How to block specific network protocols and ports by using IPSec (813878)
The information in this article applies to:
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
SUMMARYInternet Protocol security (IPSec) filtering rules can be
used to help protect Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers from network-based attacks
from threats such as viruses and worms. This article describes how to filter a
particular protocol and port combination for both inbound and outbound network
traffic. It includes steps to whether there are any IPSec policies
currently assigned to a Windows 2000-based, Windows XP-based, or Windows Server 2003-based computer, steps to create and assign
a new IPSec policy, and steps to unassign and delete an IPSec
policy.MORE INFORMATIONIPSec policies can be applied locally or be applied to a
member of a domain as part of that domain's group policies. Local IPSec
policies can be static (persistent after restarts) or dynamic (volatile). Static IPSec policies are written to the local
registry and persist after the operating system is restarted. Dynamic IPSec
policies are not permanently written to the registry and are removed if the
operating system or the IPSec Policy Agent service is restarted. Important This article contains information about editing the registry by
using Ipsecpol.exe. Before editing the registry, make sure you understand how
to restore it if a problem occurs. For information about how to back up,
restore, and edit the registry, click the following article number to view the
article in the Microsoft Knowledge Base:
256986 Description of the Microsoft
Windows Registry
Note IPSec filter rules can cause network programs to lose data and to
stop responding to network requests, including failure to authenticate users.
Use IPSec filter rules as a defensive measure of last resort and only after you
have a clear understanding of the impact that blocking specific ports will have
in your environment. If an IPSec policy that you create by using the steps that
are listed in this article has unwanted effects on your network programs, see
the "Unassign and Delete an IPSec Policy" section later in this article for
instructions about how to immediately disable and delete the policy. Determine whether an IPSec policy is assignedWindows Server 2003-based computersBefore you create or assign any new IPSec policies to a Windows
Server 2003-based computer, determine whether any IPSec policies are being
applied from the local registry or through a Group Policy object (GPO). To do this, follow these steps:
- Install Netdiag.exe from the Windows Server 2003 CD by running
Suptools.msi from the Support\Tools folder.
- Open a command prompt, and then set the working folder to
C:\Program Files\Support Tools.
- Run the following command to verify that there is not an
existing IPSec policy already assigned to the computer: If no policy is assigned, you receive the following
message: IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
Windows XP-based computersBefore you create or assign any new IPSec policies to a Windows
XP-based computer, determine whether any IPSec policies are being
applied from the local registry or through a GPO. To do
this, follow these steps:
- Install Netdiag.exe from the Windows XP CD by running
Setup.exe from the Support\Tools folder.
- Open a command prompt, and then set the working folder to
C:\Program Files\Support Tools.
- Run the following command to verify that there is not an
existing IPSec policy already assigned to the computer: If no policy is assigned, you receive the following
message: IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
Windows 2000-based computersBefore you create or assign any new IPSec policies to a Windows
2000-based computer, determine whether any IPSec policies are being
applied from the local registry or through a GPO. To do this, follow these steps:
- Install Netdiag.exe from the Windows 2000 CD by running
Setup.exe from the Support\Tools folder.
- Open a command prompt, and then set the working folder to
C:\Program Files\Support Tools.
- Run the following command to verify that there is not an
existing IPSec policy already assigned to the computer: If no policy is assigned, you receive the following
message: IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
Create a static policy to block trafficWindows Server 2003-based and Windows XP-based computersFor systems that do not have a locally defined IPSec policy enabled, create a new local static policy to block traffic that is
directed to a specific protocol and a specific port on Windows Server 2003-based and Windows XP based computers. To do this, follow these steps: - Verify that the IPSec Policy Agent service is enabled and
started in the Services MMC snap-in.
- Install IPSeccmd.exe. IPSeccmd.exe is part of Windows XP Service Pack 2 (SP2) Support Tools.
