This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.
Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.
TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.
You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.
How to configure TCP/IP security
To configure TCP/IP security:
, point to
, and then double-click
Network and Dial-up Connections
Right-click the interface on which you want to configure inbound access control, and then click
Components checked are used by this connection
Internet Protocol (TCP/IP)
, and then click
Internet Protocol (TCP/IP) Properties
dialog box, click
, and then click
Enable TCP/IP Filtering (All adapters)
check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.
There are three columns with the following labels:
In each column, you must select either of the following options:
. If you want to permit all packets for TCP or UDP traffic, leave
If you want to block all UDP or TCP traffic, click
, but do not add any port numbers in the
column. You cannot block UDP or TCP traffic by selecting
and excluding IP protocols 6 and 17.
. If you want to allow only selected TCP or UDP traffic, click
, and then type the appropriate port in the
Note that you cannot block ICMP messages, even if you select
column and you do not include IP protocol 1.
TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.
For additional information about IP number assignments, click the following article number to view the article in the Microsoft Knowledge Base:
Internet protocol numbers
For additional information about TCP and UDP port numbers, visit the following Internet Assigned Numbers Authority (IANA) Web site:
Microsoft provides thirdparty contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this thirdparty contact information.