Shulou(Shulou.com)06/02 Report--

Restrict fixed IP access by setting IP security policy

Description:

(1) take the XP environment as an example, step: disable all IP first, and then allow fixed IP access.

(2) in the process of configuration, many step diagrams are repeated, and some worthless diagrams are omitted.

(3) if you just watch it, you may get dizzy if you repeat the configuration of security rules and IP filter module, but there is no problem with configuring it according to this step:

Process combing: first configure security policies-- then configure the list of IP filters-- and finally specify IP filters for these security policies and specify filter actions.

(4) after the setting is completed, note that the IPSEC service must be "started" and the startup type must be set to "automatic", otherwise it will not work after the machine is restarted.

(5) expansion: see the end of the article.

1. Create a security policy

(1) Control Panel-Management tools-Local Security Policy

-"

(2) right-select "IP Security Policy"-create an IP security policy

(3) enter the setup wizard: set the name of the IP security policy to "restrict fixed IP remote access"-select "Yes" in the warning box, and everything else remains default, as shown in the following figure.

two。 Set a filter to block any IP access

(1) the security rule attribute added for the newly added IP security rule (same as the first step of adding the rule)

(2) add a new filter: select-add-enter filter name-add in the ip filter list

(3) after entering the wizard: first set to prohibit all IP access-source address: any IP address-destination address: my IP address-protocol: TCP-- to this port input: 3389 (3389 for windows remote access port), the rest can remain default, see the following figure.

(4) after completion, you will see the added information in the IP filter list. As shown in the following picture.

(5) configure the actions allowed by the IP filter: after the point is determined-select the configured "block all IP remote access", the next step-add-select "block"-finally determine, as shown in the following figure.

Note: there is no default "block". There are only three options: request security, need security, and allow.

(6) Select the filter action "block", and the next step is done, and all the settings for "block all IP remote access" are configured.

3. Add a list of IP filters allowed to be accessed

(1) for example, 165.154, where the source address needs to select "a specific IP address", and the filter operation selects "allow", as shown below.

(2) after the point is determined, go back to the "restrict fixed IP remote access" window, and the following window will appear. At this time, you need to configure a new IP security rule, that is, a security rule that allows 165.154 access, and set the filter action, as shown in the following figure.

4. Verify that the filled rules are correct

Take 165.154 as an example. Select "allow 165.154 remote access", select "Edit"-in the IP filter window, select allow 165.154 access, select "Edit"-select the configured record in the IP filter window, select "Edit", as shown in the following figure, you can see the configured rules and filter actions. Other rules can be verified and modified by this method.

5. Apply configured IP security rules

(1) the final result of the final configuration is as follows

(2) assign this security rule: right-click "restrict fixed IP remote access"-select "assign", and all work configuration is completed.

Extend:

(1) this article is limited to a fixed IP or a certain network segment. When configuring the source address, you only need to select "a specific IP subnet".

Then the configuration information is (take 165 network segment as an example):

IP address: 192.168.165.0

Subnet mask: 255.255.255.0

(2) this article can also be extended to an IP or IP segment that restricts access to a port, service, etc., of the server.

(3) win7, win 2003 and win2008 are still suitable for this method.

If you have any questions or better suggestions, please reply or contact qq:1095419633. Thank you.

If you feel troublesome, you can download some files of 2008 ip security policy here, and the above functions can be supplemented by yourself.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.