Dear Microsoft

Friday, January 16, 2004

Can I Get Some Help Here?

Gee, Microsoft, you could have made filtering network traffic just a little bit more usable. All you had to do was write a log file, or at least give us the option to log what you're doing.

So I'm applying their so-called IP filters to a host before we deploy it. And, unlike some idiots out there in InternetLand, I use a default DENY rule. So, I add one of those. Then I add the exceptions to the "naff off" rule. And then I apply the filter.

And that doesn't work, because now everything is denied. I suppose that's better than having everything allowed, but it's more than a little annoying. Now I have to leave my chair!

The rudimentary firewall in Windows 2000 applies the rules in a somewhat dynamic fashion. In other words, it's unpredictable. If you permit traffic first, and only then deny it, then things work. Maybe. Who knows? It doesn't log anything.

Update: There are a couple of tools that make the Windows 2000 IP Security Policy more transparent. Of course, neither of these is installed by default, and one must be acquired from the Resource Kit. netdiag, from the support tools provided on the Windows 2000 CD, can display the status of all networking components. The helpful thing here is that it appears to display the policy filters in the order in which they are applied. The following will spit verbose output for the IPsec test suite to NetDiag.log:

netdiag.exe /v /test:ipsec /l

The other tool is ipsecpol, part of the Resource Kit, but fortunately available for download. ipsecpol can be used to set policy from the command line. But the elite programmers at Microsoft wrote it only to set policy, not display it, so you'll want to read the instructions. Knowledge Base article 813878: How to Block Specific Network Protocols and Ports by Using IPsec contains examples.

5:09:45 PM
categories: Dear Microsoft, Security, System Administration