The security policy discussed here is the tool found under [Management Tools] | [Local Security Policy] | [IP Security Policy]. Many other items can be set under [Local Security Policy], so I won't go into them. The topic here is building an IP security policy; once it is in place, it works like a firewall.
The structure of [IP Security Policy] is as follows. The whole policy is a table; each record in the table maps a condition group to an action, and a condition group can contain multiple conditions. When setting it up, first create a condition group (i.e. an IP filter list), then create an action (i.e. a filter operation). When adding an IP filter list, add one or more filters (the conditions in the condition group) to it. When creating an action, specify a security measure for it, such as block or allow. That is all there is to the architecture. Below, I set up the IP security policy in three parts: 1. Ping; 2. All data packets entering and leaving the server; 3. TCP/UDP filtering.
1. Set whether to ban Ping packets
Add an IP filter list and name it ICMP. You don't have to use the same name as mine, haha. Then add a filter: the source address is [My IP Address], the destination address is [Any IP Address], check [Mirror], select ICMP for [Protocol Type], and write anything in [Description], as long as you can understand it; I just write icmp.
Add a filter operation and name it Block, which means blocking. Select Block as its security measure.
Now map the ICMP filter list to the Block filter operation, and the Ping ban is complete. If you want Ping to keep working on your server, you can choose allow instead, or not set this item at all.
2. All data packets entering and exiting the server
Create a new list and name it ALL. As the name suggests, it covers all data packets entering and leaving the server. In the filter, the source address is [My IP Address], the destination address is [Any IP Address], check [Mirror], select Any for [Protocol Type], and write anything in [Description].
Map this list to the Block operation we just created to filter out all incoming and outgoing traffic. Remember, you must not apply the policy at this point: all incoming and outgoing data packets are intercepted, so the server is effectively "off the Internet". If you are logged in to the server remotely, 3389 is blocked as well and your session is cut off; the only way to fix it is to go to the machine room!
3. TCP/UDP filtering
Let’s talk about TCP filtering first:
Create a new list and name it 3389. Hey, do you know what it is used for? In the filter, the source address is [Any IP Address], the destination address is [My IP Address], check [Mirror], select TCP for [Protocol Type], set [Source Port] to any, fill in 3389 for [Destination Port], and write anything in [Description].
Map it to the allow operation. This opens the 3389 connection. Note that the source address we filled in is [Any IP Address]. If you want to log in only from a fixed IP or IP range, change the [source address] to that IP or subnet.
Similarly, you can open web 80, FTP 21, SQL 1433, MySQL 3306, mail 25/110, and so on.
Let’s talk about UDP filtering:
In principle it is the same as TCP filtering, except that you select [UDP] for the protocol type. UDP is mainly needed on a DNS server, where UDP port 53 must be opened.
After completing all the operations, check everything carefully. This step is very important: there are many steps, so even an expert will make mistakes. If the remote connection can no longer be established, it will be very troublesome and embarrassing, and you must not lose face. After checking, you can click Assign on the IP policy. You're done!
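The same policy can be built from the command line with `netsh ipsec static`, which makes the rules reviewable as text before anything is assigned. This is an added example, not part of the original article; the policy name `ServerPolicy`, the action name `Permit` and the rule names are hypothetical, and it opens only TCP 3389.

```powershell
# Added example: steps 1-3 above with netsh instead of the GUI.
# Hypothetical names: ServerPolicy, Permit, BlockPing, BlockAll, AllowRDP.
$Policy = 'ServerPolicy'
$Assign = $false   # leave $false until the printed policy has been reviewed

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command and stop the script if it fails,
    # so a half-built policy is never assigned.
    & netsh ipsec static @args
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $args failed" }
}

# The policy container, created unassigned.
Invoke-IpsecStatic add policy "name=$Policy" assign=no

# Filter operations (actions): one that blocks, one that allows.
Invoke-IpsecStatic add filteraction name=Block action=block
Invoke-IpsecStatic add filteraction name=Permit action=permit

# 1. ICMP list: My IP <-> Any IP, mirrored.
Invoke-IpsecStatic add filterlist name=ICMP
Invoke-IpsecStatic add filter filterlist=ICMP srcaddr=me dstaddr=any `
    protocol=ICMP mirrored=yes description=icmp

# 2. ALL list: every packet entering or leaving the server.
Invoke-IpsecStatic add filterlist name=ALL
Invoke-IpsecStatic add filter filterlist=ALL srcaddr=me dstaddr=any `
    protocol=ANY mirrored=yes description=all

# 3. 3389 list: Any IP -> My IP, TCP, any source port (0), destination 3389.
#    Replace srcaddr=any with a fixed IP or subnet to restrict who may log in.
Invoke-IpsecStatic add filterlist name=3389
Invoke-IpsecStatic add filter filterlist=3389 srcaddr=any dstaddr=me `
    protocol=TCP srcport=0 dstport=3389 mirrored=yes description=rdp

# Map each filter list to its action. IPsec applies the most specific
# matching filter, so the 3389 permit takes precedence over the ALL block.
Invoke-IpsecStatic add rule name=BlockPing "policy=$Policy" filterlist=ICMP filteraction=Block
Invoke-IpsecStatic add rule name=BlockAll "policy=$Policy" filterlist=ALL filteraction=Block
Invoke-IpsecStatic add rule name=AllowRDP "policy=$Policy" filterlist=3389 filteraction=Permit

# The "check carefully" step: print the full policy, then assign only on request.
Invoke-IpsecStatic show policy "name=$Policy" level=verbose
if ($Assign) { Invoke-IpsecStatic set policy "name=$Policy" assign=yes }
```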
Okay, that is my rough overview of the security policy. As for how to take advantage of it and make the server as solid as an iron barrel, that is up to you, haha.