Note IPSeccmd.exe will run on Windows XP and Windows Server 2003 operating systems, but the tool is only available from the Windows XP SP2 Support Tools package.
For additional information about downloading and installing Windows XP Service Pack 2 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
838079
Windows XP Service Pack 2 Support Tools
- Open a command prompt, and then set the working folder to the
folder where you installed the Windows XP Service Pack 2 Support Tools.
Note The default folder for Windows XP SP2 Support Tools is C:\Program Files\Support Tools. - To create a new local IPSec policy and filtering rule that
applies to network traffic from any IP address to the IP address of the Windows Server 2003-based or Windows XP-based computer that you are configuring, use the following command.
Note In the following command, Protocol and PortNumber are
variables.
IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" -r
"Block Inbound ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK -x For example, to block network traffic from any IP
address and any source port to destination port UDP 1434 on a Windows Server 2003-based or Windows XP-based computer, type the following. This policy is sufficient to help protect
computers that run Microsoft SQL Server 2000 from the "Slammer" worm. IPSeccmd.exe -w REG -p "Block UDP
1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK
-x The following example blocks inbound access to TCP
port 80 but still allows outbound TCP 80 access. This policy is sufficient to
help protect computers that run Microsoft Internet Information Services (IIS) 5.0
from the "Code Red" worm and the "Nimda" worm. IPSeccmd.exe -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP
80 Rule" -f *=0:80:TCP -n BLOCK -x Note The -x switch assigns the policy immediately. If you enter this command,
the "Block UDP 1434 Filter" policy is unassigned and the "Block TCP 80 Filter"
is assigned. To add the policy but not assign the policy, type the command without the -x switch at the end. - To add an additional filtering rule to the existing "Block
UDP 1434 Filter" policy that blocks network traffic that originates from your Windows Server 2003-based or Windows XP-based computer to any IP address, use the
following command.
Note In this command, Protocol and
PortNumber are variables: IPSeccmd.exe -w REG -p "Block ProtocolPortNumber
Filter" -r "Block Outbound ProtocolPortNumber Rule" -f
*0=:PortNumber:Protocol -n BLOCK For example, to block any network traffic that
originates from your Windows Server 2003-based or Windows XP-based computer that is directed to UDP 1434
on any other host, type the following. This policy is sufficient to help prevent
computers that run SQL Server 2000 from spreading the "Slammer" worm. IPSeccmd.exe -w REG -p "Block UDP
1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n
BLOCK Note You can add as many filtering rules to a policy as you want by
using this command. For example, you can use this command to block multiple ports by using the same
policy. - The policy in step 5 will now be in effect and will persist
every time that the computer is restarted. However, if a domain-based IPSec policy is
assigned to the computer later, this local policy will be overridden and will
no longer apply.
To verify the successful assignment of your filtering rule, set the working folder to C:\Program Files\Support Tools at
the command prompt,
and then type the following command: netdiag /test:ipsec /debug If policies for both inbound
and outbound traffic are assigned as in these examples, you will receive the following message:
IP Security test . . . . . . . . . : Passed Local
IPSec Policy Active: 'Block UDP 1434 Filter' IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}
There are 2 filters No Name Filter Id:
{5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592} Policy Id:
{509492EA-1214-4F50-BF43-9CAC2B538518} Src Addr : 0.0.0.0 Src Mask :
0.0.0.0 Dest Addr : 192.168.1.1 Dest Mask : 255.255.255.255 Tunnel
Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434 Protocol : 17 TunnelFilter:
No Flags : Inbound Block No Name Filter Id:
{9B4144A6-774F-4AE5-B23A-51331E67BAB2} Policy Id:
{2DEB01BD-9830-4067-B58A-AADFC8659BE5} Src Addr : 192.168.1.1 Src Mask :
255.255.255.255 Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0 Tunnel Addr
: 0.0.0.0 Src Port : 0 Dest Port : 1434 Protocol : 17 TunnelFilter: No
Flags : Outbound BlockNote The IP addresses and graphical user interface (GUID) numbers will
be different based on your Windows Server 2003-based or Windows XP-based computer.
