How to Block IP Addresses in Windows Server 2003

February 11, 2010 | By | 16 Comments

Microsoft Management Console

If you want to block an IP address or a range of IP addresses, and you don’t have access to the network’s router or firewall, you can use Windows’ IP Security Policy Management instead. Follow the steps below to learn how to do so:

  1. Open the Run dialog box by selecting it from the Start menu or pressing WinKey and R.
  2. Type mmc and press OK.
  3. In the console select Add/Remove Snap-in from the File menu and click the Add button in the Standalone tab.
  4. In the Add Standalone Snap-in dialog box select IP Security Policy Management and click Add.

    Add Standalone Snap-in

  5. In the Select Computer or Domain dialog box select Local Computer and click Finish.
  6. Now just close the Add Standalone Snap-in and Add/Remove Snap-in dialog boxes by clicking the Close and OK buttons respectively.
  7. You should now be back to the console. In the left frame, right-click IP Security Policies on Local Computer and select Create IP Security Policy.
  8. Click Next and in the Name textbox give the policy a descriptive name. The Description textbox is optional.
  9. Click Next, leave the Activate the default response rule checkbox ticked and click Next again.
  10. Leave the Edit Properties checkbox ticked and click Finish.
  11. The Properties dialog box should be open now. Click the Add button and click Next in the wizard.

    IP Security Policy Properties

  12. Leave This rule does not specify a tunnel selected and click Next.
  13. Leave All network connections selected and click Next.
  14. You should now see the IP Filter List step of the wizard. You need to create a new filter, so don’t select any of the default ones, just click Add.

    IP Filter List Step of the Wizard

  15. Type a descriptive name for the filter list. The Description textbox is optional.

    IP Filter List

  16. Click Add again to start yet another wizard that will create a filter and add it to the list. Click Next.
  17. Leave the IP Traffic Source set to My IP Address and click Next.
  18. For the IP Traffic Destination you could choose A specific IP Address or A specific IP Subnet to block an IP address or a range of IP addresses.
  19. Enter the IP address you would like to block and the Subnet mask if you selected A specific IP Subnet. Then click Next.
  20. Leave the protocol type as Any and click Next then Finish.

You now have the IP or a range of IPs blocked from accessing any service the local computer provides.
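For steps 18 and 19, a range that does not fall on a subnet boundary needs more than one A specific IP Subnet filter. The following is an added example, not code from the original post: it splits a range into the address and mask pairs to enter in step 19 and prints the matching `netsh ipsec static` commands, the command-line counterpart of the snap-in on Windows Server 2003. It goes beyond the steps above by also creating a Block filter action and assigning the policy; the policy, filter list and rule names and the sample ranges are constructed for illustration.

```python
import ipaddress

POLICY = "Block IPs"            # hypothetical policy name (step 8)
FILTER_LIST = "Blocked ranges"  # hypothetical filter list name (step 15)


def subnets_for_range(first, last):
    """Return (address, dotted mask) pairs that exactly cover first..last.

    Each pair is one 'A specific IP Subnet' entry for step 19; a range that
    is not aligned on a subnet boundary needs several filters.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.summarize_address_range(lo, hi)]


def netsh_commands(ranges):
    """Build the netsh ipsec static commands for a list of (first, last) ranges."""
    cmds = [
        f'netsh ipsec static add policy name="{POLICY}"',
        f'netsh ipsec static add filterlist name="{FILTER_LIST}"',
    ]
    for first, last in ranges:
        for addr, mask in subnets_for_range(first, last):
            # Source "Me" is step 17; mirrored=yes also matches traffic
            # arriving from the blocked subnet.
            cmds.append(
                f'netsh ipsec static add filter filterlist="{FILTER_LIST}" '
                f'srcaddr=Me dstaddr={addr} dstmask={mask} '
                f'protocol=ANY mirrored=yes')
    cmds += [
        'netsh ipsec static add filteraction name="Block" action=block',
        f'netsh ipsec static add rule name="Block rule" policy="{POLICY}" '
        f'filterlist="{FILTER_LIST}" filteraction="Block"',
        # The policy does nothing until it is assigned.
        f'netsh ipsec static set policy name="{POLICY}" assign=y',
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample ranges (documentation addresses).
    for line in netsh_commands([("198.51.100.0", "198.51.100.255"),
                                ("203.0.113.10", "203.0.113.20")]):
        print(line)
```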


Comments (16)

  1. Richard

    this did NOT work. sry

  2. Richard, could you please tell me which part didn’t work?

  3. Ben

    Hello, on my server this did not block the IP that I tried to block.

  4. @Ben you could select All IP Traffic in step 14 instead of creating a new one and see if the IP gets blocked. If it worked then you must have entered the wrong protocol or not all the protocols the IP address is using.

  5. Steve

    Is there a way to only ALLOW specific listed IP addresses to access a site, and all others are blocked?

  6. @Steve yes you can, when you reach step 18 restrict any IP. Then add a new rule, repeat from step 7, to Permit the IP addresses you want to allow access to the server.

  7. Snef

    Do not forget to ‘assign’ the policy!

  8. Thank you for the information.
    I want to buy some VPS, so I must also think about this.

  9. Ed

    Thanks for the info. Tested and it was working on my testing server. My question is do I need to repeat it on all other 2003 servers?

  10. Wolfy

    After banging my head against the wall several times and launching one computer into orbit, I rediscovered what I learned years ago.

    To block a RANGE of IP’s, you have to have the correct subnet. When doing step 19, if you reference http://www.subnet-calculator.com/subnet.php?net_class=A and READ THE SCREEN CAREFULLY you will see that to block the range of 58.218.0.1 to 58.218.255.254 you will put in a subnet of 255.255.0.0

    By using the calculator I referenced, you can easily determine the subnets for any IP address. As you wonder which CLASS (A,B,C) you should choose because it’s not taking what you are putting in, look to the right at First Octet Range and it will show you what the first octet (AAA in example AAA.BBB.CCC.DDD) can be for each class.

    Ed, if you still look here, YES you have to do it for each server, or block it in the main router or at each router (this would keep the traffic from ever hitting the server to begin with)

    I hope this sheds some light on a seemingly simple task …

    Email me at codehill.com at thewolfsden dot net (NO I AM NOT AFFILIATED WITH THIS SITE, Using the sites name lets me know where the emails come from or are stolen from) and I will try to help if I can, but, don’t be surprised if it takes me forever to respond…

  11. I have been using IP Security Policy for years. It is rock solid, better than “smart” firewall stuff.

    Be careful not to block yourself out, especially if you are remotely administering via RDP. Make sure you have default ALLOW for your local service carrier and all their permutations.
    Then double that ALLOW as a backup.

    I have blocked most of China and Russia. The attacks on our server have diminished to less than 10% of before the BLOCKs.

    Now I watch the mail server logs looking for trash. What is the IP? Go to
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

    Where are those guys? <– You're friggen BLOCKED because I said so.

    None of our customers do business over there. There is NO reason for communication with them.

    I love this IP Security stuff.

    Don't forget to EXPORT your Policies and Backup off site.
    Rebuild the machine for any reason and you'll have all your rules waiting for you. (Or retype, retype, retype…)

    And THANKS for that subnet calculator. Put the pencil to bed.

  12. Larry Samuel

    Policy assigned “but the IPSec services is not running. You must start the IPSec Services.”

  13. Bob

    Do you have to restart IIS or anything to get it to take? My Malwarebytes Anti-Malware is still showing that it successfully blocked access to a potential malicious website: 83.133.127.167 even though I’ve got it set up in the security policy.

  14. yOni

    All works great, but one question: in the ‘IP Traffic Source’, is the “Source address” my IP address or the attacking IP?
    Thanks, all.

  15. Worked first try, awesome, thanks! However, I think it would not work if you don’t save your admin policy file, if you go to close the window when done, it may ask to save, if people don’t, it’ll revert to the old one before changes were made.

  16. This actually worked!!! I was noticing 3 login failures a second in the event log -> security log and as soon as I “Assigned Policy”, it stopped!!!! :-)

    Thanks brother.
