Re: Windows 2003 Server with ICF


From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/15/04


Date: Sun, 15 Aug 2004 20:51:07 +0200

Hi Sam,

I wouldn't recommend enabling ICF on domain controllers (DCs). The LAN should be
a trusted part of the network.

Here is a list of some TCP ports required by DCs:

RPC endpoint mapper               135/tcp, 135/udp
NetBIOS name service              137/tcp, 137/udp
NetBIOS datagram service          138/udp
NetBIOS session service           139/tcp
RPC dynamic assignment            1024-65535/tcp
SMB over IP (Microsoft-DS)        445/tcp, 445/udp
LDAP                              389/tcp
LDAP over SSL                     636/tcp
Global catalog LDAP               3268/tcp
Global catalog LDAP over SSL      3269/tcp
Kerberos                          88/tcp, 88/udp
DNS                               53/tcp[1], 53/udp
WINS resolution (if required)     1512/tcp, 1512/udp
WINS replication (if required)    42/tcp, 42/udp
Network time protocol (NTP)       123/udp

Clients use broadcasts to discover DHCP servers.
For IIS, if you use the default installation, you will have to open TCP port 80.
The file server will be open if you open the above ports.

Again, personally I wouldn't use any kind of filtering software on domain
controllers.

Mike

"Sam Cheung" <SamCheung@discussions.microsoft.com> wrote in message
news:B584457F-5364-48C0-A7AC-5A6070A7AC9B@microsoft.com...
> I have a network with some Win2k3 server and 100 winXP clients, which have
> function running as DC, DHCP server, DNS server, IIS, File Server...etc. I
> also turn on the ICF function on each server to have higher protection.
> But I don't know which port I need to open of each services, can anyone tell
> me which port and which type port (TCP/UDP) need to open for each services?
>
>
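
Added example, not part of the original posts: a Python sketch that parses the port list from the reply above and measures how much of the port space an allow list built from it would leave open on the host firewall. The function names are hypothetical; the list text is copied from the post.

```python
import re

# Port list copied from the reply above (footnote marker left as posted).
DC_PORT_LIST = """\
RPC endpoint mapper 135/tcp, 135/udp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
SMB over IP (Microsoft-DS) 445/tcp, 445/udp
LDAP 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp[1], 53/udp
WINS resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp
Network time protocol (NTP) 123/udp
"""

# One port or a lo-hi range, followed by the protocol.
SPEC = re.compile(r"(\d+)(?:-(\d+))?/(tcp|udp)")

def parse_rules(text):
    """Return [(service, proto, lo, hi)] for every port spec in the list."""
    rules = []
    for line in text.splitlines():
        first = SPEC.search(line)
        if not first:
            continue  # no port spec on this line
        service = line[:first.start()].strip()
        for lo, hi, proto in SPEC.findall(line):
            rules.append((service, proto, int(lo), int(hi or lo)))
    return rules

def allowed_by(rules, proto, port):
    """Services whose rule admits proto/port; an empty list means filtered."""
    return [s for s, p, lo, hi in rules if p == proto and lo <= port <= hi]

def open_ports(rules, proto):
    """Distinct port numbers the allow list opens for one protocol."""
    return {n for _, p, lo, hi in rules if p == proto for n in range(lo, hi + 1)}

if __name__ == "__main__":
    rules = parse_rules(DC_PORT_LIST)
    for proto in ("tcp", "udp"):
        n = len(open_ports(rules, proto))
        print(f"{proto}: {n} of 65535 ports open ({n / 65535:.1%})")
    print("tcp/8080 admitted by:", allowed_by(rules, "tcp", 8080))
```

With the RPC dynamic assignment range in the list, 64521 of 65535 TCP ports are admitted, while only 9 UDP ports are.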


