How can I configure a Windows 2000/XP/2003 computer to block Ping packets?

Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol that's designed to protect individual TCP/IP packets traveling across your network by using public key encryption. In a nutshell, the source PC encapsulates the normal IP packet inside of an encrypted IPSec packet. This packet then remains encrypted until it arrives at the destination PC.

This is not the place for a more detailed intro to the IPSec features, but know that besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism.

How can you protect your computer with IPSec? Simply by creating a policy whose rules tell the computer to block the specific IP traffic they describe.

Block PING on a single computer

To block all PING traffic to and from a computer you need to create an IPSec policy that will block all ICMP traffic.

Check to see if the computer responds to PING requests by pinging it:

To configure a single computer follow these steps:

Configuring IP Filter Lists and Filter actions

- Open an MMC window (Start > Run > MMC).
- Add the IP Security and Policy Management Snap-In.
- In the Select which computer this policy will manage window select the local computer (or any other policy depending upon your needs). Click Close then click OK.
- Right-click IP Security Policies in the left pane of the MMC console. Select Manage IP Filter Lists and Filter Actions.
- You do not need to configure a specific IP Filter for ICMP (the protocol used by PING) because such a filter already exists by default - All ICMP Traffic.
  However, you might want to configure a more specific IP Filter for ICMP. For example, let's say you wish to prevent a server from answering all PINGs except for specific PINGs sent by a specific computer used by the Help Desk department. In that case you should add a new IP Filter and use your defined Source and Destination IP Addresses, and the ICMP protocol. See Block Web Browsing but Allow Intranet Traffic with IPSec for examples on how to create IP Filters.
- In the Manage IP Filter Lists and Filter actions window review your filters and, if all are set, click on the Manage Filter Actions tab. Now we need to add a filter action that will block our designated traffic, so click Add.
- In the Welcome screen click Next.
- In the Filter Action Name type Block and click Next.
- In the Filter Action General Options click Block then click on Next.
- Back in the Manage IP Filter Lists and Filter actions window review your filters and, if all are set, click on the Close button. You can add Filters and Filter Actions at any time.
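
The Help Desk filter list and the Block filter action from the steps above, scripted as an added example (not part of the original article). It assumes Windows Server 2003, where the netsh ipsec static context is available; the Help Desk address 192.0.2.10 and the filter list name are constructed placeholders.

```bat
@echo off
rem Added example: command-line equivalent of the "Manage IP Filter Lists
rem and Filter Actions" steps. Assumes Windows Server 2003 (netsh ipsec).
setlocal

rem Constructed placeholder values; replace with your own.
set HELPDESK_IP=192.0.2.10
set FLIST=Help Desk ICMP

rem 1. A filter list holding the more specific filter: ICMP between the
rem    Help Desk PC and this computer. mirrored=yes also matches the replies.
netsh ipsec static add filterlist name="%FLIST%" description="ICMP from the Help Desk PC"
if errorlevel 1 goto fail

netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%HELPDESK_IP% dstaddr=me protocol=ICMP mirrored=yes description="Help Desk ping"
if errorlevel 1 goto fail

rem 2. The Block filter action (the wizard's "Filter Action Name: Block").
rem    It is paired later, in a policy rule, with the built-in
rem    "All ICMP Traffic" filter list, so that list is not recreated here.
netsh ipsec static add filteraction name="Block" description="Drop matching traffic" action=block
if errorlevel 1 goto fail

rem 3. Review what now exists before building the policy.
netsh ipsec static show filterlist name="%FLIST%" level=verbose
netsh ipsec static show filteraction name="Block"

echo Filter list and filter action created. No policy is assigned yet.
endlocal
exit /b 0

:fail
echo netsh reported an error; check the IPSec store before retrying.
endlocal
exit /b 1
```

Nothing is blocked at this point: filter lists and filter actions only take effect once a rule in an assigned policy references them.
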
The next step is to configure the IPSec Policy and to assign it.