By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the command prompt. If you don’t know how, you probably shouldn’t be doing this. All commands meant to be typed are in italics.

Step 1: Create IP Security Policy

netsh ipsec static add policy description=”This policy blocks all traffic to hosts/nets associated with it.”

Step 2: Create an IP Filter List

netsh ipsec static add filterlist description=”This filter list contains hosts and networks known to host malware, criminal activity, etc.”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

Single IP (10.254.254.254/32)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.254 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Subnet (10.254.254.0/24)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.0 dstaddr=any srcmask=24 description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Network Range (10.254.254.2-10)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.2-10.254.254.15 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Step 4: Create a Filter Action

netsh ipsec static add filteraction description=”This action blocks all traffic.” action=block

Step 5: Create Policy Rule to apply Filter Action to Filter List

netsh ipsec static add rule policy=”Blocked Traffic” filterlist=”Bad Hosts” filteraction=”Block All Traffic” activate=yes

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

Assign

netsh ipsec static set policy name=”Blocked Traffic” assign=yes

Un-assign

netsh ipsec static set policy assign=no

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000)

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

• Control Panel → Administrative Tools → Local Security Policy
• Start → Run → secpol.msc

Step 1: Create IP Security Policy

1. Right click “IP Security Policies on Local Computer”
2. Select “Create IP Security Policy…”
3. IP Security Policy Wizard
   • Welcome Screen → Next
   • IP Security Policy Name → Give a descriptive name and description → Next
   • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
   • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

1. Double click your new policy (or, right click and select properties)
2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
3. Create an IP Filter List
   • On the “IP Filter List” Tab → Click “Add…”
   • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

1. Address Tab
   • Change Source Address to → “A specific IP Address or Subnet”
   • Enter the IP Address and/or subnet in the text box (Use CIDR syntax for defining subnets (e.g. 10.10.10.0/24)
   • Check “Mirrored”
2. Protocol Tab → Ensure protocol type is set to “Any”
3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
4. Click “OK”
5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
2. On the “Security Methods” Tab → Select the “Block” radio button (All other options on this tab will become greyed out)
3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
3. Press “OK”
4. On the new policy properties window, ensure the new list and action are enabled.
5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

1. Right click your new policy → Select “Assign” → Done (It really is that easy)
   • To un-assign, just do the same thing except select “Un-assign” instead.

In part 3, I will cover how to do all this directly from the command line.