SUMMARY
This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.
Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.
TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.
You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.
back to the top
How to configure TCP/IP security
To configure TCP/IP security:
-
Click
Start
, point to
Settings
, click
Control Panel
, and then double-click
Network and Dial-up Connections
.
-
Right-click the interface on which you want to configure inbound access control, and then click
Properties
.
-
In the
Components checked are used by this connection
box, click
Internet Protocol (TCP/IP)
, and then click
Properties
.
-
In the
Internet Protocol (TCP/IP) Properties
dialog box, click
Advanced
.
-
Click the
Options
tab.
-
Click
TCP/IP filtering
, and then click
Properties
.
-
Select the
Enable TCP/IP Filtering (All adapters)
check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.
-
There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
In each column, you must select either of the following options:
Permit All
. If you want to permit all packets for TCP or UDP traffic, leave
Permit All
activated.
Permit Only
. If you want to allow only selected TCP or UDP traffic, click
Permit Only
, click
Add
, and then type the appropriate port in the
Add Filter
dialog box.
If you want to block all UDP or TCP traffic, click
Permit Only
, but do not add any port numbers in the
UDP Ports
or
TCP Port
column. You cannot block UDP or TCP traffic by selecting
Permit Only
for
IP Protocols
and excluding IP protocols 6 and 17.
Note that you cannot block ICMP messages, even if you select
Permit Only
in the
IP Protocols
column and you do not include IP protocol 1.
TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.
back to the top
REFERENCES
For additional information about IP number assignments, click the following article number to view the article in the Microsoft Knowledge Base:
289892
Internet protocol numbers
For additional information about TCP and UDP port numbers, visit the following Internet Assigned Numbers Authority (IANA) Web site:
Microsoft provides thirdparty contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this thirdparty contact information.
back to the top