Capabilities and Functionality
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Overview
Windows Server 2003 TCP/IP was designed to make it easy to integrate Microsoft systems into large-scale corporate, government, and public networks, and to provide the ability to operate over those networks in a secure manner. The Windows Server 2003 TCP/IP protocol is installed by default and, unlike previous versions of Windows, cannot be uninstalled. However, you can reset the TCP/IP configuration to a default state with the netsh interface ip reset command.
Support for Standard Features
Windows Server 2003 TCP/IP supports the following standard features:
Ability to bind to multiple network adapters with different media types
Logical and physical multihoming
Internal IP routing capability
Internet Group Management Protocol (IGMP) version 3 (IP multicasting)
Duplicate IP address detection
Multiple default gateways
Dead gateway detection
Automatic Path Maximum Transmission Unit (PMTU) discovery
Internet Protocol security (IPsec)
Quality of Service (QoS)
ATM Services
Virtual Private Networks (VPNs) with the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)
Performance Enhancements
In addition, Windows Server 2003 TCP/IP has the following performance enhancements:
Protocol stack tuning, including increased default window sizes and new algorithms for high-delay and high-loss links, which increases throughput
TCP-scalable window sizes (described in RFC 1323)
Selective acknowledgments (SACK) (described in RFC 2018)
TCP fast retransmit and fast recovery (described in RFC 2581)
Round Trip Time (RTT) and Retransmission Timeout (RTO) calculation improvements
Improved performance for management of large numbers of connections
Hardware task offload mechanisms including checksum offload and large send offload (LSO)
Services Available
The Windows Server 2003 operating system provides the following TCP/IP-related services:
Dynamic Host Configuration Protocol (DHCP) client and server and DHCP Relay Agent (with the Routing and Remote Access service)
In the absence of a DHCP server, Automatic Private IP Addressing (APIPA) is used
Windows Internet Name Service (WINS), a NetBIOS name client and server
Domain Name System (DNS) client and server, including support for DNS dynamic updates
Dial-up support using the Point-to-Point Protocol (PPP; client and server) and the Serial Line Internet Protocol (SLIP; client only)
PPTP and L2TP/IPsec, used for remote access and site-to-site VPN connections
TCP/IP network printing (client only with the Lpr.exe and Lpq.exe tools)
SNMP agent
NetBIOS interface
Network Location Service
Windows Sockets version 2 (Winsock2) interface
Remote Procedure Call (RPC) support
Network Dynamic Data Exchange (NetDDE)
Computer browsing (My Network Places) across IP routers
Reliable multicast with the Pragmatic General Multicast (PGM) protocol
Basic TCP/IP connectivity utilities, including: finger, ftp, rcp, rexec, rsh, telnet, and tftp (all of these carry data, and credentials where they use them, in cleartext)
Server and client software for simple network protocols, including: Character Generator, Daytime, Discard, Echo, and Quote of the Day
Routing Information Protocol (RIP) listener (for Windows XP Professional) and RIP and Open Shortest Path First (OSPF) (with the Routing and Remote Access service)
Network Address Translator (NAT) capabilities using either the Internet Connection Sharing (ICS) or the NAT/Basic Firewall routing protocol component of the Routing and Remote Access service
Stateful firewalling capabilities using either the Internet Connection Firewall (for Windows Server 2003 with no service packs installed), Windows Firewall (for Windows Server 2003 Service Pack 1), or the NAT/Basic Firewall routing protocol component of the Routing and Remote Access service
Multicast forwarding and IGMP router and proxy capabilities with the Routing and Remote Access service
TCP/IP management and diagnostic tools, including: arp, ipconfig, nbtstat, netsh, netstat, ping, pathping, route, nslookup, and tracert
New Features for Windows Server 2003 TCP/IP
The features and improvements of TCP/IP that are new for Windows Server 2003 include the following:
Windows Server 2003, Windows XP with Service Pack 1, and Windows XP with Service Pack 2 now include a production-quality IPv6 protocol stack. For more information about IPv6, see Windows Server 2003 Help and Support Center or the Microsoft Windows IPv6 Web site (https://go.microsoft.com/fwlink/?LinkID=17074).
Auto-negotiation of RFC 1323 options (window scaling and TCP timestamps).
Default support of network interface cards providing large send offload (LSO) and checksum offload.
IGMP version 3.
Reliable multicast with PGM.
Alternate configuration.
Automatic determination of the interface-related and default route metrics.
Table 1 lists the features described in this article and the Windows versions in which each is present, for reference. The features are described in more detail throughout this article.
Table 1. Feature Comparison Table for Windows TCP/IP Versions
Feature | Windows 98 | Windows 98 SE | Windows NT 4.0 SP5 | Windows 2000 | Windows Server 2003
---|---|---|---|---|---
Dead gateway detection | Y | Y | Y | Y | Y
Fast retransmit/recovery | Y | Y | Y | Y | Y
APIPA | Y | Y | N | Y | Y
Selective ACK (SACK) | Y | Y | N | Y | Y
Jumbo frame support | Y | Y | Y | Y | Y
Large windows | D | D | N | D | D
DNS dynamic update | N | N | N | Y | Y
Media sense | N | N | N | Y | Y
Wake on LAN | N | N | N | Y | Y
IP forwarding | N | D | D | D | D
NAT | N | D | N | D | D
Kerberos v5 | N | N | N | Y | Y
IPsec | N | N | N | Y | Y
PPTP | Y | Y | Y | Y | Y
L2TP/IPsec | N | N | N | Y | Y
IP Helper API | Y | Y | Y | Y | Y
Winsock2 API | Y | Y | Y | Y | Y
GQoS API | Y | Y | N | Y | Y
IP Filtering API | N | N | N | Y | Y
Firewall hook | N | N | N | Y | Y
Packet scheduler | N | N | N | D | D
Network location | N | N | N | N | Y
ISSLOW | Y | Y | N | Y | Y
Personal firewall | N | N | N | N | D
Block source routing | N | Y | Y | Y | Y
ICMP Router Discovery | Y | Y | D | D | D
IPsec offload | N | N | N | Y | Y
IGMP v3 | N | N | N | N | Y
Reliable multicast (PGM) | N | N | N | N | Y
Alternate configuration | N | N | N | N | Y
Auto-determination of routing metrics | N | N | N | N | Y
Checksum offload | N | N | N | N | Y
Large send offload | N | N | N | N | Y
N=No, Y=Yes, and D=Disabled by Default
Internet RFCs Supported by Windows Server 2003 TCP/IP
Requests for Comments (RFCs) are a constantly evolving series of reports, proposals for protocols, and protocol standards used by the Internet community. You can obtain RFCs from the Internet Engineering Task Force (IETF) Web site (https://go.microsoft.com/fwlink/?LinkID=29138).
Table 2. RFCs supported by Windows Server 2003 TCP/IP
RFC | Title
---|---
768 | User Datagram Protocol (UDP)
783 | Trivial File Transfer Protocol (TFTP)
791 | Internet Protocol (IP)
792 | Internet Control Message Protocol (ICMP)
793 | Transmission Control Protocol (TCP)
816 | Fault Isolation and Recovery
826 | Address Resolution Protocol (ARP)
854 | Telnet Protocol (TELNET)
862 | Echo Protocol (ECHO)
863 | Discard Protocol (DISCARD)
864 | Character Generator Protocol (CHARGEN)
865 | Quote of the Day Protocol (QUOTE)
867 | Daytime Protocol (DAYTIME)
894 | IP over Ethernet
919, 922 | IP Broadcast Datagrams (broadcasting with subnets)
950 | Internet Standard Subnetting Procedure
959 | File Transfer Protocol (FTP)
1001, 1002 | NetBIOS Service Protocols
1034, 1035, 1123, 1886 | Domain Name System (DNS)
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
1055 | Transmission of IP over Serial Lines (IP-SLIP)
1112 | Internet Group Management Protocol (IGMP)
1122, 1123 | Host Requirements (communications and applications)
1144 | Compressing TCP/IP Headers for Low-Speed Serial Links
1157 | Simple Network Management Protocol (SNMP)
1179 | Line Printer Daemon Protocol
1188 | IP over FDDI
1191 | Path MTU Discovery
1201 | IP over ARCNET
1256 | ICMP Router Discovery Messages
1323 | TCP Extensions for High Performance
1332 | PPP Internet Protocol Control Protocol (IPCP)
1518 | Architecture for IP Address Allocation with CIDR
1519 | Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy
1534 | Interoperation Between DHCP and BOOTP
1542 | Clarifications and Extensions for the Bootstrap Protocol
1552 | PPP Internetwork Packet Exchange Control Protocol (IPXCP)
1661 | The Point-to-Point Protocol (PPP)
1662 | PPP in HDLC-like Framing
1748 | IEEE 802.5 MIB using SMIv2
1749 | IEEE 802.5 Station Source Routing MIB using SMIv2
1812 | Requirements for IP Version 4 Routers
1828 | IP Authentication using Keyed MD5
1829 | ESP DES-CBC Transform
1851 | ESP Triple DES-CBC Transform
1852 | IP Authentication using Keyed SHA
1994 | PPP Challenge Handshake Authentication Protocol (CHAP)
1995 | Incremental Zone Transfer in DNS
1996 | A Mechanism for Prompt DNS Notification of Zone Changes
2018 | TCP Selective Acknowledgment Options
2085 | HMAC-MD5 IP Authentication with Replay Prevention
2104 | HMAC: Keyed Hashing for Message Authentication
2131 | Dynamic Host Configuration Protocol
2136 | Dynamic Updates in the Domain Name System (DNS UPDATE)
2181 | Clarifications to the DNS Specification
2236 | Internet Group Management Protocol, Version 2
2308 | Negative Caching of DNS Queries (DNS NCACHE)
2401 | Security Architecture for the Internet Protocol
2402 | IP Authentication Header
2406 | IP Encapsulating Security Payload (ESP)
2581 | TCP Congestion Control
3208 | PGM Reliable Transport Protocol Specification
3376 | Internet Group Management Protocol, Version 3
New Features for TCP/IP in Windows Server 2003 Service Pack 1
The features and improvements of TCP/IP that are new for Windows Server 2003 Service Pack 1 include the following:
Windows Firewall
The Netstat –b option
Netsh commands for Windows Sockets
SYN attack protection is enabled by default
SYN attack notification IP Helper APIs
Registry parameter for ICMP host routes
Smart TCP port allocation
Registry value for multiple ARP replies
Windows Firewall
Windows Firewall replaces the Internet Connection Firewall provided with Windows Server 2003 with no service packs installed. Windows Firewall is a stateful firewall: it drops incoming traffic unless that traffic is either a response to a request the computer itself sent (solicited traffic) or unsolicited traffic that an exception explicitly allows (excepted traffic). This provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
For more information about Windows Firewall in Windows Server 2003 Service Pack 1, see the Microsoft Windows Server 2003 Windows Firewall TechCenter (https://go.microsoft.com/fwlink/?linkid=67902).
The Netstat –b option
The Netstat tool displays a variety of information about active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP route table, and IPv4 and IPv6 statistics. In Windows Server 2003 Service Pack 1, the Netstat tool supports a new –b option that displays the set of components that are listening on each open TCP and UDP port.
With Windows Server 2003 with no service packs installed, you can use the –o option to display the set of ports being listened on together with the process ID (PID) of the owning process. You can then look up the PID in the output of the tasklist /svc command to discover the name of the process that owns the port. However, in some cases a single process hosts multiple services (for example, several services sharing one Svchost.exe instance), and it is not possible to determine which service within that process owns the port.
With the –b option, Netstat displays the TCP or UDP port, the file names corresponding to the components of the service that owns the port, and the PID. From the file names and the PID, you can determine which of the services in the output of the tasklist /svc command owns the port.
Netsh Commands for Windows Sockets
There are now Windows Sockets (Winsock) Netsh commands to view the set of installed Winsock Layered Service Providers (LSPs) (the netsh winsock show catalog command) and to reset the Winsock LSP catalog to a default configuration (the netsh winsock reset catalog command). The netsh winsock reset catalog command is useful for restoring the Winsock LSP catalog when it has been corrupted by programs or services that install LSPs. However, you must reinstall the programs or services that use LSPs.
SYN Attack Protection is Enabled by Default
A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could do any of the following:
Use all available memory.
Use all available entries in the table of TCP Transmission Control Blocks (TCBs), the internal structures used to track TCP connections. Once the half-open connections use all the entries, further connection attempts are answered with a TCP connection reset.
Use all available half-open connections. Once all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.
To create a large number of half-open connections, an attacker sends a large number of SYN segments, each with a spoofed source IP address and TCP port number chosen so that no host or process responds to the SYN-ACKs that the attacked host sends back. SYN attacks are typically used to render Internet servers inoperative.
To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning the half-open connection. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.
You can control SYN attack protection through the SynAttackProtect registry entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (type REG_DWORD). You set SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.
For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default. For TCP/IP in Windows Server 2003 Service Pack 1, SynAttackProtect is set to 1 by default.
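The port-to-service correlation described under The Netstat –b option, and the buildup of half-open connections that characterizes a SYN attack, in one added Python example that is not part of the original article. It parses constructed sample output of netstat -ano and tasklist /svc (the text below is made up for this example, not captured from a host), joins each listening port to its owning process and services, flags PIDs that host several services (the ambiguity netstat -b resolves), and counts connections in the SYN_RECEIVED state per local port as an indicator of half-open connections. The threshold of 3 is an arbitrary choice for the tiny sample; on a real server a flood shows up as hundreds or thousands of such entries.

```python
"""Triage of `netstat -ano` and `tasklist /svc` output (added example)."""
import re
from collections import Counter

# Constructed sample output of `netstat -ano` (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:80          198.51.100.7:51023     ESTABLISHED     1532
  TCP    192.0.2.10:80          203.0.113.5:40001      SYN_RECEIVED    1532
  TCP    192.0.2.10:80          203.0.113.9:40002      SYN_RECEIVED    1532
  TCP    192.0.2.10:80          203.0.113.77:40003     SYN_RECEIVED    1532
  TCP    192.0.2.10:80          203.0.113.130:40004    SYN_RECEIVED    1532
  TCP    192.0.2.10:3389        198.51.100.7:51030     ESTABLISHED     1024
  UDP    0.0.0.0:161            *:*                                    1204
"""

# Constructed sample output of `tasklist /svc`; long service lists wrap onto
# indented continuation lines, as the real tool's output does.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    896 RpcSs
svchost.exe                   1024 Schedule, SENS, TermService,
                                   Themes
svchost.exe                   1204 SNMP
inetinfo.exe                  1532 IISADMIN, W3SVC
"""

_TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_netstat(text):
    """One dict per socket line of `netstat -ano`. UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank and header lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = None
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    tasks, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            # wrapped continuation of the previous process's service list
            tasks[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = _TASK_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        svc = m.group("services")
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",") if s.strip()]
        tasks[pid] = (m.group("image"), services)
        last_pid = pid
    return tasks


def listening_ports(rows, tasks):
    """Join listening sockets to the owning process, as `netstat -o` + `tasklist /svc` allows."""
    out = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        image, services = tasks.get(r["pid"], ("<unknown>", []))
        out.append({"proto": r["proto"], "local": r["local"], "pid": r["pid"],
                    "image": image, "services": services,
                    # several services in one PID: -o cannot say which owns the port
                    "ambiguous": len(services) > 1})
    return out


def half_open_by_port(rows):
    """Count SYN_RECEIVED (half-open) connections per local port."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "SYN_RECEIVED":
            counts[r["local"].rsplit(":", 1)[1]] += 1
    return counts


def syn_flood_suspects(rows, threshold=3):
    """Ports whose half-open count reaches the threshold, with the claimed source addresses
    (spoofed in a real attack, so useful for edge filtering rather than attribution)."""
    suspects = {}
    for port, n in half_open_by_port(rows).items():
        if n >= threshold:
            sources = sorted({r["foreign"].rsplit(":", 1)[0] for r in rows
                              if r["proto"] == "TCP" and r["state"] == "SYN_RECEIVED"
                              and r["local"].endswith(":" + port)})
            suspects[port] = (n, sources)
    return suspects


if __name__ == "__main__":
    rows, tasks = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for e in listening_ports(rows, tasks):
        flag = "  <- several services in this PID, use netstat -b" if e["ambiguous"] else ""
        print(f'{e["proto"]} {e["local"]:<18} pid={e["pid"]:<5} {e["image"]} {e["services"]}{flag}')
    for port, (n, sources) in syn_flood_suspects(rows).items():
        print(f"port {port}: {n} half-open connections from {sources}")
```

Run as a script it prints the listening-port table and the half-open summary for the sample; point the two parsers at real command output to use it on a server.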
SYN Attack Notification IP Helper APIs
To allow an application to notify network administrators that a SYN attack is taking place, the IP Helper API supports new SYN attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. For information about these new APIs, see the Microsoft Developer Network (MSDN) (https://go.microsoft.com/fwlink/?linkid=67904).
Registry Parameter for ICMP Host Routes
TCP/IP for Windows Server 2003 SP1 supports a new registry parameter that restricts the number of host routes that can be added to the local IP route table by receiving ICMP Redirect messages, which bounds how far unsolicited Redirect messages can grow the route table. The new registry parameter is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxICMPHostRoutes (REG_DWORD type). MaxICMPHostRoutes has a default value of 1000. You should not change this value unless the computer needs to be able to add a large number of host routes by receiving ICMP Redirect messages. The update to Windows Server 2003 SP1 available from article 898060 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=69231) changes the default value of MaxICMPHostRoutes to 10000.
Smart TCP Port Allocation
When a TCP peer initiates a connection termination and the termination completes, the connection enters the TIME-WAIT state. In TIME-WAIT, TCP must wait twice the maximum segment lifetime (MSL) before a new connection with the same set of socket addresses can be created. The set of socket addresses consists of the source and destination IP addresses and the source and destination TCP ports. The MSL is the maximum amount of time a TCP segment can exist in an internetwork; its recommended value is 120 seconds. The delay prevents segments of a new connection that uses the same set of socket addresses from being confused with delayed duplicate segments of the old connection.
The local TCP port of a connection in the TIME-WAIT state is still considered an available port and can be assigned for use by an application. This can lead to the following situation:
An application requests any available TCP port.
TCP/IP assigns a TCP port to use for the application socket.
The application attempts to open a socket with a specific destination IP address.
The application establishes a TCP connection and sends data.
The application terminates the TCP connection.
TCP/IP places the application's TCP connection in the TIME-WAIT state until twice the MSL has passed.
The same application requests another available TCP port.
TCP/IP assigns a TCP port to use for the application socket. Because the port of the connection in the TIME-WAIT state is considered available, it can be chosen as the next port to assign to the requesting application.
Assuming that TCP/IP assigns the same TCP port number, the application attempts to open a socket with the same destination IP address.
Because the new connection uses the same set of socket addresses as the connection in the TIME-WAIT state, TCP/IP indicates an error to the application.
You can mitigate this situation by setting the TcpTimedWaitDelay registry entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of TcpTimedWaitDelay determines the length of time that a connection stays in the TIME-WAIT state. However, lowering TcpTimedWaitDelay is contrary to the original design of TCP and the MSL: it reopens the window in which delayed segments of an old connection can be mistaken for segments of a new one.
To prevent an application from creating a connection with the same set of socket addresses as a connection that is in the TIME-WAIT state, TCP/IP in Windows Server 2003 Service Pack 1 implements a smart TCP port allocation algorithm. When an application requests any available TCP port, TCP/IP first attempts to find an available port that does not correspond to any connection in the TIME-WAIT state. If no such port can be found, it picks any available port.
This new behavior makes it much less likely that an application will be assigned a TCP port that is in the TIME-WAIT state when connecting to the same destination. You no longer need to modify the TcpTimedWaitDelay registry entry.
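The allocation sequence above, as an added Python simulation that is not part of the original article. It models a small ephemeral port range, a TIME-WAIT table keyed by the full set of socket addresses, and the two allocation policies: the pre-SP1 policy, which treats a TIME-WAIT port as free, and the SP1 smart policy, which prefers a port with no TIME-WAIT entry and falls back to any free port only when none is left. Choosing the lowest free port, the range 1025 to 1029 and the peer addresses are assumptions made for the simulation; the real allocator's selection order is not documented here.

```python
"""Simulation of TCP ephemeral port allocation against a TIME-WAIT table (added example)."""

MSL_SECONDS = 120                    # recommended maximum segment lifetime, from the text
TIME_WAIT_SECONDS = 2 * MSL_SECONDS  # how long a closed set of socket addresses stays reserved


class PortAllocator:
    """smart=False: a TIME-WAIT port counts as free (pre-SP1 behaviour).
    smart=True:  prefer a port with no TIME-WAIT entry, fall back to any free port (SP1).
    Picking the lowest free port is an assumption made for the simulation."""

    def __init__(self, smart, first=1025, last=1029):
        self.smart = smart
        self.ports = range(first, last + 1)   # tiny assumed range so exhaustion is visible
        self.open = {}        # local port -> (remote ip, remote port)
        self.time_wait = {}   # (local port, remote ip, remote port) -> expiry time
        self.now = 0.0

    def _expire(self):
        self.time_wait = {k: t for k, t in self.time_wait.items() if t > self.now}

    def pick_port(self):
        self._expire()
        free = [p for p in self.ports if p not in self.open]
        if not free:
            raise OSError("ephemeral port range exhausted")
        if self.smart:
            tw_ports = {local for (local, _ip, _port) in self.time_wait}
            clean = [p for p in free if p not in tw_ports]
            if clean:
                return clean[0]
        return free[0]  # naive choice, or the smart fallback when every free port is in TIME-WAIT

    def connect(self, remote):
        port = self.pick_port()
        if (port, *remote) in self.time_wait:
            # same socket addresses as a connection still in TIME-WAIT: the stack refuses it
            raise ConnectionError(f"local port {port} to {remote} is still in TIME-WAIT")
        self.open[port] = remote
        return port

    def close(self, port):
        remote = self.open.pop(port)
        self.time_wait[(port, *remote)] = self.now + TIME_WAIT_SECONDS

    def advance(self, seconds):
        self.now += seconds


def reconnect_same_peer(smart, wait=0.0):
    """Open, close, wait `wait` seconds, then reopen to the same peer.
    Returns (first port, second port or None when the stack refused the connection)."""
    alloc = PortAllocator(smart)
    peer = ("192.0.2.80", 80)   # constructed peer address
    first = alloc.connect(peer)
    alloc.close(first)
    alloc.advance(wait)
    try:
        return first, alloc.connect(peer)
    except ConnectionError:
        return first, None


def exhaust_then_fallback():
    """Put every port into TIME-WAIT for different peers, then connect to a new peer: the
    smart allocator falls back to a TIME-WAIT port, which is safe because the full set
    of socket addresses differs from the one being waited out."""
    alloc = PortAllocator(smart=True)
    for i, _ in enumerate(alloc.ports):
        alloc.close(alloc.connect(("198.51.100.1", 1000 + i)))
    return alloc.connect(("203.0.113.9", 443))


if __name__ == "__main__":
    print("pre-SP1, immediate reconnect:", reconnect_same_peer(smart=False))
    print("SP1 smart allocation, immediate reconnect:", reconnect_same_peer(smart=True))
    print("pre-SP1 after 2*MSL:", reconnect_same_peer(smart=False, wait=TIME_WAIT_SECONDS))
    print("smart fallback with all ports in TIME-WAIT:", exhaust_then_fallback())
```

The naive policy reproduces the error in the list above on an immediate reconnect to the same peer, the smart policy sidesteps it by choosing another port, and waiting out 2 × MSL makes the original port usable again under either policy.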
Registry Value for Multiple ARP Replies
TCP/IP for Windows Server 2003 SP1 supports a new registry value that determines which MAC address is stored in the ARP cache when multiple ARP Reply messages are received. If there are multiple computers that are using the same IP address on a subnet, when a node sends an ARP Request frame for the IP address, it will receive multiple ARP replies. The new registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\StrictARPUpdate (REG_DWORD type) allows you to specify whether TCP/IP in Windows Server 2003 SP1 will store the MAC address of the last ARP reply received (StrictARPUpdate=0 [default]) or the MAC address of the first ARP reply received (StrictARPUpdate=1).
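A check over the four Tcpip\Parameters values named in this section (SynAttackProtect, MaxICMPHostRoutes, TcpTimedWaitDelay and StrictARPUpdate), as an added Python example that is not part of the original article. On Windows it reads the live registry through the standard winreg module; elsewhere it audits a constructed dictionary of values instead. The expectations come from the text: SynAttackProtect 1 (the SP1 default), MaxICMPHostRoutes 1000, or 10000 with the KB 898060 update, TcpTimedWaitDelay not below 2 × MSL with the recommended 120-second MSL, and StrictARPUpdate 0 by default. The wording of the findings is this example's own.

```python
"""Audit the Tcpip\\Parameters registry values discussed above (added example)."""
import platform

TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
CHECKED_VALUES = ("SynAttackProtect", "MaxICMPHostRoutes",
                  "TcpTimedWaitDelay", "StrictARPUpdate")
TIME_WAIT_FLOOR = 2 * 120   # 2 x MSL with the recommended 120-second MSL


def read_tcpip_parameters():
    """Read the checked values from HKLM (Windows only). A missing value maps to None,
    meaning the stack uses its built-in default."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
        for name in CHECKED_VALUES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
                values[name] = data if kind == winreg.REG_DWORD else None
            except FileNotFoundError:
                values[name] = None
    return values


def audit(values):
    """Return (value name, current value, finding) tuples; an empty list is a clean result."""
    findings = []
    syn = values.get("SynAttackProtect")
    if syn == 0:
        findings.append(("SynAttackProtect", 0,
                         "SYN attack protection disabled; the SP1 default is 1"))
    elif syn is None:
        findings.append(("SynAttackProtect", None,
                         "not set: protection follows the build default (0 before SP1, 1 on SP1); set 1 explicitly"))
    routes = values.get("MaxICMPHostRoutes")
    if routes is not None and routes not in (1000, 10000):
        findings.append(("MaxICMPHostRoutes", routes,
                         "non-default cap on host routes learned from ICMP Redirects (defaults: 1000, or 10000 with KB 898060)"))
    tw = values.get("TcpTimedWaitDelay")
    if tw is not None and tw < TIME_WAIT_FLOOR:
        findings.append(("TcpTimedWaitDelay", tw,
                         "TIME-WAIT shortened below 2 x MSL; on SP1 rely on smart port allocation instead"))
    arp = values.get("StrictARPUpdate")
    if arp == 1:
        findings.append(("StrictARPUpdate", 1,
                         "ARP cache keeps the first of several replies instead of the last (non-default)"))
    return findings


# Constructed sample used when not running on Windows: a pre-SP1 style configuration.
SAMPLE_VALUES = {"SynAttackProtect": 0, "MaxICMPHostRoutes": None,
                 "TcpTimedWaitDelay": 30, "StrictARPUpdate": None}

if __name__ == "__main__":
    current = read_tcpip_parameters() if platform.system() == "Windows" else SAMPLE_VALUES
    for name, value, finding in audit(current) or [("(all checked values)", "-", "no findings")]:
        print(f"{name:<18} {value!s:<6} {finding}")
```

Reading the key needs no elevation; changing any of these values does, and takes effect only after the TCP/IP stack reloads the parameters (a restart in practice).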