Win2000 server security setting skills

Author:fsadmin

1. How to close port 445 under Windows 2000?
Modify the registry and add the following value:

Hive: HKEY_LOCAL_MACHINE

Key: System\Controlset\Services\NetBT\Parameters

Name: SMBDeviceEnabled

Type: REG_DWORD

Value: 0

After the modification, restart the machine and run "netstat -an"; you will find that port 445 is no longer listening.
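
One way to script that final check, as an added example that is not part of the original article: the parser below reads "netstat -an" output and reports only sockets bound to local port 445, so an outbound connection to a remote port 445 or a local port such as 1445 is not mistaken for a listener. Both listings are constructed samples and the function name is hypothetical.

```python
# Constructed "netstat -an" listing (not captured from a real host).
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    172.16.98.231:139      0.0.0.0:0              LISTENING
  TCP    172.16.98.231:1445     172.31.67.244:6667     ESTABLISHED
  TCP    172.16.98.231:1027     172.31.67.244:445      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Constructed listing for the state expected after the change and a restart.
AFTER = "\n".join(l for l in BEFORE.splitlines() if " 0.0.0.0:445 " not in l)


def listeners(netstat_output, port=445):
    """Return (proto, local_address) for sockets open on the given local port."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # Compare the port of the LOCAL address only, and compare it exactly.
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        # TCP rows carry a state column; UDP rows do not (a bound socket is open).
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        found.append((proto, local))
    return found


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        hits = listeners(text)
        print(name, "-> port 445 open:" if hits else "-> port 445 closed", hits)
```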

2. How to use IPSec to protect my network communication?
IPSec terminology
Before following the instructions below, make sure you know the meaning of the following terms:
Authentication: The process of determining whether a computer's identity is legitimate. Windows 2000 IPSec supports three types of authentication: Kerberos, certificates, and pre-shared keys. Kerberos authentication is only valid when both endpoints (computers) are in the same Windows 2000 domain. This type of authentication is the preferred method. If the computers are in different domains, or at least one computer is not in a domain, you must use a certificate or a pre-shared key. A certificate is valid only when each endpoint contains a certificate signed by an authority trusted by the other endpoint. Pre-shared keys have the same problems as passwords: they will not maintain confidentiality for a long period of time. If the endpoints are not in the same domain and a certificate cannot be obtained, the pre-shared key is the only authentication option.

Encryption: The process of making the data transmitted between two endpoints illegible. By using fully tested algorithms, each endpoint creates and exchanges keys. This process ensures that only these endpoints know the keys, and if any key exchange sequence is intercepted, the interceptor will not get any valuable content.

Filter: A description of Internet Protocol (IP) addresses and protocols that can trigger the establishment of IPSec security associations.

Filter operation: The security requirements that can be enabled when the communication matches a filter in the filter list.

Filter list: A collection of filters.

Internet Protocol Security Policy: A set of rules that describe how the communication between computers is protected.

Rule: The link between a filter list and a filter operation. When the communication matches the filter list, the corresponding filter operation can be triggered. An IPSec policy can contain multiple rules.

Security Association: The set of authentication and encryption methods negotiated by the endpoints to establish a secure session.

Find IPSec in the Microsoft Management Console
Configure IPSec by using the Microsoft Management Console (MMC). Windows 2000 creates an MMC with an IPSec snap-in during the installation process. To find IPSec, click Start, point to Programs, click Administrative Tools, and then click Local Security Policy. In the left pane of the opened MMC, click IP Security Policy on the local computer. MMC will display the existing default policies in the right pane.

Change the IP address, computer name, and user name
For the purpose of this example, assume that Alice is a computer user whose computer name is "Alicepc" and whose IP address is 172.16.98.231, and that Bob's computer name is "Bobslap" and its IP address is 172.31.67.244. They use the Abczz program to connect to each other's computers.

When connecting to each other by using the Abczz program, Alice and Bob must ensure that the communication is encrypted. When Abczz establishes its connection, the initiator uses a random high port on itself and connects (for the purpose of this example) to a target on port 6667/TCP or 6668/TCP (where TCP is the abbreviation of "Transmission Control Protocol"). Generally, these ports are used for Internet Relay Chat (IRC). Because either Alice or Bob can initiate a connection, the policy must exist on both ends.

Create a filter list
By right-clicking the IP security policy in the MMC console, you can access the menu for creating IPSec policies. The first menu item is "Create IP Security Policy". Although this menu item appears to be the place to start, you should not start there. Before you can create a policy and its related rules, you need to define the filter list and filter actions, which are required components of any IPSec policy. Click Manage IP filter table and filter operation to start working.

A dialog box with two tabs will be displayed: one for the filter list and the other for filter operations. First, open the Manage IP Filter List tab. There are already two predefined filter lists, and you will not use them. Instead, you can create a specific filter list that corresponds to the other computers you want to connect to.

Suppose you create a policy on Alice's computer:
Click Add to create a new filter list. Name the list "Abczz to Bob's PC".

Click Add to add a new filter. A wizard will start.

Click My IP Address as the source address.

Click A specific IP address as the target address, and then enter the IP address of Bob's computer (172.31.67.244). Or, if Bob's computer is already registered in the Domain Name System (DNS) or the Windows Internet Name Service (WINS), you can select a specific DNS name and then enter Bob's computer name, Bobslap.

Abczz uses TCP for communication, so click TCP as the protocol type.

For the IP protocol port, click From any port. Click To this port, type 6667, and then click Finish to complete the wizard.

Repeat the above steps, but this time type 6668 as the port number, and then click Close.

Your filter list now contains two filters for communication from Alice to Bob: one on port 6667 (belonging to Bob) and the other on port 6668 (also belonging to Bob). (Bob sets up two ports, 6667 and 6668, on his computer: one port is used for outgoing communication and the other is used for incoming communication.) These filters are mirrored, which is usually required when creating an IPSec filter. For each filter that has been mirrored, the list can contain (but not display) the exact opposite filter (that is, the filter with the destination and source addresses reversed). Without mirrored filters, IPSec communication is usually unsuccessful.
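
What mirroring changes, as an added example that is not part of the original article: a simplified model of filter matching (not Windows's own IPSec implementation) applied to the "Abczz to Bob's PC" list with the addresses and ports above. The Filter and Packet types, the function names and the client port numbers are assumptions made for illustration.

```python
from collections import namedtuple

ANY = None  # the wizard's "from any port"
ALICE, BOB = "172.16.98.231", "172.31.67.244"

Packet = namedtuple("Packet", "src dst proto sport dport")
Filter = namedtuple("Filter", "src dst proto sport dport mirrored")


def _hit(f, p):
    """True if the packet matches the filter exactly as it was defined."""
    return (f.src == p.src and f.dst == p.dst and f.proto == p.proto
            and f.sport in (ANY, p.sport) and f.dport in (ANY, p.dport))


def matches(f, p):
    """A mirrored filter also matches the packet with both ends swapped."""
    if _hit(f, p):
        return True
    swapped = Packet(p.dst, p.src, p.proto, p.dport, p.sport)
    return f.mirrored and _hit(f, swapped)


def protected(filter_list, p):
    """True if any filter in the list would select this packet for IPSec."""
    return any(matches(f, p) for f in filter_list)


# "Abczz to Bob's PC" as built on Alice's computer: two mirrored filters.
abczz_to_bob = [Filter(ALICE, BOB, "TCP", ANY, 6667, True),
                Filter(ALICE, BOB, "TCP", ANY, 6668, True)]
# The same list with the mirror setting switched off.
unmirrored = [f._replace(mirrored=False) for f in abczz_to_bob]
# A definition mistake: 6667 entered as the source port instead of the target.
ports_swapped = [Filter(ALICE, BOB, "TCP", 6667, ANY, True)]

# Constructed packets: 50000 and 50001 stand in for the random high client port.
request = Packet(ALICE, BOB, "TCP", 50000, 6667)
reply = Packet(BOB, ALICE, "TCP", 6667, 50000)
web = Packet(ALICE, BOB, "TCP", 50001, 80)

if __name__ == "__main__":
    lists = (("mirrored", abczz_to_bob), ("unmirrored", unmirrored),
             ("ports swapped", ports_swapped))
    for name, flist in lists:
        print(name, [protected(flist, p) for p in (request, reply, web)])
```

With the mirror setting off, the reply from Bob's port 6667 falls outside the filter list, and with the ports entered the wrong way round neither direction is selected.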

Create filter operations
You have defined the types of communication that must be protected. Now you must specify the security mechanism. Click the Manage filter operations tab. Three default operations are listed. Do not use the operation that requires security; you must create a new, stricter operation.

To create a new operation:
Click Add to create a new filter operation. A wizard starts. Name the operation "Encrypt Abczz".

For general options, click Negotiate Security, and then click Do not communicate with computers that do not support IPsec.

Click the option for high IP communication security, and then click Finish to close the wizard.

Double-click the new filter operation (named "Encrypt Abczz" earlier).

Click to clear the "Accept insecure communication, but always respond with IPSec" check box. This step ensures that the computer must negotiate IPSec before sending Abczz packets.

Click Session key perfect forward secrecy to ensure that the key material is not reused, click OK, and then click Close.

Create an IPSec policy
You have obtained the policy elements. Now you can create the policy itself. Right-click the right pane of the MMC, and then click Create IP Security Policy. When the wizard starts:
Name the policy "Alice's IPSec".

Click to clear the Activate default response rule check box.

Click Edit Properties (if it is not already selected), and then complete the wizard. The properties dialog of the policy will open.

In order for an IPSec policy to be effective, it must contain at least one rule that links the filter list to the filter operation.

To specify a rule in the properties dialog box:
Click Add to create a new rule. After the wizard starts, click This rule does not specify a tunnel.

Click Local Area Network (LAN) as the network type.

If Alice's and Bob's computers are in the same Windows 2000 domain, click the Windows 2000 default (Kerberos V5 protocol) as the authentication method. If they are not in a domain, click Use this string to protect the key exchange (pre-shared key), and then enter the string (use a long string that you can remember, and don't make any typing mistakes).

Select the filter list created earlier. In this example, the filter list is "Abczz to Bob's PC". Then select the filter action created earlier. In this example, the filter action is "Encrypt Abczz".

Complete the wizard and click Close.

Configure other endpoints
On Bob's computer, repeat all the steps performed above on Alice's computer. Obviously, some changes are necessary; for example, "Abczz to Bob's PC" must be changed to "Abczz to Alice's PC".

Assign policy
You have defined policies on both endpoints. Now they must be assigned:
In the local security settings MMC, right-click the policy (Abczz in this example).

Click Assign.

Only one IPSec policy can be assigned at a time, but one policy can have multiple rules as needed. For example, if Alice also needs to protect the communication with Eve by using a different protocol, you must create a corresponding filter list and operation and add a rule to Alice's IPSec policy so that the specific filter list and filter operation are linked. Click Use a different shared key for this rule. Alice's policy now has two rules: one for Abczz communication with Bob and the other for communication with Eve. Because Bob and Eve do not need to communicate securely with each other, no rule is added to Bob's policy, and Eve's policy contains a rule for communicating with Alice.

Troubleshooting
Using IPSecMon to test the policy
Windows 2000 includes a utility (IPSecMon.exe) which can be used to test whether the IPSec security association has been successfully established. To start IPSecMon:
Click Start, and then click Run.

Type ipsecmon, and then press ENTER.

Click Options.

Change the refresh interval to 1.

Communication must be established between the different endpoints. There may be a delay, because it takes several seconds for the endpoints to exchange encrypted information and complete the security association. When the two endpoints have established their security associations, an entry showing this can be observed in IPSecMon.

If the desired security negotiation is not established, go back and check the list of filters on each endpoint. Because it is easy to reverse the source and destination addresses or ports, make sure you have the correct definition of the protocol used. You might want to consider creating a new filter list that specifies all communications. Similarly, you can add a new rule to the policy that uses this filter list and then disable the existing rule. Perform these steps on both endpoints. Then
