Use IPSec to Block Port TCP 1433 and UDP 1434 for SQL Server
By default, MSSQL services listen on TCP port 1433 and UDP port 1434. If one desires to block external traffic to these ports, Windows 2000 computers have a built-in IP security mechanism called IPSec (IP Security). Please note Windows 2003 and XP computers should use the Windows Firewall to block external traffic. The following four steps outline the process: 1) create a filter action, 2) create a filter list, 3) create an IPSec policy, and 4) assign the IPSec policy. Below we walk through the creation of an IPSec policy to block 1433/tcp and 1434/udp, but this process can be modified for any given port.
Creating the IP Filter Action
1. Start MMC console (Start > Run > MMC).
2. Add the IP Security and Policy Management Snap-In for the Local Computer.
3. Right-click IPSec Security Policies on Local Machine, and then click Manage IP filter lists and filter actions.
4. Click the Manage Filter Actions tab.
5. Click Add to create a new filter action, and then click Next to move past the introductory Wizard dialog box.
6. Type Block as the name for the new filter action. This filter action is used to block traffic.
7. Click Next.
8. Select Block, click Next, and then click Finish.
Creating the IP Filter list
1. Flip back to the Manage IP filter lists and filter actions tab.
2. Click Add to add a new IP filter list, and then type Block Port TCP 1433 and UDP 1434 for the filter list name.
3. Click Add to create a new filter and proceed through the IP Filter Wizard dialog boxes.
4. Select Any IP Address from the Source address drop-down list, and then click Next.
5. Select My IP Address from the Destination address drop-down list, and then click Next.
6. Select TCP from the Select a protocol type drop-down list, and then click Next.
7. Select To this port and then specify port 1433.
8. Click Next and then Finish, then Close and Close.
9. Click Add, and then repeat steps 3 to 8 to create another filter that disallows traffic to port UDP 1434. After finishing these steps, your IP Filter List should look like the one below.

After creating the filter actions and filter lists, you need
to create a policy and two rules to associate the filters
with the filter actions.
Creating and applying the IPSec policy
1. In the main window of the Local Security Policy snap-in, right-click IPSec Security policies on Local Machine, and then click Create IP Security Policy.
2. Click Next to move past the initial Wizard dialog box.
3. Type IPSec Policy to Block Port TCP 1433 and UDP 1434 for the IPSec policy name and then click Next.
4. Click Next, Next, Next, and then click Finish. The IPSec Policy to Block Port TCP 1433 and UDP 1434 Properties dialog box is displayed so that you can edit the policy properties.
5. Click Add to start the Security Rule Wizard, and then click Next to move past the introductory dialog box.
6. Select This rule does not specify a tunnel, and then click Next.
7. Select All network connections, and then click Next.
8. Select Windows 2000 default (Kerberos V5 protocol), and then click Next.
9. Select the Block Port TCP 1433 and UDP 1434 filter list, and then click Next.
10. Select the Block filter action, click Next, and then click Finish and then Close.

The IPSec Policy to Block Port TCP 1433 and UDP 1434 Properties dialog box should look like the one below.

Your IPSec policy is now ready to use. To activate the policy, right-click IPSec Policy to Block Port TCP 1433 and UDP 1434 and then click Assign.
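As an added example that is not part of the original article, the same four steps (filter action, filter list, policy and rule, assign) can be scripted with netsh from an elevated PowerShell prompt, using the names from the steps above. It assumes the netsh "ipsec static" context is present, which is the case on Windows XP SP2 / Server 2003 and later but not on Windows 2000, where the MMC steps above apply.

```powershell
# Added example, not from the original article: the MMC procedure above as a netsh script.
# Assumption: the "netsh ipsec static" context exists (Windows XP SP2 / Server 2003 or later).
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$policy     = 'IPSec Policy to Block Port TCP 1433 and UDP 1434'
$filterList = 'Block Port TCP 1433 and UDP 1434'
$action     = 'Block'

# netsh parses its own name="..." quoting, so the commands go into a script file run
# with "netsh -f"; that avoids PowerShell re-quoting arguments that contain spaces.
$commands = @"
# Step 1: filter action. A Block action discards matching packets outright; no IKE
# negotiation takes place, so the authentication method chosen in the wizard
# (Kerberos V5) never comes into play for this rule.
ipsec static add filteraction name="$action" action=block

# Step 2: filter list. srcaddr=any / dstaddr=me is the wizard's "Any IP Address" ->
# "My IP Address" pairing; srcport=0 means any source port; mirrored=yes also matches
# the reverse direction (replies from the local port), as the wizard's Mirrored option does.
ipsec static add filterlist name="$filterList"
ipsec static add filter filterlist="$filterList" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=1433 mirrored=yes
ipsec static add filter filterlist="$filterList" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=1434 mirrored=yes

# Step 3: policy plus one rule tying the filter list to the filter action.
ipsec static add policy name="$policy" description="Block inbound SQL Server ports"
ipsec static add rule name="Block SQL Server ports" policy="$policy" filterlist="$filterList" filteraction="$action"

# Step 4: assign (activate) the policy; only one IPSec policy can be assigned at a time.
ipsec static set policy name="$policy" assign=yes
"@

$scriptPath = Join-Path $env:TEMP 'block-sql-ipsec.netsh'
Set-Content -Path $scriptPath -Value $commands -Encoding ASCII
& netsh.exe -f $scriptPath
Remove-Item $scriptPath

# Verify: the policy must now be listed in the local (static) policy store.
$shown = & netsh.exe ipsec static show policy all
if ($shown -match [regex]::Escape($policy)) {
    Write-Host "Policy '$policy' is present in the policy store:"
    $shown | Select-String -SimpleMatch $policy -Context 0, 4
} else {
    Write-Warning "Policy '$policy' was not created; review the netsh output above."
}
```

Note that the any-address filter blocks every remote client, including legitimate ones; to let a specific management subnet through, add a narrower filter (srcaddr set to that subnet) in its own rule with a Permit filter action, since Windows IPSec applies the most specific matching filter.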
