Get IT Done: Secure your Windows 2000 server using TCP/IP filters

Use TCP/CP filters to secure Windows 2000 server from internal hacking

Your top priority as a network administrator is securing your servers from internal and external hackers. You may have one or more firewalls protecting your internal network from outside hackers, but what do you do about those internal hackers? You know the ones I’m describing—those curious or malicious users who try to go places or do things they shouldn’t.

Although you could go to the extreme of installing an internal firewall, you can quickly handle most of these internal troublemakers by configuring TCP/IP filtering. In this Daily Feature, I’ll show you how it’s done.

How TCP/IP filtering works
Windows 2000 TCP/IP packet filtering allows you to block all incoming network traffic except for the traffic you explicitly allow. You allow traffic based on protocol and port number, or simply by protocol number.

The most common protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is used when guaranteed delivery of the packet is required. The downside of using TCP is extra network traffic in the form of acknowledgements to ensure the packet arrived at its destination. Think of a TCP packet as a registered letter. When a registered letter is sent to you, you must sign for it as an acknowledgement that you received the letter. If the sender of the registered letter does not receive your acknowledgement, another letter is sent to you until you sign for the letter or a pre-determined time limit runs out.

UDP is a lighter protocol that does not guarantee packet delivery. It uses fewer packets on the network because it does not require an acknowledgement from its recipient. Think of UDP as regular mail. When a regular mail letter is sent to you, it is left in your mailbox. The sender does not know if you have received it or if the letter got lost in the mail. Some TCP/IP based services, such as DNS, use both TCP and UDP.

Port numbers can range from 0 to 65,535. Port numbers from 0 to 1024 are called Well Known Port Numbers. Some of the most common service and ports are:
  • FTP -- 21
  • TELNET -- 23
  • SMTP -- 25
  • DNS --53
  • HTTP -- 80
  • KERBEROS v5 -- 88
  • POP -- 110
  • RPC -- 135
  • NETBIOS Name Service -- 137
  • IMAP -- 143
  • SNMP -- 161
  • LDAP -- 389
  • HTTPS -- 443
  • WINS -- 1512

Each Windows 2000 computer has a list of the well-known port numbers registered with the Internet Assigned Numbers Authority (IANA). You can find this list by looking in %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC for the SERVICES file. SERVICES lists the name of the service, the port number, the protocol, and a brief description of the service. You can use this list to figure out which ports and protocols to block.

Enabling TCP/IP filtering
In Windows 2000, TCP/IP filters apply to all network interfaces. For example, you can’t allow only incoming HTTP traffic on the computer’s external network interface but allow all traffic on its internal network interface. Before using TCP/IP filters, you need to know what type of network traffic you want to allow. That depends on the computer’s function.

To enable TCP/IP filters, right-click on My Network Places and click Properties. Right-click Local Area Connection and click Properties. When the Properties screen appears, double-click Internet Protocol (TCP/IP). Click the Advanced button and click Options. Double-click TCP/IP Filtering. You’ll then see the screen shown in Figure A.

Figure A
You can enable TCP/IP filtering using the TCP/IP Filtering dialog box.

Select the Enable TCP/IP Filtering (All Adapters) check box. Windows 2000’s default setting is to allow all incoming traffic. Add a filter by clicking the Add button under the appropriate heading: TCP Ports, UDP Ports, or IP Protocols. Enter the port information in the respective dialog boxes that appear. When you’ve finished, click OK four times. You must restart the computer to enable the filters.

For example, assume you want to configure TCP/IP filters for an e-mail server to allow e-mail traffic but block HTTP and other TCP/IP services. You would configure Windows 2000 to permit the following filters:
  • SMTP—TCP port 25
  • DNS—TCP and UDP port 53
  • POP3—TCP port 110
  • IMAP TCP—port 143

Your TCP/IP Filtering screen would look like Figure B.

Figure B
A sample TCP/IP Filtering screen for an e-mail server.

Testing and troubleshooting filters
Once you’ve enabled the appropriate filters, test to make sure that you can access the computer. For example, for an e-mail server, test the server by configuring Outlook Express to send and receive e-mail using POP, IMAP, and SMTP. Also test to make sure you can’t access the computer using the restricted protocols. For example, if you aren’t allowing Telnet traffic, try to access the computer using Telnet.

If you’re having trouble accessing a computer, the TCP/IP filters may be too restrictive. Try disabling all filters, and then try to access the computer. Depending on the applications you’re running on the computer, you’ll need additional ports for the application to work properly.