Windows 2000-based computersFor systems without a locally defined IPSec policy enabled, follow
these steps to create a new local static policy to block traffic that is
directed to a specific protocol and port on a Windows 2000-based computer
without an existing IPSec Policy assigned:
- Verify that the IPSec Policy Agent service is enabled and
started in the Services MMC snap-in.
- Visit the following Microsoft Web site to download and
install Ipsecpol.exe:
- Open a command prompt and set the working folder to the
folder where you installed Ipsecpol.exe.
Note The default folder for Ipsecpol.exe is C:\Program Files\Resource
Kit. - To create a new local IPSec policy and filtering rule that
applies to network traffic from any IP address to the IP address of the Windows
2000-based computer that you are configuring, use the following command, where
Protocol and PortNumber are
variables:
ipsecpol -w REG -p "Block ProtocolPortNumber Filter" -r
"Block Inbound ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK -x For example, to block network traffic from any IP
address and any source port to destination port UDP 1434 on a Windows
2000-based computer, type the following. This policy is sufficient to help protect
computers that run Microsoft SQL Server 2000 from the "Slammer" worm. ipsecpol -w REG -p "Block UDP
1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK
-x The following example blocks inbound access to TCP
port 80 but still allows outbound TCP 80 access. This policy is sufficient to
help protect computers that run Microsoft Internet Information Services (IIS) 5.0
from the "Code Red" and "Nimda" worms. ipsecpol -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP
80 Rule" -f *=0:80:TCP -n BLOCK -x Note The -x switch assigns the policy immediately. If you enter this command,
the "Block UDP 1434 Filter" policy is unassigned, and the "Block TCP 80 Filter"
is assigned. To add but not assign the policy, type the command without the -x switch at the end . - To add an additional filtering rule to the existing "Block
UDP 1434 Filter" policy that blocks network traffic that originates from your Windows 2000-based computer to any IP address, use the
following command, where Protocol and
PortNumber are variables:
ipsecpol -w REG -p "Block ProtocolPortNumber
Filter" -r "Block Outbound ProtocolPortNumber Rule" -f
*0=:PortNumber:Protocol -n BLOCK For example, to block any network traffic that
originates from your Windows 2000-based computer that is directed to UDP 1434
on any other host, type the following. This policy is sufficient to prevent
computers that run SQL Server 2000 from spreading the "Slammer" worm. ipsecpol -w REG -p "Block UDP
1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n
BLOCK Note You can add as many filtering rules to a policy as you want by
using this command (for example, to block multiple ports by using the same
policy). - The policy in step 5 will now be in effect and will persist
every time that the computer is restarted. However, if a domain-based IPSec policy is
assigned to the computer later, this local policy will be overridden and will
no longer apply. To verify the successful assignment of your filtering rule, at
the command prompt, set the working folder to C:\Program Files\Support Tools,
and then type the following command:
netdiag /test:ipsec /debug If, as in these examples, policies for both inbound
and outbound traffic are assigned, you will receive the following message:
IP Security test . . . . . . . . . : Passed Local
IPSec Policy Active: 'Block UDP 1434 Filter' IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}
There are 2 filters No Name Filter Id:
{5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592} Policy Id:
{509492EA-1214-4F50-BF43-9CAC2B538518} Src Addr : 0.0.0.0 Src Mask :
0.0.0.0 Dest Addr : 192.168.1.1 Dest Mask : 255.255.255.255 Tunnel
Addr : 0.0.0.0 Src Port : 0 Dest Port : 1434 Protocol : 17 TunnelFilter:
No Flags : Inbound Block No Name Filter Id:
{9B4144A6-774F-4AE5-B23A-51331E67BAB2} Policy Id:
{2DEB01BD-9830-4067-B58A-AADFC8659BE5} Src Addr : 192.168.1.1 Src Mask :
255.255.255.255 Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0 Tunnel Addr
: 0.0.0.0 Src Port : 0 Dest Port : 1434 Protocol : 17 TunnelFilter: No
Flags : Outbound BlockNote The IP addresses and graphical user interface (GUID) numbers will
be different. They will reflect those of your Windows 2000-based computer.
