How to configure TCP/IP filtering in Windows 2000

This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.

Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.

TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.

You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.

How to configure TCP/IP security

To configure TCP/IP security:

1. Click Start , point to Settings , click Control Panel , and then double-click Network and Dial-up Connections .
2. Right-click the interface on which you want to configure inbound access control, and then click Properties .
3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP) , and then click Properties .
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced .
5. Click the Options tab.
6. Click TCP/IP filtering , and then click Properties .
7. Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.
8. There are three columns with the following labels:
   TCP Ports
   UDP Ports
   IP Protocols
   In each column, you must select either of the following options:
   Permit All . If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.
   
   Permit Only . If you want to allow only selected TCP or UDP traffic, click Permit Only , click Add , and then type the appropriate port in the Add Filter dialog box.
   If you want to block all UDP or TCP traffic, click Permit Only , but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.
   
   Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1.

TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

REFERENCES

For additional information about IP number assignments, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about TCP and UDP port numbers, visit the following Internet Assigned Numbers Authority (IANA) Web site: Microsoft provides thirdparty contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this thirdparty contact information.