Blocking Ports

Guest

hi

Our company needs to restrict a few Windows 2000 workstations from accessing non-essential ports as part of a security audit requirement. I therefore need to identify the specific ports that a Windows 2000 workstation requires open so that it can communicate with a Windows 2000 server.
The workstation needs to login to the company domain, access the file server and print server, and access DNS, WINS services.

By looking through various groups I have been able to identify the following ports:
- Wins - 1512 (TCP/UDP)
- DNS - 53 (TCP/UDP)
- Kerberos - 88 (TCP/UDP)
- SMB - 445 (TCP/UDP)
- RPC - 135 (TCP)
- LDAP - 389 (TCP/UDP)
- LDAP SSL - 636 (TCP)
- LDAP GC - 3268 (TCP)
- LDAP GC SSL - 3269 (TCP)

Are these the only ports required - or are there additional ports?
Also, can any of these be removed?

Help is much appreciated

thanks
Tim
Steven L Umbach

When you say open ports, just to clarify, those would be "outbound" ports
that the client workstation needs access to.
Since you are using wins, that means you are using netbios over tcp/ip - at
least currently, which will require ports 137 UDP, 138 UDP, and 139 TCP
also. Wins client service uses 137 UDP - not 1512 which may be used for
replication between wins servers.

You may not need ldap ssl and GC ssl. If you have an enterprise Certificate
Authority for the domain or are planning on one then you will want to leave
access open for those ports.

The biggest issue is going to be RPC dynamic port allocation. During the
domain logon process RPC negotiates a session with the client computer that
uses one of the unprivileged above 1024 ports on the domain controller.
Because of this it is difficult to create secure firewall rules. The KB
below shows how to restrict the ports that the domain controller will use
for RPC to a range that can then be used to configure a firewall or ipsec
filtering.

http://support.microsoft.com/default.aspx?scid=kb;en-us;154596

However you are going to filter this traffic, you will want to allow these
ports outbound to the domain controllers [and subsequent response return
traffic] based on their IP addresses. For file and print sharing on servers
you will need to allow only ports 139 and/or 445 to those servers based on
their IP address. One really good way to see what is going on is to use the
built in Netmon or download Ethereal and use that on a domain controller to
see what ports it uses in authentication traffic and the same on a server
watching the packet exchange sequence. The KB below may be helpful in
understanding port use. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Tim said:
hi,

Our company needs to restrict a few Windows 2000 workstations from
accessing non-essential ports as part of a security audit requirement. I
therefore need to identify the specific ports that a Windows 2000
workstation requires open so that it can communicate with a Windows 2000
server.
The workstation needs to login to the company domain, access the file
server and print server, and access DNS, WINS services.
Guest

Hi Steven,
I do mean outbound ports.

Thank you for this information, just to clarify - and add to my list:

- Wins - 137 (UDP), 138 (UDP), 139 (TCP)
- DNS - 53 (TCP/UDP)
- Kerberos - 88 (TCP/UDP)
- SMB - 445 (TCP/UDP)
- RPC - 135 (TCP)
- LDAP - 389 (TCP/UDP)
- LDAP SSL - 636 (TCP)
- LDAP GC - 3268 (TCP)
- LDAP GC SSL - 3269 (TCP)
- NTP - 123 (UDP) - I believe that this allows time synchronisation

Thanks
Tim
Steven L Umbach

Well all those ports are not just for wins but are for netbios over tcp/ip
naming, datagram, and session. Port 137 is actually used for client wins
access.

Your list is still incomplete as it needs to allow for RPC dynamic port
allocation that I mentioned in that the domain controller will use a random
above 1024 port for the logon process which you can control with the registry
entry the KB article mentioned. Usually you will see port 1025,1026 or such
being used but the registry mod can force a range. The link below also is
informative on that subject, though I have not found port 1512 used for wins
client use as it suggests [maybe replication]. --- Steve

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
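As an added example (not code from this thread or from either poster), the allow-list Steve describes, modelled as per-destination rules: the domain controller gets the full port set plus a pinned RPC range, file and print servers get only 139/445, and a few constructed connection records are audited against it. The server IPs, the RPC range (assumed to have been restricted with the registry change from KB 154596) and the records are assumptions for illustration.

```python
# Added example (not from the thread): model the outbound allow-list Steve
# describes and audit connection records against it. IPs, the RPC range and
# the records are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports named in the thread: NetBIOS over TCP/IP (137/138/139), DNS,
# Kerberos, SMB, RPC endpoint mapper, LDAP (+SSL, GC, GC SSL), NTP.
DC_PORTS = {
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 53), ("udp", 53),
    ("tcp", 88), ("udp", 88), ("tcp", 445), ("udp", 445), ("tcp", 135),
    ("tcp", 389), ("udp", 389), ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
    ("udp", 123),
}
# File and print servers need only the SMB session ports.
FILE_PORTS = {("tcp", 139), ("tcp", 445)}

@dataclass(frozen=True)
class Rule:
    dst: str    # destination host or CIDR
    proto: str  # "tcp" or "udp"
    lo: int     # allowed port range, inclusive
    hi: int

def build_rules(dc_hosts, file_hosts, rpc_range=(5000, 5020)):
    """Per-destination rules; rpc_range is the dynamic RPC range the DC is
    assumed to be pinned to via the registry change from KB 154596."""
    rules = []
    for h in dc_hosts:
        rules += [Rule(h, p, n, n) for p, n in DC_PORTS]
        rules.append(Rule(h, "tcp", rpc_range[0], rpc_range[1]))
    for h in file_hosts:
        rules += [Rule(h, p, n, n) for p, n in FILE_PORTS]
    return rules

def allowed(rules, dst, proto, port):
    return any(ip_address(dst) in ip_network(r.dst, strict=False)
               and r.proto == proto and r.lo <= port <= r.hi for r in rules)

def audit(rules, records):
    """Return the (dst, proto, port) records the rule set would block."""
    return [rec for rec in records if not allowed(rules, *rec)]

# Constructed records: DC at 10.0.0.1, file server at 10.0.0.2.
SAMPLE_RECORDS = [("10.0.0.1", "tcp", 88), ("10.0.0.1", "tcp", 5010),
                  ("10.0.0.1", "tcp", 1026), ("10.0.0.2", "tcp", 445),
                  ("10.0.0.2", "tcp", 389)]
RULES = build_rules(["10.0.0.1"], ["10.0.0.2"])
BLOCKED = audit(RULES, SAMPLE_RECORDS)  # 1026: RPC outside pinned range; 389: not a DC
```

A blocked record to a domain controller on an above-1024 port is the symptom of the unpinned dynamic RPC allocation Steve warns about, which is why the DC rule covers a range rather than single ports.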