Recipe 12.11. Configuring TCPIP Filtering

Recipe 12.11. Configuring TCP/IP Filtering

Problem

You want to configure TCP/IP filtering either to prevent a system from responding to certain protocols or ports, or to allow it to respond only to certain protocols or ports. This filtering is applied to inbound traffic and does not affect outbound traffic.

Solution

Using a graphical user interface

1. Open the Control Panel.

2. From the Network Connections applet, open the connection you want to configure.

3. Click the Properties button.

4. Select Internet Protocol (TCP/IP).

5. Click the Properties button.

6. Click the Advanced button.

7. Click the Options tab.

8. Select TCP/IP filtering.

9. Click the Properties button.

10. Check the box beside Enable TCP/IP Filtering.

11. Select Permit Only for TCP Ports, UDP Ports, and/or IP Protocols.

12. Click the Add button.

13. Enter the port or protocol number and click OK.

14. Repeat the last three steps until you've entered all desired ports and protocols.

15. After you are done, close all the dialog screens by clicking either OK or Close.

16. You will be prompted to reboot for the changes to take effect.

Using a command-line interface

The following command enables TCP/IP filtering:

> reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters  /v EnableSecurityFilters /t REG_DWORD /d 1

You must reboot for the changes to take effect. To disable filtering, change /d 1 to /d 0.

Next, configure the protocols and ports you want to filter. This must be done on a per-interface basis. To configure this using the Registry, you need to know the GUID assigned to the interface you want to modify. This is a sample interface entry:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ {07383FC4-FF4D-4E16-9DD6-C27061719D76}

To find out what adapter that corresponds to, you can use this command (on Windows XP):

> wmic nicconfig get caption,settingid

Once you know the GUID of the interface, you can use the reg add command to modify the RawIPAllowedProtocols, TCPAllowedPorts, or UDPAllowedPorts values to filter what you want. Each of those values is of type REG_MULTI_SZ. Here is an example of setting protocols 25 and 80:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ {07383FC4-FF4D-4E16-9DD6-C27061719D76} /v RawIPAllowedProtocols /t REG_MULTI_SZ  /d 25\080

You can also use WMIC utility to configure TCP/IP filtering. These two commands show you how:

> wmic /node:"<ServerName>" nicconfig call EnableIPFilterSec(1) > wmic /node:"<ServerName>" nicconfig where ipenabled=True call EnableIPSec  (<TCPPortList>),(<UDPPortList>),(<ProtoList>)

This command allows all TCP and UDP ports, but allows only protocols 80 (http) and 25 (smtp):

> wmic nicconfig where ipenabled=True call EnableIPSec (80,25),(0),(0)

Using VBScript

' This code enables IP Filtering for all adapters and configures ' filtering for all IP-enabled adapters. ' ------ SCRIPT CONFIGURATION ------ strComputer = "." arrTCPPorts = Array ( 0 )       ' Allow all TCP ports arrUDPPorts = Array ( 0 )       ' Allow all UDP ports arrProtos   = Array ( 80, 25 )  ' Allow only HTTP and SMTP ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") set objAdapterConfig = objWMI.Get("Win32_NetworkAdapterConfiguration") intRC = objAdapterConfig.EnableIPFilterSec( True ) if intRC = 0 then    WScript.Echo "IP Filtering for all adapters enabled" elseif intRC = 1 then    WScript.Echo "IP Filtering enabled for all adapters, " & _                 "but you must reboot for the changes to take effect" else    WScript.Echo "There was an error enabling IP Filtering for all " & _                 "adapters: " & intRC end if set colNAConfigs = objWMI.ExecQuery( _                          "select * " & _                          " from Win32_NetworkAdapterConfiguration " & _                          " where IPEnabled = True" )  for each objNAConfig in colNAConfigs    intRC = objNAConfig.EnableIPSec( arrTCPPorts, arrUDPPorts, arrProtos )    if intRC = 0 then       WScript.Echo "IP Filtering configured for '" & _                    objNAConfig.Description & "'"    elseif intRC = 1 then       WScript.Echo "IP Filtering configured for '" & objNAConfig.Description & _                    "', but you must reboot for the changes to take effect"    else       WScript.Echo "There was an error configuring IP Filtering for '" & _                    objNAConfig.Description & "': " & intRC    end if next

Discussion

Filtering by port or protocol can be useful in certain situations, but be aware of the limitations. A good example of when you might want to configure filtering is for external web servers. If your web server is running on the default HTTP port (80) and it is running no other networked application, then you only really need port 80 open. But allowing only port 80 traffic, you also prevent the system from acting as a member in an Active Directory domain (which requires several ports to be open) and it makes remote administration difficult because you won't be able to connect using the Terminal Services client. Obviously you can add these ports to the list you allow, but it is good to keep in mind that if you go down the road of port/protocol filtering, be sure you have the ports/protocols open that are needed to support the system (see Recipe 12.9 for more on how to get the list of open ports on a system).

See Also

For the list of pre-assigned port numbers, see the following site: http://www.iana.org/assignments/port-numbers, MS KB 289892, "Internet Protocol Numbers," and MS KB 309798, "HOW TO: Configure TCP/IP Filtering in Windows 2000)"