Appendix I: Using Port Scanning Tools to Audit the Security Configuration of Deployment Servers

To minimize the risk of the deployment infrastructure being compromised across the network, always place deployment servers on a private network. In addition, verify that no unnecessary network services are listening for connections. A convenient way to determine which network services are listening for connections on a computer is to use a port-scanning tool such as Nmap. (For more information about Nmap, visit https://www.insecure.org/nmap.)

An Active Directory server has more ports open than any other server in the distribution infrastructure, as shown in the following list. Any additional ports should be considered a security risk, so evaluate whether the network service that is listening for inbound connections on that port is necessary.

  • 53/TCP. Domain Name System (DNS); required to enable clients to locate servers

  • 88/TCP. Kerberos; required for authentication

  • 389/TCP. Lightweight Directory Access Protocol (LDAP); required to locate resources in the Active Directory

  • 445/TCP. Common Internet File System (CIFS); required for file sharing and some applications

  • 464/TCP. Kerberos; required for authentication

  • 593/TCP. RPC; required for several different network services

  • 636/TCP. Encrypted LDAP; required to locate resources in Active Directory

  • 3268/TCP and 3269/TCP. Active Directory global catalog requests

Assuming that the build server is hosting Windows DS and also acting as the image server and DHCP server, it must listen for incoming packets on only the following ports:

  • 67-68/UDP. Dynamic Host Configuration Protocol (DHCP); used to assign IP addresses; these ports are required only on the computer that provides DHCP addresses to distribution clients

  • 69/UDP. Trivial FTP (TFTP); used to transfer images to distribution clients

  • 137/UDP, 138/UDP, 139/TCP. NetBIOS over TCP/IP; required for file sharing and some applications

  • 445/TCP/UDP. CIFS; required for file sharing and some applications

Ports that any Windows computer might use include:

  • 123/UDP. Network Time Protocol (NTP); used to keep time synchronized between computers

  • 135/TCP. RPC; required for several different network services

  • 137/UDP, 138/UDP, 139/TCP. NetBIOS over TCP/IP; required for file sharing and some applications

  • 445/TCP/UDP. CIFS; required for file sharing and some applications

  • 4500/UDP. Used by IPSec to establish authenticated and encrypted network connections

  • 1024+/TCP/UDP. Used by various applications.
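The audit this appendix describes, comparing what Nmap finds listening against the per-role lists above, can be automated. The following script is an added example and is not part of the BDD 2007 documentation; it assumes Nmap's grepable output format (`-oG`), encodes the allowlists transcribed from the three lists above, and runs over a constructed sample scan of two hypothetical hosts.

```python
import re

# Port allowlists transcribed from the lists in this appendix, as (port, protocol).
AD_PORTS = {(53, "tcp"), (88, "tcp"), (389, "tcp"), (445, "tcp"), (464, "tcp"),
            (593, "tcp"), (636, "tcp"), (3268, "tcp"), (3269, "tcp")}
BUILD_PORTS = {(67, "udp"), (68, "udp"), (69, "udp"), (137, "udp"), (138, "udp"),
               (139, "tcp"), (445, "tcp"), (445, "udp")}
COMMON_PORTS = {(123, "udp"), (135, "tcp"), (137, "udp"), (138, "udp"), (139, "tcp"),
                (445, "tcp"), (445, "udp"), (4500, "udp")}
ROLES = {"ad": AD_PORTS | COMMON_PORTS, "build": BUILD_PORTS | COMMON_PORTS}

# Nmap grepable output (-oG) puts each host on one line:
#   Host: <ip> (<name>)  Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
# Only "open" and "open|filtered" (UDP) states count as listening.
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")

def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for the ports Nmap reported as open."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports = {(int(p), proto) for p, _state, proto in PORT_RE.findall(line)}
        result.setdefault(host, set()).update(ports)
    return result

def audit(open_ports, role):
    """Split a host's open ports into unexpected low ports and 1024+ ports to review.

    Ports 1024 and above are listed by the appendix as used by various applications,
    so they are reported separately for manual review rather than flagged outright.
    """
    allowed = ROLES[role]
    unexpected = sorted(p for p in open_ports if p not in allowed and p[0] < 1024)
    review = sorted(p for p in open_ports if p not in allowed and p[0] >= 1024)
    return unexpected, review

# Constructed sample scan: the build server is also listening on Telnet and a high port.
SAMPLE = """# Nmap 4.20 scan initiated as: nmap -sS -sU -oG - 10.0.0.5 10.0.0.6
Host: 10.0.0.5 (dc01)  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3268/open/tcp//globalcatLDAP///  Ignored State: closed (1692)
Host: 10.0.0.6 (build01)  Ports: 23/open/tcp//telnet///, 69/open|filtered/udp//tftp///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 5000/open/tcp//upnp///
"""

if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE).items():
        role = "ad" if host == "10.0.0.5" else "build"
        unexpected, review = audit(ports, role)
        print(f"{host} ({role}) unexpected: {unexpected} review: {review}")
```

Run it against real output with `nmap -sS -sU -oG scan.txt <server>` and feed the file to `parse_grepable`; any port in the unexpected list is a service to justify or disable.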
