Where did TCP/IP Filtering go in Windows Server 2008?

I'm configuring our new Windows Server 2008 machine. In Windows Server 2003 we would enable TCP/IP Filtering on our network cards to only allow traffic on specific ports to get through. This was done by right-clicking on the network connection and selecting Properties. Then, selecting "Internet Protocol (TCP/IP)" and clicking Properties. Next, click Advanced and select the Options tab. In optional settings there was TCP/IP filtering. Select TCP/IP filtering and click Properties.

In the TCP/IP Filtering window you could permit traffic only on certain ports. The Options tab no longer exists in Windows Server 2008. I have searched Google and TechNet, but can't seem to find where they hid it or what the replacement for these settings would be. Does anyone know where these settings are in Windows Server 2008? Is the Windows Firewall as close as I'm going to get? Is the Windows Firewall just as reliable as the old settings I used to use?


Based on my Googling, here is what I've found:

Both TCP\IP Filtering and the Windows Firewall up to Windows XP were bound to a specific NIC. Regardless of what type of network the computer was connected to, the filtering and firewall were either on or off. This is effective, but not intelligent.

In Vista, 7, and W2K8 the firewall is bound to a specific network profile, not to a NIC. So now it's possible to have different firewall rules and conditions applied to every network adapter or to specific network adapters based on the type of network the computer is connected to. For instance, you can allow incoming HTTP connections to your wireless NIC when you're connected to a private network, but not when you're connected to a public network. You can allow incoming FTP connections to your Ethernet NIC when you're connected to a public network but not when you're connected to a private network. Etc., etc. Much more intelligent and much more granular control.


Short answer: Those settings do not exist anymore and you should use the Windows Firewall or Windows Firewall with Advanced Security to configure port blocking. If you want to automate the process you can use the netsh command line tool to open or close ports.

Long answer: The TCP/IP filtering option listed under the Internet Protocol (TCP/IP) properties section was a GUI wrapper around the IP Filtering API added in Windows Server 2000 and outlined in this document (search for EnableSecurityFilters, TcpAllowedPorts, and UdpAllowedPorts for more details). These filters were per network card and were separate from the Windows Firewall settings that operated at a higher level.

In Vista and Server 2008 the per network card settings have been replaced with domain, public and private network profile settings using a new filtering model called Windows Filtering Platform (WFP). The WFP API is used by the Windows firewall and IPsec as well as 3rd party firewall, antivirus, diagnostic, and other types of network applications:

Windows Filtering Platform (WFP) is a new architecture in Windows Vista and Windows Server 2008 that enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). Filtering and modifying TCP/IP packets provides unprecedented access to the TCP/IP packet processing path. In this path, you can examine or modify outgoing and incoming packets before additional processing occurs. By accessing the TCP/IP processing path at different layers, you can more easily create firewalls, antivirus software, diagnostic software, and other types of applications and services.

WFP provides APIs so that you can participate in the filtering decisions that occur at several layers in the TCP/IP protocol stack. WFP also integrates and provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration that is based on an application's use of the Windows Sockets API. This capability is also known as an application-based policy.

WFP is not a firewall. It is a set of system services and user-mode and kernel-mode APIs that enable you to develop firewalls and other connection-monitoring or packet-processing software. For example, the Windows Firewall in Windows Vista and Windows Server 2008 uses WFP.
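
An added example (not part of the original answers) of the netsh approach mentioned above: it approximates the old "permit only these ports" behaviour by blocking inbound traffic by default and allowing selected ports per network profile. The ports (80, 443, 3389) and the rule names are sample values chosen for illustration.

```bat
@echo off
rem Added example: approximate the old per-NIC "Permit Only" port list with
rem Windows Firewall with Advanced Security on Windows Server 2008.
rem Ports and rule names below are sample values, not from the original posts.
rem Run from an elevated command prompt.

rem 1. Add the allow rules first, so that remote management is not cut off
rem    when the default inbound policy changes in step 2.
netsh advfirewall firewall add rule name="Permit TCP 80,443 (web)" ^
    dir=in action=allow protocol=TCP localport=80,443 profile=any

rem    Allow RDP only on domain and private networks, not on public ones.
rem    This is the per-profile control the old per-NIC filter could not express.
netsh advfirewall firewall add rule name="Permit TCP 3389 (RDP)" ^
    dir=in action=allow protocol=TCP localport=3389 profile=domain,private

rem 2. Enable the firewall on every profile and set the default policy to
rem    block inbound connections that match no allow rule.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 3. Review the result: per-profile state and policy, then every rule.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Unlike the old filter, a default-block policy still admits traffic matched by any other enabled inbound allow rule, including the built-in ones, so review the rule listing from step 3 and disable the rules the server does not need.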