Microsoft KB Archive/309798

= How to configure TCP/IP filtering in Windows 2000 =

Article ID: 309798

Article Last Modified on 11/22/2004

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Small Business Server 2000 Standard Edition
 * Microsoft BackOffice Small Business Server 2000 Service Pack 1

-



This article was previously published under Q309798



IN THIS TASK

 * SUMMARY
 * How to Configure TCP/IP Security
 * REFERENCES



SUMMARY
This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.

Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.

TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.

You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.

back to the top

How to configure TCP/IP security
To configure TCP/IP security:  Click Start, point to Settings , click Control Panel , and then double-click Network and Dial-up Connections . Right-click the interface on which you want to configure inbound access control, and then click Properties . In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties . In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced . Click the Options tab. Click TCP/IP filtering, and then click Properties . Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.</li> There are three columns with the following labels:

TCP Ports

UDP Ports

IP Protocols

In each column, you must select either of the following options:

Permit All. If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.

Permit Only. If you want to allow only selected TCP or UDP traffic, click Permit Only, click Add , and then type the appropriate port in the Add Filter dialog box.

If you want to block all UDP or TCP traffic, click Permit Only, but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.

Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1.</li></ol>

TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

back to the top