Windows Firewall ports, what to close and what needs to be left open

Posted on 2012-03-20
Last Modified: 2012-06-22
Hello, thanks for all your help lately. I am so new to servers; I am a hardware guy. Let me know your thoughts on the below.

I am really nervous about the port configuration on my Windows 2008 server for my website. I was told by my hosting that I need to have ONLY the following 4 ports open:
80 - status - open
443 - status - open
3389 - status - open - will change to a higher number to alleviate the default configuration
* I can't see these being the only four ports open that I need.

I downloaded Nmap and ran an 'intensive port scan' to identify what's open. The following ports were identified, and I have since decided they need to stay open for the corresponding reasons, but I'm not sure if I'm right:
53 (this is Microsoft DNS) - status - open
587 (this is Microsoft Exchange) - status - open

I still have 10 other ports listed as open, and since I'm not sure if I'm doing my research correctly, I'm posting here in the hopes that someone can guide me more definitely than a google search.
Ports still open:
88- status - open
464 - status - open
593 - status - open
808 - status - open
6001 - status - open
6002 - status - open
6004 - status - open
6005 - status - open
6006 - status - open
6007 - status - open
Question by: jeffmeverett

Assisted Solution

n4th4nr1ch earned 400 total points
ID: 37743861
Your understanding of ports is still in its beginning stages, so it's confusing still. Your hosting company is not helping much either. Here's the brief explanation.

IP traffic goes both ways. In this discussion we will always consider IN to be from the internet (WAN) to your box (LAN). Ports are applicable in BOTH directions, which always confuses people new to ports, which very often includes basic support from hosting companies.

Here is the list of ports they said you have to have open. I will comment with more details:

INBOUND (from WAN to your box)
25 - you ONLY need this open IF you are planning on sending email which originates with 1 machine but gets sent or relayed from this machine. For example, if you are using your server as a mail server box. If you are only sending mail from your website, which is on the same box, then you don't need this port open. Or if you are doing something very non-standard and weird.
80 - you ONLY need this open if you are SERVING a website from this box AND using the default port (this is likely based on your description), or if you are doing something very non-standard and weird
443 - you ONLY need this open if you are using HTTPS for your website, or if you are doing something very non-standard and weird
3389 - you ONLY need this open if you are using remote desktop to connect to this web server, or if you are doing something very non-standard and weird.

OUTBOUND (from your box to WAN)
Generally you should just accept all ports.

Since you have not specified what kind of server it is, other than to say it's for your website, it's harder to pin down what you need open. The short answer is that you simply think about: WHAT is your server DOING?

For example DNS port... well.... is your server supposed to be serving DNS? Did you install and set up a DNS server software stack on it? If not, then you don't need it open.

Assisted Solution

by: Darius Ghassem
Darius Ghassem earned 100 total points
ID: 37743865
Here is a list of ports and information about the ports.

88 - TCP/UDP - Kerberos authentication system: Are you using Kerberos? Is this on a domain?

464 - TCP/UDP - Kerberos change/set password

Others depend on the website itself, but it seems like those are required.

Author Comment

ID: 37744739
The fellow EE Expert 'n4th4nr1ch' said in the above post: "Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open." Answer: I have Server 2008 Standard. I have an Exchange Server 2010 on there that handles 3 email addresses, no more; I have an SQL database as well, all on one server. Yes, I know it's not the best situation, but my developer had to do it quick and easy. It's going to be an informative site with a tiny subscription fee. I will be sending mail from it, and an automatic email is sent off from Exchange with every sign-up. ** I do need to have port 3389 open because I do have to connect remotely and the server is 1000 miles away. I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389; let me know your thoughts. Also, you mentioned something about DNS. I am not sure what 'serving DNS' means; I believe DNS is a naming system that changes the words into numbers? Not too sure; I could use a little expert schooling on that as well. I am around and checking answers ASAP!

Accepted Solution

n4th4nr1ch earned 400 total points
ID: 37744815
DNS is a service like any other, and it's served with a server. The most common one is BIND, and there are also many others such as Microsoft DNS (most commonly used with Active Directory), SimpleDNS, etc.

"I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389, let me know your thoughts."
You can change ports, but you can never name them. They are just numbers. So you can't rename RDP from 3389 to something else. You can use your firewall to redirect traffic, but then you would have to get a non-standard client that allows you to change the port you're trying to use from the client side. The short answer to this is: allow 3389 and use it. If there's a specific problem or goal, I can assure you there are much better ways to solve it than port redirection, especially on tcp/3389.

Having an email server means you will need ports open to access that. If you're using it for SMTP, which is what it sounds like, then you will need 25 open only to the places which will use the server for sending emails. For example, if you connect to this server from your home with your cellphone, well, you need that port to be open from your home at least.
But if it's only for automated emails such as registration emails on a website, then you only need that port open to those machines and not to the public.

The SQL port is almost ALWAYS only open to the machine(s) which will need to make queries and nothing else ever. If you're hosting your website from the same machine then you don't even need that open in the first place.
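
The two answers above boil down to one rule set: allow inbound only what the box actually serves, scope RDP and SMTP to known sources, and leave SQL unreachable from outside. As an added example (not from the asker or either expert), here is that rule set expressed with the netsh advfirewall tool that ships with Windows Server 2008; the management and relay-peer addresses are placeholders to replace with your own.

```powershell
# Added example, not part of the original thread. Inbound firewall rules for a
# Windows Server 2008 box that hosts a web site, Exchange and SQL Server on one
# machine, following the advice in the answers above.
# Placeholder addresses (RFC 5737 documentation ranges); replace with your own.
$MgmtIp    = "203.0.113.10"      # the one workstation that may use Remote Desktop
$SmtpPeers = "198.51.100.0/24"   # hosts allowed to send mail through this Exchange server

# Default posture: drop unsolicited inbound traffic, allow all outbound
# ("generally you should just accept all ports" outbound, per the first answer).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The web site is served to everyone, so 80 and 443 are open to any remote address.
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80  remoteip=any
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443 remoteip=any

# RDP stays on its standard port 3389, but only the management address may reach it.
netsh advfirewall firewall add rule name="RDP management only" dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtIp

# SMTP: open only to the machines that relay mail through this server, not to the public.
netsh advfirewall firewall add rule name="SMTP relay peers only" dir=in action=allow protocol=TCP localport=25 remoteip=$SmtpPeers

# SQL Server is queried only by the web site on the same machine, so it needs no
# inbound rule at all; an explicit block on the default port 1433 records that intent.
netsh advfirewall firewall add rule name="SQL no external access" dir=in action=block protocol=TCP localport=1433 remoteip=any

# Verify the result: list every inbound rule with its port, remote scope and action.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern "Rule Name|LocalPort|RemoteIP|Action"
```

Run it from an elevated PowerShell prompt on the server itself; re-run the final `show rule` command after any change so the open ports you see match what the server is actually meant to serve.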

Author Closing Comment

ID: 37787958
Great Info to go by. Thanks!
