I've been using the Windows 2000 IP Security feature's packet filtering to block access to vulnerable ports on my Web server as a fail-safe measure in case my firewall is ever compromised or misconfigured. However, I understand that a sophisticated attacker can use specially formed packets to bypass Win2K's IP Security packet filtering. Is this true? If it is, how can I eliminate that vulnerability?
By default, Win2K doesn't block packets from source TCP port 88 (Kerberos) or UDP port 500 (Internet Key Exchange—IKE) regardless of the block filters you configure in your IP Security policy. Consequently, an attacker who's a bit more sophisticated than the average script kiddy can send packets to any destination port on your computer by spoofing the source port to make the packet look like a legitimate Kerberos or IKE packet. In Win2K Service Pack 1 (SP1), Microsoft responded to this problem with the new NoDefaultExempt REG_DWORD registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC registry subkey. If you set NoDefaultExempt to 1, Win2K will no longer exempt Kerberos packets from your IP Security packet filters. For more information about NoDefaultExempt, see the Microsoft article "IPSec Does Not Secure Kerberos Traffic Between Domain Controllers" (http://support.microsoft.com/default.aspx?scid=kb ;en-us;q254728).
NoDefaultExempt doesn't, however, block IKE packets on UDP port 500. If you want to have full control over packet filtering, you might consider using Jean-Baptiste Marchand's PktFilter freeware utility, which is available at http://www.mirrors.wiretapped.net/security/firewalls/pktfilter. PktFilter runs as a Win2K service. By editing PktFilter's rules.txt file, you can block or allow packets based on the NIC, direction, protocol (e.g., TCP, UDP), source and destination addresses and ports, and other criteria.
