My sixth TechEd Europe 2014 demo was a fun one: Extended Port ACLs, the ability to apply network security rules at the virtual switch port, where the guest OS admin cannot overrule them.
There is a demo VM that is running IIS with a default site. The Windows Firewall is turned off in the guest OS. The script will:
- Clean up the demo lab
- Open a window with a continuous ping to the VM, showing the open network status
- Start IE and browse to the VM's site
- Kill IE and apply an extended port ACL that blocks everything
- Re-open IE (with a flushed cache); it fails to load the site, and the continuous ping starts dropping packets
- Kill IE and create another extended port ACL that allows inbound TCP 80
- Re-open IE to show the site is accessible again, while the pings continue to fail
There's plenty of process management and IE control in this script.
cls
$DemoVM = "PortACLs"
#Clean up the demo to start up with
Get-VMNetworkAdapterExtendedAcl -VMName $DemoVM | Remove-VMNetworkAdapterExtendedAcl
Write-Host "Extended Port ACLs Demo"
#Clear IE cache (the dll,entrypoint pair is quoted so PowerShell passes it to rundll32 as one argument)
RunDll32.exe "InetCpl.cpl,ClearMyTracksByProcess" 8
#Ping the VM continuously in its own window
Start-Process Ping -ArgumentList "-t", $DemoVM
#Start IE
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $true
$ie.Top = 200; $ie.Width = 900; $ie.Height = 600; $ie.Left = 100
$ie.Navigate("http://portacls.demo.internal")
#Block all traffic script block
Read-Host "Block all traffic to the VM"
#Kill IE
Get-Process -Name IEXPLORE -ErrorAction SilentlyContinue | Stop-Process
RunDll32.exe "InetCpl.cpl,ClearMyTracksByProcess" 8
Write-Host "`nAdd-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action `"Deny`" -Direction `"Inbound`" -Weight 1"
Start-Sleep -Seconds 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked" -ForegroundColor Red -BackgroundColor Yellow
#Lowest weight rule: deny everything inbound at the switch port
Add-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action "Deny" -Direction "Inbound" -Weight 1
#Start IE to show the site is offline
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $true
$ie.Top = 200; $ie.Width = 900; $ie.Height = 600; $ie.Left = 100
$ie.Navigate("http://portacls.demo.internal")
#Put in web traffic exception script block
Read-Host "`n`n`nAllow HTTP traffic to the VM"
#Kill IE
Get-Process -Name IEXPLORE -ErrorAction SilentlyContinue | Stop-Process
RunDll32.exe "InetCpl.cpl,ClearMyTracksByProcess" 8
Write-Host "Add-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action `"Allow`" -Direction `"Inbound`" -LocalPort 80 -Protocol `"TCP`" -Weight 10"
Start-Sleep -Seconds 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked EXCEPT for HTTP" -ForegroundColor Red -BackgroundColor Yellow
#Higher weight wins: this allow rule overrides the weight-1 deny for TCP 80 only
Add-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action "Allow" -Direction "Inbound" -LocalPort 80 -Protocol "TCP" -Weight 10
#Start IE to show that the website is now back online, despite all other traffic being blocked
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $true
$ie.Top = 200; $ie.Width = 900; $ie.Height = 600; $ie.Left = 100
$ie.Navigate("http://portacls.demo.internal")
Read-Host "`n`n`nEnd the demo"
#Clean up after the demo
Get-Process -Name Ping -ErrorAction SilentlyContinue | Stop-Process
Get-Process -Name IEXPLORE -ErrorAction SilentlyContinue | Stop-Process
Get-VMNetworkAdapterExtendedAcl -VMName $DemoVM | Remove-VMNetworkAdapterExtendedAcl
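The demo applies the deny-all and allow-80 rules one at a time. The following is an added example, not the demo script above, that wraps the same deny-by-default pattern into a reusable function: it clears any existing extended ACLs on the VM, applies a weight-1 inbound deny, adds a higher-weight allow for each TCP port in an allow list, and then verifies the result from the host with Test-NetConnection. The function names, the port lists and the 10.0.0.0/24 management subnet are assumptions for illustration; the cmdlets and parameters are the Hyper-V ones used in the demo plus -RemoteIPAddress and -Stateful from the same cmdlet.

```powershell
# Added example (not the author's demo code): deny-by-default inbound policy
# on a Hyper-V virtual switch port, with a TCP allow list and a host-side check.
function Set-InboundAllowList {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int[]]$TcpPorts = @(80),          # assumed default: only HTTP is reachable
        [string]$ManagementSubnet = $null  # assumed value if used, e.g. "10.0.0.0/24"
    )
    # Start from a clean slate so stale rules cannot change the outcome
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl

    # Lowest weight: deny all inbound traffic. Any higher-weight match overrides it.
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Inbound -Weight 1

    # One allow rule per published TCP port; weight 10 beats the weight-1 deny
    foreach ($port in $TcpPorts) {
        Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
            -Protocol TCP -LocalPort $port -Weight 10
    }

    # Optional: RDP only from the management subnet, stateful so reply traffic
    # is tracked even if an outbound deny is added later
    if ($ManagementSubnet) {
        Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -RemoteIPAddress $ManagementSubnet `
            -Weight 20 -Stateful $true
    }
}

function Test-InboundAllowList {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$TargetHost,  # DNS name or IP of the VM
        [int[]]$ExpectOpen   = @(80),
        [int[]]$ExpectClosed = @(445, 3389)          # assumed ports that must stay blocked
    )
    # Show the rules as the switch evaluates them: highest weight wins
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
        Sort-Object Weight -Descending |
        Format-Table Weight, Direction, Action, Protocol, LocalPort, RemoteIPAddress -AutoSize

    # Probe each port from the host; TcpTestSucceeded reflects what the port ACL let through
    $results = foreach ($p in ($ExpectOpen + $ExpectClosed)) {
        $reachable = (Test-NetConnection -ComputerName $TargetHost -Port $p `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            Port      = $p
            Expected  = if ($ExpectOpen -contains $p) { 'Open' } else { 'Blocked' }
            Reachable = $reachable
            Ok        = ($reachable -eq ($ExpectOpen -contains $p))
        }
    }
    $results
}

# Usage against the demo VM from the post (host name assumed to resolve in the lab):
# Set-InboundAllowList -VMName PortACLs -TcpPorts 80 -ManagementSubnet "10.0.0.0/24"
# Test-InboundAllowList -VMName PortACLs -TargetHost portacls.demo.internal
```

Any row with Ok set to False means the switch-port policy does not match the intent, which is the check to run before trusting a deny-by-default rule set; because the ACL lives on the host side of the virtual switch, the result does not depend on whether the guest firewall is on or off.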