Windows 2000 Minimal Ports Needed

By Aakash Shah ·
I am trying to lock down my W2K workstations by using TCP/IP filtering. My intention is to block all ports except the ports I specify. However, I want a comprehensive list of the minimal ports that will be needed to log into a domain-based network. This way I can allow only these ports and block off everything else. Can anyone help me with this?

11 total posts (Page 1 of 2)

All Comments

by CG IT In reply to Windows 2000 Minimal Port ...

See the services file under the systemroot\system32\drivers\etc folder.

Port number codes can be found in the systemroot\system32\drivers\etc folder in the protocol file.

these can be found on any W2K computer [server included].

by CG IT In reply to

note: what you allow and disallow is mostly based upon the services you run.

by mikex In reply to Windows 2000 Minimal Port ...

11.) Check all open TCP/IP ports.

First, check to see which ports your machine has open, and figure out which services the ports map to. For the former, you can use "netstat -an" from a DOS prompt. Many users may find the Port Scan feature of InternetPeriscope easier to use, as it tells you which services are commonly used by which ports. Install and run InternetPeriscope ON your server for this first test.

Next, perform a Port Scan on your server from a machine that is OUTSIDE of your firewall. Again, InternetPeriscope can help you to do this. This will give you an idea of what ports the hackers see when they scan your system.

If you see any services on your machine that you do not need, you should remove them to further "harden" your server's security.

It depends on your work which ports you will leave open. If you want more info, check out which are the regular TCP/IP ports on Win2K systems.
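The first step mikex describes (run "netstat -an", then map each open port to a service) can be scripted so the result is an auditable list rather than a screenful of sockets. The script below is an added example, not code from any poster or from InternetPeriscope: it parses constructed "netstat -an" output in the Windows 2000 layout and a constructed excerpt in the format of the services file CG IT mentioned (systemroot\system32\drivers\etc\services), keeps only TCP sockets in LISTENING state plus every bound UDP socket, names them, and reports anything outside an allow list. The IP addresses, the netstat lines, and the ALLOWED set are all assumptions made up for the demonstration.

```python
"""Inventory the ports a Windows 2000 host accepts traffic on from 'netstat -an' output,
name them from a services-file excerpt, and flag anything not on an allow list."""

# Constructed excerpt in the format of systemroot\system32\drivers\etc\services (not copied from a host).
SERVICES_TEXT = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
epmap             135/tcp    loc-srv        #DCE endpoint resolution
netbios-ns        137/udp    nbname         #NETBIOS Name Service
netbios-dgm       138/udp    nbdatagram     #NETBIOS Datagram Service
netbios-ssn       139/tcp    nbsession      #NETBIOS Session Service
ldap              389/tcp                   #Lightweight Directory Access Protocol
microsoft-ds      445/tcp
microsoft-ds      445/udp
"""

# Constructed 'netstat -an' output for a workstation at 192.168.1.10 (not captured from a real host).
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      192.168.1.5:389        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Assumed allow list for this workstation: (port, protocol) pairs the administrator has decided to keep.
ALLOWED = {(135, "tcp"), (139, "tcp"), (445, "tcp"), (137, "udp"), (138, "udp"), (445, "udp")}


def parse_services(text):
    """Map (port, proto) -> service name, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]  # e.g. "netbios-ssn", "139/tcp"
        port, proto = port_proto.split("/")
        table[(int(port), proto.lower())] = name
    return table


def parse_netstat(text):
    """Return the set of (port, proto) endpoints the host accepts traffic on:
    TCP sockets in LISTENING state and every bound UDP socket (UDP rows have no state column).
    Established TCP connections are client-side sockets and are skipped."""
    open_ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])  # local address is "ip:port"
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        open_ports.add((port, proto))
    return open_ports


def audit(open_ports, allowed, services):
    """Return sorted (port, proto, service name) tuples for open endpoints outside the allow list."""
    return sorted((port, proto, services.get((port, proto), "unknown"))
                  for port, proto in open_ports if (port, proto) not in allowed)


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    listening = parse_netstat(NETSTAT_TEXT)
    for port, proto in sorted(listening):
        print(f"{proto}/{port:<5} {services.get((port, proto), 'unknown')}")
    print("not on allow list:", audit(listening, ALLOWED, services))
```

On the constructed data the only finding is TCP 1025, which the services excerpt cannot name; that is exactly the kind of endpoint the "which service owns this port" question in the post is about, and the one to investigate before it goes on a filter list.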

by Aakash Shah In reply to

Thanks for responding mikex. I can find out what ports are open while the computer is running (I use WinInternal's TCPView). However, I don't know if any ports are used while the computer is booting and getting to the welcome screen that are then closed by the time the user logs in. I wanted to know if there is a resource somewhere that can help me with this. You mentioned that InternetPeriscope tells me what services are commonly used by what ports. Do you know what services are required for a W2K system logging onto a domain?

by smight In reply to Windows 2000 Minimal Port ...

Great question. Check out Microsoft KB832017 at http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=winsvr2003. This is a good resource for figuring out what ports use what service. The TCP/IP filtering does not filter any outbound traffic, just the inbound traffic.

You'll have to allow all the UDP ports in order to do DNS resolution since the Windows DNS client binds to a dynamic port.

I only know of one way to figure this out. You will need to use a packet capture tool like ethereal (freeware!) with the winpcap driver (also free!) or the Network Monitor that comes on Windows 2000 Server or 2003 Server. Furthermore, because you are logging on and off a domain (as per your question) you won't be able to have anything running on your W2K workstation. So you'll need a hub (not a switch); plug your workstation into the hub and then the hub into the network jack. Then use a second computer and plug it into the hub also. This way the hub will repeat all traffic to the NIC on the second computer. Then fire up your packet capture software running on the second computer and start listening. Go to the first computer and log on and off the network. Stop the packet captures and then read the traces to see what TCP ports were used.

This is not an easy task by any means and packet traces are a pain to read. Furthermore, Windows client services frequently bind to dynamic ports so that they can run multiple requests at the same time. This means that you will likely have to open a huge range of ports to get this to work reliably. Good luck man.

Chris Britt
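The hard part of the procedure above is the last step: reading the trace. Two things in that post drive how the trace should be read: TCP/IP filtering only affects inbound traffic, and the Windows client binds to dynamic ports, so reply packets land on ports that change every logon. The script below is an added example (not code from Chris Britt or from ethereal/Network Monitor) that classifies a capture accordingly. It works on constructed summary lines in a simple "PROTO src:port -> dst:port" format, assumes the workstation's address is 192.168.1.10 and the domain controller's is 192.168.1.5, and assumes the Windows 2000 default dynamic client range of 1025-5000; none of these values come from the thread. For each packet addressed to the workstation it separates fixed contact ports (what a "Permit Only" filter would have to list) from ephemeral reply ports (the ones that make a fixed list unreliable), and it also records which server ports the workstation contacted.

```python
"""Classify a logon-time packet trace into fixed inbound contact ports, the services the
workstation contacted, and dynamic reply ports that a stateless inbound filter cannot pin down."""
import re

# Windows 2000 default dynamic (ephemeral) client port range; an assumption made for this example.
EPHEMERAL_RANGE = range(1025, 5001)

# Constructed trace summary (not a real capture): DHCP renew, DNS, Kerberos, LDAP and SMB to the
# domain controller during logon, plus one inbound NetBIOS session from another host.
TRACE = """\
UDP 192.168.1.10:68 -> 255.255.255.255:67
UDP 192.168.1.1:67 -> 192.168.1.10:68
UDP 192.168.1.10:1027 -> 192.168.1.1:53
UDP 192.168.1.1:53 -> 192.168.1.10:1027
UDP 192.168.1.10:1028 -> 192.168.1.5:88
UDP 192.168.1.5:88 -> 192.168.1.10:1028
TCP 192.168.1.10:1029 -> 192.168.1.5:389
TCP 192.168.1.5:389 -> 192.168.1.10:1029
TCP 192.168.1.10:1030 -> 192.168.1.5:445
TCP 192.168.1.5:445 -> 192.168.1.10:1030
TCP 192.168.1.20:1500 -> 192.168.1.10:139
TCP 192.168.1.10:139 -> 192.168.1.20:1500
"""

LINE_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_trace(text):
    """Parse the constructed summary format into (proto, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet line
        proto, src, sport, dst, dport = m.groups()
        flows.append((proto, src, int(sport), dst, int(dport)))
    return flows


def classify(flows, workstation):
    """Split packets seen at the workstation into three sets.

    inbound_contact   (proto, port) on the workstation hit on a fixed, non-ephemeral port:
                      these are the candidates for an inbound 'Permit Only' list.
    outbound_services (proto, server, port): services the workstation itself contacted.
    reply_ports       (proto, port) on the workstation inside the dynamic range: replies to
                      the workstation's own requests, which move from one logon to the next.
    """
    inbound_contact, outbound_services, reply_ports = set(), set(), set()
    for proto, src, sport, dst, dport in flows:
        if dst == workstation:
            if dport in EPHEMERAL_RANGE:
                reply_ports.add((proto, dport))
            else:
                inbound_contact.add((proto, dport))
        elif src == workstation and dport not in EPHEMERAL_RANGE:
            outbound_services.add((proto, dst, dport))
    return inbound_contact, outbound_services, reply_ports


if __name__ == "__main__":
    inbound, outbound, replies = classify(parse_trace(TRACE), "192.168.1.10")
    print("fixed inbound contact ports:", sorted(inbound))
    print("services contacted:", sorted(outbound))
    print("dynamic reply ports this logon:", sorted(replies))
```

Run against the constructed trace, the fixed inbound ports are only UDP 68 and TCP 139, while every DNS, Kerberos, LDAP and SMB reply arrives on a port in the 1025-5000 range. That split is the thread's point in concrete form: the contact ports can be written down once, but the reply ports cannot, which is why the post expects a large UDP range to be opened.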

by Aakash Shah In reply to

Thanks for responding smight. The MS article was a great reference. However, do you have an article that explains what ports are needed for workstations?

I'd like to avoid taking the packet capture approach if possible and would like to use a reference instead. But, if I can't find any other reference, then I'll go ahead and do this. Anyone else have any other ideas?

by mikex In reply to Windows 2000 Minimal Port ...

You're too paranoid (BTW it's a good question), but here are the basic ports (the rest depends on your network/server config and the services that you're using):

This list of well-known port numbers specifies the port used by the server process as its contact port.

1 TCP Port Service Multiplexer (TCPMUX)
5 Remote Job Entry (RJE)
42 Host Name Server (Nameserv)
49 Login Host Protocol (Login)
53 Domain Name System (DNS)
137 NetBIOS Name Service
139 NetBIOS Datagram Service
150 NetBIOS Session Service
190 Gateway Access Control Protocol (GACP)
197 Directory Location Service (DLS)
389 Lightweight Directory Access Protocol (LDAP)
546 DHCP Client
547 DHCP Server
1080 Socks

The rest can vary.

by Aakash Shah In reply to

Thanks for responding Mikex. What is your source for these ports? I'd like to have an official reference to point to when performing this task.

Thanks.

by smight In reply to Windows 2000 Minimal Port ...

Well, I don't know of an authoritative list of source port requirements for workstations and no one seems to be able to provide you with one. There are several references out there but you correctly point out that they are not specific to requirements for workstations.

I am supplying this answer again because I posted the idea that the only way to know with certainty is to use the packet capture approach and trace it for yourself. I supplied you with some information about freeware packet capturing software (www.ethereal.com).

If after a while you decide that the packet capture is the correct (possibly only) method for figuring this out and it works, please come back and rate this answer. If in the meantime someone gives you an authoritative list for workstations or a reference to one on the net (I'd like to see it too), then obviously award the points there. But if you end up using the packet capturing tools that I mentioned to solve the issue, I would appreciate it if you rate this answer as successful.

Best of luck to you. Packet capturing is no small task. I would be really interested in learning your results.

Chris Britt

by Aakash Shah In reply to

smight: Since your response did have the most usable content, I will award you the points for this question.
