Application Port Openings


Description:

Computers these days are meant to be networked. Applications and services listen on many ports, and RPC-based services pick their ports from a dynamic range, so on a general-purpose machine it is not practical to block every port and open only the ones you need. That said, there are cases, such as a computer placed in your DMZ, where you want to do exactly that: block all ports except the ones that must be open. I use this page as a reference for such devices.

For AD (domain controller):

Port         Protocol      Service
25           TCP           SMTP (inter-site replication over SMTP; rarely used)
42           TCP           WINS
135          TCP           RPC endpoint mapper
137          TCP           NetBIOS name service
139          TCP           NetBIOS session service
389          TCP and UDP   LDAP
636          TCP           LDAP over SSL
3268         TCP           Global Catalog LDAP
3269         TCP           Global Catalog LDAP over SSL
88           TCP and UDP   Kerberos
53           TCP and UDP   DNS
445          TCP and UDP   SMB
9389         TCP           Active Directory Web Services
5722         TCP           DFS Replication (RPC)
464          TCP and UDP   Kerberos password change
123          UDP           NTP (Windows Time)
137          UDP           NetBIOS name service
138          UDP           NetBIOS datagram service
67           UDP           DHCP (only if the DC is also a DHCP server)
2535         UDP           MADCAP (only if the DC is also a DHCP server)
1024-5000    TCP and UDP   RPC dynamic range on Windows 2000/2003
49152-65535  TCP and UDP   RPC dynamic range on Windows Vista/2008 and later

Only one of the two dynamic ranges applies to a given DC; open the one that matches its OS version. The netsh commands in the domain computer section below show which range a host is actually using.

Reference: https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

For SQL Server:

  1. Create a rule in your host firewall (or the firewall module of your AV suite) to block all ports except:
    TCP: 1433 (default instance), 1434 (dedicated admin connection), 2383 (Analysis Services), 2382 (SQL Browser for Analysis Services), 135 (RPC, used by DTC and the SQL Agent), 80, 443 (Reporting Services), 4022 (Service Broker, by convention)
    UDP: 1434 (SQL Browser)

Note that only the default instance listens on 1433. Named instances are assigned a dynamic port at service start unless you pin them to a static one in SQL Server Configuration Manager, so check that before relying on this list.

Reference:
http://sqlmag.com/sql-server/sql-server-tcp-and-udp-ports
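The following is an added example, not code from the original page. It reads the TCP port each installed SQL Server instance is configured to use from the registry (the standard Instance Names and SuperSocketNetLib paths), warns about any instance still on a dynamic port, and only then writes the allow-list from the port list above. The function name and rule names are this example's own.

```powershell
# Added example: find which port each SQL Server instance really listens on
# before locking the host down. A named instance left on a dynamic port would
# be silently cut off by a fixed allow-list. Run in an elevated PowerShell on
# the SQL Server host (Windows 8/2012 or later for the NetSecurity cmdlets).

function Get-SqlInstancePorts {
    $base  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps instance name -> instance id (e.g. MSSQL15.MSSQLSERVER)
    $names = Get-ItemProperty -Path "$base\Instance Names\SQL" -ErrorAction Stop
    foreach ($p in $names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        # IPAll holds the listener settings that apply to every address.
        $ipAll = Get-ItemProperty -Path "$base\$($p.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        [pscustomobject]@{
            Instance    = $p.Name
            StaticPort  = $ipAll.TcpPort           # empty string => not pinned
            DynamicPort = $ipAll.TcpDynamicPorts   # non-empty => chosen at service start
            Pinned      = [bool]$ipAll.TcpPort
        }
    }
}

$instances = Get-SqlInstancePorts
$instances | Format-Table -AutoSize

$unpinned = $instances | Where-Object { -not $_.Pinned }
if ($unpinned) {
    Write-Warning ('Not on a static port; pin them in SQL Server Configuration Manager first: ' +
                   ($unpinned.Instance -join ', '))
}

# Allow-list: the page's list plus whatever static ports the instances use.
$tcpPorts = @(1433, 1434, 2383, 2382, 135, 80, 443, 4022) +
            @($instances | Where-Object Pinned | ForEach-Object { [int]$_.StaticPort }) |
            Sort-Object -Unique

New-NetFirewallRule -DisplayName 'SQL Server (TCP)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort ($tcpPorts | ForEach-Object { "$_" }) | Out-Null
New-NetFirewallRule -DisplayName 'SQL Browser (UDP 1434)' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1434 | Out-Null

# Everything not matched by an allow rule is now dropped on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
```

If the warning fires, set a static port for that instance and rerun; otherwise the instance will come up on a port the rules do not cover after its next restart.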

 

For A Domain Computer:

  1. Create a rule in your host firewall (or the firewall module of your AV suite) to block all ports except the following. The exact set depends on what the client uses (see the link below); this is the list for a domain member that only needs to reach its domain controllers:

TCP: 389,636,3268,3269,88,53,445,135,5722,464,9389,139,49152-65535
UDP: 389,88,53,445,123,464,138,137,49152-65535

The 49152-65535 range is the RPC dynamic range on Windows Vista/2008 and later; on Windows 2003 and earlier it is 1024-5000.

http://serverfault.com/questions/565775/minimum-number-of-port-need-to-open-between-windows-client-domain-controller-o

To see the dynamic port ranges a given host is using, run:

netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport tcp
netsh int ipv6 show dynamicport udp

Reference:
https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
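The following is an added example, not code from the original page, covering both the AD list and the domain computer list above. It turns a port table into inbound Windows Firewall allow rules, reads the RPC dynamic range from the host (the same values the netsh commands above print) instead of hard-coding 1024-5000 or 49152-65535, and then sets the default inbound action to block. The function names, rule group names and the DC addresses are this example's own; the port numbers are the page's.

```powershell
# Added example: "block everything except these ports" on Windows Firewall,
# built from a port table. Needs the NetSecurity module (Windows 8/2012 and
# later) and an elevated PowerShell. -WhatIf shows the rules without applying.

# The RPC dynamic range differs between OS generations, so read it from the
# host rather than guessing. Same numbers as "netsh int ipv4 show dynamicport".
function Get-DynamicPortRange {
    $tcp = Get-NetTCPSetting | Select-Object -First 1   # every setting profile carries the same range
    $udp = Get-NetUDPSetting
    [pscustomobject]@{
        TCP = '{0}-{1}' -f $tcp.DynamicPortRangeStartPort,
                           ($tcp.DynamicPortRangeStartPort + $tcp.DynamicPortRangeNumberOfPorts - 1)
        UDP = '{0}-{1}' -f $udp.DynamicPortRangeStartPort,
                           ($udp.DynamicPortRangeStartPort + $udp.DynamicPortRangeNumberOfPorts - 1)
    }
}

function New-PortAllowList {
    param(
        [Parameter(Mandatory)] [hashtable] $Ports,   # @{ TCP = @(...); UDP = @(...) }, ranges as 'a-b'
        [string]   $Group         = 'Port allow-list', # lets the set be listed/removed as one unit
        [string[]] $RemoteAddress = @('Any'),          # scope to DC addresses on a domain member
        [switch]   $WhatIf
    )
    # Start clean so re-running does not stack duplicate rules.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule -WhatIf:$WhatIf

    foreach ($proto in $Ports.Keys) {
        $list = @($Ports[$proto] | ForEach-Object { "$_" })   # -LocalPort wants strings
        New-NetFirewallRule -DisplayName "$Group ($proto)" -Group $Group `
            -Direction Inbound -Action Allow -Protocol $proto -LocalPort $list `
            -RemoteAddress $RemoteAddress -Profile Any -WhatIf:$WhatIf | Out-Null
    }

    # Inbound default becomes block on all profiles; outbound is left alone here.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -WhatIf:$WhatIf
}

$dyn = Get-DynamicPortRange

# Domain controller: the "For AD" list, with the live dynamic range instead of both.
$DcPorts = @{
    TCP = @(25, 42, 135, 137, 139, 389, 636, 3268, 3269, 88, 53, 445, 9389, 5722, 464) + $dyn.TCP
    UDP = @(389, 88, 53, 445, 464, 123, 137, 138, 67, 2535) + $dyn.UDP
}
New-PortAllowList -Ports $DcPorts -Group 'AD DS allow-list' -WhatIf

# Domain member in a DMZ: the "For A Domain Computer" list, scoped to the DCs
# (placeholder addresses; replace with your own).
$MemberPorts = @{
    TCP = @(389, 636, 3268, 3269, 88, 53, 445, 135, 5722, 464, 9389, 139) + $dyn.TCP
    UDP = @(389, 88, 53, 445, 123, 464, 138, 137) + $dyn.UDP
}
New-PortAllowList -Ports $MemberPorts -Group 'Domain member allow-list' `
    -RemoteAddress '10.0.0.10', '10.0.0.11' -WhatIf

# Check: what is actually listening, to compare against the allow-list.
Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
```

Drop the -WhatIf switches to apply the rules. Do this from a console session, not over RDP or WinRM, the first time: if the list is wrong the session you are working from is the first thing that gets cut off.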

 

For RPC/SMB Access:

  1. Create a rule in your AV software to block all ports except:

SMB - TCP - 445

RPC endpoint mapper - TCP - 135

DFS Replication (RPC) - TCP - 5722

TCP 135 only brokers the connection: the RPC service itself answers on a port from the dynamic range (49152-65535 on Vista/2008 and later, 1024-5000 before that), so that range has to be allowed as well unless the service has been pinned to a static port.

 

For An FTP Server:

  1. Create a rule in your AV software to block all ports except:
    TCP: 22 (SFTP, which runs over SSH)

I used to use 20 and 21 for FTP, but nowadays an SFTP server can be used anywhere an FTP server used to be used.

FTPS (FTP over TLS) is a different protocol from SFTP; it still needs TCP 21 plus a passive data-port range, so this single-port rule does not apply to it.

 

For A Web Server:

  1. Create a rule in your AV software to block all ports except:
    TCP: 80,443

 

For File Sharing:

TCP: 139, 445
UDP: 137, 138

* If the server has NBT (NetBIOS over TCP/IP) enabled, it listens on UDP ports 137 and 138 and on TCP ports 139 and 445. If NBT is disabled, it listens on TCP port 445 only, so turning NBT off lets you drop the other three from the allow-list.

Reference:
http://superuser.com/questions/764623/what-port-or-ports-are-used-for-file-sharing-in-windows
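The following is an added example, not code from the original page. It acts on the NBT caveat above: it reports which adapters have NetBIOS over TCP/IP enabled, disables it through the standard Win32_NetworkAdapterConfiguration SetTcpipNetbios method, and then opens only TCP 445 for file sharing (or 139 and UDP 137/138 as well if NBT has to stay on). The function and rule names are this example's own.

```powershell
# Added example: decide the file-sharing allow-list from the real NBT state
# instead of opening all four ports by habit. Run in an elevated PowerShell
# (NetSecurity module: Windows 8/2012 or later).

# TcpipNetbiosOptions: 0 = default (taken from DHCP), 1 = enabled, 2 = disabled
$nbtNames = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NbtState {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        Select-Object Description, IPAddress,
            @{ n = 'NBT'; e = { $nbtNames[[int]$_.TcpipNetbiosOptions] } }
}

function Disable-Nbt {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # ReturnValue 0 = applied, 1 = applied but a reboot is required
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
        }
}

function New-FileSharingRules {
    param([switch] $NbtEnabled)
    $group = 'File sharing allow-list'
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Direct-hosted SMB: the only port needed once NBT is off.
    New-NetFirewallRule -DisplayName 'SMB direct (TCP 445)' -Group $group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 | Out-Null

    if ($NbtEnabled) {
        New-NetFirewallRule -DisplayName 'NetBIOS session (TCP 139)' -Group $group `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort 139 | Out-Null
        New-NetFirewallRule -DisplayName 'NetBIOS name/datagram (UDP 137-138)' -Group $group `
            -Direction Inbound -Action Allow -Protocol UDP -LocalPort 137, 138 | Out-Null
    }
}

Get-NbtState | Format-Table -AutoSize
Disable-Nbt
New-FileSharingRules        # 445 only, since NBT is now off

# Verify: with NBT disabled, nothing should be left listening on 139, 137 or 138.
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in 139, 445 |
    Select-Object LocalAddress, LocalPort
Get-NetUDPEndpoint | Where-Object LocalPort -in 137, 138 |
    Select-Object LocalAddress, LocalPort
```

Keep the `-NbtEnabled` path for hosts that still serve pre-Windows 2000 clients or rely on NetBIOS name resolution; everything else can run with 445 alone.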