Critics often point out that eavesdropping hackers might be able to capture and replay a successful port-knocking sequence or series of bytes. Although this might be true of basic implementations, such attacks would be squashed by using more sophisticated authentication methods or minimized by secondary controls such as hard-coded lists of allowed IP addresses (TCP wrappers, for example).
If a hacker does manage to glean your combination, the worst-case scenario is that the intruder bypasses the port-knocking protection and now has to face your normal service security measures -- log-on password prompting, and so on. As far as I can tell, the use of port knocking can only strengthen any defense-in-depth strategy and does nothing to hurt it.
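The replay concern above, and the "more sophisticated authentication" answer to it, shown as an added example that is not from the original article or from any implementation it names: a server-side verifier for a knock sent as one authenticated packet carrying a timestamp, a random nonce and an HMAC bound to the source address. The packet layout, key, 30-second window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key"   # constructed value; provision a real key out of band
MAX_SKEW = 30                           # seconds a knock stays valid (assumed policy)

def make_knock(key, client_ip, timestamp, nonce):
    """Client side: 8-byte timestamp | 16-byte nonce | 32-byte HMAC-SHA256 tag."""
    body = struct.pack("!Q", timestamp) + nonce
    tag = hmac.new(key, body + client_ip.encode(), hashlib.sha256).digest()
    return body + tag

class KnockVerifier:
    """Server side: accepts each authenticated knock at most once."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}                  # nonce -> timestamp, kept while still fresh

    def verify(self, packet, source_ip, now):
        if len(packet) != 8 + 16 + 32:
            return "malformed"
        body, tag = packet[:24], packet[24:]
        expected = hmac.new(self.key, body + source_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"            # forged, or replayed from another address
        (timestamp,) = struct.unpack("!Q", body[:8])
        if abs(now - timestamp) > self.max_skew:
            return "stale"              # captured knock replayed after the window
        # Forget nonces that the freshness check would now reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        nonce = body[8:]
        if nonce in self.seen:
            return "replay"             # captured knock replayed inside the window
        self.seen[nonce] = timestamp
        return "open"

if __name__ == "__main__":
    verifier = KnockVerifier(SHARED_KEY)
    # Constructed sample: one knock from 192.0.2.10, then three replays of it.
    pkt = make_knock(SHARED_KEY, "192.0.2.10", 1_700_000_000, bytes(16))
    for ip, now in [("192.0.2.10", 1_700_000_005), ("192.0.2.10", 1_700_000_006),
                    ("198.51.100.7", 1_700_000_006), ("192.0.2.10", 1_700_000_100)]:
        print(ip, now, verifier.verify(pkt, ip, now))
```

Binding the tag to the source address fails for clients behind NAT unless they knock with their public address, and the nonce cache assumes the server clock does not jump backwards.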
I wish Windows had port-knocking mechanisms built in by default. It would be a nice complement to Microsoft’s marketplace-tested IPSec and Kerberos implementations. The Linux/Unix world has a plethora of port knocking implementations to choose from, none of which requires incredible expertise to configure or use.
For more information on port knocking, visit www.portknocking.org or en.wikipedia.org/wiki/Port_knocking. For configuration details from one example implementation, check out gentoo-wiki.com/HOWTO_Port_Knocking.
An excellent collection of port-knocking software and utilities can be found at www.portknocking.org/view/implementations, and another Windows-based port-knocking server and client can be found at www.security.org.sg/code/portknock1.html.