By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the command prompt. If you don’t know how, you probably shouldn’t be doing this. All commands meant to be typed are in italics.

Step 1: Create IP Security Policy

netsh ipsec static add policy description=”This policy blocks all traffic to hosts/nets associated with it.”

Step 2: Create an IP Filter List

netsh ipsec static add filterlist description=”This filter list contains hosts and networks known to host malware, criminal activity, etc.”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

Single IP (10.254.254.254/32)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.254 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Subnet (10.254.254.0/24)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.0 dstaddr=any srcmask=24 description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Network Range (10.254.254.2-10)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.2-10.254.254.15 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Step 4: Create a Filter Action

netsh ipsec static add filteraction description=”This action blocks all traffic.” action=block

Step 5: Create Policy Rule to apply Filter Action to Filter List

netsh ipsec static add rule policy=”Blocked Traffic” filterlist=”Bad Hosts” filteraction=”Block All Traffic” activate=yes

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

Assign

netsh ipsec static set policy name=”Blocked Traffic” assign=yes

Un-assign

netsh ipsec static set policy assign=no

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000)

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

• Control Panel → Administrative Tools → Local Security Policy
• Start → Run → secpol.msc

Step 1: Create IP Security Policy

1. Right click “IP Security Policies on Local Computer”
2. Select “Create IP Security Policy…”
3. IP Security Policy Wizard
   • Welcome Screen → Next
   • IP Security Policy Name → Give a descriptive name and description → Next
   • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
   • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

1. Double click your new policy (or, right click and select properties)
2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
3. Create an IP Filter List
   • On the “IP Filter List” Tab → Click “Add…”
   • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

1. Address Tab
   • Change Source Address to → “A specific IP Address or Subnet”
   • Enter the IP Address and/or subnet in the text box (Use CIDR syntax for defining subnets (e.g. 10.10.10.0/24)
   • Check “Mirrored”
2. Protocol Tab → Ensure protocol type is set to “Any”
3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
4. Click “OK”
5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
2. On the “Security Methods” Tab → Select the “Block” radio button (All other options on this tab will become greyed out)
3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
3. Press “OK”
4. On the new policy properties window, ensure the new list and action are enabled.
5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

1. Right click your new policy → Select “Assign” → Done (It really is that easy)
   • To un-assign, just do the same thing except select “Un-assign” instead.

In part 3, I will cover how to do all this directly from the command line.

1. Storage is cheap.
2. Your data is only as safe as your password.
3. When stored online, your data is no longer yours.

While these factors are why I do not recommend online backups, I want to take a moment to discuss when online backups do make sense.

Disclaimer: When Online Backups Make Sense

As a reader pointed out, many people setup a backup process but the process gets in their way of doing it properly. Either their backups fail to run regularly or they stop rotating the media because the process is cumbersome.  If this is the case, backup your data online.

Also, please understand that this is only meant to explain why I do no recommend online backup services as a regular practice.  It does not mean there is no place for it.  There are many reputable online services out there.  The vast majority of them encrypt the connections end-to-end and store the data in encrypted form.  But that is something you should ask or check before just signing up for the service and dumping your data on their servers.

For each of the weaknesses I discuss, there are measures that can be taken to protect your data, even if stored online.  Most technically savvy people know how to operate online and protect their data and identity.  But all too often, I find people and small businesses operating online in an insecure fashion.  They may be required by their insurance company to have offsite backups.  They see online backups as a panacea without understanding the potential risks they face by not fully understanding the importance of protecting their data.

One other point regarding offline backups.  If you store your data on a hard drive that is stored in the back seat of your car or in your gym bag, just save yourself the hassle and use an online service.  By now, most of us have heard the stories about the IT guy at the hospital whose car was broken into and all the hospital’s data was compromised.  Or, the VA worker whose laptop was stolen with patient records.  The same thing can (and will) happen to you if you do not treat your offline backups with care.

Disks Are Cheap

The other day I was spec’ing out a brick-and-mortar backup solution for a small business.  I was surprised to find a 1TB external hard drive for only $90.  I realize that in a few years from now, that 1TB drive will not be enough storage.  File sizes grow.  However, as history has shown, a comparable storage medium will be available at that time for a similar price.