Add a block rule for a specific protocol and portWindows Server 2003-based and Windows XP-based computersTo add a block rule for a specific protocol and port on a Windows
Server 2003-based or Windows XP-based computer that has an existing locally-assigned static IPSec policy,
follow these steps:
- Install IPSeccmd.exe. IPSeccmd.exe is part of Windows XP SP2 Support Tools.
For additional information about downloading and installing Windows XP Service Pack 2 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
838079
Windows XP Service Pack 2 Support Tools
- Identify the name of the currently assigned IPSec policy.
To do this, type the following at a command prompt:If a policy is assigned, you will receive a message
that is similar to the following:IP Security test . . . . . . .
. . : Passed
Local IPSec Policy Active: 'Block UDP 1434
Filter' - If there is an IPSec policy already assigned to the
computer (local or domain), use the following command to add an additional BLOCK Filter Rule to the existing IPSec policy.
Note
In this command, Existing_IPSec_Policy_Name,
Protocol, and PortNumber are
variables. IPSeccmd.exe -p "Existing_IPSec_Policy_Name" -w REG -r "Block
ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n
BLOCK For example, to add a Filter Rule to block inbound
access to TCP port 80 to the existing Block UDP 1434 Filter, type the following
command: IPSeccmd.exe -p
"Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n
BLOCK
Windows
2000-based computersTo add a block rule for a specific protocol and port on a Windows
2000-based computer with an existing locally-assigned static IPSec policy,
follow these steps:
- Visit the following Microsoft Web site to download and
install Ipsecpol.exe:
- Identify the name of the currently assigned IPSec policy.
To do this, type the following at a command prompt:If a policy is assigned, you will receive a message
that is similar to the following:IP Security test . . . . . . .
. . : Passed
Local IPSec Policy Active: 'Block UDP 1434
Filter' - If there is an IPSec policy already assigned to the
computer (local or domain), use the following command to add an additional BLOCK
filtering rule to the existing IPSec policy, where
Existing_IPSec_Policy_Name,
Protocol, and PortNumber are
variables:
ipsecpol -p "Existing_IPSec_Policy_Name" -w REG -r "Block
ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n
BLOCK For example, to add a Filter Rule to block inbound
access to TCP port 80 to the existing Block UDP 1434 Filter, type the following
command: ipsecpol -p
"Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n
BLOCK
Add a dynamic block policy for a specific protocol and portWindows Server 2003 and Windows XP-based computersYou may want to temporarily block access to a specific port. For example, you may want to block a specific port until you can install a hotfix or if a domain-based
IPSec policy is already assigned to the computer. To temporarily block access
to a port on a Windows Server 2003-based or Windows XP-based computer by using IPSec policy, follow these
steps: - Install IPSeccmd.exe. IPSeccmd.exe is part of Windows XP Service Pack 2 Support Tools.
Note IPSeccmd.exe will run on Windows XP and Windows Server 2003 operating systems, but the tool is only available from the Windows XP SP2 Support Tools package.
For additional information about how to download and install Windows XP Service Pack 2 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
838079
Windows XP Service Pack 2 Support Tools
- To add a dynamic BLOCK filter that blocks all packets from
any IP address to your system's IP address and targeted port, type the
following at a command prompt.
