The table (Table C-1) that makes up the majority of this appendix describes the ports that are opened on a Microsoft Windows 2000 server or a Windows 2000 server acting as a domain controller. If you're placing a computer on the Internet, you'll need to know which ports you want to allow through your firewall. As a rule, if you don't have a need for the service on which the port is listening, you should
Better still, uninstall the service altogether but block the port also. You can block the port at the Windows 2000 server by using Internet Protocol Security (IPSec) filtering, which is explained in detail in Chapter 3, "Windows 2000 Security Overview."
The first column of the table lists the port and protocol, the second describes the port and protocol, and the last two columns indicate whether the port is open by default on Windows 2000 Server and Windows 2000 Server with Active Directory installed. Note that the last two columns do not indicate whether the functionality that uses the ports is installed by default.
Table C-1. Common ports used in Windows 2000 Server.
Port | Comments | Windows 2000 Server | Windows 2000 Server with Active Directory |
---|---|---|---|
21/TCP | **FTP** This FTP server is part of Internet Information Services (IIS) and is administered from the IIS administrative toolset. The name of the service is MSFTPSVC. | Yes | Yes |
25/TCP | **SMTP** This Simple Mail Transfer Protocol service is administered from the IIS administration tool; the name of the service is SMTPSVC. | Yes | Yes |
80/TCP | **HTTP** This is IIS proper. The name of the service is W3SVC. | Yes | Yes |
88/UDP¹ | **Kerberos** The Kerberos Key Distribution Center (KDC) listens on this port for ticket requests. | No² | Yes |
119/TCP | **NNTP** This NNTP service is administered from the IIS administration tool; the name of the service is NNTPSVC. It is not installed by default. | Yes | Yes |
135/TCP | **RPC End Point Location** Also used by WINS and DHCP. | Yes | Yes |
137/UDP | **NetBIOS Name Service** Also used for printing and browsing. | Yes | Yes |
139/TCP | **NetBIOS Session Services** Used for SMB, file sharing, and printing. | Yes | Yes |
389/UDP | **Lightweight Directory Access Protocol (LDAP)** Used to communicate with Active Directory. | No | Yes |
443/TCP | **HTTPS** Secure HTTP, part of IIS. The name of the service is W3SVC. | Yes | Yes |
445/TCP | **SMB over TCP/IP** This is incorrectly listed by many tools as Microsoft-DS. You can control this functionality through the Server service. | Yes | Yes |
464/TCP | **Kerberos Password V5** This port handles Kerberos password requests. | No | Yes |
500/TCP³ | **ISAKMP** Used by IPSec when establishing secured connections between hosts. | Yes | Yes |
563/TCP | **SNEWS** Secure NNTP. | Yes | Yes |
593/TCP | **RPC over HTTP** This is used for COM+ Internet Services and is not installed by default. Requires IIS to operate. | Yes | Yes |
636/TCP | **LDAP over SSL** | No | Yes |
1067/TCP | **Installation Bootstrap Service** | No | Yes |
1068/TCP | **Installation Bootstrap Service** | No | Yes |
1645/UDP | **Internet Authentication Server (IAS)** Used for processing Remote Authentication Dial-In User Service (RADIUS) authentication messages. Supported by IAS to provide backward compatibility with older RADIUS servers. | Yes | Yes |
1646/UDP | **IAS** Used for processing RADIUS accounting messages. Supported by IAS to provide backward compatibility with older RADIUS servers. | Yes | Yes |
1701/UDP | **Layer 2 Tunneling Protocol (L2TP)** A virtual private network (VPN) technology. | Yes | Yes |
1723/UDP | **Point-to-Point Tunneling Protocol (PPTP)** A VPN technology. | Yes | Yes |
1812/UDP | **IAS** Used for processing RADIUS authentication messages. | Yes | Yes |
1813/UDP | **IAS** Used for processing RADIUS accounting messages. | Yes | Yes |
3389/TCP | **Microsoft RDP** Remote Data Protocol for Terminal Server. | Yes | Yes |
¹ This port will remain open if you attempt to block all unused ports and allow only valid ports by using IPSec filtering. You can get around this by explicitly blocking the port with the IPSec tool.
² Some scanners might show this port as alive on Windows 2000 Server without Active Directory. There is, in fact, no service listening on the port.
³ This port will remain open if you attempt to block all unused ports and allow only valid ports by using IPSec filtering. You can get around this by explicitly blocking the port with the IPSec tool.
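The "block what you don't need" rule above, combined with the per-role defaults in Table C-1, can be turned into a small audit. The following Python is an added example, not code from the book: it parses a constructed excerpt of the table in the page's own pipe-table layout (footnote markers included), derives the ports to block for a given host role and set of services the administrator needs, and then flags listeners in a constructed `netstat -an` capture that either should have been blocked or do not appear in the table at all. The table excerpt, the needed-service set and the netstat sample are all constructed inputs.

```python
"""Added example (not from the book): build a per-host block list from Table C-1 and audit a ``netstat -an`` capture against it."""
import re
# Constructed excerpt of Table C-1 in the page's layout; footnote marks such as "88/UDP1" or "No2" are tolerated.
TABLE_EXCERPT = """\
Port | Comments | Windows 2000 Server | Windows 2000 Server with Active Directory |
---|---|---|---|
80/TCP | HTTP This is IIS proper (W3SVC). | Yes | Yes |
88/UDP1 | Kerberos The KDC listens on this port. | No2 | Yes |
139/TCP | NetBIOS Session Services Used for SMB. | Yes | Yes |
445/TCP | SMB over TCP/IP | Yes | Yes |
3389/TCP | Microsoft RDP for Terminal Server. | Yes | Yes |
"""
ROW_RE = re.compile(r"^\s*(\d+)/(TCP|UDP)[^|]*\|([^|]*)\|\s*(Yes|No)[^|]*\|\s*(Yes|No)")

def parse_table(text):
    """Map (port, proto) -> (comment, open on Server, open on Server with AD)."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[(int(m[1]), m[2])] = (m[3].strip(), m[4] == "Yes", m[5] == "Yes")
    return rows

def ports_to_block(rows, domain_controller, needed):
    """Ports open by default for this role that the admin has not declared needed."""
    col = 2 if domain_controller else 1
    return sorted(k for k, v in rows.items() if v[col] and k not in needed)

# Constructed ``netstat -an`` capture; only TCP LISTENING rows and UDP rows count as listeners.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1034          ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:161            *:*
"""
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?")

def listening_ports(netstat_output):
    """Set of (port, proto) actually listening on the host."""
    found = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and (m[1] == "UDP" or m[3] == "LISTENING"):
            found.add((int(m[2]), m[1]))
    return found

def audit(rows, domain_controller, needed, netstat_output):
    """Listeners that should be blocked for this role, or that Table C-1 does not list."""
    blocked = set(ports_to_block(rows, domain_controller, needed))
    return sorted(p for p in listening_ports(netstat_output) if p in blocked or p not in rows)
```

For a member server that only needs HTTP and Terminal Server, `audit(parse_table(TABLE_EXCERPT), False, {(80, "TCP"), (3389, "TCP")}, NETSTAT_SAMPLE)` reports 139/TCP (open by default but not needed) and 161/UDP (not in the table excerpt).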