How can I close all user datagram protocol (UDP) ports on Windows 2000 Server? I use IPSec, but the problem is that I am not able to ping my server. Please suggest me the best way to protect my server. (We require to open only the 20, 21, 80, 443, 1433, 3389 ports.)
IPSec does not provide a good tool to deny access to a range of ports and it can be confusing to set up right. However, you can deny access to all ports (not just UDP, but UDP and TCP if you'd like) and then specifically allow access to the ports that you want. To do this, you create a rule for your IPSec policy that covers all traffic, and make its filter action "Block." Then create a second rule for the same policy that specifies each of the protocols you wish to allow and a filter action of "Permit" for this rule. Since rules are parsed all together and the more specific rules win, those protocols you specifically identify in the second rule will be allowed, while all others will be blocked. Remember that an IPSec rule can only have one filter action, but an IPSec policy can have many rules. This is why you create two rules, one for each filter action. If you require any of the traffic to be encrypted, change the Permit filter action to Require Security -- then make sure policy settings are appropriately set. Don't forget to test your policy in a test environment. Here are some simple steps that will help you to build this policy.
- Pick a simple protocol, say Telnet, and test that it works between two machines.
- Then create a policy and rule one above that blocks everything, and make sure your previous test fails.
- Then create a second rule in the policy that allows Telnet and test to make sure it works.
- Finally, add filters to the second rule to allow the other protocols you need.
- Test everything thoroughly before you deploy.