Note In the following command, Protocol and
PortNumber are variables. IPSeccmd.exe -f
[*=0:PortNumber:Protocol] Note This command creates the block filter dynamically. The policy remains assigned as long as the IPSec Policy Agent service is running. If
the IPSec Policy Agent service is restarted or the computer is restarted, this policy is lost. If you want to dynamically reassign the IPSec Filtering Rule every
time that the system is restarted, create a startup script to reapply the Filter
Rule. If you want to permanently apply this filter, configure the filter as a
static IPSec policy. The IPSec Policy Management MMC snap-in provides a
graphical user interface for managing IPSec policy configuration. If a
domain-based IPSec policy is already applied, the netdiag /test:ipsec /debug command may only show the filter details if the command is
executed by a user who has domain administrator credentials.
Windows 2000-based computersYou may want to block a specific port
temporarily (for example, until a hotfix can be installed, or if a domain-based
IPSec policy is already assigned to the computer). To temporarily block access
to a port on a Windows 2000-based computer by using IPSec policy, follow these
steps:
- Visit the following Microsoft Web site to download and
install Ipsecpol.exe:
- To add a dynamic BLOCK filter that blocks all packets from
any IP address to your system's IP address and targeted port, type the
following at a command prompt, where Protocol and
PortNumber are variables:
ipsecpol -f
[*=0:PortNumber:Protocol] Note This command creates the block filter dynamically, and the policy
will remain assigned as long as the IPSec Policy Agent service is running. If
the IPSec service is restarted or the computer is rebooted, this setting will
be lost. If you want to dynamically reassign the IPSec Filtering Rule every
time the system is restarted, create a startup script to reapply the Filter
Rule. If you want to permanently apply this filter, configure the filter as a
static IPSec policy. The IPSec Policy Management MMC snap-in provides a
graphical user interface for managing IPSec policy configuration. If a
domain-based IPSec policy is already applied, the netdiag /test:ipsec /debug command may only show the filter details if the command is
executed by a user with domain administrator credentials. An updated version of
Netdiag.exe will be available in Windows 2000 Service Pack 4 that will allow
local administrators to view domain-based IPSec policy.
IPSec filtering rules and Group PolicyFor environments where IPSec policies are assigned by a Group
Policy setting, you have to update the whole domain's policy to block the
particular protocol and port. After you successfully configure the Group Policy
IPSec settings, you must enforce a refresh of the Group Policy settings on all the Windows Server 2003-based, Windows XP-based, and Windows 2000-based computers in the domain. To do this, use the
following command: secedit /refreshpolicy machine_policy
The IPSec policy change will be detected within one
of two different polling intervals. For a newly assigned IPSec policy being
applied to a GPO, the IPSec policy will be applied to the clients within the
time set for the Group Policy polling interval or when the secedit /refreshpolicy machine_policy command is run on the client computers. If IPSec policy is
already assigned to a GPO and new IPSec filters or rules are being added to an
existing policy, the secedit command will not make IPSec recognize changes. In this scenario,
modifications to an existing GPO-based IPSec policy will be detected within
that IPSec policy's own polling interval. This interval is specified on the General tab for that IPSec policy. You can also force a refresh of the
IPSec Policy settings by restarting the IPSec Policy Agent service. If the
IPSec service is stopped or restarted, IPSec-secured communications will be
interrupted and will take several seconds to resume. This may cause program
connections to disconnect, particularly for connections that are actively transferring
large volumes of data. In situations where the IPSec policy is applied only on
the local computer, you do not have to restart the service. Unassign and delete an IPSec policyWindows Server 2003-based and Windows XP-based computers- Computers that have a locally-defined static policy
- Open a command prompt, and then set the working folder
to the folder where you installed Ipsecpol.exe.
