Windows Firewall ports, what to close and what needs to be left open

Posted on 2012-03-20
Last Modified: 2012-06-22
Hello, thanks for all your help lately. I am so new to servers; I am a hardware guy. Let me know your thoughts on the below.

I am really nervous about the port configuration on my Windows 2008 server for my website. I was told by my hosting that I need to have ONLY the following 4 ports open:
80- status - open
443- status - open
3389- status - open - will change to higher number to alleviate default configuration
* I can't see these being the only four ports open that I need.

I downloaded Nmap and ran an 'intensive port scan' to identify what's open. The following ports were identified, and I have since decided they need to stay open for the corresponding reasons, but I'm not sure if I'm right:
53 (this is Microsoft DNS) - status - open
587 (this is Microsoft Exchange) - status - open

I still have 10 other ports listed as open, and since I'm not sure if I'm doing my research correctly, I'm posting here in the hope that someone can guide me more definitively than a Google search.
Ports still open:
88- status - open
464 - status - open
593 - status - open
808 - status - open
6001 - status - open
6002 - status - open
6004 - status - open
6005 - status - open
6006 - status - open
6007 - status - open
Question by: jeffmeverett

Assisted Solution

n4th4nr1ch earned 1600 total points
ID: 37743861
Your understanding of ports is still in its beginning stages, so it's confusing still. Your hosting company is not helping much either. Here's the brief explanation.

IP traffic goes both ways. In this discussion we will always consider IN to be from the internet (WAN) to your box (LAN). Ports are applicable in BOTH directions, which always confuses people new to ports, which very often includes basic support from hosting companies.

Here is the list of ports they said you have to have open. I will comment with more details:

INBOUND (from WAN to your box)
25 - you ONLY need this open IF you are planning on sending email which originates with one machine but gets sent or relayed from this machine. For example, if you are using your server as a mail server box. If you are sending mail from your website which is on the same box, only, then you don't need this port open. Or if you are doing something very non-standard and weird.
80 - you ONLY need this open if you are SERVING a website from this box AND using the default port (this is likely based on your description), or if you are doing something very non-standard and weird
443 - you ONLY need this open if you are using HTTPS for your website, or if you are doing something very non-standard and weird
3389 - you ONLY need this open if you are using remote desktop to connect to this web server, or if you are doing something very non-standard and weird.

OUTBOUND (from your box to WAN)
Generally you should just accept all ports.

Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open. The short answer is that you simply think about WHAT is your server DOING?

For example DNS port... well.... is your server supposed to be serving DNS? Did you install and set up a DNS server software stack on it? If not, then you don't need it open.

Assisted Solution

by: Darius Ghassem
Darius Ghassem earned 400 total points
ID: 37743865
Here is a list of ports and information about the ports.

88 TCP/UDP Kerberos authentication system: Are you using Kerberos? Is this on a domain?

464 TCP/UDP Kerberos change/set password

Others depend on the website itself, but it seems like those are required.


Author Comment

ID: 37744739
The fellow EE Expert 'n4th4nr1ch' said in the above post: "Since you have not specified what kind of server other than to say it's for your website, it's harder to pin down what you need open." Answer: I have Server 2008 Standard. I have an Exchange Server 2010 on there that handles 3 email addresses, no more; I have an SQL database as well, all on one server. Yes, I know, not the best situation, but my developer had to do it quick and easy. It's going to be an informative site with a tiny subscription fee. I will be sending mail from it, and an automatic email is sent off from Exchange with every sign-up. ** I do need to have port 3389 open because I do have to connect remotely and the server is 1000 miles away. I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389; let me know your thoughts. Also, you mentioned something about DNS. I am not sure what 'serving DNS' means; I believe DNS is a naming system that changes the words into numbers? Not too sure; I could use a little expert schooling on that as well. I am around and checking answers ASAP!

Accepted Solution

n4th4nr1ch earned 1600 total points
ID: 37744815
DNS is a service like any other, and it's served with a server. The most common one is BIND, and there are also many others such as Microsoft DNS (most commonly used with Active Directory), SimpleDNS, etc.

"I was wondering if I needed to be concerned with renaming the RDP (Remote Desktop Connection) port to a number other than the default of 3389, let me know your thoughts."
You can change ports but you can never name them. They are just numbers. So you can't rename RDP from 3389 to something else. You can use your firewall to redirect traffic, but then you would have to get a non-standard client that allows you to change the port you're trying from the client side. The short answer to this is allow 3389 and use it. If there's a specific problem or goal I can assure you there are much better ways to solve it than port redirection, especially on tcp/3389.

Having an email server means you will need ports open to access that. If you're using it for SMTP, which is what it sounds like, then you will need 25 open only to places which will use the server for sending emails. For example if you connect to this server from your home with your cellphone, well you need that port to be open from your home at least.
But if it's only for automated emails such as registration emails on a website, then you only need that port open to those machines and not to the public.

The SQL port is almost ALWAYS only open to the machine(s) which will need to make queries and nothing else ever. If you're hosting your website from the same machine then you don't even need that open in the first place.
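The accepted answer's advice (default-deny inbound, allow all outbound, open only the ports the server actually serves, scope SMTP to the hosts that hand it mail, and keep SQL off the wire entirely) expressed as a Windows Server 2008 host-firewall baseline. This is an added example, not code from the thread or from Experts Exchange; the remote addresses are constructed placeholders, and it assumes the web site, Exchange 2010 and SQL Server all live on this one box as the asker described.

```powershell
# Added example: Windows Firewall with Advanced Security baseline via netsh
# (available on Windows Server 2008; the NetSecurity PowerShell cmdlets came later).
# Placeholders (constructed, not from the thread):
#   203.0.113.10      - the only remote host allowed to submit mail on TCP/25
#   <RDP_SOURCE_IP>   - the administrator's fixed public IP for Remote Desktop

# 1. Default posture: block everything inbound, allow everything outbound
#    (matches "OUTBOUND: generally you should just accept all ports").
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Inbound rules only for what this server DOES.
#    The web site is served from this box on the default ports, so 80/443 from anywhere.
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443

#    RDP stays on 3389 (the answer advises against port redirection) but is limited
#    to the admin's source address instead of the whole Internet.
netsh advfirewall firewall add rule name="RDP admin only" dir=in action=allow protocol=TCP localport=3389 remoteip=<RDP_SOURCE_IP>

#    SMTP: open only to the machines that will use this server to send, never to "any".
#    The local web application talks to Exchange over 127.0.0.1 and never crosses the firewall.
netsh advfirewall firewall add rule name="SMTP from relay host" dir=in action=allow protocol=TCP localport=25 remoteip=203.0.113.10

#    SQL Server: the site queries it locally, so there is NO inbound rule for it.
#    Remove any stray allow rule for the default instance port (prints
#    "No rules match the specified criteria" if none exist, which is the desired state).
netsh advfirewall firewall delete rule name=all dir=in protocol=TCP localport=1433

# 3. Check: what is actually listening, and which process/service owns each port?
#    Every LISTENING socket without a matching inbound rule is unreachable from the
#    WAN (fine); every rule without a listener is dead weight to remove.
netstat -ano -p TCP | Select-String "LISTENING"
tasklist /svc

# 4. Review the resulting inbound rule set against the list above.
netsh advfirewall firewall show rule name=all dir=in
```

Run it from an elevated prompt on the server itself; if the RDP rule's remoteip is wrong you will lock yourself out, so apply that line last and test a fresh RDP session before closing the current one.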

Author Closing Comment

ID: 37787958
Great Info to go by. Thanks!
