Key firewall ports for Windows Server 2008

Some might say that security has gone mad these days: gone are the times when we only used firewalls to protect our internal network infrastructure from external attack. I now see many of our customers deploying internal firewalls to protect their sites, which at the same time causes poor old Active Directory some challenges.

With this growing popularity in mind, I figured it would be useful to list the main ports that need to be open in a simple table. One customer seemed to like it, so I thought I may as well share it with you all. You never know when you will need it.
| Possible rule name | Description | Port | Path |
|---|---|---|---|
| Active Directory Domain Controller - Kerberos TCP | Inbound rule for the Active Directory Domain Controller service to allow authentication traffic | 88 | System |
| Active Directory Domain Controller - Kerberos UDP | Inbound rule for the Active Directory Domain Controller service to allow authentication traffic | 88 | System |
| Active Directory Domain Controller - Kerberos password change TCP | Inbound rule for the Active Directory Domain Controller service to allow Kerberos password changes over TCP | 464 | System |
| Active Directory Domain Controller - Kerberos password change UDP | Inbound rule for the Active Directory Domain Controller service to allow Kerberos password changes over UDP | 464 | System |
| Active Directory Domain Controller - LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389) | 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - LDAP (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389) | 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268) | 3268 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - NetBIOS name resolution (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138) | 138 | System |
| Active Directory Domain Controller - SAM/LSA (NP-TCP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445) | 445 | System |
| Active Directory Domain Controller - SAM/LSA (NP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445) | 445 | System |
| Active Directory Domain Controller - Secure LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636) | 636 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269) | 3269 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - W32Time (NTP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123) | 123 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (RPC) | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service. | Dynamic RPC | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service. | 135 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (TCP-Out) | Outbound rule for the Active Directory Domain Controller service. (TCP) | Any | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (UDP-Out) | Outbound rule for the Active Directory Domain Controller service. (UDP) | Any | %systemroot%\System32\lsass.exe |
| DNS (TCP, Incoming) | DNS inbound | 53 | %systemroot%\System32\dns.exe |
| DNS (UDP, Incoming) | DNS inbound | 53 | %systemroot%\System32\dns.exe |
| DNS (TCP, Outbound) | DNS outbound | 53 | %systemroot%\System32\dns.exe |
| DNS (UDP, Outbound) | DNS outbound | 53 | %systemroot%\System32\dns.exe |
| DNS RPC, incoming | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS service | 135 | %systemroot%\System32\dns.exe |
| DNS RPC, incoming | Inbound rule to allow remote RPC/TCP access to the DNS service | Dynamic RPC | %systemroot%\System32\dns.exe |
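When an internal firewall sits between clients and a domain controller, the quickest way to find out which of the rows above is being blocked is to probe each TCP port from the client side and distinguish a timeout (the firewall is silently dropping the packet) from a refusal (the packet arrives but nothing is listening). The script below is an added example, not part of the original post; the domain controller name `dc01.example.local` is an assumed placeholder, and the port list is taken from the table. It uses only `System.Net.Sockets.TcpClient`, so it runs on the PowerShell 2.0 that ships with Windows Server 2008 without the later NetSecurity cmdlets.

```powershell
# Added example: probe the TCP ports from the table on a domain controller and
# report Open / Closed (refused) / Filtered (timed out) for each one.
# $DomainController is an assumed placeholder; replace it with your DC name or IP.
param(
    [string]$DomainController = "dc01.example.local",   # placeholder, assumed
    [int]$TimeoutMs = 2000
)

# TCP ports from the table. UDP (88, 464, 389, 138, 445, 123, 53) is connectionless
# and cannot be verified with a connect test, so it is not probed here.
$tcpPorts = @(
    @{ Port = 88;   Name = "Kerberos" },
    @{ Port = 464;  Name = "Kerberos password change" },
    @{ Port = 389;  Name = "LDAP" },
    @{ Port = 636;  Name = "Secure LDAP" },
    @{ Port = 3268; Name = "LDAP for Global Catalog" },
    @{ Port = 3269; Name = "Secure LDAP for Global Catalog" },
    @{ Port = 445;  Name = "SAM/LSA over Named Pipes (SMB)" },
    @{ Port = 135;  Name = "RPC Endpoint Mapper (AD DS and DNS)" },
    @{ Port = 53;   Name = "DNS" }
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect asynchronously so a dropped packet does not hang for the OS default timeout.
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return "Filtered (timeout - likely dropped by a firewall)"
        }
        # EndConnect throws if the host answered with a reset (nothing listening).
        $client.EndConnect($async)
        return "Open"
    } catch {
        return "Closed (refused - host reachable, service not listening)"
    } finally {
        $client.Close()
    }
}

foreach ($entry in $tcpPorts) {
    $result = Test-TcpPort -Computer $DomainController -Port $entry.Port -Timeout $TimeoutMs
    "{0,-5} {1,-36} {2}" -f $entry.Port, $entry.Name, $result
}
```

The "Dynamic RPC" rows in the table cannot be checked with a fixed port list: after the endpoint mapper on 135 answers, the client is told a port from the server's dynamic range (49152 to 65535 by default on Windows Server 2008), so the internal firewall needs that range open towards the DC as well, or the range must be restricted on the server and the firewall rule matched to it. A result of "Open" on 135 combined with RPC-dependent tools still failing is the usual sign that the dynamic range is what the firewall is dropping.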