Key Firewall ports for Windows server 2008

Some just might say that security has gone mad these days, gone are the times when we only used firewalls to protect our internal network infrastructure from external attack. Certainly I now see many of our customers deploying internal firewalls to protect their sites but at the same time, cause poor old Active Directory some challenges.

Therefore with this ever growing popularity I figured it would be nice to have the main ports required to be open listed on a simple table. As one customer seemed to like it, I thought I may as well give it to you all. You never know if you will need it.

 

Possible Rule name

Description

Port

Path

 Active Directory Domain Controller - Kerberos

TCP

 Inbound rule for the Active Directory Domain Controller service to allow authentication traffic

88 

 System

Active Directory Domain Controller - Kerberos

UDP

Inbound rule for the Active Directory Domain Controller service to allow authentication traffic

88 

 System

Active Directory Domain Controller - Kerberos password change

TCP

 Inbound rule for the Active Directory Controller service to allow Kerberos password changes over TCP

464 

 System

Active Directory Domain Controller - Kerberos password change

UDP

 Inbound rule for the Active Directory Controller service to allow Kerberos password changes over TCP

 

464 

 System

Active Directory Domain Controller - LDAP (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389)

389

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - LDAP (UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389)

389

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268)

3268

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - NetBIOS name resolution (UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138)

138

System

Active Directory Domain Controller - SAM/LSA (NP-TCP-In)

Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445)

445

System

Active Directory Domain Controller - SAM/LSA (NP-UDP-In)

Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445)

445

System

Active Directory Domain Controller - Secure LDAP (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636)

636

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)

Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269)

3269

%systemroot%\System32\lsass.exe

Active Directory Domain Controller - W32Time (NTP-UDP-In)

Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123)

123

%systemroot%\System32\svchost.exe

Active Directory Domain Controller (RPC)

Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service.

Dynamic RPC

%systemroot%\System32\lsass.exe

Active Directory Domain Controller (RPC-EPMAP)

Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service.

135

%systemroot%\System32\svchost.exe

Active Directory Domain Controller (TCP-Out)

Outbound rule for the Active Directory Domain Controller service. (TCP)

Any

%systemroot%\System32\lsass.exe

Active Directory Domain Controller (UDP-Out)

Outbound rule for the Active Directory Domain Controller service. (UDP)

Any

%systemroot%\System32\lsass.exe

DNS (TCP, Incoming)

DNS inbound

53

%systemroot%\System32\dns.exe

DNS (UDP, Incoming)

DNS inbound

53

%systemroot%\System32\dns.exe

DNS (TCP, outbound)

DNS outbound

53

%systemroot%\System32\dns.exe

DNS (UDP, outbound)

DNS outbound

53

%systemroot%\System32\dns.exe

DNS RPC, incoming

Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS Service

135

%systemroot%\System32\dns.exe

DNS RPC, incoming

Inbound rule to allow remote RPC/TCP access to the DNS service

Dynamic RPC

%systemroot%\System32\dns.exe