What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI
Course Of The Month
9 days, 22 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Questions on windows ports
Posted on 2016-08-28
We are using Comodo Internet Security Premium version 8.4.0.5076. Recently we were recommended to close all unused ports in each PC; we only needed the ports opened such as:
- Port 53 (for DNS)
- Port 80 (for Http)
- Port 443 (for SSL secure browsing)
- Port 8080 (for secondary port)
And close all other ports as follows:
- Block 0-52
- Block 53-79
- Block 81-443
- Block 444-8079
- Block 8081-65535
That seems to make sense but we have these questions about apps used in some computers, such as:
- Port 53 (for DNS)
- Port 80 (for Http)
- Port 443 (for SSL secure browsing)
- Port 8080 (for secondary port)
And close all other ports as follows:
- Block 0-52
- Block 53-79
- Block 81-443
- Block 444-8079
- Block 8081-65535
That seems to make sense but we have these questions about apps used in some computers, such as:
Remote Desktop
SQL
Google Drive
OneDrive
Mega cloud
DropBox
Box
iCloud
Hyper-V
SQL
Google Drive
OneDrive
Mega cloud
DropBox
Box
iCloud
Hyper-V
What do EE recommend as to the open and closed ports?
Is the recommendation of closing non-used ports a good one?
Finally, based on the list of apps, what ports do these apps uses so we can open them?
Is the recommendation of closing non-used ports a good one?
Finally, based on the list of apps, what ports do these apps uses so we can open them?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
4
3
13 Comments
Active 1 day ago
Windows Remote Desktop uses port 3389 by default. SQL Server uses port 1433 by default. If you have additional SQL Server instances then they will use a different, randomly selected port. Hyper-V doesn't use any ports in and of itself. I'm not 100% certain about the other services but I believe those are mostly outbound connections. To enhance your system's security you need only create inbound rules which shouldn't affect cloud services.
Active today
A recommendation to block outbound traffic is usually too much, unless you need to create a fully controlled network. As said above, you block inbound traffic first. Then you should know which ports are used - if someone needs to RDP into a machine, that (target) machine needs to have RDP opened for inbound. If there is no need to at any time (even for administrative tasks), the port should be blocked inbound.
In general, if you provide a service on a machine (RDP etc.), open the inbound port. Don't block outbound, unless there is a specific need.
In general, if you provide a service on a machine (RDP etc.), open the inbound port. Don't block outbound, unless there is a specific need.
Active today
Great info!
As for the apps:
Based on your recommendation, how can we determine inbound ports for the above apps or connections?
As for the apps:
- Remote Desktop
- SQL
- Google Drive
- OneDrive
- Mega cloud
- DropBox
- Box
- iCloud
- Hyper-V
- SQL
- Google Drive
- OneDrive
- Mega cloud
- DropBox
- Box
- iCloud
- Hyper-V
Based on your recommendation, how can we determine inbound ports for the above apps or connections?
Active today
The first comment enumerates the known ports. You don't need inbound rules for Cloud services.
Active today
What about hyper-v (especially if we connect to one outside our PC and also if we have one in our PC)
Active 1 day ago
Hyper-V doesn't inherently use any ports. The virtual machines that Hyper-V hosts may use ports. However the host firewall doesn't apply to the hosted VMs.
Active today
But if from within the VM there is malicious code and the VM has access to host or the PC connected to it, wouldn't that also infect the host? For example, we have a VM that you can ping the host or the PC you connecting from and in additional, the VM from within has access to the host drives. That said, the ports are not considered here?
Active 1 day ago
A VM is just like any other computer. It has no more access to the host machine than you give it. If you configure the VM to use the host's network adapter then it is as if the VM is on the same network and is subject to the same network rules as any other machine.
If it helps, for the purpose of networking thing of a VM as another physical computer sitting next to the current one and connected to the same network. That's the extent of it.
If it helps, for the purpose of networking thing of a VM as another physical computer sitting next to the current one and connected to the same network. That's the extent of it.
Active today
Understood.
To close the question, and going back to the original question, should we set as closed the following ports in our firewall apps?:
- Block 0-52 - (leave 53, dns open)
- Block 54-79 - (leave 80, http open)
- Block 81-442 - (leave 443, ssl open)
- Block 444-1432 - (leave 1433, sql open)
- Block 1434-3388 - (leave 3389, rdp open)
- Block 3390-8079 - (leave 8080, alt,port open)
- Block 8081-65535
(we have updated the list of "open" ports [SQL port 1433 and RDP port 3389] with EE comments placed)
To close the question, and going back to the original question, should we set as closed the following ports in our firewall apps?:
- Block 0-52 - (leave 53, dns open)
- Block 54-79 - (leave 80, http open)
- Block 81-442 - (leave 443, ssl open)
- Block 444-1432 - (leave 1433, sql open)
- Block 1434-3388 - (leave 3389, rdp open)
- Block 3390-8079 - (leave 8080, alt,port open)
- Block 8081-65535
(we have updated the list of "open" ports [SQL port 1433 and RDP port 3389] with EE comments placed)
Active 1 day ago
No port should be open unless you have a need for it.
Port 53 should be open only if the machine is a DNS server.
Ports 80 and 443 should only be open if the machine is hosting a website.
Port 1433 should only be open if the machine is hosting a SQL Server instance.
Port 3389 should only be open if the machine needs to accept Windows RDP requests.
Port 8080 should only be open if you need to host an additional website on this port.
Side note, it's generally considered poor security to host a SQL Server instance on the same machine as a website. If you must do this and the SQL Server instance is consumed only by the website then there is no need to open port 1433 since the IP address will be local (127.0.0.1) which should never be blocked.
Port 53 should be open only if the machine is a DNS server.
Ports 80 and 443 should only be open if the machine is hosting a website.
Port 1433 should only be open if the machine is hosting a SQL Server instance.
Port 3389 should only be open if the machine needs to accept Windows RDP requests.
Port 8080 should only be open if you need to host an additional website on this port.
Side note, it's generally considered poor security to host a SQL Server instance on the same machine as a website. If you must do this and the SQL Server instance is consumed only by the website then there is no need to open port 1433 since the IP address will be local (127.0.0.1) which should never be blocked.
Active today
This question we have placed in EE is for a computer that the we need to connect to via Remote Desktop (when in LAN) and connect to via TeamViewer (outside our LAN, i.e. From our home).
When we are connected to this computer via RDP or Teamviewer, we want to use it's MSSQL apps, some VMs and cloud services it has. These services are used when we sit down front of the PC or when connected.
Based on your comment, we can close all ports except 3389?
When we are connected to this computer via RDP or Teamviewer, we want to use it's MSSQL apps, some VMs and cloud services it has. These services are used when we sit down front of the PC or when connected.
Based on your comment, we can close all ports except 3389?
Featured Post
Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service. The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list. It is designed to be downloaded as a file, with primary intention…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you!
In this Micro Tutorial, you'll learn yo…
- Microsoft Applications
- Windows 10
- Windows OS
- Fonts Typography
- Windows 7, Microsoft Word
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 22 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.