TCP/IP Port Filtering (IIS 6.0)
TCP/IP port filtering is the practice of selectively enabling or disabling Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports on computers or network devices. When used in conjunction with other security practices, such as deploying firewall software at your Internet access point, applying port filters to intranet and Internet servers insulates those servers from many TCP/IP-based security attacks, including internal attacks by malicious users.
An Internet or intranet host, such as a computer or network device on a TCP/IP-based network, uses a combination of an IP address and port number to communicate with an application or service running on another Internet or intranet host. Together, an IP address and port number make up a socket. Because TCP/IP hosts are assigned a unique IP address, and standard TCP/IP-based applications and services typically use a specific TCP or UDP port number, sockets can direct communications between specific applications or services running on specific hosts.
A port number is carried in the TCP or UDP packet header and represents the transport-protocol address of a specific application or service that uses TCP or UDP. For example, HTTP services use TCP port 80 by default, Telnet uses TCP port 23 by default, and Simple Network Management Protocol (SNMP) uses UDP port 161 by default.
The Internet Assigned Numbers Authority (IANA) divides TCP and UDP port numbers into three categories. Table 5.18 lists these categories.
Typically, the server side of a TCP or UDP process listens to the associated well-known port number. The client side of the process uses either the well-known port number or, more commonly, a dynamically allocated port number that is assigned only for the duration of the process.
To enable communications with the applications and services that your servers use, you must ensure that the associated ports are enabled. However, because malicious users on your internal network can attempt to exploit enabled ports to attack your servers, you should disable the TCP and UDP ports on your servers that are not used. This reduces the avenues of attack to your servers and improves the security of hosts that connect to your servers.
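The following audit script is an added example, not part of this IIS 6.0 documentation or of any Microsoft tool. It applies the two ideas above: it sorts port numbers into the three IANA categories and then compares the ports a host is actually listening on against an allowlist of the ports its services need, so that every listener not on the list is a candidate for filtering. The netstat output it parses is a constructed sample in the format of `netstat -an` on Windows, and the allowlist (a web server needing only TCP 80 and 443) is an assumption chosen for illustration.

```python
"""Audit listening TCP/UDP ports against an allowlist of ports the server needs.

Added example: not Microsoft's code. The netstat sample and the allowlist are
constructed for illustration.
"""
import re
from dataclasses import dataclass


def iana_category(port: int) -> str:
    """Return the IANA category of a port number (well-known, registered, dynamic)."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"invalid port number: {port}")


# Constructed sample in the layout of `netstat -an` on a Windows host.
# It was not captured from a real system.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:51234         ESTABLISHED
  TCP    10.0.0.5:49160         10.0.0.7:445           ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:1434           *:*
"""

# Assumed allowlist for a server that only needs to serve HTTP and HTTPS.
WEB_SERVER_ALLOWLIST = {("TCP", 80), ("TCP", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


# Proto, local address:port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> list:
    """Return TCP sockets in LISTENING state plus every bound UDP socket.

    Established TCP connections are skipped: their local port is usually a
    dynamically allocated client-side port, not a service the host offers.
    """
    listeners = []
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines and blank lines
        proto, address, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def audit(netstat_output: str, allowed: set) -> dict:
    """Split listeners into expected (on the allowlist) and unexpected ones.

    Unexpected listeners are the ports the text recommends disabling or
    filtering because no service on the host needs them.
    """
    expected, unexpected = [], []
    for listener in parse_listeners(netstat_output):
        bucket = expected if (listener.proto, listener.port) in allowed else unexpected
        bucket.append(listener)
    return {"expected": expected, "unexpected": unexpected}


def report(netstat_output: str, allowed: set) -> list:
    """Produce one human-readable line per listener, tagged with its IANA category."""
    result = audit(netstat_output, allowed)
    lines = []
    for label in ("expected", "unexpected"):
        for listener in result[label]:
            lines.append(
                f"{label:10} {listener.proto} {listener.port:<5} "
                f"({iana_category(listener.port)}) bound to {listener.address}"
            )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT, WEB_SERVER_ALLOWLIST):
        print(line)
```

Run against the sample, the script reports TCP 80 and 443 as expected and flags TCP 135, TCP 23, UDP 161 and UDP 1434 as listeners that the allowlist does not cover; on a real host you would feed it the actual `netstat -an` output and an allowlist drawn from the services the server is meant to provide.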
Server-based port filtering is not the only method you should use to secure your servers and network from TCP/IP-based security attacks. To provide a more complete network security solution, you should also deploy network firewall software at your Internet access point.
Table 5.19 lists some of the default TCP port numbers for processes that are commonly used with Internet services.
Table 5.20 lists the well-known UDP port numbers for the processes that are commonly used with Internet services.
For a list of TCP and UDP port numbers that are used by Windows Server 2003, see the services.txt file in the systemroot\System32\Drivers\Etc folder.
For more information about network firewalls, see Microsoft Internet Security and Acceleration Server.