Share via

Key Firewall ports for Windows server 2008

  • Article

Some just might say that security has gone mad these days, gone are the times when we only used firewalls to protect our internal network infrastructure from external attack. Certainly I now see many of our customers deploying internal firewalls to protect their sites but at the same time, cause poor old Active Directory some challenges.

Therefore with this ever growing popularity I figured it would be nice to have the main ports required to be open listed on a simple table. As one customer seemed to like it, I thought I may as well give it to you all. You never know if you will need it.

 

Possible Rule name

Description

Port

Path

 Active Directory Domain Controller - Kerberos

TCP

 Inbound rule for the Active Directory Domain Controller service to allow authentication traffic

88 

 System

Active Directory Domain Controller - Kerberos

UDP

Inbound rule for the Active Directory Domain Controller service to allow authentication traffic

88 

 System

Active Directory Domain Controller - Kerberos password change

TCP

 Inbound rule for the Active Directory Controller service to allow Kerberos password changes over TCP

464 

 System

Active Directory Domain Controller - Kerberos password change

UDP

 Inbound rule for the Active Directory Controller service to allow Kerberos password changes over TCP

 

464 

 System

Active Directory Domain Controller - LDAP (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389)

389

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - LDAP (UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389)

389

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268)

3268

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - NetBIOS name resolution (UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138)

138

System

Active Directory Domain Controller - SAM/LSA (NP-TCP-In)

Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445)

445

System

Active Directory Domain Controller - SAM/LSA (NP-UDP-In)

Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445)

445

System

Active Directory Domain Controller - Secure LDAP (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636)

636

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269)

3269

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - W32Time (NTP-UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123)

123

%systemroot%\System32\svchost.exe

Active Directory Domain Controller (RPC)

Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service.

Dynamic RPC

%systemroot%\System32\lsass.exe

Active Directory Domain Controller (RPC-EPMAP)

Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service.

135

%systemroot%\System32\svchost.exe

Active Directory Domain Controller (TCP-Out)

Outbound rule for the Active Directory Domain Controller service. (TCP)

Any

%systemroot%\System32\lsass.exe

Active Directory Domain Controller (UDP-Out)

Outbound rule for the Active Directory Domain Controller service. (UDP)

Any

%systemroot%\System32\lsass.exe

DNS (TCP, Incoming)

DNS inbound

53

%systemroot%\System32\dns.exe

DNS (UDP, Incoming)

DNS inbound

53

%systemroot%\System32\dns.exe

DNS (TCP, outbound)

DNS outbound

53

%systemroot%\System32\dns.exe

DNS (UDP, outbound)

DNS outbound

53

%systemroot%\System32\dns.exe

DNS RPC, incoming

Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS Service

135

%systemroot%\System32\dns.exe

DNS RPC, incoming

Inbound rule to allow remote RPC/TCP access to the DNS service

Dynamic RPC

%systemroot%\System32\dns.exe

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://thebackroomtech.wordpress.com/2008/02/28/windows-server-2008-firewall-ports/

  • Anonymous
    June 28, 2010
    Thanks for a great summary. Could you expand on which ports are in the Dynamic RPC range for Windows Server 2008 R2?

  • Anonymous
    January 22, 2012
    keep up! continue expanding your article.

  • Anonymous
    April 22, 2013
    When it says inbound and outbound that means from where to where?

  • Anonymous
    June 04, 2013
    Inbound/Outbound You are the server: You want a resource on the network you need an outbound connection to that resource so you can get there. You are the server: You provide a service to other nodes on the network, you need the ports open inbound for that service, so they can get to you.