Windows XP comes with its own software firewall that can be used to control what information travels between your customers' PCs and the Internet. You can also control what enters and exits their PCs by using IPsec filtering
IPsec filtering rules are implemented by creating and assigning an IPsec Policy through Group Policy, which allows IPsec settings to be configured at the domain, site or organizational unit level. The first step is to create and define the filtering rules and actions, which control the protocols, ports and IP addresses that are allowed or blocked. These rules will be based on the policies for secure operations as agreed upon with your customer. To manage IPsec policies for domain members using the IP Security Policies snap-in, you will need to select to manage "The Active Directory Domain of which this computer is a member". You can now add, edit and remove filters by right-clicking IP Security Policies in the left pane of the MMC console, and selecting Manage IP Filter Lists and Filter Actions. The next step is to create an IPsec Policy by adding the various IP Filters and Filter Actions to the new Policy. To assign the IPsec Policy to Group Policy, select the Group Policy object to which you want to assign the IPsec Policy. Next, expand the Computer Configuration view and click the IP Security Policies folder, then right-click the Policy you want to assign, and click Assign.
An IPsec Policy can contain several different filter rules and actions, making it very flexible. As well as controlling access to domains and computers, it can be used to block access to certain sites or applications, such as chat rooms. The IPsec protocol can also be used to provide data privacy, integrity and authenticity, but it can't secure all types of network traffic -- see the Microsoft Knowledge Base article 253169 for further details.
A word of caution: when using IPsec filter rules you need to have a clear understanding of the impact of blocking specific ports. For example, blocking port 135 to guard against the DCOM RPC vulnerability can impact the functionality of Active Directory and Microsoft Exchange, which also use port 135. It's important, therefore, to test the filters to ensure that you have accomplished your intended goals. Microsoft Service Pack 2 for XP includes a command line tool IPSeccmd.exe, which can be used to manage IPsec policy and filtering rules, but it's not that intuitive to use. Thankfully, Vista is integrating firewall filtering functions and IPsec protection settings. These will now be managed using a single snap-in called Windows Firewall with Advanced Security. This means it's far less likely that you will set up firewall filters that conflict with IPsec policies and prevent your customer's network traffic from working the way you intend.
About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications including SearchSecurity.com.
This was first published in December 2006