Port Restrictions

Earlier in the chapter, we discussed the possible threats that open ports pose to the security of the system. When an attacker has the ability to contact an open port, he can launch an attack against the system if a known vulnerability exists. Because your home system is not behind a corporate firewall, you need some protection against attackers looking for open ports. Chapter 11 discusses third-party personal firewalls available to the home user; even without a third-party package, however, Windows 2000 comes with some built-in port filtering capability.

You can find a list of open ports on your local system at %systemroot%\drivers\etc\services. Port restrictions can be implemented using the TCP/IP Security console located in the TCP/IP properties. Select Start, Settings, Control Panel, Network and Dial-up Connections, Local Area Connection, Internet Protocol (TCP/IP). Click the Properties button, and then click the Advanced button. On the Options tab, choose TCP/IP filtering. You see the dialog box shown in Figure 10.33. To allow only TCP and ICMP connections, configure the UDP Ports and IP Protocols to Permit Only and leave the IP Protocols box blank.

Figure 10.33. TCP/IP filtering.


Port filtering can be difficult with the Advanced TCP/IP settings. You have to set these filters on each network adapter you have, which can vary from 1 to 3 in many computers—even home systems. This type of filtering is basic and is not meant to replace firewall filtering. A better filter built into Windows 2000 is IP Security Policy (IPSec), which is discussed next.
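The per-adapter behavior described above, as an added example that is not from the book: a Python model of the Permit All / Permit Only choice for the TCP and UDP columns, applied to a constructed listing in services-file layout, reporting which named ports each adapter still accepts. The adapter names, sample entries and function names are assumptions, and the IP Protocols column is not modeled.

```python
import re

# Constructed sample in services-file layout: name  port/proto  [aliases]  # comment
SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
domain   53/tcp    nameserver
domain   53/udp    nameserver   # same port, separate UDP entry
tftp     69/udp
http     80/tcp    www www-http
snmp     161/udp
"""

PERMIT_ALL = None  # models the "Permit All" button; a set models "Permit Only"

def parse_services(text):
    """Return (name, port, proto) tuples, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1].lower())
        if m:
            entries.append((fields[0], int(m.group(1)), m.group(2)))
    return entries

def permitted(filters, port, proto):
    """Permit All passes everything; Permit Only passes listed ports only."""
    allowed = filters[proto]
    return allowed is PERMIT_ALL or port in allowed

def audit(adapters, services):
    """Map each adapter to the sorted services its filter still lets in."""
    return {
        name: sorted(f"{svc} {port}/{proto}" for svc, port, proto in services
                     if permitted(filters, port, proto))
        for name, filters in adapters.items()
    }

# Hypothetical adapters. The first follows the text: UDP set to Permit Only
# with an empty list. The second was never configured.
ADAPTERS = {
    "Local Area Connection": {"tcp": PERMIT_ALL, "udp": set()},
    "Local Area Connection 2": {"tcp": PERMIT_ALL, "udp": PERMIT_ALL},
}

if __name__ == "__main__":
    for adapter, open_services in audit(ADAPTERS, parse_services(SAMPLE_SERVICES)).items():
        print(f"{adapter}: {', '.join(open_services)}")
```

The second adapter's output still lists every UDP service, which is the gap left when the filter is set on only one adapter.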
