Solved

Windows Firewall ports, what to close and what needs to be left open

Posted on 2012-03-20
Last Modified: 2012-06-22
Hello, thanks for all your help lately. I am so new to servers; I am a hardware guy. Let me know your thoughts on the below.

I am really nervous about the port configuration on my Windows 2008 server for my website. I was told by my hosting that I need to have ONLY the following 4 ports open:
25 - status - open
80 - status - open
443 - status - open
3389 - status - open - will change to higher number to alleviate default configuration
* I can't see these being the only four ports open that I need.

I downloaded Nmap and ran an 'intensive port scan' to identify what's open. The following ports were identified, and I have since decided they need to stay open for the corresponding reasons, but I'm not sure if I'm right:
53 (this is Microsoft DNS) - status - open
587 (this is Microsoft Exchange) - status - open

I still have 10 other ports listed as open, and since I'm not sure if I'm doing my research correctly, I'm posting here in the hopes that someone can guide me more definitely than a google search.
Ports still open:
88- status - open
464 - status - open
593 - status - open
808 - status - open
6001 - status - open
6002 - status - open
6004 - status - open
6005 - status - open
6006 - status - open
6007 - status - open
Question by:jeffmeverett


Assisted Solution

by:n4th4nr1ch
n4th4nr1ch earned 400 total points
Your understanding of ports is still in its beginning stages so it's confusing still. Your hosting company is not helping much either. Here's the brief explanation.

IP traffic goes both ways. In this discussion we will always consider IN to be from the internet (WAN) to your box (LAN). Ports are applicable in BOTH directions, which always confuses people new to ports, which very often includes basic support from hosting companies.

Here is the list of ports they said you have to have open. I will comment with more details:

INBOUND (from WAN to your box)
25 - you ONLY need this open IF you are planning on sending email which originates with 1 machine but gets sent or relayed from this machine. For example, if you are using your server as a mail server box. If you are sending mail from your website which is on the same box, only, then you don't need this port open. Or if you are doing something very non-standard and weird
80 - you ONLY need this open if you are SERVING a website from this box AND using the default port (this is likely based on your description), or if you are doing something very non-standard and weird
443 - you ONLY need this open if you are using HTTPS for your website, or if you are doing something very non-standard and weird
3389 - you ONLY need this open if you are using remote desktop to connect to this web server, or if you are doing something very non-standard and weird.

OUTBOUND (from your box to WAN)
Generally you should just accept all ports.


Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open. The short answer is that you simply think about WHAT is your server DOING?

For example DNS port... well.... is your server supposed to be serving DNS? Did you install and set up a DNS server software stack on it? If not, then you don't need it open.
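The answer's advice is to decide each port by asking what the server is actually doing. The following is an added example (not code from the thread) that answers that question on the box itself: it maps every listening TCP port to its owning process and flags anything not on an allowlist built from the four ports discussed above. It assumes PowerShell 2.0 or later on Windows Server 2008 in an elevated prompt; the allowlist reasons are assumptions to adjust to the server's real roles.

```powershell
# Added example, not code from the thread: list what this server is actually
# listening on, with the owning process, and flag anything not on an allowlist.
# Assumes PowerShell 2.0 or later (Windows Server 2008) in an elevated prompt.

# Allowlist of the ports the thread settles on, with the reason each is needed.
# Adjust to the roles this server really has (web, Exchange, SQL, RDP).
$allowed = @{
    25   = 'SMTP: Exchange, only from hosts that relay mail through it'
    80   = 'HTTP: the website'
    443  = 'HTTPS: the website'
    3389 = 'RDP: remote administration'
}

# Parse "netstat -ano" for TCP sockets in the LISTENING state.
$listeners = foreach ($line in (netstat -ano)) {
    $f = ($line.Trim()) -split '\s+'
    if ($f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
    $port = [int](($f[1] -split ':')[-1])      # works for 0.0.0.0:80 and [::]:80
    $ownerPid = [int]$f[4]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    New-Object PSObject -Property @{
        Port     = $port
        Local    = $f[1]
        OwnerPid = $ownerPid
        Process  = $name   # PID 4 ("System") is http.sys, which fronts IIS and Exchange web services
    }
}

# Report. A listener is only exposed if the firewall has an inbound rule for it,
# so anything marked REVIEW should be checked against
# "netsh advfirewall firewall show rule name=all" before deciding to block or keep it.
foreach ($l in ($listeners | Sort-Object Port -Unique)) {
    if ($allowed.ContainsKey($l.Port)) {
        '{0,6}  {1,-16}  keep: {2}' -f $l.Port, $l.Process, $allowed[$l.Port]
    } else {
        '{0,6}  {1,-16}  REVIEW: no documented reason for this listener' -f $l.Port, $l.Process
    }
}
```

Ports such as 6001-6007 and 808 from the Nmap scan will show up here attached to Exchange or .NET processes, which is the evidence needed to decide whether an inbound rule for them is justified.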

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
Here is a list of ports and information about the ports.

88    TCP/UDP   Kerberos authentication system: Are you using Kerberos? Is this on a domain?

464   TCP/UDP   Kerberos change/set password

The others depend on the website itself, but it seems like those are required.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Author Comment

by:jeffmeverett
The fellow EE Expert 'n4th4nr1ch' said in the above post: "Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open." Answer: I have Server 2008 Standard. I have an Exchange Server 2010 on there that handles 3 email addresses, no more; I have an SQL database as well, all on one server. Yes, I know, not the best situation, but my developer had to do it quick and easy. It's going to be an informative site with a tiny subscription fee. I will be sending mail from it, and an automatic email is sent off from Exchange with every sign up. ** I do need to have port 3389 open because I do have to connect remotely and the server is 1000 miles away. I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389; let me know your thoughts. Also you mentioned something about DNS. I am not sure what 'serving DNS' means; I believe DNS is a naming system that changes the words into numbers? Not too sure, I could use a little expert schooling on that as well. I am around and checking answers asap!
Accepted Solution

by:n4th4nr1ch
n4th4nr1ch earned 400 total points
DNS is a service like any other, and it's served with a server. The most common one is BIND, and there are also many others such as Microsoft DNS (most commonly used with Active Directory), SimpleDNS, etc.

"I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389, let me know your thoughts."
You can change ports but you can never name them. They are just numbers. So you can't rename RDP from 3389 to something else. You can use your firewall to redirect traffic, but then you would have to get a non-standard client that allows you to change the port you're trying from the client side. The short answer to this is allow 3389 and use it. If there's a specific problem or goal I can assure you there are much better ways to solve it than port redirection, especially on tcp/3389.

Having an email server means you will need ports open to access that. If you're using it for SMTP, which is what it sounds like, then you will need 25 open only to places which will use the server for sending emails. For example if you connect to this server from your home with your cellphone, well you need that port to be open from your home at least.
But if it's only for automated emails such as registration emails on a website, then you only need that port open to those machines and not to the public.

The SQL port is almost ALWAYS only open to the machine(s) which will need to make queries and nothing else ever. If you're hosting your website from the same machine then you don't even need that open in the first place.
Author Closing Comment

by:jeffmeverett
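The accepted answer's rules (default-deny inbound, allow outbound, port 25 scoped to the hosts that relay through Exchange, no inbound SQL rule when the website runs on the same box) as an added example that is not code from the thread. It uses the netsh advfirewall syntax available on Windows Server 2008 in an elevated prompt; the remote addresses are placeholders from the 203.0.113.0/24 documentation range, and TCP 1433 is an assumed SQL Server default-instance port that the thread itself does not name.

```powershell
# Added example, not from the thread: the inbound policy the accepted answer
# describes, with the open-to-everyone form shown beside the scoped form.
# Assumes Windows Server 2008 netsh advfirewall in an elevated prompt.

# 1. Default-deny inbound, allow-all outbound (the thread's "accept all outbound").
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Public services: the website needs 80/443 from anywhere.
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443

# 3. SMTP. Weak form (left commented out): port 25 reachable from the whole internet.
# netsh advfirewall firewall add rule name="SMTP in" dir=in action=allow protocol=TCP localport=25 remoteip=any
# Scoped form: only the machines that relay mail through Exchange. Mail the website
# sends itself never leaves the box, so it needs no inbound rule at all.
# The list is kept in a variable because a bare "a,b" argument in PowerShell would
# be split into an array before netsh ever saw it.
$relayHosts = '203.0.113.10,203.0.113.11'    # placeholder: home/office addresses that submit mail
netsh advfirewall firewall add rule name="SMTP in (relay hosts only)" dir=in action=allow protocol=TCP localport=25 remoteip=$relayHosts

# 4. SQL Server (assumed default instance, TCP 1433). The website queries SQL on the
# same box, so no inbound rule should exist; delete any that setup tools created.
netsh advfirewall firewall delete rule name=all dir=in protocol=TCP localport=1433

# 5. RDP: keep 3389 on its default port, as the answer says, but limit the source.
# If the admin connects from a changing address, widen remoteip rather than moving the port.
$adminHost = '203.0.113.20'                  # placeholder: the administrator's address
netsh advfirewall firewall add rule name="RDP (admin only)" dir=in action=allow protocol=TCP localport=3389 remoteip=$adminHost

# Verify: every inbound rule with its port and the remote addresses it accepts.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Rule Name|LocalPort|RemoteIP'
```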
Great Info to go by. Thanks!