Dec 6, 2007, 08:07pm
APK (Elite Member, Posts: 354)
Port Filtering (HOW TO & WHY)

4.) Another thing I do for securing a Windows NT-based OS: IP port filtering (like IP Security Policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IP Security Policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu ->

Connect To Item (on the right hand side) ->

Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item ->

Properties button on left-hand side bottom, press/click it ->

NEXT SCREEN (Local Area Connection PROPERTIES) ->

"This connection uses the following items" (go down the list to Tcp/IP, select it & click the PROPERTIES button there) ->

Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) ->

OPTIONS tab, use it & Tcp/IP Filtering is in the list, highlight/select it ->

Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side ->

Check the "Enable Tcp/IP Filtering (on all adapters)" selection ->

In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) ->

In the far left "tcp ports" list, check the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out; for example, I leave ports 80, 8080, & 443 open here, only on my standalone, non-networked home machine!)

(For a HOME or WORK LAN, you may need to open up ports 135/137/139/445 for a Windows based network for file & print sharing PLUS enable NetBIOS over Tcp/IP in your network connection properties & ENABLE Client for Microsoft Networks & File and Print sharing too)

NOTE - you may need more if you run mail servers, & what-have-you (this varies by application)

I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived port usage that Windows does (I have never successfully filtered this properly, but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - udp only sends out info., but never demands verification of delivery (faster, but less reliable)) ->

DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this because, although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OSes (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA, this is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stack in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

----

http://www.microsoft.com/technet/com...uy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

----

Also, these URLs will be helpful as well, bigtime (for understanding, e.g. knowing which IP ports you need to leave open & why (or why not)):

IANA PROTOCOL NUMBERS LIST:

http://www.isi.edu/in-notes/iana/***...otocol-numbers

IANA PORTS LIST (well-known, registered, & dynamic/private ports):

http://www.isi.edu/in-notes/iana/***...s/port-numbers

APK

Last edited by APK; May 24, 2008 at 05:46pm.
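As an added example (not part of APK's post), here is a PowerShell script that audits the TCP/IP Filtering settings the GUI steps above configure, by reading the registry values behind that dialog and flagging the UDP "PERMIT ALL" case the post leaves open. The value names EnableSecurityFilters, TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters are assumed from the legacy Windows 2000/XP/Server 2003 stack and should be confirmed on your own machine.

```powershell
# Added example, not from the original post. Audits the TCP/IP Filtering
# configuration that the GUI steps above write, by reading the registry.
# ASSUMPTION: the value names below are recalled from the legacy Windows
# 2000/XP/Server 2003 tcpip.sys parameters; confirm them on your own machine.
# In these REG_MULTI_SZ lists a single entry "0" means "Permit All";
# any other list means "Permit Only" the listed numbers.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Format-FilterList($values) {
    if ($null -eq $values)     { return 'not set' }
    if ($values.Count -eq 0)   { return 'Permit Only (empty list)' }
    if ($values -contains '0') { return 'Permit All' }
    return 'Permit Only: ' + ($values -join ', ')
}

# Global on/off switch written by "Enable Tcp/IP Filtering (on all adapters)"
$params  = Get-ItemProperty -Path $tcpipParams
$enabled = [bool]$params.EnableSecurityFilters
"TCP/IP Filtering enabled (EnableSecurityFilters): $enabled"
if (-not $enabled) { 'Filtering is OFF; the per-adapter lists below are not enforced.' }

# Per-adapter lists live under Interfaces\{adapter GUID}
Get-ChildItem -Path "$tcpipParams\Interfaces" | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    ''
    "Interface $($_.PSChildName)"
    '  IP protocols : ' + (Format-FilterList $p.RawIPAllowedProtocols)
    '  TCP ports    : ' + (Format-FilterList $p.TCPAllowedPorts)
    '  UDP ports    : ' + (Format-FilterList $p.UDPAllowedPorts)

    # The post leaves UDP on Permit All; surface it so that stays a conscious choice
    # and is covered by another layer (IPSec policy or a firewall) if UDP services run here.
    if ($p.UDPAllowedPorts -contains '0') {
        '  WARNING: UDP is Permit All; inbound UDP on this adapter is not filtered by TCP/IP Filtering.'
    }
}
```

Run it in an elevated console after the reboot the post mentions, so the values read back reflect the configuration that is actually enforced.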