or "worm du jour" and I don't think port blocking by GP is the appropriate hammer.  Look to an IDS, firewall, or other solutions instead of port blocking by GP.  What happens if next time you need to block port 135-9, 389, or 80??
 
-Stuart


From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.
 
Wook


From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but it's possible to use IPSec policies to block specific ports, which would do exactly what you're trying to do.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
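The IPSec approach Roger describes, written out as an added example (not from anyone in this thread): a local IPSec policy that drops inbound TCP 5554 and 9996, the two ports named in the original question, built with the netsh ipsec static context that ships with Windows Server 2003 and Windows XP SP2 (pre-SP2 XP uses ipseccmd.exe instead). The policy, filter list, action and rule names are arbitrary choices.

```batch
@echo off
rem Added example, not code from the thread. Builds a local IPSec policy that
rem blocks inbound TCP 5554 and 9996 on this machine. Names are arbitrary.

set POLICY=Block-Sasser-Ports
set FLIST=Sasser-Ports
set FACTION=Block-Inbound

rem 1. Filter list: TCP from any address to this machine ("me") on each port.
rem    mirrored=yes also matches the reply direction so the block is complete.
netsh ipsec static add filterlist name=%FLIST% description="TCP 5554 and 9996"
netsh ipsec static add filter filterlist=%FLIST% srcaddr=any dstaddr=me protocol=TCP dstport=5554 mirrored=yes
netsh ipsec static add filter filterlist=%FLIST% srcaddr=any dstaddr=me protocol=TCP dstport=9996 mirrored=yes

rem 2. Filter action: drop matching packets outright, no IKE negotiation.
netsh ipsec static add filteraction name=%FACTION% action=block

rem 3. Policy, created unassigned, plus the rule tying list and action together.
netsh ipsec static add policy name=%POLICY% description="Block worm listener ports" assign=no
netsh ipsec static add rule name=Drop-Sasser-Ports policy=%POLICY% filterlist=%FLIST% filteraction=%FACTION%

rem 4. Assign it. Only one IPSec policy is assigned at a time, so look at what
rem    is assigned now before this replaces it.
netsh ipsec static show policy all
netsh ipsec static set policy name=%POLICY% assign=y

rem 5. Verify: the policy should show as assigned with the two filters.
netsh ipsec static show policy name=%POLICY%
netsh ipsec static show filterlist name=%FLIST%

rem Rollback if needed:
rem   netsh ipsec static set policy name=%POLICY% assign=n
rem   netsh ipsec static delete policy name=%POLICY%
```

To push the same thing through Group Policy, define an identical policy under Computer Configuration > Windows Settings > Security Settings > IP Security Policies in a GPO linked to the OU and assign it there; the local version above is useful for testing on one workstation first, keeping in mind Wook's point that workgroup machines and clients that cannot reach the domain never receive the GPO.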
 


From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie sounding question.

 

How can I use Group Policy to block certain ports on all workstations in a certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 9996. I have remote users that I wanted to apply a GP to that will block these ports.

 

Thanks

 

Mike

 

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149

 
