Use the Deny_RDP file from item 7 of the "Operation Guide". Once it has run successfully, the corresponding IPsec policy can be found in Group Policy, as shown in the figure below:
The script contents are as follows:
:: Delete all existing IPsec policies
netsh ipsec static delete all
:: Create a security policy named Deny_RDP
netsh ipsec static add policy name=Deny_RDP
:: Create the two filter actions, Deny and Permit
netsh ipsec static add filteraction name=Deny action=block
netsh ipsec static add filteraction name=Permit action=permit
:: Block all access to TCP port 3389 (filters are mirrored by default, so srcport=3389 also matches traffic destined to port 3389)
netsh ipsec static add filterlist name=Deny_all_3389
netsh ipsec static add filter filterlist=Deny_all_3389 srcaddr=any dstaddr=any protocol=tcp srcport=3389
netsh ipsec static add rule name=Deny_all_3389 policy=Deny_RDP filterlist=Deny_all_3389 filteraction=Deny
:: Allow only source address 192.168.5.113 to reach TCP port 3389 on this host
:: (IPsec applies the most specific matching filter, so this Permit rule wins over the any/any Deny rule)
netsh ipsec static add filterlist name=Permit_5.113_3389
netsh ipsec static add filter filterlist=Permit_5.113_3389 srcaddr=192.168.5.113 dstaddr=me protocol=tcp dstport=3389
netsh ipsec static add rule name=Permit_5.113_3389 policy=Deny_RDP filterlist=Permit_5.113_3389 filteraction=Permit
:: Assign (enable) the Deny_RDP security policy
netsh ipsec static set policy name=Deny_RDP assign=y
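A pre-flight check to run before assigning the policy above, as an added PowerShell example that is not part of the original post: it lists the remote addresses of currently established RDP sessions so that the Permit rule's source address (192.168.5.113 on this page) does not cut off the administrator's own session, then confirms the policy exists. It assumes an elevated prompt on the target host and a Windows version that ships Get-NetTCPConnection.

```powershell
# Added example, not from the original post. Run on the host where the
# Deny_RDP script will be applied. $AllowedSource is the address used in
# the page's Permit_5.113_3389 filter.
param(
    [string]$AllowedSource = '192.168.5.113',
    [int]$RdpPort = 3389,
    [string]$PolicyName = 'Deny_RDP'
)

# Remote endpoints of established connections to the RDP listener
$sessions = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique

if (-not $sessions) {
    "No established RDP sessions on port $RdpPort (console or non-RDP access assumed)."
} else {
    "Established RDP sessions from: $($sessions -join ', ')"
    # Any session not coming from the permitted source will be dropped once the policy is assigned
    $cutOff = $sessions | Where-Object { $_ -ne $AllowedSource }
    if ($cutOff) {
        Write-Warning "These sessions would be cut off once $PolicyName is assigned: $($cutOff -join ', ')"
    } else {
        "All current RDP sessions originate from $AllowedSource; assigning $PolicyName will not lock you out."
    }
}

# After the script has run, confirm the policy is present; netsh reports an error for an unknown name
netsh ipsec static show policy name=$PolicyName
```

Run it once before and once after the script; the final netsh call should print the Deny_RDP policy details, and a connection attempt from any host other than 192.168.5.113 should then time out on port 3389.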