

Unlocking restricted ports for Windows NFS Client

A very common way in the UNIX world to keep a normal user from posing as root is to restrict certain ports, commonly known as “secure ports”. Generally a daemon runs and does port monitoring to ensure that any attempt by a normal user to access such secure ports is blocked. TCP ports 1-1024 are reserved for root's use; a non-root user cannot bind to these ports.

Adding the secure option to an NFS export means that the server will only accept requests coming from ports 1-1024, so that a malicious non-root user on a client cannot come along and open a spoofed NFS dialogue from a non-reserved port. This option is set by default.

There are different ways this is implemented on the UNIX side: either as a portmon daemon or as a kernel parameter.

A Windows client contacting a UNIX NFS share may be blocked by such restrictions. To overcome this port blocking and ensure that our NFS client can talk to UNIX/Linux NFS servers on the secure ports, we need to use the “UseReservedPorts” registry value.

Under the key HKLM\Software\Microsoft\Client for NFS\CurrentVersion\default, set the DWORD value “UseReservedPorts” to 1.
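
The registry change above as an idempotent PowerShell script, run from an elevated prompt. This is an added example, not part of the original post; the key path and value name are the ones given above, and the variable names are illustrative.

```powershell
# Added example: key path and value name are taken from the text above.
$KeyPath   = 'HKLM:\Software\Microsoft\Client for NFS\CurrentVersion\default'
$ValueName = 'UseReservedPorts'
$Wanted    = 1

# The key only exists when Client for NFS is installed; do not create it blindly.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key not found: $KeyPath (is Client for NFS installed?)"
}

# Read the current value; $null means the value has never been set.
$item    = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($item) { $item.$ValueName } else { $null }

if ($current -eq $Wanted) {
    Write-Output "$ValueName is already $Wanted; nothing to change."
}
else {
    # -Force creates the value or overwrites an existing one, keeping the DWORD type.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value $Wanted -Force | Out-Null

    # Read the value back to confirm the write succeeded.
    $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
    Write-Output "$ValueName changed from '$current' to '$after'."
}

# Assumption: the text above does not say when the setting takes effect;
# verify whether existing mounts must be remounted or the client restarted.
```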