TCP/IP Port Filtering
Applies To: Windows Server 2003, Windows Server 2003 with SP1
TCP/IP port filtering is the practice of selectively enabling or disabling Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports on computers or network devices. When used in conjunction with other security practices, such as deploying firewall software at your Internet access point, applying port filters to intranet and Internet servers insulates those servers from many TCP/IP-based security attacks, including internal attacks by malicious users.
An Internet or intranet host, such as a computer or network device on a TCP/IP-based network, uses a combination of an IP address and port number to communicate with an application or service running on another Internet or intranet host. Together, an IP address and port number make up a socket. Because TCP/IP hosts are assigned a unique IP address, and standard TCP/IP-based applications and services typically use a specific TCP or UDP port number, sockets can direct communications between specific applications or services running on specific hosts.
A port number is identified in a TCP or UDP packet header and represents the transport protocol address of a specific application and service that uses TCP or UDP. For example, HTTP services use TCP port 80 by default, Telnet uses TCP port 23 by default, and Simple Network Management Protocol (SNMP) uses UDP port 161 by default.
The Internet Assigned Numbers Authority (IANA) categorizes TCP and UDP ports into three categories. Table 5.18 lists these categories.
Table 5.18 IANA Categories of TCP and UDP Ports
| Port Category | Port Number | Range Description |
|---|---|---|
Well-known ports |
0–1023 |
Typically used by standard system processes or programs that are executed by users with administrator credentials. Assigned by IANA. |
Registered ports |
1024–49151 |
Used by ordinary user processes or programs that are executed by ordinary users. IANA does not assign these ports, but registers use of them as a convenience for the TCP/IP community. |
Dynamic or private ports |
49152–65535 |
Unassigned and unregistered ports used for private applications, client-side processes, or other processes that dynamically allocate port numbers. |
Typically, the server side of a TCP or UDP process listens to the associated well-known port number. The client side of the process uses either the well-known port number or, more commonly, a dynamically allocated port number that is assigned only for the duration of the process.
To enable communications with the applications and services that your servers use, you must ensure that the associated ports are enabled. However, because malicious users on your internal network can attempt to exploit enabled ports to attack your servers, you should disable the TCP and UDP ports on your servers that are not used. This reduces the avenues of attack to your servers and improves the security of hosts that connect to your servers.
Important
Server-based port filtering is not the only method you should use to secure your servers and network from TCP/IP-based security attacks. To provide a more complete network security solution, you should also deploy network firewall software at your Internet access point.
Table 5.19 lists some of the default TCP port numbers for processes that are commonly used with Internet services.
Table 5.19 TCP Ports and Associated Services
| Default TCP Port Number | Internet Service |
|---|---|
20 |
FTP Data Channel |
21 |
FTP Control Channel |
23 |
Telnet (enabled on some intranet or Internet servers) |
25 |
Simple Mail Transfer Protocol (SMTP) |
80 |
HTTP for World Wide Web |
119 |
Network News Transfer Protocol (NNTP) |
443 |
Hypertext Transfer Protocol over TLS/SSL (HTTPS) for secure World Wide Web |
563 |
Network News Transfer Protocol over TLS/SSL (NNTPS) |
Notes
Windows Media Services can provide streaming media services over unicast or multicast IP through a variety of static or dynamic UDP and TCP ports, or through a single port, depending on the configuration. You can also configure Windows Media Services to provide HTTP streaming media services through the default HTTP port, which is TCP port 80. For more information about Windows Media Services, see Help and Support Center for Windows Server 2003, and search for Using Windows Media Services.
SSL 3.0 and Transport Layer Security (TLS) provide a way for clients and servers to exchange encrypted information. SSL 3.0 and TLS also provide a way for the server to verify the identity of the client before a user logs on to a server.
Table 5.20 lists the well-known UDP port numbers for the processes that are commonly used with Internet services.
Table 5.20 UDP Ports and Associated Services
| UDP Port Number | Service |
|---|---|
53 |
DNS name queries (supports some Internet services) |
161 |
SNMP |
For a list of TCP and UDP port numbers that are used by Windows Server 2003, see the services.txt file in the systemroot\System32\Drivers\Etc folder.
Related Information
For more information about network firewalls, see Microsoft Internet Security and Accelerations Server.