
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Bad choice in NETSH.EXE for configuring IPSec

Old November 1st 06, 09:16 PM posted to microsoft.public.windows.vista.security
Walter Porter

NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...






Old November 4th 06, 10:21 PM posted to microsoft.public.windows.vista.security
Steve Riley [MSFT]

IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

netsh advfirewall firewall add rule name="temp" dir=in action=block
netsh advfirewall firewall add rule name="temp" dir=out action=block

--
Steve Riley

http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com








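Steve's two block rules, carried one step further as an added example that is not part of the thread: it creates the rules, checks and removes them, then shows the profile-default approach for "block everything except a few ports", which is where explicit block rules get in the way (rule names and ports here are constructed; run from an elevated command prompt).

```batch
@echo off
REM Added example, not from the thread. Replaces a Win2k3-style IPsec
REM "block everything" filter with Windows Firewall with Advanced Security
REM rules on Vista. Rule names and ports are constructed for illustration.

REM 1. The two rules from the thread. They really do block everything,
REM    including traffic you later try to allow: the firewall evaluates
REM    explicit block rules before explicit allow rules.
netsh advfirewall firewall add rule name="temp" dir=in action=block
netsh advfirewall firewall add rule name="temp" dir=out action=block

REM 2. Confirm both rules exist (they share the name "temp").
netsh advfirewall firewall show rule name="temp"

REM 3. Remove them again. "delete rule" removes every rule with that name,
REM    so both the inbound and the outbound rule go in one command.
netsh advfirewall firewall delete rule name="temp"

REM 4. For "block all except X", set the profile default action instead of
REM    adding block rules, then add narrow allow rules on top. Because the
REM    firewall is stateful, replies to allowed connections are tracked
REM    automatically, which an IPsec filter list could never do.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow RDP in (example)" dir=in action=allow protocol=TCP localport=3389
netsh advfirewall firewall add rule name="Allow DNS out (example)" dir=out action=allow protocol=UDP remoteport=53

REM 5. Verify the effective default policy of every profile.
netsh advfirewall show allprofiles

REM 6. To return to the Vista defaults (block inbound, allow outbound) once
REM    done testing:
REM netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
```

Step 4 cuts the machine off from everything except the two allowed ports, so run it over a console session rather than a remote one unless the remote protocol is among the allow rules.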
Old November 6th 06, 03:08 PM posted to microsoft.public.windows.vista.security
Walter Porter

IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.





Old November 6th 06, 10:04 PM posted to microsoft.public.windows.vista.security
Steve Riley [MSFT]



Old November 6th 06, 10:06 PM posted to microsoft.public.windows.vista.security
Steve Riley [MSFT]

It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.
