Windows Firewall ports, what to close and what needs to be left open

Posted on 2012-03-20
Last Modified: 2012-06-22
Hello, thanks for all your help lately. I am so new to servers; I am a hardware guy. Let me know your thoughts on the below.

I am really nervous about the port configuration on my windows 2008 server for my website. I was told by my hosting that I need to have ONLY the following 4 ports open:
25 - status - open
80 - status - open
443 - status - open
3389 - status - open - will change to higher number to alleviate default configuration
* I can't see these being the only four ports open that I need.

I downloaded nMap and ran an 'intensive port scan' to identify what's open. The following ports were identified & I have since decided they need to stay open for the corresponding reasons, but I'm not sure if I'm right:
53 (this is Microsoft DNS) - status - open
587 (this is Microsoft Exchange) - status - open

I still have 10 other ports listed as open, and since I'm not sure if I'm doing my research correctly, I'm posting here in the hopes that someone can guide me more definitely than a google search.
Ports still open:
88- status - open
464 - status - open
593 - status - open
808 - status - open
6001 - status - open
6002 - status - open
6004 - status - open
6005 - status - open
6006 - status - open
6007 - status - open
Question by:jeffmeverett

Assisted Solution

by:n4th4nr1ch
ID: 37743861
Your understanding of ports is still in its beginning stages, so it's confusing still. Your hosting company is not helping much either. Here's the brief explanation.

IP traffic goes both ways. In this discussion we will always consider IN to be from the internet (WAN) to your box (LAN). Ports are applicable in BOTH directions, which always confuses people new to ports, which very often includes basic support at hosting companies.

Here is the list of ports they said you have to have open. I will comment with more details:

INBOUND (from WAN to your box)
25 - you ONLY need this open IF you are planning on sending email which originates with one machine but gets sent or relayed from this machine. For example, if you are using your server as a mail server box. If you are only sending mail from your website, which is on the same box, then you don't need this port open. Or if you are doing something very non-standard and weird.
80 - you ONLY need this open if you are SERVING a website from this box AND using the default port (this is likely based on your description), or if you are doing something very non-standard and weird
443 - you ONLY need this open if you are using HTTPS for your website, or if you are doing something very non-standard and weird
3389 - you ONLY need this open if you are using remote desktop to connect to this web server, or if you are doing something very non-standard and weird.

OUTBOUND (from your box to WAN)
Generally you should just accept all ports.


Since you have not specified what kind of server it is other than to say it's for your website, it's harder to pin down what you need open. The short answer is that you simply think about WHAT your server is DOING.

For example DNS port... well.... is your server supposed to be serving DNS? Did you install and set up a DNS server software stack on it? If not, then you don't need it open.

Assisted Solution

by:Darius Ghassem
ID: 37743865
Here is a list of ports and information about the ports.

88 - TCP/UDP - Kerberos authentication system: Are you using Kerberos? Is this on a domain?

464 - TCP/UDP - Kerberos change/set password

The others depend on the website itself, but it seems like those are required.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Author Comment

by:jeffmeverett
ID: 37744739
The fellow EE Expert 'n4th4nr1ch' said in the above post: "Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open."

Answer: I have Server 2008 Standard. I have an Exchange Server 2010 on there that handles 3 email addresses, no more; I have an SQL database as well, all on one server. Yes, I know, not the best situation, but my developer had to do it quick and easy. It's going to be an informative site with a tiny subscription fee. I will be sending mail from it, and an automatic email is sent off from Exchange with every sign-up.

** I do need to have port 3389 open because I do have to connect remotely and the server is 1000 miles away. I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389; let me know your thoughts.

Also, you mentioned something about DNS. I am not sure what 'serving DNS' means. I believe DNS is a naming system that changes the words into numbers? Not too sure, I could use a little expert schooling on that as well. I am around and checking answers asap!

Accepted Solution

by:n4th4nr1ch
ID: 37744815
DNS is a service like any other, and it's served with a server. The most common one is BIND, and there are also many others such as Microsoft DNS (most commonly used with Active Directory), SimpleDNS, etc.

" I was wondering if I needed to be concerned with renaming the RDP ( Remote Desktop Connection) port to a number other than the default of 3389, let me know your thoughts."
You can change ports but you can never name them. They are just numbers. So you can't rename RDP from 3389 to something else. You can use your firewall to redirect traffic, but then you would have to get a non-standard client that allows you to change the port you're connecting to from the client side. The short answer to this is: allow 3389 and use it. If there's a specific problem or goal, I can assure you there are much better ways to solve it than port redirection, especially on tcp/3389.

Having an email server means you will need ports open to access that. If you're using it for SMTP, which is what it sounds like, then you will need 25 open only to places which will use the server for sending emails. For example, if you connect to this server from your home with your cellphone, well, you need that port to be open from your home at least.
But if it's only for automated emails such as registration emails on a website, then you only need that port open to those machines and not to the public.

The SQL port is almost ALWAYS only open to the machine(s) which will need to make queries and nothing else ever. If you're hosting your website from the same machine then you don't even need that open in the first place.
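Added example, not code from the thread or from either expert: a small Python script that applies the reasoning of both answers above (the first answer's "what is your server DOING?" test and the accepted answer's advice to allow 25, 3389 and the SQL port only to the machines that need them) to the port list in the question. The role-to-port table is an assumption covering only the services the thread names, and 203.0.113.5 is a documentation address standing in for the admin's IP; the netsh advfirewall syntax is the standard Windows Server 2008 one.

```python
# Bucket the ports an Nmap scan reports as open by what the server is meant to do.
# Only the services the thread itself names are mapped; anything else is reported
# for investigation rather than guessed at.
ROLE_PORTS = {
    "web": {80, 443},        # only if this box serves the site itself
    "mail": {25, 587},       # SMTP relay / submission from Exchange on this box
    "rdp": {3389},           # remote administration
    "dns": {53},             # only if a DNS server is actually installed here
    "kerberos": {88, 464},   # domain controller duties
}
PORT_ROLE = {port: role for role, ports in ROLE_PORTS.items() for port in ports}


def review_ports(open_ports, roles, known_hosts_only):
    """Bucket scanned-open ports into keep / scope / close / investigate.

    open_ports:       ports the scan reported open (set of int)
    roles:            roles this server really fills (keys of ROLE_PORTS)
    known_hosts_only: needed ports that must be allowed only from specific IPs
    """
    expected = {p for r in roles for p in ROLE_PORTS.get(r, set())}
    report = {"keep": [], "scope": [], "close": [], "investigate": []}
    for port in sorted(open_ports):
        if port in expected:
            # needed, but perhaps only from the admin's or relaying machines' IPs
            report["scope" if port in known_hosts_only else "keep"].append(port)
        elif port in PORT_ROLE:
            # a known service this box is not meant to offer to the internet
            report["close"].append(port)
        else:
            report["investigate"].append(port)  # find out what is listening first
    return report


def scoped_rule(name, port, remote_ips):
    """netsh advfirewall command allowing inbound TCP `port` only from remote_ips."""
    return ('netsh advfirewall firewall add rule name="%s" dir=in action=allow '
            "protocol=TCP localport=%d remoteip=%s" % (name, port, ",".join(remote_ips)))


if __name__ == "__main__":
    # Constructed input: every port the question lists as open after the Nmap scan.
    scanned = {25, 80, 443, 3389, 53, 587, 88, 464, 593, 808,
               6001, 6002, 6004, 6005, 6006, 6007}
    result = review_ports(scanned, roles={"web", "mail", "rdp"}, known_hosts_only={3389})
    for action, ports in result.items():
        print("%-12s %s" % (action, ports))
    # 203.0.113.5 is a documentation address standing in for the admin's real IP.
    print(scoped_rule("RDP admin only", 3389, ["203.0.113.5"]))
```

"close" here means stop exposing the port to the internet, not necessarily stop the service; the Kerberos ports, for instance, only belong in "keep" if the box really is a domain controller that other hosts must reach.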
Author Closing Comment

by:jeffmeverett
ID: 37787958
Great Info to go by. Thanks!