Microsoft KB Archive/816792

= How to configure TCP/IP Filtering in Windows Server 2003 =

Article ID: 816792

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-





For a Microsoft Windows 2000 version of this article, see 309798.



IN THIS TASK

 * SUMMARY
 * Configuring TCP/IP security in Windows Server 2003
 * Configuring TCP/IP security in Windows Small Business Server 2003
 * REFERENCES

SUMMARY
This article describes how to configure TCP/IP filtering on Microsoft Windows 2003-based computers.

Windows 2003-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is to use the TCP/IP filtering feature. TCP/IP filtering is available on all Windows 2003-based computers.

TCP/IP filtering helps with security because it works in kernel mode. In contrast, other methods of controlling inbound access to Windows 2003-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on user-mode processes or the Workstation and Server services.

You can layer your TCP/IP inbound access control scheme by using TCP/IP filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control both inbound and outbound TCP/IP access, because TCP/IP security alone controls only inbound access.

Note TCP/IP filtering can filter only inbound traffic and cannot block ICMP messages, regardless of the settings that are configured in the Permit Only IP Protocols column or whether you do not permit Internet Protocol 1. Use IPSec Policies or packet filtering if you need more control over outbound access.

Note We recommend that you use the Configure E-mail and Internet Connection Wizard on SBS 2003-based computers with two network adaptors, and that you turn on the Firewall option and then open the required ports on the external network adaptor. For more information about the Configure E-mail and Internet Connection Wizard, click Start, and then click Help and Support. In the Search box, type Configure E-mail and Internet Connection Wizard, and then click Start Searching. You can find information about the Configure E-mail and Internet Connection Wizard in the Small Business Server Topics result set list. back to the top

Configuring TCP/IP security in Windows Server 2003
To configure TCP/IP security:
 * 1) Click Start, point to Control Panel, point to Network Connections, and then click the local area connection that you want to configure.
 * 2) In the Connection Status dialog box, click Properties.
 * 3) Click Internet Protocol (TCP/IP), and then click Properties.
 * 4) In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
 * 5) Click Options.
 * 6) Under Optional settings, click TCP/IP filtering, and then click Properties.
 * 7) Click to select the Enable TCP/IP Filtering (All adaptors) check box.

Note When you select this check box, you enable filtering for all adaptors, but you configure the filters individually for each adaptor. The same filters do not apply to all adaptors.
 * 1) In the TCP/IP Filtering dialog box, there are three sections where you can configure filtering for TCP ports, User Datagram Protocol (UDP) ports, and Internet protocols. For each section, configure the security settings that are appropriate for your computer.

Note When Permit All is activated, you permit all packets for TCP or UDP traffic. Permit Only lets you to permit only selected TCP or UDP traffic by adding the allowed ports. To specify the ports, you use the Add button. To block all UDP or TCP traffic, click Permit Only but do not add any port numbers in the UDP Ports column or TCP Ports column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.

back to the top

Configuring TCP/IP security in Windows Small Business Server 2003
To configure TCP/IP Filtering, follow these steps.

Note To perform this procedure, you must be a member of the Administrators group or the Network Configuration Operators group on the local computer.  Click Start, point to Control Panel, right-click Network Connections, and then click Open. Right-click the network connection where you want to configure inbound access control, and then click Properties. Under adaptorName Connection Properties on the General tab, click Internet Protocol (TCP/IP), and then click Properties. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced. Click the Options tab. Click TCP/IP Filtering, and then click Properties. Click to select the Enable TCP/IP Filtering (All adaptors) check box.

Note When you select this check box, you enable filtering for all adaptors. However, filter configuration must be completed on each adaptor. When TCP/IP Filtering is enabled, you can configure each adaptor by selecting the Permit All option, or you could allow for only specific IP protocols, TCP ports, and UDP ports to accept inbound connections. For example, if you enable TCP/IP Filtering and you configure the external network adaptor to permit only port 80, this lets the external network adaptor to accept Web traffic only. If the internal network adaptor also has TCP/IP Filtering enabled but is configured with the Permit All option selected, this enables unrestricted communication on the internal network adaptor.</li> Under TCP/IP Filtering, there are three columns with the following labels: <ul> TCP Ports</li> UDP Ports</li> IP Protocols</li></ul>

In each column, you must select one of the following options: <ul> Permit All. Select this option if you want to permit all packets for TCP or UDP traffic.</li> Permit Only. Select this option if you want to permit only selected TCP or UDP traffic, click Add, and then type the appropriate port or protocol number in the Add Filter dialog box. You cannot block UDP or TCP traffic by selecting Permit Only in the IP Protocols column and by then adding IP protocols 6 and 17.</li></ul>

Note You cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and then you do not include IP protocol 1.</li></ol>

TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or TCP response ports that are created to accept responses from outbound requests. Use IPSec Policies or Routing and Remote Access packet filtering if you require more control over outbound access.

Note If you select Permit Only in UDP Ports, TCP Ports, or the IP Protocols column and the lists are left blank, the network adaptor will not be able to communicate with anything over a network, either locally or to the Internet.

back to the top