Windows Server 2003 ports and firewalls

Who is the intended audience?

Technically competent Information Technology (IT) literate people that have a desire to protect their Windows Server 2003 servers from Local Area Network (LAN) based threats, through the use of locally installed personal firewalls running on their servers.

What is this document for?

It describes the protocols and ports necessary to enable a Windows Server 2003 to be firewalled, and yet provide normal service on the LAN.

User/Computer login and authentication

The following protocols and ports are required:

  • TCP/445 and UDP/445; Microsoft-DS for Server Message Block (SMB) over IP traffic
  • TCP/88 and UDP/88; Kerberos authentication
  • UDP/389; Lightweight Directory Access Protocol (LDAP) ping
  • TCP/53 and UDP/53; Domain Name Service (DNS)

File access

The following protocols and ports are required:

  • TCP/445 and UDP/445; SMB over IP traffic

Establishing an explicit trust between Active Directory (AD) domains

The following protocols and ports are required:

  • TCP/445 and UDP/445; SMB over IP traffic
  • TCP/389 and TCP/636; LDAP, where 636 is for Secure Sockets Layer (SSL)
  • UDP/389; LDAP ping
  • TCP/88 and UDP/88; Kerberos authentication
  • TCP/53 and UDP/53; DNS

Validating and authenticating a trust

The following protocols and ports are required:

  • TCP/445 and UDP/445; SMB over IP traffic
  • TCP/389 and TCP/636; LDAP
  • UDP/389; LDAP ping
  • TCP/88 and UDP/88; Kerberos authentication
  • TCP/53 and UDP/53; DNS
  • TCP/135 and UDP/135; Remote Procedure Call (RPC) endpoint mapper
  • a range of RPC ports, which should be restricted when firewalling

AD replication, mutual authentication and Domain Controller (DC) location

The following protocols and ports are required:

  • TCP/135 and UDP/135; RPC endpoint mapper
  • RPC service port for AD access; you must lock to a fixed port when firewalling
  • RPC service port for AD replication; you must lock to a fixed port when firewalling
  • TCP/88 and UDP/88; Kerberos authentication
  • TCP/389 and TCP/636; LDAP
  • UDP/389; LDAP ping
  • TCP/3268 and TCP/3269; Global Catalog (GC) LDAP, where 3269 is for SSL
  • TCP/445 and UDP/445; SMB over IP traffic
  • TCP/53 and UDP/53; DNS
  • UDP/123; Network Time Protocol (NTP)

Non-AD ports that are also required

The following protocols and ports are required:

  • TCP/137 and UDP/137; Network Basic Input-Output System (NetBIOS) name service
  • UDP/138; NetBIOS datagram service
  • TCP/139; NetBIOS session service

How to force AD to use a static port

By default, AD listens on a dynamic port, which a client discovers by querying the RPC endpoint mapper. AD can be set to a fixed port and, indeed, must be in order to firewall the server. Clients still discover this fixed port through the RPC endpoint mapper, but it will always be the same.

To set AD to use a static TCP port, set the following registry key and then restart the server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

"TCP/IP Port"=dword:0000c000

In this example, the port is set to the hexadecimal value 0xC000, which is 49152 in decimal (12 x 4096).

You might care to read the original Microsoft article for further details.

How to force AD replication to use a static port

For Windows 2000 Server, post SP2, the File Replication Service (FRS) by default listens on a dynamic port, which a client discovers by querying the RPC endpoint mapper. FRS can be set to a fixed port and, indeed, must be in order to firewall the server. Clients still discover this fixed port through the RPC endpoint mapper, but it will always be the same.

To set FRS to use a static TCP port, set the following registry key and then restart the server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]

"RPC TCP/IP Port Assignment"=dword:0000c001

In this example, the port is set to the hexadecimal value 0xC001, which is 49153 in decimal (12 x 4096 + 1).

You might care to read the original Microsoft article for further details.

Limiting the range of dynamic RPC ports

The dynamic ports can be restricted to a smaller range; Microsoft recommend that the range contains at least 20 ports and that none of them is below 5000.

To limit the range of dynamic RPC ports, add the following registry key and then restart the server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC\Internet]

"Ports"=REG_MULTI_SZ:5000-5019

In this example, dynamic RPC is limited to the 20 ports from 5000 through 5019.  You might care to read the original Microsoft article for further details.

Copyright © 2009 Jarmanator IT Ltd