General discussion

  • #2289097

    Windows 2000 Minimal Ports Needed

    Locked

    by aakash shah ·

    I am trying to lock down my W2K workstations by using TCP/IP filtering. My intention is to block all ports except the ports I specify. However, I want a comprehensive list of the minimal ports that will be needed to log into a domain-based network. This way I can allow only these ports and block off everything else. Can anyone help me with this?

All Comments

    • #2704467

      Reply To: Windows 2000 Minimal Ports Needed

      by cg it ·

      In reply to Windows 2000 Minimal Ports Needed

      see the services file under systemroot\system32\drivers\etc folder

      port number codes can be found in the systemroot\system32\drivers\etc folder in the protocol file.

      these can be found on any W2K computer [server included].

    • #2709795

      Reply To: Windows 2000 Minimal Ports Needed

      by mikex ·

      In reply to Windows 2000 Minimal Ports Needed

      11.) Check all open TCP/IP ports.

      First, check to see which ports your machine has open, and figure out which services the ports map to. For the former, you can use “netstat -an” from a DOS prompt. Many users may find the Port Scan feature of InternetPeriscope easier to use, as it tells you which services are commonly used by which ports. Install and run InternetPeriscope ON your server for this first test.

      Next, perform a Port Scan on your server from a machine that is OUTSIDE of your firewall. Again, InternetPeriscope can help you to do this. This will give you an idea of what ports the hackers see when they scan your system.

      If you see any services on your machine that you do not need, you should remove them to further “harden” your server’s security.

      It depends on your work which ports you will leave open – if you want more info, check out which are the regular TCP/IP ports on win2k systems.

      • #2709698

        Reply To: Windows 2000 Minimal Ports Needed

        by aakash shah ·

        In reply to Reply To: Windows 2000 Minimal Ports Needed

        Thanks for responding mikex. I can find out what ports are open while the computer is running (I use WinInternal’s TCPView). However, I don’t know if any ports are used while the computer is booting and getting to the welcome screen that are then closed by the time the user logs in. I wanted to know if there is a resource somewhere that can help me with this. You mentioned that InternetPeriscope tells me what services are commonly used by what ports. Do you know what services are required for a W2K system logging onto a domain?
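Two of the suggestions above (listing open ports with `netstat -an`, and mapping port numbers to service names via the services file under %SystemRoot%\system32\drivers\etc) can be combined into a small audit script. The following is an added example, not code posted by anyone in this thread: the netstat output and the services excerpt are constructed samples in the format of those two sources, and `ALLOWED_PLACEHOLDER` is an assumed allowlist standing in for whatever you decide to permit in TCP/IP filtering.

```python
import re

# Constructed excerpt in the format of %SystemRoot%\system32\drivers\etc\services
# (not the real file): <name> <port>/<proto> [aliases] [#comment]
SERVICES_SAMPLE = """\
# constructed sample
epmap             135/tcp    loc-srv         #DCE endpoint resolution
netbios-ns        137/udp    nbname          #NETBIOS Name Service
netbios-dgm       138/udp    nbdatagram      #NETBIOS Datagram Service
netbios-ssn       139/tcp    nbsession       #NETBIOS Session Service
ldap              389/tcp                    #Lightweight Directory Access Protocol
microsoft-ds      445/tcp
isakmp            500/udp    ike             #Internet Key Exchange
"""

# Constructed sample in the layout of "netstat -an" on Windows 2000
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1028      192.168.1.5:389        ESTABLISHED
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:500       *:*
"""

# Assumed allowlist (placeholder, not a recommendation): ports you intend to keep open
ALLOWED_PLACEHOLDER = {('tcp', 135), ('tcp', 139), ('tcp', 445), ('udp', 137), ('udp', 500)}


def parse_services(text):
    """Map (proto, port) -> service name from a services-file style text."""
    names = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        m = re.fullmatch(r'(\d+)/(tcp|udp)', parts[1], re.IGNORECASE)
        if m:
            names[(m.group(2).lower(), int(m.group(1)))] = parts[0]
    return names


def parse_netstat_listening(text):
    """Return the set of (proto, port) that accept traffic: TCP sockets in
    LISTENING state and every bound UDP socket (UDP has no state column)."""
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in ('tcp', 'udp'):
            continue
        proto = parts[0].lower()
        port = int(parts[1].rsplit(':', 1)[1])
        if proto == 'udp':
            listening.add(('udp', port))
        elif len(parts) >= 4 and parts[3].upper() == 'LISTENING':
            listening.add(('tcp', port))
    return listening


def audit_listeners(netstat_text, services_text, allowed):
    """One row per listening socket: its service name (or 'unknown') and
    whether it is on the allowlist, so unexpected listeners stand out."""
    names = parse_services(services_text)
    rows = []
    for proto, port in sorted(parse_netstat_listening(netstat_text)):
        rows.append({'proto': proto, 'port': port,
                     'service': names.get((proto, port), 'unknown'),
                     'allowed': (proto, port) in allowed})
    return rows


if __name__ == '__main__':
    for row in audit_listeners(NETSTAT_SAMPLE, SERVICES_SAMPLE, ALLOWED_PLACEHOLDER):
        flag = '' if row['allowed'] else '  <-- not in allowlist'
        print(f"{row['proto']}/{row['port']:<5} {row['service']:<14}{flag}")
```

On a real machine you would feed the script the saved output of `netstat -an` and the actual services file; the row flagged "not in allowlist" is the listener to investigate (and, as mikex says, remove if not needed) before you turn on filtering. The ESTABLISHED line is deliberately ignored: it shows a client-side dynamic port, not a service the workstation offers.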

    • #2716880

      Reply To: Windows 2000 Minimal Ports Needed

      by smight ·

      In reply to Windows 2000 Minimal Ports Needed

      Great question. Check out Microsoft KB832017 at http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=winsvr2003. This is a good resource for figuring out what ports use what service. The TCP/IP filtering does not filter any outbound traffic, just the inbound traffic.

      You’ll have to allow all the UDP ports in order to do DNS resolution since the windows DNS client binds to a dynamic port.

      I only know of one way to figure this out. You will need to use a packet capture tool like ethereal (freeware!) with the winpcap driver (also free!) or the Network Monitor that comes on windows 2000 server or 2003 server. Furthermore, because you are logging on and off a domain (as per your question) you won’t be able to have anything running on your w2k workstation. So you’ll need a hub (not switch) and plug your workstation into the hub and then the hub into the network jack. Then use a second computer and plug into the hub also. This way the hub will repeat all traffic to the NIC on the second computer. Then fire up your packet capture software running on the second computer and start listening. Go to the first computer and log on and off the network. Stop the packet captures and then read the traces to see what tcp ports were used.

      This is not an easy task by any means and packet traces are a pain to read. Furthermore, Windows client services frequently bind to dynamic ports so that they can run multiple requests at the same time. This means that you will likely have to open a huge range of ports to get this to work reliably. Good luck man.

      Chris Britt

      • #2718211

        Reply To: Windows 2000 Minimal Ports Needed

        by aakash shah ·

        In reply to Reply To: Windows 2000 Minimal Ports Needed

        Thanks for responding smight. The MS article was a great reference. However, do you have an article that explains what ports are needed for workstations?

        I’d like to avoid taking the packet capture approach if possible and would like to use a reference instead. But, if I can’t find any other reference, then I’ll go ahead and do this. Anyone else have any other ideas?
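The last step of smight's procedure, reading the trace to see which ports were used, is the tedious part. Below is an added example (not code from anyone in this thread) that reads a libpcap-format file, the format Ethereal saves, and summarizes destination ports by direction relative to the workstation. The trace itself is constructed inline from hand-built Ethernet/IPv4 frames so the script runs offline; the addresses 192.168.1.10 (workstation) and 192.168.1.5 (domain controller) and the packet sequence are assumptions, not a record of real logon traffic. Only Ethernet/IPv4 captures are handled, and TCP is counted once per connection attempt (pure SYN) so that replies and data segments do not inflate the counts.

```python
import struct
from collections import Counter

WORKSTATION_IP = '192.168.1.10'   # constructed: the W2K workstation being traced
DC_IP = '192.168.1.5'             # constructed: the domain controller


# --- builders for the constructed trace (Ethernet / IPv4 / TCP or UDP) ---
def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split('.'))

def _ether_ipv4(src, dst, proto, l4):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, _ip_bytes(src), _ip_bytes(dst)) + l4
    return (b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb'
            + b'\x08\x00' + ip)

def tcp_frame(src, dst, sport, dport, flags):
    # 20-byte TCP header; checksums are left zero (the reader never validates them)
    return _ether_ipv4(src, dst, 6, struct.pack('!HHIIBBHHH', sport, dport,
                                                0, 0, 5 << 4, flags, 8192, 0, 0))

def udp_frame(src, dst, sport, dport):
    return _ether_ipv4(src, dst, 17, struct.pack('!HHHH', sport, dport, 8, 0))

def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack('<IIII', 1000 + i, 0, len(f), len(f)) + f)
    return b''.join(out)


# --- reader ---
def iter_pcap(data):
    """Yield raw frames from libpcap bytes (either byte order, Ethernet only)."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == 0xa1b2c3d4:
        end = '<'
    elif magic == 0xd4c3b2a1:
        end = '>'
    else:
        raise ValueError('not a libpcap file')
    linktype, = struct.unpack_from(end + 'I', data, 20)
    if linktype != 1:
        raise ValueError('only Ethernet captures are handled')
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(end + 'IIII', data, off)
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, tcp_flags) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0f) * 4
    proto = frame[23]
    src = '.'.join(str(b) for b in frame[26:30])
    dst = '.'.join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from('!HH', l4, 0)
        return src, dst, 'tcp', sport, dport, l4[13]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from('!HH', l4, 0)
        return src, dst, 'udp', sport, dport, 0
    return None

def summarize_ports(pcap_bytes, workstation_ip):
    """Count (proto, destination port) for traffic leaving and entering the workstation.
    TCP counts only pure SYNs (SYN set, ACK clear), i.e. one per connection attempt."""
    summary = {'outbound': Counter(), 'inbound': Counter()}
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, _sport, dport, flags = parsed
        if proto == 'tcp' and (flags & 0x12) != 0x02:
            continue
        if src == workstation_ip:
            summary['outbound'][(proto, dport)] += 1
        elif dst == workstation_ip:
            summary['inbound'][(proto, dport)] += 1
    return summary


# Constructed stand-in for a logon trace; a real one comes from the capture host on the hub.
SAMPLE_PCAP = build_pcap([
    udp_frame(WORKSTATION_IP, DC_IP, 1025, 53),         # DNS query from a dynamic port
    udp_frame(DC_IP, WORKSTATION_IP, 53, 1025),         # DNS reply back to that port
    tcp_frame(WORKSTATION_IP, DC_IP, 1026, 389, 0x02),  # LDAP SYN
    tcp_frame(DC_IP, WORKSTATION_IP, 389, 1026, 0x12),  # SYN-ACK (not counted)
    tcp_frame(WORKSTATION_IP, DC_IP, 1026, 389, 0x18),  # PSH-ACK data (not counted)
    tcp_frame(WORKSTATION_IP, DC_IP, 1027, 445, 0x02),  # SMB over TCP SYN
    udp_frame(WORKSTATION_IP, DC_IP, 137, 137),         # NetBIOS name query
    tcp_frame(DC_IP, WORKSTATION_IP, 1100, 139, 0x02),  # inbound NetBIOS session SYN
])

if __name__ == '__main__':
    s = summarize_ports(SAMPLE_PCAP, WORKSTATION_IP)
    for direction in ('outbound', 'inbound'):
        print(direction)
        for (proto, port), n in sorted(s[direction].items()):
            print(f'  {proto}/{port:<5} x{n}' + ('  (dynamic port)' if port >= 1024 else ''))
```

For a real capture, replace `SAMPLE_PCAP` with the bytes of the saved trace file and `WORKSTATION_IP` with the workstation's address. The inbound counter is the one that matters for TCP/IP filtering, since, as noted above, it only filters inbound traffic; entries there at or above 1024 are the replies to dynamically bound client ports that make a strict allowlist awkward, which is exactly the range problem smight describes.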

    • #2716856

      Reply To: Windows 2000 Minimal Ports Needed

      by mikex ·

      In reply to Windows 2000 Minimal Ports Needed

      You’re too paranoid (BTW it’s a good question), but here are the basic ports (the rest is depending on your network/server config and the services that you’re using):

      This list of well-known port numbers specifies the port used by the server process as its contact port.

      1 TCP Port Service Multiplexer (TCPMUX)
      5 Remote Job Entry (RJE)
      42 Host Name Server (Nameserv)
      49 Login Host Protocol (Login)
      53 Domain Name System (DNS)
      137 NetBIOS Name Service
      139 NetBIOS Datagram Service
      150 NetBIOS Session Service
      190 Gateway Access Control Protocol (GACP)
      197 Directory Location Service (DLS)
      389 Lightweight Directory Access Protocol (LDAP)
      546 DHCP Client
      547 DHCP Server
      1080 Socks

      The rest can vary

      • #2707699

        Reply To: Windows 2000 Minimal Ports Needed

        by aakash shah ·

        In reply to Reply To: Windows 2000 Minimal Ports Needed

        Thanks for responding Mikex. What is your source for these ports? I’d like to have a official reference to point to when performing this task.

        Thanks.

    • #2707704

      Reply To: Windows 2000 Minimal Ports Needed

      by smight ·

      In reply to Windows 2000 Minimal Ports Needed

      Well, I don’t know of an authoritative list of source port requirements for workstations and no one seems to be able to provide you with one. There are several references out there but you correctly point out that they are not specific to requirements for workstations.

      I am supplying this answer again because I posted the idea that the only way to know with certainty is to use the packet capture approach and trace it for yourself. I supplied you with some information about freeware packet capturing software (www.ethereal.com).

      If after a while you decide that the packet capture is the correct (possibly only) method for figuring this out and it works, please come back and rate this answer. If in the meantime someone gives you an authoritative list for workstations or a reference to one on the net (I’d like to see it too) then obviously award the points there. But if you end up using the packet capturing tools that I mentioned to solve the issue, I would appreciate it if you rate this answer as successful.

      Best of luck to you. Packet capturing is no small task. I would be really interested in learning your results.

      Chris Britt

    • #2708908

      Reply To: Windows 2000 Minimal Ports Needed

      by aakash shah ·

      In reply to Windows 2000 Minimal Ports Needed

      This question was closed by the author