Online storage solutions exist because they offer strategy, software and storage for ~$50/year.  The price point and ease of use is attractive.  It is why the services are popular.  When you add the fact that to do your own backups you need (probably) two 1TB external drives, software and some knowledge of your computer, these solutions become even more attractive.  It is the same reason people use Gmail or Yahoo! for their e-mail.  Sure, they could buy a domain name, setup postfix and roundcube and have control over their e-mail services.  But why?  Especially when it is free to use Yahoo! or Gmail.

The real reason against online backups is in my two points below.  However, the cost and expertise needed to do it on your own is minimal.  If you do it on your own, you first have to assume that you probably replace your computer every 5 years.  Over that period, an online service would cost roughly $250 over that time.

To do this on your own, you probably want to start out with two 1TB disks.  The software needed is free.  You can use Windows Backup or an Open Source solution like Areca.  The time needed to learn how to properly backup your data and to manage the backups is the wildcard.  It depends on how much you value your data (if you’ve ever lost everything, your probably realize it is worth a lot; or maybe not).  The resources are available on the internet.  You just have to find a solution that works for you.

My solution.  I use two 1TB disks along with Areca to backup all my data to the disk.  I always store one of the hard drives in a locked, fireproof safe and the other at an external location I can trust.

Your Data, Your Password

If you are like most people, you use the same password for your online banking as you do your e-mail and your e-bay account.  It is a fact that people repetitiously use their passwords.  Although there is a positive trend in password strength, as was evident in the recent presidential race, there are ways to get around strong passwords.  For example, Sarah Palin’s e-mail account was compromised and all her e-mail accessed during the campaign.  Not because she used a weak password.  Instead, it was because the security questions used to reset her password were setup using easy to guess answers.  What is your mother’s maiden name?  What high school did you attend?  As social networking and the semantic web become more prevalent, the answers to these questions become easier to find.  And what about that computer support forum you posed a question on?  Well, you had to setup an annoying username and password.  You also supplied your e-mail address.  Odds are, you used the same password for that account as you did your e-mail account.  You trust the people that setup that forum without even knowing them.  You also trusted their ability to secure the data you submitted.  What if somebody were to compromise their database?  They now have access to your e-mail and any other online services you use that utilize that same password.  Thanks for playing, come again…

It is a fact that this activity goes on every day.  In my own testing, I was able to find forum after forum, website after website that were setup by lazy administrators and were vulnerable to these same attacks.  Now you are talking about client lists, confidential contracts, business relationships, personal information, tax information, etc.  All of that is vulnerable to these attacks when you store your data online.  The web is not a nice place for the complacent.

Your Data != Your Data

The 10 Immutable Laws of Security.  While they tend to talk about your computer explicitly, they are really talking about the security of the data on your computer.  If you don’t care about the data on your computer, then they don’t apply.  But, if you are like most, you value the safety of the data on your computer.

When you talk about backups, you are talking about storing all your data in a different place and medium than “your computer”.  I still tell people and small business that a security deposit box is tested and trusted; use it!  I tell them this because it is a trusted storage place and has been so for decades, if not years.  Online storage is a new medium that has only recently reached mainstream.

To store all your data online, you must trust all the individuals that handle your data.  You trust the geek squad or your neighborhood geek to fix your computer.  You know where they work.  You know where they live.  Yet, people have no idea where their data goes when they use one of these online services beyond what is posted on a web page.  Is your data handled by foreign nationals?  Are the employees at the corporation happy?  (We’ve all heard of rogue admins.)  How well do you know all those that have access to your data?  When you let somebody into your home, whether as a friend or contractor, you analyze the situation and give them a certain level of trust.  Do you do the same when you select an online service to upload everything you have stored on your computer?

You should ask yourself all these questions before selecting any backup solution, online or offline.  Most online services will offer some level of encryption.  You need to know what that means and do your homework to ensure you data is transferred in a secure manner and stored in a secure fashion.  Again, this goes for both offline and online backups.

Conclusions

The technology is neat.  The fact that we now have enough bandwidth to copy the entirety of hard drives up to the cloud is not something to scoff at.  My biggest concern is that the vast majority of people do not realize the repercussions of storing their data in the cloud.  If you put serious thought into the decision to do this and you still feel confortable, then go for it.  I, for one, will continue to backup my data to a disk I can touch and hold with my own hands.  Now get off my lawn!