What is to be gained by closing ports on a network above 1024?

Posted on 2006-05-06
Last Modified: 2013-12-04
This is a theoretical question and now I find it interesting. On a corporate network, if one is already blocking all well-known tcp ports on every VLAN that are not explicitly required for business, what is to be gained by blocking tcp ports 1024 to 65,535? Assume in this scenario that outbound traffic to the Internet is limited to HTTP, SSL, FTP, mail etc. What are the risks to Windows boxes? What kinds of problems should one expect with inter-VLAN traffic? At first glance, worms seem like they may be an issue. Obviously high-level hackers will have a heyday with that many open ports, but for average risks, what should one expect for Windows to Windows traffic?
Question by:awakenings
    LVL 11

    Assisted Solution

    Basically think of it this way. An open port is like an open door to your own house. It is not that everybody will come in, but there are people who would. In the IT world of security you never know what is going to happen when you leave the doors open. On every port there is a potential service that can be compromised through a known exploit or operating system vulnerability. And when you close all ports it is relative to say that all windows and doors are closed. It's not foolproof, however. Windows is very chatty about information exchange, especially to make file sharing simpler. Also RPC port exposure can become an issue if you do not keep up with Service Packs and patches. All in all, it's recommended that you keep your shields up at all times. Sure, paranoid sometimes, but better than nothing.

    Author Comment


          Thanks. Interestingly enough, it is RPC that makes me wonder. By default, it needs all those ports open for communication. With a simple reg change, the ports can be brought down to one port we would open across the network. I am very aware of the theory and the potential and I can list hacker tools that someone on the inside might use, but I'm trying to understand the risk. At first glance, it actually seems pretty low given our patching schedule and hardening standards. I guess I look at it this way. On one level one could have 60,000+ ports open. On the other level, it seems that risks are both unknown and possibly fairly low except for the very real threat of worms. But an RPC worm, say a new variant of Blaster, could be a zero-day exploit and would hit our systems no matter if the ports are open or closed because it is moving over RPC. Does anyone think there are any real threats in keeping the tcp ports above 1023 open? Are there any examples?
    LVL 38

    Assisted Solution

    by:Rich Rumble
    If you have a service/app listening on any port, you have a risk of entry via bug, exploit, buffer overflow etc... The port range or number is insignificant to the threat. It sounds like we're referring to the ephemeral port range of many OS's TCP/OSI stack.
    Most communication on the internet isn't one to one, meaning if I go to and look at a "netstat" command to see what ports I'm using, I'll see my PC has picked a port in the ephemeral port range, and chosen the default port for http, port 80, as the destination. Even though my PC is using port "12345" for example to communicate to port 80, that doesn't mean my PC has port 12345 open and a service listening on that port.

    Most folks only implement ingress filtering techniques on their LAN: block all ports incoming, except this, this and this. Very few implement egress filtering: block all outgoing destination ports except this, this and this.
    I don't see the need to target 1024-65535 any more than 1-1024 if applying egress filters; you're not looking to block the PC from using some randomly assigned port, you're looking to block the traffic for a certain destination port, regardless of IP. If I wanted to stop msblaster from propagating out of my network and onto someone else's, I'd block destination port 69 udp and destination ports 139,445 udp/tcp to any IP that wasn't 10.x.x.x (if you use a different RFC 1918 subnet, it'd be 192.168.x.x or 172.16.x.x). That way my users can still access ports 445,139 internally; I'd apply the ACL/port filter for ms-blast to the public interface, so the private IPs would be unaffected.
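The distinction drawn above, between a port a PC happens to be using as the source of an outbound connection and a port on which a service is actually listening, is easy to check from `netstat` output. The following is an added example, not code from the answer or from any product: it parses a constructed `netstat -an`-style listing (Windows format, with `LISTENING`/`ESTABLISHED` states), separates listening sockets from client connections whose local side is an ephemeral port, and answers "is anything actually exposed on port N?". The sample addresses (10.1.2.x, 203.0.113.x) and the simplification that everything at or above 1024 counts as ephemeral are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the shape of Windows `netstat -an` output; not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.2.15:12345        203.0.113.10:80        ESTABLISHED
  TCP    10.1.2.15:12346        203.0.113.10:443       ESTABLISHED
  TCP    10.1.2.15:49200        10.1.2.20:445          ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Assumption for the example: treat 1024+ as the client-side (ephemeral) range.
EPHEMERAL_MIN = 1024

@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for an unconnected UDP socket ("*:*")
    state: str                   # "" when netstat prints no state (UDP)

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lip>\S+):(?P<lport>\d+)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+|\*)\s*(?P<state>[A-Z_]+)?\s*$"
)

def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat lines into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rport = m.group("rport")
        sockets.append(Socket(
            proto=m.group("proto"),
            local_ip=m.group("lip"),
            local_port=int(m.group("lport")),
            remote_ip=m.group("rip"),
            remote_port=None if rport == "*" else int(rport),
            state=m.group("state") or "",
        ))
    return sockets

def listening_sockets(sockets: List[Socket]) -> Set[Tuple[str, int]]:
    """Ports where a service accepts inbound traffic: TCP in LISTENING, or a bound UDP socket."""
    return {
        (s.proto, s.local_port) for s in sockets
        if (s.proto == "TCP" and s.state == "LISTENING")
        or (s.proto == "UDP" and s.remote_port is None)
    }

def client_connections(sockets: List[Socket]) -> List[Tuple[int, str, int]]:
    """Outbound connections: local side is an ephemeral port, remote side is the service port."""
    return [
        (s.local_port, s.remote_ip, s.remote_port) for s in sockets
        if s.proto == "TCP" and s.state == "ESTABLISHED"
        and s.local_port >= EPHEMERAL_MIN
        and s.remote_port is not None and s.remote_port < EPHEMERAL_MIN
    ]

def is_exposed(sockets: List[Socket], proto: str, port: int) -> bool:
    """True only if something is actually listening on (proto, port) on this host."""
    return (proto, port) in listening_sockets(sockets)

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", sorted(listening_sockets(socks)))
    print("client connections:", client_connections(socks))
    # The PC is using 12345 as a source port, but nothing listens there.
    print("exposed on TCP/12345?", is_exposed(socks, "TCP", 12345))
```

Run against real `netstat -an` output, the same functions show which ports an inbound filter actually needs to protect (the `listening_sockets` set) versus which high ports merely appear because the host is a client.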

    Author Comment


         You bring up a lot of good points and I appreciate your input. I am still in the process of thinking about it. On a side note, the page I was really thinking of is:

        We currently have most of our TCP and UDP ports blocked. Apparently on the AD server (we are beginning to implement) they did not set the registry entry for RPC to 1 port. It is part of a trusted network so all AD servers across the company would need to be set. We have requirements that need us to limit our port usage to those required by business. Obviously the requirement could be argued either way. Obviously there is more than one approach to handling the issue. I am in favor of changing the registry entry across the enterprise on AD servers. I was then asked, what is the risk of opening up 60 plus thousand tcp ports. They are considering opening all TCP ports. I don't think that is a smart idea from more than one standpoint.

         So what do you think the risk is of opening up more ports? Is it 100 times worse? Twice as bad? A million times as bad? I am also not sure why you think that the well-known versus ephemeral ports is not really an important distinction in terms of blocking or not blocking TCP ports. Tell me more about your opinion.

    LVL 38

    Accepted Solution

    From what I gather, you're trying to limit the ports that are reachable on the INTERNAL LAN by using firewall rules on your routers and firewalls, or the firewalls on the PCs themselves. Typically the internal LAN is the most trusted network for most. The internet is likely the most untrusted. My argument above was more of a public vs internal firewall port rules. In either case, the fact remains that in order to exploit, overflow, hack etc... a service must be running on a port that is allowing connections. If I scan a server and see ports 80, 443, 445, 3899 are open, it means one of two things: 1.) that server only has those ports open and accepting connections because those are the only services running on that server, or 2.) the firewall is only allowing those ports to be seen as open, and it's possible that other ports on that server are listening. Nonetheless, the server will only respond to connections to those ports, and those are the ports/services that should be made more secure. If a firewall is blocking port 139 or port 5800, but that server has them listening, a hacker can't connect to them, or hope to exploit them, as the firewall will drop any packets destined for those ports.

    Security isn't a product, it's a process, to be certain. On the internal LAN, I don't see much of a need for one to block much of anything LAN-to-LAN. AD replication and user authentication are pretty much an internal (LAN) action. Even if you have remote offices, they likely tunnel into your LAN and use the same type of RFC 1918 private IP space.
    So your Chicago office has an IP space of 10.2.3.x and your Dallas office has an IP space of 10.3.4.x; both have GCs that need to send/receive replication data with the GCs you have in your location. I don't see a need to limit ports in this situation. The firewall at each location should simply allow 0-65535 back and forth for PRIVATE LAN traffic.

    If you want to be a bit more restrictive than that, then block known service ports that you don't want to allow. Or create a firewall rule that makes the GCs exempt from other firewall rules that may infringe on AD's ability to function. So if you want to block ports 1024-65535 on the LAN, you can do so, just make an exception for the GCs if that causes issues. In the article they also mention using Windows IPSEC tunneling, which is good, but M$'s version of IPSEC has exceptions built in, so you can't break AD's functions. If you turned on an IPSEC firewall on a 2000 or XP box, and use nmap to scan that IPSEC-firewalled box, you can bypass that firewall by binding your scanning (src port) to port 500 or port 88. nmap -sT -g 88
    That command will bind the scanner to use port 88 (kerberos) and when the Windows IPSEC filter sees that a packet came from port 88 (or 500) it will allow it to pass because it's an exception in that firewall. It wasn't until M$ 2003 came out that you were able to block these exceptions with IPSEC filters. (You can now do this in Win2k and XP as well.)
    So that's just an FYI.
    Personally, professionally, I don't see restricting the internal LAN traffic as much of a benefit for most. You should limit a few ports internally, such as mail ports like SMTP and POP; only specific devices/servers should be allowed to use those ports, namely your mail servers. If you have a LAN PC allowed to use those ports they are likely infected with a virus and it's spamming folks. TFTP is another one to block also for unauthorized PCs and servers; it's very common for viruses to use it as well to further DL more payload.
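The two filtering ideas in this thread, the egress rule from the earlier answer (drop 139/445 and UDP 69 towards anything outside RFC 1918 space while leaving internal traffic alone) and the internal restriction just above (only the mail servers may talk SMTP/POP, only authorized hosts may use TFTP, everything else on the LAN allowed), can be written down as an ordered, first-match policy and checked against sample flows before touching a router. The block below is an added example and not the answerer's code or any vendor's ACL syntax; the addresses, the mail-server and TFTP-client sets, and the rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# RFC 1918 private ranges, as referenced in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True if the address lies in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int   # destination port; the source port is deliberately ignored

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Flow], bool]
    action: str  # "allow" or "drop"

# Constructed for the example: the only hosts allowed to originate mail / TFTP.
MAIL_SERVERS = {"10.1.1.25"}
TFTP_CLIENTS = {"10.1.1.30"}

def build_policy() -> List[Rule]:
    """Ordered policy; the first matching rule decides. LAN default is allow."""
    return [
        # Egress rules from the earlier answer: stop worm traffic leaving private space.
        Rule("ms-blast-egress",
             lambda f: f.dport in (139, 445) and not is_private(f.dst), "drop"),
        Rule("tftp-egress",
             lambda f: f.proto == "udp" and f.dport == 69 and not is_private(f.dst), "drop"),
        # Internal restrictions from the accepted answer.
        Rule("mail-from-mail-servers-only",
             lambda f: f.proto == "tcp" and f.dport in (25, 110) and f.src not in MAIL_SERVERS, "drop"),
        Rule("tftp-authorized-only",
             lambda f: f.proto == "udp" and f.dport == 69 and f.src not in TFTP_CLIENTS, "drop"),
        # Everything else, including high ports LAN-to-LAN, is allowed.
        Rule("lan-default-allow", lambda f: True, "allow"),
    ]

def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "drop", "implicit-deny"   # unreachable with the default rule, kept for safety

def audit(policy: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows, e.g. a sample from a flow log, against the policy."""
    return [(f, *evaluate(policy, f)) for f in flows]

if __name__ == "__main__":
    policy = build_policy()
    samples = [
        Flow("tcp", "10.1.2.15", "10.1.2.20", 445),     # SMB inside the LAN
        Flow("tcp", "10.1.2.15", "203.0.113.5", 445),   # SMB leaving the LAN
        Flow("tcp", "10.1.2.15", "203.0.113.5", 25),    # workstation sending mail
        Flow("tcp", "10.1.1.25", "203.0.113.5", 25),    # mail server sending mail
        Flow("udp", "10.1.2.15", "10.1.1.40", 69),      # unauthorized TFTP client
        Flow("tcp", "10.1.2.15", "10.1.2.20", 49200),   # high port LAN-to-LAN
    ]
    for flow, action, rule in audit(policy, samples):
        print(f"{flow.proto}/{flow.dport:<5} {flow.src} -> {flow.dst}: {action} ({rule})")
```

Because only the destination port and addresses are consulted, the policy does not care which ephemeral source port a client picked, which is exactly the point made earlier about egress filtering; the high-port LAN-to-LAN flow falls through to the default allow.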
