Mark Empson has published a nice list of firewall ports used by Windows Server 2008.
| Possible Rule name | Description | Port | Path |
|---|---|---|---|
| Active Directory Domain Controller – LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389) | 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller – LDAP (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389) | 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller – LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268) | 3268 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller – NetBIOS name resolution (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138) | 138 | System |
| Active Directory Domain Controller – SAM/LSA (NP-TCP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445) | 445 | System |
| Active Directory Domain Controller – SAM/LSA (NP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445) | 445 | System |
| Active Directory Domain Controller – Secure LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636) | 636 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller – Secure LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269) | 3269 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller – W32Time (NTP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123) | 123 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (RPC) | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service. | Dynamic RPC | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service. | 135 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (TCP-Out) | Outbound rule for the Active Directory Domain Controller service. (TCP) | Any | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (UDP-Out) | Outbound rule for the Active Directory Domain Controller service. (UDP) | Any | %systemroot%\System32\lsass.exe |
| DNS (TCP, Incoming) | DNS inbound | 53 | %systemroot%\System32\dns.exe |
| DNS (UDP, Incoming) | DNS inbound | 53 | %systemroot%\System32\dns.exe |
| DNS (TCP, outbound) | DNS outbound | 53 | %systemroot%\System32\dns.exe |
| DNS (UDP, outbound) | DNS outbound | 53 | %systemroot%\System32\dns.exe |
| DNS RPC, incoming | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS Service | 135 | %systemroot%\System32\dns.exe |
| DNS RPC, incoming | Inbound rule to allow remote RPC/TCP access to the DNS service | Dynamic RPC | %systemroot%\System32\dns.exe |
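A list like this is most useful when it is checked against what a domain controller actually has configured. The following PowerShell script is an added example, not part of Mark's list: it takes the fixed-port inbound rules from the table, looks each one up in the live Windows Firewall, and reports rules that are missing, disabled, bound to a different protocol or port, or scoped to any remote address. It assumes the NetSecurity cmdlets (`Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Get-NetFirewallAddressFilter`), which ship with Windows Server 2012 and later; on Server 2008 itself the same information comes from `netsh advfirewall firewall show rule name=all verbose`. The two "Dynamic RPC" rows are left out because they carry no fixed port to compare against.

```powershell
# Added example, not part of the original list: audit the local Windows Firewall
# against the fixed-port inbound rules from the table above.
# Assumes the NetSecurity module (Windows Server 2012 or later). On Server 2008
# the equivalent data comes from: netsh advfirewall firewall show rule name=all verbose

# Rule names, protocols and ports are copied from the table. The "Dynamic RPC"
# rows are omitted because they have no fixed port to compare against.
$expected = @(
    @{ Name = 'Active Directory Domain Controller - LDAP (TCP-In)';                           Protocol = 'TCP'; Port = 389  }
    @{ Name = 'Active Directory Domain Controller - LDAP (UDP-In)';                           Protocol = 'UDP'; Port = 389  }
    @{ Name = 'Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)';        Protocol = 'TCP'; Port = 3268 }
    @{ Name = 'Active Directory Domain Controller - NetBIOS name resolution (UDP-In)';        Protocol = 'UDP'; Port = 138  }
    @{ Name = 'Active Directory Domain Controller - SAM/LSA (NP-TCP-In)';                     Protocol = 'TCP'; Port = 445  }
    @{ Name = 'Active Directory Domain Controller - SAM/LSA (NP-UDP-In)';                     Protocol = 'UDP'; Port = 445  }
    @{ Name = 'Active Directory Domain Controller - Secure LDAP (TCP-In)';                    Protocol = 'TCP'; Port = 636  }
    @{ Name = 'Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)'; Protocol = 'TCP'; Port = 3269 }
    @{ Name = 'Active Directory Domain Controller - W32Time (NTP-UDP-In)';                    Protocol = 'UDP'; Port = 123  }
    @{ Name = 'Active Directory Domain Controller (RPC-EPMAP)';                               Protocol = 'TCP'; Port = 135  }
    @{ Name = 'DNS (TCP, Incoming)';                                                          Protocol = 'TCP'; Port = 53   }
    @{ Name = 'DNS (UDP, Incoming)';                                                          Protocol = 'UDP'; Port = 53   }
)

# Pull every inbound rule once and match locally, instead of querying the
# firewall provider once per expected rule.
$inbound = Get-NetFirewallRule -Direction Inbound

$report = foreach ($e in $expected) {
    # The table writes the dash as an en dash while Windows uses a hyphen;
    # turning either into the single-character wildcard "?" matches both forms.
    $pattern = $e.Name -replace '[\u2013-]', '?'
    $rules = @($inbound | Where-Object { $_.DisplayName -like $pattern })

    if ($rules.Count -eq 0) {
        [pscustomobject]@{ Rule = $e.Name; Profile = ''; Status = 'MISSING'; Detail = 'no inbound rule with this display name' }
        continue
    }

    # A rule may exist once per profile (Domain/Private/Public); check each copy.
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $problems = @()

        if ($rule.Enabled -ne 'True') { $problems += 'disabled' }
        if ($port.Protocol -ne $e.Protocol) {
            $problems += "protocol is $($port.Protocol), expected $($e.Protocol)"
        }
        if (@($port.LocalPort) -notcontains "$($e.Port)") {
            $problems += "local port is $($port.LocalPort -join ','), expected $($e.Port)"
        }
        # 'Any' is the default remote scope for these built-in rules; on a DC it is
        # worth knowing which rules are reachable from every address rather than
        # only from the subnets that need the service.
        if ($addr.RemoteAddress -eq 'Any') { $problems += 'open to any remote address' }

        $status = if ($problems.Count -eq 0) { 'OK' } else { 'CHECK' }
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Profile = $rule.Profile
            Status  = $status
            Detail  = $problems -join '; '
        }
    }
}

$report | Sort-Object Status, Rule | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the domain controller. On a stock install every built-in rule is scoped to any remote address, so expect a column of `CHECK` rows carrying that detail; the rows worth acting on first are `MISSING` and `disabled`, and any port or protocol mismatch, which means a rule was edited away from the values in the table.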
Nice reference Mark. I was just looking for a similar list for Windows Server 2003 R2 Domain Controllers, and had to pull the information from a variety of sources. I couldn’t find a nice summary like you’ve made.
August 12, 2009 at 4:43 am
People that are interested in ports used by W2K8 will probably like the following article.
It also works for W2K8 DCs!
http://support.microsoft.com/kb/224196#appliesto