Exercise Use Netsh to Manage IPSec

Any task you can perform with the IP Security Policy snap-in and the IP Security Monitor snap-in, you can do with the Netsh command. You can also perform tasks with Netsh that you cannot do from a console, such as the following: instituting computer startup security, performing computer startup traffic exemptions, running diagnostics, performing default traffic exemptions, performing strong certificate revocation list (CRL) checking, performing IKE (Oakley) logging, modifying logging intervals, and creating a persistent policy.

You create policies by configuring IKE parameters and adding rules that are composed of filter lists, filter actions, and other configuration parameters. In the following exercise, the commands create an IPSec policy to negotiate telnet security between Computer1 and Computer2 and to block telnet from any computer other than Computer2. You must create a policy at both Computer1 and Computer2. You can do so, as the exercise suggests, one command at a time. Alternatively, you could build a batch file and run it to implement the policy.

When using the Netsh command, this method, of course, would be the preferred way to do so in the real world. Each command in the step-by-step exercise is followed by pressing the Enter key. Figure 11-42 shows the commands to create the policy on

Computer2 (steps 2 through 5), as entered at the Netsh IPSec Static command line. If you receive an error message, correct your syntax. If you need to start all over again, you can delete the policy with the command Delete Policy Name=Telnet.

Figure 11-42 Creating a policy with Netsh

1. Enter the Netsh IPSec Static context by entering the following commands: Netsh

Netsh>ipsec static

2. Create a policy on Computer1 by entering the following command: Add policy name="telnet"

description="only allow negotiated telnet from computer2 to computerl" activatedefaultrule=no mmsecmethods="3DES-MD5-3"

This policy needs two rules. One blocks all telnet communications and the other negotiates telnet from Computer2 to Computer! To add the rules, you must first add the filter list, its filters, and a filter action. If you create a filter for a filter list that does not exist, the filter list is created.

3. To create a filter list with one filter that triggers on telnet and a source IP address of 192.168.0.2 (Computer2), type the following command:

Add filter filterlist="telnet computer2"

srcaddr=192.168.0.2 dstaddr=Me description="computer2 telnet to computerl" protocol=TCP mirrored=yes srcmask=32 dstmask=32 srcport=0 dstport=23

4. Type the following command to add a filter action to negotiate telnet from Computer2 to Computerl:

Add filteraction name="negotiate computer2 telnet"

qmpfs=no inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,MD5]"

5. Add the rule that will manage telnet negotiation by typing this command:

Add rule name="telnetN" policy="telnet" filterlist="telnet computer2" filteraction="negotiate computer2 telnet"

Kerberos=yes description="this rule negotiates telnet if the source computer is computer2"

Note that the rule ties the filter list and the filter action and selects the authentication method. If no authentication method is specified, Kerberos is used by default.

6. Prepare the filter list and filter action for the second rule. Create a filter list with one filter that triggers on telnet and blocks telnet from all computers:

Add filter filterlist="blocktelnet"

srcaddr=Any dstaddr=Me description="all telnet to computerl" protocol=TCP mirrored=yes srcmask=24 dstmask=24 srcport=0 dstport=23

7. Add a filter action to block all telnet communications:

Add filteraction name="block all telnet" inpass=yes action=block

8. Add a rule that will manage this telnet negotiation:

Add rule name="telnetN" policy="telnet" filterlist="blocktelnet" filteraction="block all telnet"

Kerberos=yes description="this rule negotiates telnet if the source computer is computer2"

9. Assign the policy: set policy name=telnet assign=yes

On Computer2, log on as Administrator and open a command prompt. Open Netsh.

On Computer2, a single filter list, filter, and filter action are necessary. You are providing it with the means to negotiate the telnet connection with Computer! First, create the policy.

Type the following command:

Add policy name="telnet"

description="only allow negotiated telnet to computerl from computer2" activatedefaultrule=no mmsecmethods="3DES-MD5-3"

13. Next, create the filter list:

Add filter filterlist="telnet computerl"

srcaddr=Me dstaddr=192.168.0.2 description="computer2 telnet to computerl" protocol=TCP mirrored=yes srcmask=32 dstmask=32 srcport=0 dstport=23

14. Next, create the filter action:

Add filteraction name="negotiate computer2 telnet" qmpfs=no inpass=no soft=no action=negotiate

15. Then add the rule that will manage telnet negotiation:

Add rule name="telnetN" policy="telnet" filterlist = "telnet computerl" filteraction="negotiate computer2 telnet"

Kerberos=yes description="this rule negotiates telnet to computerl"

16. Finally, assign the policy. Remember, only one policy can be active at a time. You must run this command at both computers.

set policy name=telnet assign=yes

17. Close Netsh.

Was this article helpful?

0 0
Computer Hard Drive Data Recovery

Computer Hard Drive Data Recovery

Learn How To Recover Your Hard Drive Data After A Computer Failure.

Get My Free Ebook


Post a comment