- To unassign the filter that you created earlier, use
the following command:
IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" -y For example, to unassign the Block UDP 1434 Filter
that you created earlier, use the following command: IPSeccmd.exe -w REG -p "Block UDP 1434
Filter" -y - To delete the filter that you created, use the
following command:
IPSeccmd.exe -w REG -p "Block ProtocolPortNumber
Filter" -r "Block ProtocolPortNumber Rule" -o For example, to delete the "Block UDP 1434 Filter"
filter and both of the rules that you created, use the following command: IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -r "Block
Inbound UDP 1434 Rule" -r "Block Outbound UDP 1434 Rule" -o
- Computers that have a locally-defined dynamic policy
Dynamic IPSec policy is unapplied if the IPSec
Policy Agent service is stopped by using the net stop policyagent command. To delete the specific commands that were used without stopping the IPSec Policy Agent service, following these steps:
- Open a command prompt, and then set the working folder
to the folder where you installed Windows XP Service Pack 2 Support Tools.
- Type the following command: Note You can also restart the IPSec Policy Agent service to clear all
dynamically-assigned policies.
Windows 2000-based computers- Computers with a locally-defined static policy
- Open a command prompt, and then set the working folder
to the folder where you installed Ipsecpol.exe.
- To unassign the filter that you created earlier, use
the following command:
ipsecpol -w REG -p "Block ProtocolPortNumber Filter" -y For example, to unassign the Block UDP 1434 Filter
that you created earlier, use the following command: ipsecpol -w REG -p "Block UDP 1434
Filter" -y - To delete the filter that you created, use the
following command:
ipsecpol -w REG -p "Block ProtocolPortNumber
Filter" -r "Block ProtocolPortNumber Rule" -o For example, to delete the "Block UDP 1434 Filter"
filter and both rules that you created earlier, use the following command: ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block
Inbound UDP 1434 Rule" -r "Block Outbound UDP 1434 Rule" -o
- Computers with a locally-defined dynamic policy
Dynamic IPSec policy will be unapplied if the IPSec
Policy Agent service is stopped (by using the net stop policyagent command). However, to delete the specific commands that were used
earlier without stopping the IPSec Policy Agent service, following these steps:
- Open a command prompt, and then set the working folder
to the folder where you installed Ipsecpol.exe.
- Type the following command: Note You may also restart the IPSec Policy Agent service to clear all
dynamically-assigned policies.
Apply your new filter rule to all protocols and portsBy default in Microsoft Windows 2000 and Microsoft Windows XP,
IPSec exempts Broadcast, Multicast, RSVP, IKE, and Kerberos traffic from all
Filter and Authentication restrictions. For additional information about these
exemptions, click the following article number to view the article in the
Microsoft Knowledge Base: 253169 Traffic
that can--and cannot--be secured by IPSec
Where IPSec is used only to permit and block
traffic, remove the exemptions for Kerberos and RSVP protocols by changing a
registry value. For complete instructions about how to do this, click the
following article number to view the article in the Microsoft Knowledge
Base: 254728 IPSec does not secure Kerberos
traffic between Domain Controllers
By following these instructions, you can help protect UDP
1434 even in cases where attackers may set their source port to the Kerberos
ports of TCP/UDP 88. By removing the Kerberos exemptions, Kerberos packets will
now be matched against all filters in the IPSec policy. Therefore, Kerberos can
be secured inside IPSec, blocked or permitted. Therefore, if IPSec filters
match Kerberos traffic that is going to the domain controller IP addresses, you
may have to change the IPSec policy design to add new filters to permit
Kerberos traffic to each domain controller IP address (if you are not
using IPSec to help secure all traffic between the domain controllers as Knowledge
Base article 254728 describes). Application of IPSec filter rules upon computer restartAll IPSec policies rely on the IPSec Policy Agent service to be
assigned. When a Windows 2000-based computer is in the process of starting up,
the IPSec Policy Agent service is not necessarily the first service to start.
Therefore, there may be a brief moment when the computer's network connection
is vulnerable to virus or worm attacks. This situation only applies in the case
where a potentially vulnerable service has successfully started and is
accepting connection before the IPSec Policy Agent service has completely
started and assigned all policies.
Modification Type: | Major | Last Reviewed: | 11/18/2004 |
---|
Keywords: | kbhowto KB813878 |
---|
|