Filter Settings for Windows NT Services

Protocol and Ports that Control Access to Services

Internet Customer Unit

April 1999

Microsoft Corporation

Introduction

This document provides filter settings for network operators to review so that they can address security issues in their environment. They can then control the protocols and ports that are accessible on their servers running the Microsoft® Windows NT® Server operating system. Filter settings can be applied optionally on any of the following devices and software:

Note: This document contains information that requires periodic updates so that the latest information on this topic can be provided. Use this document as a reference, and check the original source locations for the most recent filter setting updates.

NetBIOS Messages and Name Resolution Behavior

Network operators can apply the following registry key settings to control NetBIOS Messages and Name Resolution behavior on any computer running the Microsoft® Windows NT® Server operating system.

Messages

These settings prevent NetBIOS messages from being sent, or listened for, on a given server by the Messenger service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
   \Alerter
      Start         = REG_DWORD   0x3
   \Messenger
      Start         = REG_DWORD   0x3

Name Resolution

These settings prevent the system from requesting and responding to NetBIOS name resolution lookups on User Datagram Protocol (UDP) ports 137 and 138 respectively.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
   \Browser
      Start         = REG_DWORD   0x3
   \NetBT\Parameters
      EnableDNS     = REG_DWORD   0x1
      EnableLMHOSTS = REG_DWORD   0x0
      NodeType      = REG_DWORD   0x2
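As an added example, not part of the Microsoft document, the following Python script checks a registry export against the values listed in both registry sections above (the Alerter, Messenger and Browser service Start values and the NetBT name-resolution parameters). The key paths are the full NT service-configuration keys under CurrentControlSet\Services; the dump text is a constructed sample modelled on reg query output, and the function names are this example's own.

```python
"""Audit a registry dump against the NetBIOS hardening values above (added example;
not Microsoft's code)."""
import re

# Values the document asks for, keyed by the full NT service-configuration path.
# Start 0x3 is "manual" (not started at boot); 0x2 would be "automatic".
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter":   {"Start": 0x3},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger": {"Start": 0x3},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser":   {"Start": 0x3},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters": {
        "EnableDNS": 0x1,      # resolve NetBIOS names through DNS
        "EnableLMHOSTS": 0x0,  # no LMHOSTS file lookups
        "NodeType": 0x2,       # P-node: WINS queries only, no broadcast on UDP 137
    },
}

# Constructed sample modelled on "reg query" output; not taken from a real host.
# Messenger still starts automatically and NetBT is an H-node with LMHOSTS enabled.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    EnableDNS        REG_DWORD    0x1
    EnableLMHOSTS    REG_DWORD    0x1
    NodeType         REG_DWORD    0x8
"""

# value name, the REG_DWORD type tag, then a hex (0x..) or decimal number
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_reg_dump(text):
    """Return {key path: {value name: int}} for the REG_DWORD values in a reg query dump."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 0)
    return keys


def audit(dump_text, expected=EXPECTED):
    """(key, value name, expected, actual) for every value missing or off the document's setting."""
    actual = parse_reg_dump(dump_text)
    findings = []
    for key, values in expected.items():
        present = actual.get(key, {})
        for name, want in values.items():
            got = present.get(name)
            if got != want:
                findings.append((key, name, want, got))
    return findings


if __name__ == "__main__":
    for key, name, want, got in audit(SAMPLE_DUMP):
        shown = "missing" if got is None else hex(got)
        print(f"{key}\\{name}: expected {want:#x}, found {shown}")
```

Feed it the output of reg query for each key. A Start value of 0x3 matches the document but only stops the service from starting at boot; a manually started service can still be started on demand, so pair the registry check with a check of the running services.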

Services Protocol and Port Usage

Referenced Protocol Numbers

   TCP          = 6
   UDP          = 17
   GRE (PPTP)   = 47

Table of Services/Protocols/Ports

Service                                     Protocol                                    Client request port  Service port in  Service port out
------------------------------------------  ------------------------------------------  -------------------  ---------------  ----------------
Browsing of NetBIOS over TCP/IP             UDP (requests)                              137                  137              137
                                            UDP (datagram responses)                    138                  138              138
Content replication service                 TCP                                                              507
Cybercash                                   TCP (credit gateway)                                             8000
                                            TCP (admin)                                                      8001
                                            TCP (coin gateway)                                               8002
DHCP lease                                  TCP (request)                                                    67
                                            TCP (response)                                                   68
DNS (client to server lookup)               TCP or UDP (depends on software)            1024-5000            53               53
DNS (server to server lookup)               TCP or UDP (depends on software)            53                   53               53
DNS (primary to secondary zone transfer)    TCP                                         53                   53               1024-5000
DNS (primary to secondary SOA record transfer)
                                            UDP                                         53                   53               53
File shares                                 UDP (name lookup)                                                137
                                            TCP (session)                                                    139
FTP-data                                    TCP                                                              20
FTP                                         TCP                                                              21
HTTP                                        TCP                                                              80
HTTP-Secure Sockets Layer (SSL)             TCP                                                              443
IMAP4                                       TCP                                                              143
IRC                                         TCP                                                              531
ISPMOD (SBS 2nd tier DNS registration wizard)
                                            TCP                                                              1234
LDAP                                        TCP                                                              389
LDAP (SSL)                                  TCP                                                              636
Membership DPA                              TCP                                                              568
Membership MSN                              TCP                                                              569
Microsoft Chat (michat)                     TCP (server to server)                                           6665
                                            TCP (client to server)                                           6667
NetBT                                       UDP (name lookups)                                               137
                                            UDP (datagrams)                                                  138
                                            TCP (service sessions)                                           139
NetMeeting                                  TCP (user location service)                                      522
                                            TCP (T.120)                                                      1503
                                            TCP (audio call ctrl)                                            1731
                                            UDP (RTP audio stream)                                           Dynamic
NetShow (with protocol rollover)            UDP                                         TCP/1755             TCP/1755         UDP/1755
                                            TCP                                                              1755             1755
                                            HTTP                                        80                   80               80
                                            Multicast (224.0.0.1 - 239.255.255.255)     1-65000              1-65000          1-65000
                                            DCOM                                        135                  135              1024-5000
NNTP                                        TCP                                                              119
POP3                                        TCP                                                              110
PPTP                                        PPTP (protocol 47, GRE)                                          1723
Printer sharing                             UDP (name lookup)                                                137
                                            TCP (session)                                                    139
RADIUS                                      UDP (authentication)                                             1645 or 1812
                                            UDP (accounting)                                                 1646 or 1813
Referral.microsoft.com (for Internet Explorer and SBS signup referrals)
                                            TCP                                                              80
RPC (for example, UserMgr, SrvMgr, and so on)
                                            TCP (port mapper)                                                135
                                            TCP (session ports)                                              Dynamic
SMTP                                        TCP                                                              25
SNMP                                        UDP                                                              161
SNMP Trap                                   UDP                                                              162
SQL Server (named pipes client, supports encryption over NetBEUI, IPX/SPX, TCP/IP)
                                            UDP (name lookup)                                                137
                                            TCP (session)                                                    139
SQL Server (TCP client)                     UDP/TCP (name lookup)                                            53
                                            TCP (session)                                                    1433
SQL Server (RPC client, supports encryption over NetBEUI, IPX/SPX, TCP/IP)
                                            UDP (name lookup)                                                137
                                            TCP (session mapper)                                             135
                                            TCP (session)                                                    1024-5000
(RPC client using a fixed port, see Knowledge Base article 164667)
                                            TCP (session queries)                                            1500
                                            TCP (session replication)                                        2500
Telnet                                      TCP                                                              23
WINS registration                           UDP (NetBIOS over TCP/IP name service)                           137
WINS replication                            TCP                                                              42
Windows Challenge/Response authentication   TCP (NetBIOS over TCP/IP session service)                        139
X.400                                       TCP                                                              102
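As an added example, not code from the Microsoft document: a small Python tool that encodes a subset of the table above, derives the set of (protocol, port) pairs a packet filter has to permit inbound for a chosen set of services, flags any chosen service whose table rows include the NetBIOS ports 137, 138 and 139 that the registry settings earlier in this document are about, and compares a host's listener inventory with that allow-list. The netstat-style lines are a constructed sample, and the shortened service labels and all function names are this example's own.

```python
"""Derive a filter allow-list from the service/port table and check a listener
inventory against it (added example; not Microsoft's code)."""
import re

# Subset of the table above as {service: [(protocol, service port in), ...]}.
# Labels are shortened here; the ports are the table's "service port in" values.
SERVICE_PORTS = {
    "HTTP":                    [("TCP", 80)],
    "HTTP (SSL)":              [("TCP", 443)],
    "SMTP":                    [("TCP", 25)],
    "DNS":                     [("TCP", 53), ("UDP", 53)],
    "FTP":                     [("TCP", 20), ("TCP", 21)],
    "File shares":             [("UDP", 137), ("TCP", 139)],
    "NetBT":                   [("UDP", 137), ("UDP", 138), ("TCP", 139)],
    "RPC port mapper":         [("TCP", 135)],
    "SQL Server (TCP client)": [("TCP", 1433)],
    "SNMP":                    [("UDP", 161)],
    "Telnet":                  [("TCP", 23)],
}

# The NetBIOS over TCP/IP ports that the registry settings above are concerned with.
NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}


def allow_list(exposed_services):
    """(protocol, port) pairs a filter must permit inbound for the named services."""
    allowed = set()
    for service in exposed_services:
        allowed.update(SERVICE_PORTS[service])
    return allowed


def netbios_exposure(exposed_services):
    """Services in the chosen set whose table rows would open a NetBIOS port."""
    return sorted(s for s in exposed_services if NETBIOS_PORTS & set(SERVICE_PORTS[s]))


# Constructed sample modelled on "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:4021      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# protocol, local port, foreign address, optional state column
LISTENER = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def listeners(netstat_text):
    """(protocol, port) sockets accepting traffic: LISTENING TCP rows and every UDP row."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTENER.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found


def unexpected_listeners(netstat_text, exposed_services):
    """Listeners on the host that the allow-list for the chosen services does not cover."""
    return sorted(listeners(netstat_text) - allow_list(exposed_services))


if __name__ == "__main__":
    chosen = ["HTTP", "SMTP"]
    print("allow:", sorted(allow_list(chosen)))
    print("opens NetBIOS:", netbios_exposure(chosen + ["File shares"]))
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT, chosen):
        print(f"listener not in allow-list: {proto}/{port}")
```

The listener check deliberately ignores established connections and only counts TCP sockets in LISTENING state, so a web server's active client sessions do not show up as extra exposure; anything it reports is a service the host offers that the filter policy was not written to permit, which is exactly the gap a filter review is meant to close.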

Information in this document, including URL and other Internet web site references, is subject to change without notice.  The entire risk of the use or the results of the use of this resource kit remains with the user.  This resource kit is not supported and is provided as is without warranty of any kind, either express or implied.  The example companies, organizations, products, people and events depicted herein are fictitious.  No association with any real company, organization, product, person or event is intended or should be inferred.  Complying with all applicable copyright laws is the responsibility of the user.  Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.  Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999-2000 Microsoft Corporation.  All rights reserved.

Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.