standard HTTP and HTTPS ports benefits

some of the security guides I have read flag it as an issue if a web server is not using standard HTTP/HTTPS ports (80 and 443).

what realistic risks are there by not using standard ports? any security risks? or is it just operational problems and headaches for the admin..

what other reasons are there that an admin may not use standard HTTP/HTTPS ports? i know some of the servers host multiple sites, wasn't sure if that may be an issue?

where in IIS can you see what ports are being used, do you have to check this per site?
LVL 3
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
The reasons for using standard http and https ports are

1. the port definitions are managed by an oversight organization, the IETF.  (http://www.ietf.org)
2. that they are well documented and well known
3. typing either http:// or https:// implies the use of 80 or 443 respectively
4. it makes it easier to control access to a large number of web sites when they use the standard ports.  defining a new port for every web site would become cumbersome for the person(ppl) managing the perimeter security devices (firewalls/routers/etc.)
5. having to type the port number in a URL is annoying and troublesome for most non-technical ppl

The risks of using non-standard ports is mostly in the management overhead required to document, configure and manage the systems/sites involved.

IMO, there are not many good reasons to use non-standard http/https ports.  All modern day web servers can host multiple (read... 100s or more) web sites on a single IP and port with the use of Host Names (host header) on the address bound to the site.

Obfuscation (in this case, using a non-standard http(s) port) does not help in protecting your web site from anything.  If it is an Internet available site, you have to make that port visible to everyone.  Whether 80, 443, 8080, 8090, 80443, etc... it can be scanned and found.

In IIS Manager, expand the server, then click on the Sites object.  On the right hand panel, you should see a list of the web sites on the server.  Under the "Binding" column, is everything associated with the IP address and ports bound to the site.

Dan
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MurfurFull Stack DeveloperCommented:
What version of IIS?

But the short answer is just an admin vortex if you do not use standard ports, as all the software involved in the protocol assumes standard ports unless you specify otherwise - servers, browsers, firewalls etc. The vortex is that if you do not use standard ports you have to a) remember what they are and b) manually specify them in various places in order to make a connection.

As to IIS, mine used to have it in brackets after the site name but you can go to site settings and check there and exactly where depends on your version of IIS, hence my question!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.