
Block IP Addresses using IP Security Policy in Windows Server 2003

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.

As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services in one place? This is where the IP Security Policy Management snap-in comes in handy.

Configure the IP Security Policy to block your first IP address

  1. Click “Start,” then “Run,” type “mmc” and click “OK.”
  2. In the MMC, click “File” and “Add/Remove Snap In.”
  3. In the “Standalone” tab, click “Add.”
  4. Select “IP Security Policy Management” and click “Add.”
  5. Select “Local Computer” and click “Finish.”
  6. Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
  7. Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
  8. Click “Next.”
  9. Enter a name (e.g., IP Block List) and description into the boxes and click “Next.”
  10. Leave “Activate the default response rule” checked. Click “Next.”
  11. Leave “Active Directory default (Kerberos)” checked. Click “Next.”
  12. Leave “Edit properties” checked. Click “Finish.”
  13. The Properties box should be open.
  14. To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
  15. Click “Next” when the “Create IP Security Rule” wizard opens.
  16. Leave “This rule does not specify a tunnel” checked. Click “Next.”
  17. Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
  18. You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
  19. Name the IP Filter List (e.g., Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
  20. The “IP Filter Wizard” will pop up. Click “Next.”
  21. This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This ensures packets both to and from the address are blocked, so you create one filter instead of two. Click “Next.”
  22. Keep “Source Address” as “My IP Address” and click “Next.”
  23. Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
  24. Enter the IP address in the fields below and click “Next.”
  25. Under “select protocol type” choose “Any” (meaning all protocols) unless you specifically want to block only one protocol, such as TCP or UDP (e.g., for Remote Desktop). Click “Next.”
  26. Click “Finish.”
  27. Now that you are back to the “IP Filter List” click “OK.”
  28. You will be back in the “IP Filter List” list in the Security Rule Wizard; make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
  29. You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
  30. In the “IP Security Filter Action” wizard, click “Next.”
  31. Enter a name (e.g., Block All Packets) and click “Next.”
  32. Select “Block” for the filter action behavior. Click “Next.”
  33. Click “Finish.”
  34. You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
  35. Click “Finish.”
  36. You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
  37. Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new policy (IP Block List) and select “Assign.”

To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.

To Block Additional IP Addresses

  1. Open the IP Block List console you saved.
  2. In the right-hand pane double-click your IP Block List.
  3. In the policy Properties, under “IP Security rules,” select the rule whose IP Filter List is “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
  4. On the “IP Filter List” tab, select your “Blocked IP List” (not “All ICMP Traffic” or “All IP Traffic”) and click “Edit.”
  5. The IP Filter List dialog opens; the first IP address you blocked appears under “IP Filters.” Click “Add.”
  6. Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.
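The same policy can be built from the command line with the `netsh ipsec static` context that ships with Windows Server 2003, which is useful once you understand what the wizard is doing and want to add further addresses without repeating the clicks. The batch script below is an added example and is not part of the original article: the policy, filter list and filter action names are the article's sample names, the host address 203.0.113.45 is a constructed placeholder, and the 58.0.0.0/8 range is the one discussed in the comments. The step numbers in the comments refer to the walkthrough above.

```batch
@echo off
rem Added example (not from the original article): builds the same IPsec
rem blocking policy as the MMC walkthrough using netsh ipsec static on
rem Windows Server 2003. Run from cmd.exe as an administrator on the server.
setlocal

set POLICY=IP Block List
set FILTERLIST=Blocked IP List
set ACTION=Block All Packets

rem Policy (steps 7-12), filter list (step 19) and a "block" filter action (steps 29-33).
netsh ipsec static add policy name="%POLICY%" description="Blocks listed IP addresses from all services"
netsh ipsec static add filterlist name="%FILTERLIST%" description="Addresses blocked from this server"
netsh ipsec static add filteraction name="%ACTION%" action=block

rem Filters (steps 20-26). mirrored=yes blocks both directions with one entry
rem (step 21); srcaddr=Me scopes the filter to this host (step 22). Never use
rem dstaddr=Any in a block filter: that blocks all traffic (step 23 warning).
rem Before adding an address, make sure it is not the one you manage the server from.
rem Single host (203.0.113.45 is a constructed placeholder address):
netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=Me dstaddr=203.0.113.45 mirrored=yes protocol=ANY description="203.0.113.45"
rem Whole range: 58.0.0.0 - 58.255.255.255 is 58.0.0.0 with mask 255.0.0.0 (the comments' example).
netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=Me dstaddr=58.0.0.0 dstmask=255.0.0.0 mirrored=yes protocol=ANY description="58.0.0.0/8"

rem Rule tying the filter list to the block action on all connections (steps 14-17, 28, 34),
rem then assign the policy so it takes effect (step 37).
netsh ipsec static add rule name="Block listed addresses" policy="%POLICY%" filterlist="%FILTERLIST%" filteraction="%ACTION%" conntype=all
netsh ipsec static set policy name="%POLICY%" assign=y

rem Check: the policy should be reported as assigned and both filters should be listed.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

To block another address later (the "To Block Additional IP Addresses" procedure), repeat only the `add filter` line with the new `dstaddr` (and `dstmask` for a range); the assigned policy picks up the change without rebuilding the rule. `netsh ipsec static show all` lists every policy, filter list and action on the machine, which is a quick way to confirm what the MMC wizard created.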

Comments

Manish Mishra

Thanks for this nice article. It saved my server from a Hacker’s attack

Mike

The default policies are designed (ONLY) for computers that are members of an Active Directory domain

Bill James

Great info! Now how can we block a whole range of IP addresses? (ex. 58.0.0.0 – 58.255.255.255)

Chris Stinson

Under step 23, where it gives an option to specify “A specific IP Subnet” – you’ll put in 58.0.0.0, with a subnet of 255.0.0.0.

This will block 58.0.0.0 – 58.255.255.255.

To determine the specific subnet needed to block a range of IP addresses, use the online subnet calculator here. Keep in mind 58.x.x.x is a Class A address, so click that option.

Anil Arya

Great… IP security…

Wow

Good grief. How complicated do they need to make it? Haha. Microsoft is silly. 37 steps to block an ip address? Just ridiculous!

MikeG

Great article, helped shut down a persistent attack. Just wish it didn’t require 37 steps. Anybody know an automated way to block IPs who try multiple times (more than 10) to use the administrator account with the wrong password?
