TCP/IP Filter?


Lars

Hi,

Is it possible to set a policy from an Active Directory OU to explicitly
allow or disallow TCP/IP ports? (Windows 2000 Srv DC / Windows XP Pro
clients) I haven't found such an option. Thank you.

~Lars
 
Lars said:
Hi,

Is it possible to set a policy from an Active Directory OU to explicitly
allow or disallow TCP/IP ports? (Windows 2000 Srv DC / Windows XP Pro
clients) I haven't found such an option. Thank you.

Everything is allowed by default. To disallow particular ports in the Group
Policy Editor, navigate to Computer Configuration/Windows Settings/Security
Settings/IP Security Policy.

As you work your way through the wizards, when you get to the section on
Filters you will see that your only options are Permit, Request Security or
Require Security. There is no option to Deny. You will need to add this
yourself by clicking the Add button. (IMHO this was a bit of an oversight
by MS......)

Andy.
 
Hi Andy,

Thanks for the reply. I agree on the oversight you point out.

WRT the group policy, do you recommend a 'new' policy in 'Computer
Configuration/Windows Settings/Security Settings/IP Security Policy' or
editing one of the 3 I see there by default - Client (Respond Only); Secure
Server (Require Security) or Server (Request Security)?

I am trying to close traffic in/out on various ports at the workstation.

Regards,
~Lars
 
Lars said:
Hi Andy,

Thanks for the reply. I agree on the oversight you point out.

I would have thought that 'block' would be the most common filtering people
would want.
WRT the group policy, do you recommend a 'new' policy in 'Computer
Configuration/Windows Settings/Security Settings/IP Security Policy'
or editing one of the 3 I see there by default - Client (Respond
Only); Secure Server (Require Security) or Server (Request Security)?

I generally try to leave the default policies alone whenever possible and
give my new policies a meaningful name, like 'Block incoming HTTP
traffic'. That way you can easily see what policies are being applied.
The 3 you mention are not active by default anyway so there is no harm in
leaving them there or deleting them if they are a distraction.


Regards
Andy
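
The steps described in the replies above (a new, descriptively named policy, a filter list, and a Block filter action added by hand), as an added command-line example that is not part of the original thread. It assumes the `netsh ipsec static` context, which ships with Windows Server 2003 and later rather than the Windows 2000 / XP systems discussed here, and it writes to the local policy store; the list and rule names are made up for illustration.

```bat
@echo off
rem Added example (constructed): policy, list and rule names are illustrative.
rem Run from an elevated prompt; changes go to the local IPsec policy store.

set POLICY=Block incoming HTTP traffic

rem 1. A new, descriptively named policy; the three default policies stay untouched.
netsh ipsec static add policy name="%POLICY%" description="Drop inbound TCP/80"

rem 2. Filter list matching inbound TCP port 80 addressed to this machine.
rem    mirrored=no keeps the match one-directional (inbound only).
netsh ipsec static add filterlist name="Inbound HTTP"
netsh ipsec static add filter filterlist="Inbound HTTP" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=no

rem 3. The filter action the wizard does not offer by default: Block.
netsh ipsec static add filteraction name="Block" action=block

rem 4. Rule tying the filter list to the Block action inside the policy.
netsh ipsec static add rule name="Block inbound HTTP" policy="%POLICY%" filterlist="Inbound HTTP" filteraction="Block"

rem 5. Nothing is enforced until the policy is assigned.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Show the resulting policy, rules and filters for review.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Only one IPsec policy can be assigned to a computer at a time, so further port blocks are added as extra rules inside the assigned policy rather than as separate policies.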
 