Our remote users have always been domain members; it's part of our security policy.
 
You're correct that an incorrect IPSec policy could cause issues, but the parts I left off were what I thought were obvious: only block what you know you can block, and include exclusion rules either for things like domain controllers and internal services boxes (like AV servers) or at least for the company's internal IP ranges.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 


From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.
 
Wook


From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but it's possible to use IPSec policies to block specific ports, which would do exactly what you're trying to do.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
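What Roger describes in this message and in his reply above (an IPSec policy that blocks the two ports, with an exclusion for the company's internal ranges), as an added example that is not part of the thread. It uses the netsh ipsec static context, which is present on Windows Server 2003 and later (Windows XP used ipseccmd.exe from the support tools instead). The policy, filter-list and rule names, the internal range 10.0.0.0/8 and the domain contoso.com are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the ActiveDir thread. Builds an IPSec policy that
# blocks inbound TCP 5554 and 9996 (the ports named in the original question)
# from any source, while permitting them from an internal range so domain
# controllers and internal service boxes are not cut off. Names, the
# 10.0.0.0/8 range and contoso.com are assumptions.

$policy  = "BlockSasserPorts"
$blockFL = "SasserPorts-AnySource"
$allowFL = "SasserPorts-InternalSource"
$ports   = 5554, 9996

# Work in the local store while testing on one machine. To publish the policy
# into Active Directory so it can be assigned from a GPO linked to the
# workstation OU, use instead:
#   netsh ipsec static set store location=domain domain=contoso.com
netsh ipsec static set store location=local

netsh ipsec static add policy name=$policy assign=no

# One filter list matching the ports from any source, and one matching the
# same ports only when the source is the internal range.
netsh ipsec static add filterlist name=$blockFL
netsh ipsec static add filterlist name=$allowFL

foreach ($p in $ports) {
    # srcport=0 means any source port; mirrored=no keeps the match inbound-only.
    netsh ipsec static add filter filterlist=$blockFL srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$p mirrored=no
    netsh ipsec static add filter filterlist=$allowFL srcaddr=10.0.0.0 srcmask=255.0.0.0 dstaddr=me protocol=TCP srcport=0 dstport=$p mirrored=no
}

netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filteraction name=PermitAction action=permit

# Windows IPSec applies the most specific matching filter, so the permit rule
# with a specific source subnet wins over the any-source block rule for
# internal hosts. Only these two TCP ports are touched; ICMP and everything
# else is untouched, so Group Policy processing itself is not affected.
netsh ipsec static add rule name=BlockFromAnywhere policy=$policy filterlist=$blockFL filteraction=BlockAction
netsh ipsec static add rule name=PermitFromInternal policy=$policy filterlist=$allowFL filteraction=PermitAction

# Assign locally for the test. For the domain store, assignment is done in the
# GPO under IP Security Policies on Active Directory (right-click, Assign).
netsh ipsec static set policy name=$policy assign=y

# Check the result: the policy should show as assigned with both rules, and the
# active filters should list 5554 and 9996.
netsh ipsec static show policy name=$policy level=verbose
netsh ipsec dynamic show all | Select-String -Pattern "5554|9996"
```

Test on one workstation first: from an internal host, a connection to TCP 5554 should still be answered (or refused by the OS if nothing listens), while from an external address it should simply time out. Only machines that actually process the GPO pick the policy up, so the domain-membership and connectivity points raised elsewhere in the thread still apply.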
 


From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking

Sorry for the newbie-sounding question.

How can I use Group Policy to block certain ports on all workstations in a certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 and 9996. I have remote users that I want to apply a GP to that will block these ports.

Thanks

Mike

 

Mike Hogenauer
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149