2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
1. Overview
A control method was published earlier to prevent users from bypassing the fortress (bastion host) when logging in to databases with PLSQL. A project has since reported that users can launch CRT through the graphical fortress and manually connect to other hosts, which bypasses the character fortress. I wanted to follow the earlier approach and modify CRT's menu, but that turned out not to be feasible: the menu file is binary and cannot be matched at all. Testing showed that a Windows Firewall outbound policy can restrict the CRT in a specified directory so that it connects only to the specified port of the specified IP (for example, only the port of the character fortress). If the project team needs to connect to other IPs and ports manually with CRT during testing, simply copy CRT to another directory, where it is not restricted. (The graphical fortress requires a 2008 or later operating system, and the CRT directory is the same on all graphical fortresses.)
2. Steps
2.1. Force the graphical fortress to turn on the firewall through domain group policy
Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security, then click "Windows Firewall Properties" on the right.
On each of the three tabs (Domain Profile, Private Profile, Public Profile), set the firewall state to "On (recommended)".
Before configuring this item, make sure the inbound policy required with the firewall turned on is already configured. Otherwise, turning on the firewall may leave clients unable to connect to the graphical fortress's port and disrupt normal use of the graphical fortress.
2.2. Configure outbound policy through domain group policy to limit access to fortress ports
Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security → Outbound Rules. Right-click, choose New Rule, select Custom, and click Next.
Set the CRT program path and click Next.
Select "TCP" as the protocol type, select "Specific Ports" for the remote port, and enter every port except the port of the character fortress. For example, if the character fortress port is TCP 2200, enter "0-2199, 2201-65535" as the remote port, then click Next.
For the IP addresses the rule applies to, keep the default "Any IP address" and click Next.
The action is "Block the connection" by default; click Next.
The rule applies to all three profiles by default; click Next.
Give the rule a name, such as permitTCP2200, and click Finish.
2.3. Configure outbound policy through domain group policy to restrict access to Fortress IP
The steps are about the same as before, except that this time an IP address range is set, and two rules are needed. For example, if the character fortress addresses are 10.1.1.1-10.1.1.10, set two rules: the first with the address range 0.0.0.0-10.1.1.0, and the second with the address range 10.1.1.11-255.255.255.255.
The steps below use the rule for the IP address range before 10.1.1.1 as an example:
Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security → Outbound Rules. Right-click, choose New Rule, select Custom, and click Next.
Set the CRT program path and click Next.
For protocol and ports, keep the default (any protocol) and click Next.
Leave the local IP as "Any IP address", select "These IP addresses" for the remote IP, and click Add on the right.
Select "This IP address range", enter 0.0.0.0 to 10.1.1.0, click OK, and return to the wizard.
Click Next, keep the default "Block the connection", and click Next.
The rule applies to all three profiles by default; click Next.
Give the rule a name, such as before10.1.1.1, and click Finish.
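The block rules from 2.2 and 2.3 can also be created from PowerShell instead of the wizard. The script below is an added example, not part of the original article: it computes the port and address ranges outside the allowed ones and creates the rules with the NetSecurity module's New-NetFirewallRule cmdlet. The CRT path, the GPO name and the rule names are placeholder assumptions.

```powershell
# Added example (not from the original article). Placeholders: CRT path, GPO name, rule names.
param(
    [string]$CrtPath     = 'C:\Tools\CRT\SecureCRT.exe',      # placeholder: CRT program path
    [string]$PolicyStore = 'example.local\FortressFirewall',  # placeholder: domain\GPO name
    [int]   $AllowedPort = 2200,                              # character fortress port
    [string]$FirstIp     = '10.1.1.1',                        # character fortress range start
    [string]$LastIp      = '10.1.1.10'                        # character fortress range end
)

function ConvertTo-UInt32([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-IPv4([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    ([System.Net.IPAddress]::new($bytes)).ToString()
}

# Ports to block: everything except the allowed port (skip an empty side).
$portRanges = @()
if ($AllowedPort -gt 0)     { $portRanges += "0-$($AllowedPort - 1)" }
if ($AllowedPort -lt 65535) { $portRanges += "$($AllowedPort + 1)-65535" }

# Addresses to block: everything below and above the allowed range.
$low  = ConvertTo-UInt32 $FirstIp
$high = ConvertTo-UInt32 $LastIp
if ($low -gt $high) { throw "FirstIp must not be greater than LastIp" }
$ipRanges = @()
if ($low  -gt 0)                  { $ipRanges += "0.0.0.0-$(ConvertTo-IPv4 ($low - 1))" }
if ($high -lt [uint32]::MaxValue) { $ipRanges += "$(ConvertTo-IPv4 ($high + 1))-255.255.255.255" }

# Settings shared by every rule: outbound, block, CRT only, all three profiles.
$common = @{
    Direction = 'Outbound'; Action = 'Block'; Program = $CrtPath
    Profile   = 'Any';      PolicyStore = $PolicyStore
}

# 2.2: block TCP to every remote port except the allowed one.
New-NetFirewallRule @common -DisplayName "CRT block TCP except $AllowedPort" `
    -Protocol TCP -RemotePort $portRanges

# 2.3: one block rule per address range outside the fortress range.
foreach ($range in $ipRanges) {
    New-NetFirewallRule @common -DisplayName "CRT block $range" -RemoteAddress $range
}
```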
3. Note:
1. If you need the restriction to be a little looser, you can apply only one of steps 2.2 and 2.3.
2. The priority of Windows Firewall rules does not follow the order in which the rules are listed.
3. Do not try to configure an allow rule and then a deny-all rule, because the deny rule takes precedence.