Non-standard port 9001 and 9030 TCP traffic observed permitted to DC

Bill Burr
We have been receiving alerts that a domain controller and other hosts have been communicating on ports 9001 and 9030. From a security perspective this is a concern, as these are not standard ports and have been tied to Tor relay ports.

The question is whether there are any known or valid services or benign reasons that would use ports 9001 or 9030 in a Windows environment, be it a DC or Server 2008/2012/2016?
Distinguished Expert 2017

Commented:
Do the DCs serve any other function?
Distinguished Expert 2018

Commented:
We have been receiving alerts that a domain controller and other hosts have been communicating on port 9001 and 9030.  From a security perspective this is a concern as these are not standard ports and have been tied to tor relay ports.
Tor is actually one program that uses both of those ports. And I've noticed you even tagged Tor as one of the topics on here.... which would actually encourage me to turn around and ask whether it's an authorized application in your environment.

SharePoint is another that can use port 9001.
Distinguished Expert 2017
Commented:
Forgot: run in an elevated command window
netstat -anb | more and see which service is bound to ports 9001 and 9030.
Sysinternals includes utilities such as TCPView and Process Explorer that might be useful in identifying the process that is bound to/using ports 9001 and 9030...
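The check described in this answer (which process owns the socket on 9001/9030, and whether it is a recognised service), as an added example that is not part of the original thread or either expert's reply. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and falls back to parsing netstat on older hosts such as Server 2008; the function name Get-SuspectPortOwner, the default port list and the output column names are this example's own choices. Run it from an elevated PowerShell window so the owning PID of every connection is visible.

```powershell
# Added example (not from the thread): map TCP activity on ports 9001/9030 to the
# owning process, its executable path, its Authenticode signature status and any
# Windows service hosted in that process. Run elevated so every owning PID is visible.
# Function name, default port list and column names are this example's own choices.
function Get-SuspectPortOwner {
    param(
        [int[]]$Ports = @(9001, 9030)   # ports named in the alert
    )

    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        # Server 2008 / PowerShell 2 fallback: 'netstat -ano' prints the owning PID;
        # add -b (binary name) only in an elevated window. Print lines touching the ports.
        $pattern = ':(' + ($Ports -join '|') + ')\s'
        netstat -ano | Select-String -Pattern $pattern | ForEach-Object { $_.Line.Trim() }
        return
    }

    # Both directions matter: a local listener on 9001/9030 and an outbound
    # connection whose remote end is 9001/9030 tell different stories.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($Ports -contains $_.LocalPort) -or ($Ports -contains $_.RemotePort) }

    foreach ($c in $conns) {
        $ownerPid = $c.OwningProcess   # ($PID is a read-only automatic variable, hence the name)
        $wmiProc  = Get-CimInstance Win32_Process -Filter "ProcessId = $ownerPid" -ErrorAction SilentlyContinue
        # A service hosted in this process (e.g. inside svchost.exe) is found via its ProcessId.
        $svcs     = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" -ErrorAction SilentlyContinue
        $path     = $wmiProc.ExecutablePath
        # Signature status of the binary: 'Valid' for a vendor-signed service is the
        # expected case; 'NotSigned' on a binary outside Program Files is what to triage.
        $sig      = if ($path -and (Test-Path -LiteralPath $path)) {
                        (Get-AuthenticodeSignature -FilePath $path).Status
                    } else { 'n/a' }

        [PSCustomObject]@{
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            State     = $c.State
            PID       = $ownerPid
            Process   = if ($wmiProc) { $wmiProc.Name } else { '<unknown>' }
            Path      = $path
            Signature = $sig
            Service   = ($svcs | ForEach-Object { $_.Name }) -join ','
        }
    }
}

# Usage: list everything on the default ports; pass -Ports to check others.
Get-SuspectPortOwner | Format-Table -AutoSize
```

Reading the output: a legitimately installed product (SharePoint, a monitoring agent) normally shows a signed executable under Program Files with a named service in the Service column, which answers the "benign reason" question for that host. An unsigned binary running from a user profile or temp directory with ESTABLISHED outbound connections to remote port 9001 is the case to escalate, and the Path column gives the file to hash and check against the organisation's software inventory.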
Bill Burr, IT Admin (Author)

Commented:
Thanks guys - this is just what the doctor ordered.
