interview question and answer

April 22, 2013

Block IP Addresses using IP Security Policy in Windows Server 2003

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.
As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services with only one motion? This is where the IP Security Policy Management snap-in comes in handy.
Configure the IP Security Policy to block your first IP address
1.       Click “Start” and “Run” – type “MMC” and press OK.
2.       In the MMC, click “File” and “Add/Remove Snap In.”
3.       In the “Standalone” tab, click “Add.”
4.       Select “IP Security Policy Management” and click “Add.”
5.       Select “Local Computer” and click “Finish.”
6.       Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
7.       Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
8.       Click “Next.”
9.       Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
10.    Leave “Activate the default response rule” checked. Click “Next.”
11.    Leave “Active Directory default (Kerberos)” checked. Click “Next.”
12.    Leave “Edit properties” checked. Click “Finish.”
13.    The Properties box should be open.
14.    To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
15.    Click “Next” when the “Create IP Security Rule” wizard opens.
16.    Leave “This rule does not specify a tunnel” checked. Click “Next.”
17.    Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
18.    You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
19.    Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
20.    The “IP Filter Wizard” will pop up. Click “Next.”
21.    This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
22.    Keep “Source Address” as “My IP Address” and click “Next.”
23.    Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
24.    Enter in the IP address in the fields below and click “Next.”
25.    Under “select protocol type” choose “Any” (means “All”) unless you specifically want to block from RDP (Remote Desktop), TCP or UDP, etc. Click “Next.”
26.    Click “Finish.”
27.    Now that you are back to the “IP Filter List” click “OK.”
28.    You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
29.    You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
30.    In the “IP Security Filter Action” wizard, click “Next.”
31.    Select a name (ex. Block all Packets) and click “Next.”
32.    Select “Block” for the filter action behavior. Click “Next.”
33.    Click “Finish.”
34.    You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
35.    Click “Finish.”
36.    You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
37.    Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”
To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.
To Block Additional IP Addresses
1.       Enter the IP Block List snap-in you saved.
2.       In the right-hand pane double-click your IP Block List.
3.       Under “IP Filter List” select the newly created “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
4.       Under “IP Filter Lists” select your “Blocked IP List” (not All ICMP or IP Traffic) and click “Edit.”
5.       You are now in the “Add IP wizard” area. You will see the first IP address you blocked in a listing under “IP Filters.” Click “Add.”
6.       Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.
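
The wizard procedure above can also be scripted. The following batch file is an added example, not part of the original article: it builds the same policy with the `netsh ipsec static` context on Windows Server 2003, reusing the article's names; the input file and the rule name "Block listed IPs" are assumptions.

```batch
@echo off
setlocal
rem Added example, not from the original article.
rem Usage: blockips.cmd blocklist.txt
rem   blocklist.txt (assumed name): one IPv4 address per line, # starts a comment.

set "POLICY=IP Block List"
set "FLIST=Blocked IP List"
set "FACTION=Block all Packets"

if "%~1"=="" (
    echo Usage: %~nx0 ^<file-with-one-IP-per-line^>
    exit /b 1
)
if not exist "%~1" (
    echo File not found: %~1
    exit /b 1
)

rem Policy, filter list and block action (wizard steps 7-13, 18-19, 29-33).
netsh ipsec static add policy name="%POLICY%" description="Blocked addresses"
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filteraction name="%FACTION%" action=block

rem One mirrored filter per listed address (wizard steps 20-26).
for /f "usebackq eol=# tokens=1" %%A in ("%~1") do call :addfilter %%A

rem Bind the list to the block action, then assign the policy (step 37).
rem The rule name is an assumption; the wizard does not ask for one.
netsh ipsec static add rule name="Block listed IPs" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
exit /b 0

:addfilter
rem Refuse entries that are not a single remote address; "any" would
rem reproduce the "Any IP address" mistake warned about in step 23.
if /i "%~1"=="any" goto :refuse
if /i "%~1"=="me" goto :refuse
if "%~1"=="0.0.0.0" goto :refuse
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=Me dstaddr=%~1 description="%~1" protocol=ANY mirrored=yes
goto :eof

:refuse
echo Skipping "%~1": not a single remote address.
goto :eof
```

Once the policy exists, blocking a further address needs only the `add filter` line against the existing filter list.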


Windows XP shuts down after login – PC-OFF.BAT

The PC-OFF.BAT virus loads a shutdown script when logging onto Windows XP. A few seconds after logging in, Windows will shut down. This also affects safe mode. The countdown timer is set to only a few seconds, which does not leave the user enough time to enter “shutdown -a” in the Run box. You may not even see the emergency shutdown dialog before you are automatically shut down.

In order to remove the files, you’ll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.
Remove the files from your hard drive using the Windows XP CD
1.       Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
2.       When the “Welcome to Setup” screen appears, press “R.”
3.       Select the installation you wish to access (there should be only one option for most systems).
4.       Enter the administrator password when asked.
5.       Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
6.       Press ENTER after typing the following command: del bar311.exe
7.       Press ENTER after typing the following command: del password_viewer.exe
8.       Press ENTER after typing the following command: del photo.zip.exe
9.       Press ENTER after typing the following command: del pc-off.bat
10.    Press ENTER after typing the following command: exit
11.    Remove the Windows XP disc and restart your computer.
Once pc-off.bat is removed from the Windows directory, you’ll be able to log on to Windows without it shutting down immediately. There are still remnants left over in the registry, though, and it is best to clean those up.
1.       Go to Start -> Run and type “regedit” and press ENTER.
2.       Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the value: “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe” where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
3.       Delete bar311.exe, photo.zip.exe or password_viewer.exe from the value, but be sure to leave userinit.exe! If you delete that, you will be unable to log on to Windows.
4.       Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following values: “Hidden=dword:00000001 (1)” “HideFileExt=dword:00000000 (0)” “ShowSuperHidden=dword:00000001 (1)”
5.       Go to HKEY_CURRENT_USER\software\microsoft\Command Processor and find the value: “autorun=c:\windows\pc-off.bat” and remove “c:\windows\pc-off.bat”
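
To confirm the cleanup, the locations named in the steps above can be checked from a command prompt after logging on normally. This batch file is an added example, not part of the original article; it only reads the registry values and file names listed above and changes nothing.

```batch
@echo off
setlocal
rem Added example, not from the original article: read-only check of the
rem files and registry values the removal steps touch.
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "CMDPROC=HKCU\Software\Microsoft\Command Processor"
set "ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

echo == Winlogon Userinit: should list only userinit.exe ==
reg query "%WINLOGON%" /v Userinit
for %%F in (bar311.exe password_viewer.exe photo.zip.exe) do (
    reg query "%WINLOGON%" /v Userinit | find /i "%%F" >nul && echo [!] Userinit still references %%F
)

echo == Command Processor AutoRun: should not mention pc-off.bat ==
reg query "%CMDPROC%" /v AutoRun 2>nul | find /i "pc-off.bat" >nul && echo [!] AutoRun still runs pc-off.bat

echo == Explorer visibility settings from step 4 ==
for %%V in (Hidden HideFileExt ShowSuperHidden) do reg query "%ADV%" /v %%V 2>nul

echo == Leftover files in %windir% ==
rem dir /a also matches files marked hidden or system.
for %%F in (bar311.exe password_viewer.exe photo.zip.exe pc-off.bat) do (
    dir /a /b "%windir%\%%F" >nul 2>&1 && echo [!] %windir%\%%F is still present
)
echo Check finished. Lines starting with [!] need attention.
```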

Install the Windows Recovery Console in the Boot list

The Windows Recovery Console is required to fix many startup issues caused by malware, viruses, and corrupt system files. The Recovery Console can be booted from the Windows Setup disc, but many machines (including Netbooks) do not have CD drives or easy access to the Windows Setup disc.
Below are the instructions to install the Recovery Console on any Windows XP machine as a boot list option. You will no longer need physical access to the Windows Setup disc (except to install initially) when things go wrong.

  • Insert the Windows XP setup disc.
  • Click Start -> Run and type: “%windir%\i386\winnt32.exe /cmdcons”
  • Click YES on the Windows Setup box to install the Recovery Console.
  • Setup will attempt to connect to the Internet to update any setup files from the disc. Press ESC to interrupt the setup and use the files on the disc only.
  • Once the Recovery Console is installed a confirmation box will pop up. Click OK.
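Some Windows XP passwords will not be recognized by the Recovery Console. To remove the password requirement, modify the following registry key. With this setting the Recovery Console logs on as administrator without prompting, so anyone who can reach the boot menu gets that access:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole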
  • Set the DWORD SecurityLevel value to 1.

Removing the VMware Server SSL Certificate Trust Warning

When you first install VMware Server, you’ll find the administration area in Firefox or Internet Explorer has a security certificate error. This is because the certificate that ships with VMware is self-signed (untrusted). One solution is to use a trusted certificate from a third party (Verisign, GoDaddy, etc) but that has costs associated with it and is not actually necessary. If you want your computer to properly trust the certificate, add it to the Trusted Root list.
1.       Navigate to the SSL folder where VMware Server is installed (ex. C:\Program Files\VMware\VMware Server\SSL).
2.       Double-click on RUI.crt.
3.       Click “Install Certificate” on the Certificate Information window that pops up.
4.       Click “Next” to start the Certificate Import Wizard.
5.       Select “Place all certificates in the following store” and click “Browse”.
6.       Select “Trusted Root Certification Authorities” and click “OK”.
7.       Click “Next” and “Finished”.
8.       A Security Warning box will pop up, click “Yes” and then “OK”.
9.       Close the Certificate Information window.

10.    The SSL warning will no longer show on the VMware Server login screen.

February 19, 2013

Bluetooth Audio Streaming from Windows Server 2003 to LG FB163

I've recently got a sexy little LG FB-163 Micro HIFI System that comes with Bluetooth. Unfortunately, the Bluetooth is only used to stream audio, and not for file transfer or sharing as I had originally hoped for.

After a lot of procrastination, I finally got around to try out the Bluetooth function. After a lot of experimentation, I got it working with the following configuration:
OS: Windows Server 2003
BT Stack: BlueSoleil version 6.2.227.11 (Demo)
BT Dongle: D-Link DBT-120 rev B4 

At first, I was using a hacked Windows XP Bluetooth stack with a D-Link DBT-120 rev B4 dongle as Windows 2003 does not come with a Bluetooth stack, but I couldn't get my PC to pair with the FB-163.


As the FB-163 uses the newer A2DP Bluetooth profile, I went out and bought a newer dongle (unbranded model ES-389), thinking that it is a hardware problem. The ES-389 was detected as a "Silicon Wave" bluetooth device by Windows, but couldn't pair with the FB-163 either.
So I thought, maybe I need a newer Bluetooth stack. Thus I installed BlueSoleil version 6.2.227.11 as I had downloaded the demo version previously. Unfortunately, when I tried to pair ES-389 with the FB-163, it couldn't even get FB-163's device name. The error message was "Refreshing device name is not successful".



After a lot of troubleshooting, I replaced the ES-389 with my older DBT-120 as I remembered that the D-Link dongle could at least get the device name from FB-163. 

The short version is that it worked, and here are the steps I took:

  1. In the start screen, the FB-163 is identified by a "Headset" icon with its MAC address.
  2. When I right-clicked the "Headset" icon and chose "Get Device Name", it worked and got the "LG_AUDIO" device name.

  3. I right-clicked the Headset icon and chose "Pair". The passkey dialog box appeared and I entered the default PIN "0000" (Why does everyone seem to use the same PIN?).

  4. The DBT-120 and FB-163 are now paired.

  5. Finally, I right-clicked the Headset icon and chose "Connect Bluetooth Advance Audio". The DBT-120 and FB-163 are now connected.
I fired up my music player and the music streaming worked perfectly.

Windows Update IE Frame Recursion/Loop Problem when Selecting "Optional" Updates

I've been having problems performing the "Windows Update" with Internet Explorer on one of my Windows Server 2003 systems, which is used as a software testing workstation.

From IE6 to IE8, the whole "Windows Update" process goes on normally until I try to select the "Software, Optional" option on the side frame. IE just loads another "Windows Update" process in the center frame.

Prior to IE8, the recursive process just cascades deeper and deeper, with more frames within frame. But since IE8, the process is now a loop. When I try to continue the "Windows Update" process in the sub-frame window, the sub-frame just goes back to the original "High Priority" option sub-frame.

The funny thing is that it only happens to one of my machines. Usually, I just use CTupdate to update this machine and forget about it; but I thought I'd fix it since I have some free time now.

After a little googling, I found a link to this page:
 
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsupdate&mid=bcd4ec08-55d3-4ee5-8daa-56dcd25f5311
 
The forum poster found out that it was the "BitComet Helper" add-on from his BitComet 0.84 that was affecting his Windows XP system.
I checked and I found that I have an old BitComet 0.7 in my system that I have totally forgotten about, so I went on to disable the add-on. 

In IE8, I went to "Tools -> Manage Add-ons", and disabled the "BitComet Helper" add-on.



Problem solved and my "Windows Update" is now working fine.