Configuring TCP/IP Filtering

This filtering is applied to inbound traffic and does not affect outbound traffic.

Using a graphical user interface

  1. Open the Control Panel.
  2. From the Network Connections applet, open the connection you want to configure.
  3. Click the Properties button.
  4. Select Internet Protocol (TCP/IP).
  5. Click the Properties button.
  6. Click the Advanced button.
  7. Click the Options tab.
  8. Select TCP/IP filtering.
  9. Click the Properties button.
  10. Check the box beside Enable TCP/IP Filtering.
  11. Select Permit Only for TCP Ports, UDP Ports, and/or IP Protocols.
  12. Click the Add button.
  13. Enter the port or protocol number and click OK.
  14. Repeat the last couple of steps until you’ve entered all desired ports and protocols.
  15. After you are done, close all the dialog screens by clicking either OK or Close.
  16. You will be prompted to reboot for the changes to take effect.

Using a command-line interface

The following command enables TCP/IP filtering:

> reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /vEnableSecurityFilters /t REG_DWORD /d 1

You must reboot for the changes to take effect. To disable filtering, change /d 1 to /d 0.

Next, configure the protocols and ports you want to filter. This must be done on a per-interface basis. To configure this using the registry, you need to know the GUID assigned to the interface you want to modify. This is a sample interface entry:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07383FC4-FF4D-4E16-9DD6-C27061719D76}

To find out what adapter that corresponds with, you can use this command (on Windows Server 2003):

> wmic nicconfig get caption,settingid

Once you know the GUID of the interface, you can use the reg add command to modify the RawIPAllowedProtocols, TCPAllowedPorts, or UDPAllowedPorts values to filter what you want. Each of those values is of type REG_MULTI_SZ. Here is an example of setting protocols 25 and 80:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07383FC4-FF4D-4E16-9DD6-C27061719D76} /v RawIPAllowedProtocols /t REG_MULTI_SZ /d 25\080

You can also use the WMIC utility to configure TCP/IP filtering. These two commands show you how:

> wmic /node:"<ServerName>" nicconfig call EnableIPFilterSec(1)> wmic /node:"<ServerName>" nicconfig where ipenabled=True call EnableIPSec

(<TCPPortList>),(<UDPPortList>),(<ProtoList>)

This command allows all TCP and UDP ports, but allows only protocols 80 (http) and 25 (smtp):

> wmic nicconfig where ipenabled=True call EnableIPSec (80,25),(0),(0)

Using VBScript

' This code enables IP Filtering for all adapters and configures' filtering for all IP-enabled adapters.

' ------ SCRIPT CONFIGURATION ------

strComputer = "."

arrTCPPorts = Array ( 0 )       ' Allow all TCP ports

arrUDPPorts = Array ( 0 )       ' Allow all UDP ports

arrProtos   = Array ( 80, 25 )  ' Allow only HTTP and SMTP

' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

set objAdapterConfig = objWMI.Get("Win32_NetworkAdapterConfiguration")

intRC = objAdapterConfig.EnableIPFilterSec( True )

if intRC = 0 then

WScript.Echo "IP Filtering for all adapters enabled"

elseif intRC = 1 then

WScript.Echo "IP Filtering enabled for all adapters, " & _

"but you must reboot for the changes to take effect"

else

WScript.Echo "There was an error enabling IP Filtering for all " & _

"adapters: " & intRC

end ifset colNAConfigs = objWMI.ExecQuery( _

"select * " & _

" from Win32_NetworkAdapterConfiguration " & _

" where IPEnabled = True" )

for each objNAConfig in colNAConfigs

intRC = objNAConfig.EnableIPSec( arrTCPPorts, arrUDPPorts, arrProtos )

if intRC = 0 then

WScript.Echo "IP Filtering configured for '" & _

objNAConfig.Description & "'"

elseif intRC = 1 then

WScript.Echo "IP Filtering configured for '" & objNAConfig.Description & _

"', but you must reboot for the changes to take effect"

else

WScript.Echo "There was an error configuring IP Filtering for '" & _

objNAConfig.Description & "': " & intRC

end if

next

Filtering by port or protocol can be useful in certain situations, but be aware of the limitations. A good example of when you might want to configure filtering is for external web servers. If your web server is running on the default HTTP port (80) and it is running no other networked application, then you only need port 80 open. But allowing only port 80 traffic also prevents the server from acting as a member in an Active Directory domain (which requires several ports to be open) and makes remote administration difficult because you can’t connect using the Terminal Services client. Obviously you can add these ports to the list you allow, but remember that if you do port/protocol filtering, you must have the ports/protocols open that are needed to support the machine.