Site Server - Protocol and Ports that Control Access to Services
Internet Customer Unit
April 1999
Introduction
This document provides filter settings that network operators can review to address security issues in their environment and control which protocols and ports are reachable on their servers running the Microsoft® Windows NT® Server operating system. The filter settings can be applied on any of the following devices and software:
Network access servers that support filter settings.
Routers.
Firewalls.
Windows NT Server computers with the Routing and Remote Access Service (RRAS) version 1.0 installed.
Note: This document contains information that requires periodic updates. Use it as a reference, and check the original source locations for the most recent filter settings.
NetBIOS Messages and Name Resolution Behavior
Network operators can apply the following registry settings to control NetBIOS messaging and name resolution behavior on any computer running the Microsoft® Windows NT® Server operating system. Service Start values are REG_DWORD: 0x2 is Automatic, 0x3 is Manual (demand start) and 0x4 is Disabled.
Messages
These settings stop the Alerter and Messenger services from starting automatically, so the server neither sends NetBIOS administrative alerts nor listens for incoming messages through the Messenger service. A Start value of 0x3 (Manual) still lets an administrator start the service on demand; use 0x4 (Disabled) if the service must never run.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
Start = REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
Start = REG_DWORD 0x3
Name Resolution
These settings stop the Computer Browser service and switch NetBT to P-node (NodeType 0x2, WINS-only) name resolution with DNS enabled and LMHOSTS disabled, so the server no longer broadcasts NetBIOS name queries on UDP port 137 or sends browser datagrams on UDP port 138. NetBT still listens on ports 137, 138 and 139 while it is bound to an interface, so use the packet filters derived from the table below to block those ports from untrusted networks. The NetBT parameters take effect after a restart.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
Start = REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
EnableDNS = REG_DWORD 0x1
EnableLMHOSTS = REG_DWORD 0x0
NodeType = REG_DWORD 0x2
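The following script is an added example and is not part of the original Microsoft document. It audits a server's registry against the six values listed in the two sections above, decodes the Start and NodeType numbers into their meanings, and reports every deviation. The expected values are the document's; the `SAMPLE` snapshot is a constructed picture of an unhardened server, and `read_live()` is an assumed helper that reads the same values from the local registry when run on Windows.

```python
"""Audit the NetBIOS / Messenger hardening registry values (added example).

The EXPECTED values come from the document; SAMPLE is a constructed snapshot
of a server that has not been hardened.  read_live() needs the Windows-only
winreg module and is not called by the audit itself, so audit() runs anywhere.
"""
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# Meaning of the Start value of a Windows NT service (SERVICE_START_TYPE).
START_TYPES = {0x2: "Automatic", 0x3: "Manual", 0x4: "Disabled"}
# Meaning of the NetBT NodeType value.
NODE_TYPES = {0x1: "B-node (broadcast)", 0x2: "P-node (WINS only)",
              0x4: "M-node (broadcast, then WINS)", 0x8: "H-node (WINS, then broadcast)"}

# (subkey relative to Services, value name) -> value the document recommends
EXPECTED = {
    ("Alerter", "Start"): 0x3,
    ("Messenger", "Start"): 0x3,
    ("Browser", "Start"): 0x3,
    (r"NetBT\Parameters", "EnableDNS"): 0x1,
    (r"NetBT\Parameters", "EnableLMHOSTS"): 0x0,
    (r"NetBT\Parameters", "NodeType"): 0x2,
}

# Constructed snapshot of an unhardened server: services start automatically,
# LMHOSTS is on, DNS is off and NodeType is absent (so NetBT broadcasts).
SAMPLE = {
    ("Alerter", "Start"): 0x2,
    ("Messenger", "Start"): 0x2,
    ("Browser", "Start"): 0x2,
    (r"NetBT\Parameters", "EnableDNS"): 0x0,
    (r"NetBT\Parameters", "EnableLMHOSTS"): 0x1,
}


def describe(value_name, value):
    """Human-readable form of a registry value (None means the value is absent)."""
    if value is None:
        return "missing"
    if value_name == "Start":
        return START_TYPES.get(value, hex(value))
    if value_name == "NodeType":
        return NODE_TYPES.get(value, hex(value))
    return hex(value)


def audit(snapshot):
    """Compare a snapshot {(subkey, name): value} with EXPECTED.

    Returns a list of (full key path, value name, actual, expected, ok).
    """
    findings = []
    for (subkey, name), want in EXPECTED.items():
        have = snapshot.get((subkey, name))
        path = "HKLM\\" + SERVICES_KEY + "\\" + subkey
        findings.append((path, name, have, want, have == want))
    return findings


def deviations(snapshot):
    """Only the findings that do not match the recommended value."""
    return [f for f in audit(snapshot) if not f[4]]


def read_live():
    """Read the audited values from the local registry (Windows only; assumed helper)."""
    import winreg  # present only on Windows
    snapshot = {}
    for subkey, name in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + "\\" + subkey) as key:
                snapshot[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: reported as "missing" by describe()
    return snapshot


if __name__ == "__main__":
    for path, name, have, want, ok in audit(SAMPLE):
        status = "ok " if ok else "FIX"
        print(f"{status} {path}\\{name}: {describe(name, have)} (want {describe(name, want)})")
```

On a Windows NT host, replace `SAMPLE` with `read_live()`; a service whose Start reads "Manual" is stopped at boot but can still be started by anyone holding the right to start services, which is the reason the script prints the decoded start type rather than only a pass/fail.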
Services Protocol and Port Usage
Referenced Protocol Numbers
TCP = 6
UDP = 17
GRE (used by PPTP) = 47
Table of Services/Protocols/Ports
The Client/Server Request Port is the source port used by the side that opens the exchange; Service Port In and Service Port Out are the ports the service listens on and replies from. Blank cells are blank in the source. Ports marked Dynamic are negotiated at run time and cannot be expressed in a static filter.

| Service | Protocol | Client/Server Request Port | Service Port In | Service Port Out |
|---|---|---|---|---|
| Browsing of NetBIOS over TCP/IP | UDP (requests) | 137 | 137 | 137 |
| | UDP (datagram responses) | 138 | 138 | 138 |
| Content replication service | TCP | | | 507 |
| CyberCash | TCP (credit gateway) | | | 8000 |
| | TCP (admin) | | | 8001 |
| | TCP (coin gateway) | | | 8002 |
| DHCP lease | UDP (request) | | | 67 |
| | UDP (response) | | | 68 |
| DNS (client to server lookup) | TCP or UDP (depends on software) | 1024-5000 | 53 | 53 |
| DNS (server to server lookup) | TCP or UDP (depends on software) | 53 | 53 | 53 |
| DNS (primary to secondary zone transfer) | TCP | 53 | 53 | 1024-5000 |
| DNS (primary to secondary SOA record transfer) | UDP | 53 | 53 | 53 |
| File shares | UDP (name lookup) | | | 137 |
| | TCP (session) | | | 139 |
| FTP-data | TCP | | | 20 |
| FTP | TCP | | | 21 |
| HTTP | TCP | | | 80 |
| HTTP over Secure Sockets Layer (SSL) | TCP | | | 443 |
| IMAP4 | TCP | | | 143 |
| IRC | TCP | | | 531 |
| ISPMOD (SBS 2nd tier DNS registration wizard) | TCP | | | 1234 |
| LDAP | TCP | | | 389 |
| LDAP (SSL) | TCP | | | 636 |
| Membership DPA | TCP | | | 568 |
| Membership MSN | TCP | | | 569 |
| Microsoft Chat (michat) | TCP (server to server) | | | 6665 |
| | TCP (client to server) | | | 6667 |
| NetBT | UDP (name lookups) | | | 137 |
| | UDP (datagrams) | | | 138 |
| | TCP (service sessions) | | | 139 |
| NetMeeting | TCP (user location service) | | | 522 |
| | TCP (T.120) | | | 1503 |
| | TCP (audio call control) | | | 1731 |
| | UDP (RTP audio stream) | | | Dynamic |
| NetShow (with protocol rollover) | UDP | TCP/1755 | TCP/1755 | UDP/1755 |
| | TCP | | 1755 | 1755 |
| | HTTP | 80 | 80 | 80 |
| | Multicast | 1-65000 | 1-65000 | 1-65000 |
| | DCOM | 135 | 135 | 1024-5000 |
| NNTP | TCP | | | 119 |
| POP3 | TCP | | | 110 |
| PPTP | TCP (control connection) | | | 1723 |
| | GRE (protocol 47, tunneled data; no port) | | | n/a |
| Printer sharing | UDP (name lookup) | | | 137 |
| | TCP (session) | | | 139 |
| RADIUS | UDP (authentication) | | | 1645 or 1812 |
| | UDP (accounting) | | | 1646 or 1813 |
| referral.microsoft.com (Internet Explorer and SBS signup referrals) | TCP | | | 80 |
| RPC (for example, User Manager, Server Manager) | TCP (endpoint mapper) | | | 135 |
| | TCP (session ports) | | | Dynamic |
| SMTP | TCP | | | 25 |
| SNMP | UDP | | | 161 |
| SNMP trap | UDP | | | 162 |
| SQL Server (named pipes client; supports encryption over NetBEUI, IPX/SPX, TCP/IP) | UDP (name lookup) | | | 137 |
| | TCP (session) | | | 139 |
| SQL Server (TCP client) | UDP/TCP (DNS name lookup) | | | 53 |
| | TCP (session) | | | 1433 |
| SQL Server (RPC client; supports encryption over NetBEUI, IPX/SPX, TCP/IP) | UDP (name lookup) | | | 137 |
| | TCP (endpoint mapper) | | | 135 |
| | TCP (session) | | | 1024-5000 |
| SQL Server (RPC client using a fixed port, see Knowledge Base article 164667) | TCP (session queries) | | | 1500 |
| | TCP (session replication) | | | 2500 |
| Telnet | TCP | | | 23 |
| WINS registration | UDP (NetBIOS over TCP/IP name service) | | | 137 |
| WINS replication | TCP | | | 42 |
| Windows Challenge/Response (NTLM) authentication | TCP (NetBIOS over TCP/IP session service) | | | 139 |
| X.400 | TCP | | | 102 |

Note that DHCP runs over UDP, not TCP, and that PPTP needs two filter entries: TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunneled data, which carries no port number.
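The table is most useful when turned into a filter allow-list, so here is an added example that is not part of the original document. It transcribes a subset of the table as data, builds the minimal set of (protocol number, protocol, port) entries needed to expose a chosen set of services, warns about services whose ports are Dynamic and therefore cannot be pinned by a static filter (the fixed-port approach of Knowledge Base article 164667 is the workaround for RPC), and lists every service that breaks if the NetBIOS ports 137/138/139 are filtered. The service names used as keys and the rule tuple format are assumptions; adapt them to the rule syntax of your router, firewall or RRAS packet filter.

```python
"""Derive a static inbound filter allow-list from the service/port table (added example).

SERVICES is transcribed from the table above (inbound service ports only); the
service names used as keys and the (protocol number, protocol, port) rule
format are assumptions, not anything the document or a product defines.
"""

# From the "Referenced Protocol Numbers" section.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47}

# service -> list of (protocol, inbound service port).  "Dynamic" marks ports
# negotiated at run time; None marks a protocol without ports (GRE).
SERVICES = {
    "HTTP": [("tcp", 80)],
    "HTTP (SSL)": [("tcp", 443)],
    "SMTP": [("tcp", 25)],
    "POP3": [("tcp", 110)],
    "DNS": [("tcp", 53), ("udp", 53)],
    "File shares": [("udp", 137), ("tcp", 139)],
    "Printer sharing": [("udp", 137), ("tcp", 139)],
    "NetBT": [("udp", 137), ("udp", 138), ("tcp", 139)],
    "WINS registration": [("udp", 137)],
    "WINS replication": [("tcp", 42)],
    "Windows Challenge/Response authentication": [("tcp", 139)],
    "SQL Server (named pipes client)": [("udp", 137), ("tcp", 139)],
    "SQL Server (TCP client)": [("tcp", 1433)],
    "RPC": [("tcp", 135), ("tcp", "Dynamic")],
    "SQL Server (RPC client, fixed port per KB 164667)": [("tcp", 135), ("tcp", 1500), ("tcp", 2500)],
    "PPTP": [("tcp", 1723), ("gre", None)],
    "RADIUS": [("udp", 1812), ("udp", 1813)],
    "NetMeeting": [("tcp", 522), ("tcp", 1503), ("tcp", 1731), ("udp", "Dynamic")],
}

# The NetBIOS over TCP/IP trio shared by file/print sharing, WINS, NTLM and SQL named pipes.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}


def build_allow_list(exposed):
    """Return (rules, warnings) for the services named in `exposed`.

    rules    - sorted, de-duplicated list of (protocol number, protocol, port);
               GRE has no port and is listed with port None
    warnings - one line per service that needs a port a static filter cannot express
    """
    rules = set()
    warnings = []
    for name in exposed:
        if name not in SERVICES:
            raise KeyError(f"unknown service {name!r}; add it to SERVICES from the table")
        for proto, port in SERVICES[name]:
            if port == "Dynamic":
                warnings.append(f"{name}: {proto.upper()} port is negotiated at run time; "
                                "pin it to a fixed port (KB 164667 for RPC) or do not expose it")
                continue
            rules.add((PROTO_NUMBERS[proto], proto, port))
    return sorted(rules, key=lambda r: (r[0], -1 if r[2] is None else r[2])), warnings


def netbios_dependents(services=SERVICES):
    """Services that stop working once UDP 137/138 and TCP 139 are filtered."""
    return sorted(name for name, ports in services.items() if NETBIOS_PORTS & set(ports))


if __name__ == "__main__":
    rules, warnings = build_allow_list(["HTTP", "HTTP (SSL)", "SMTP", "PPTP", "RPC"])
    for number, proto, port in rules:
        print(f"permit {proto.upper():4} (ip proto {number:2}) port {'-' if port is None else port}")
    for line in warnings:
        print("WARNING:", line)
    print("blocked by a NetBIOS filter:", ", ".join(netbios_dependents()))
```

Apply the generated entries as inbound permits and deny everything else; the Dynamic warnings are the services for which a port-based filter alone is not enough, and the NetBIOS dependents list is the impact check to run before filtering ports 137 through 139 on a server that also serves files, printers, WINS or SQL Server over named pipes.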