Contents
Firewall Ports
It has been over three years since I had transitioned my career from a Senior IT Systems Engineer to one in Cybersecurity, and my day-to-day knowledge of Active Directory has slowly become a bit fuzzy. Recently, there was a need to look into what firewall ports were required for an Active Directory client machine and Domain Controller (DC) to communicate, and I was surprised that there was no clear, definite list available directly from Microsoft. I did find two articles:
- How to configure a firewall for Active Directory domains and trusts
- Service overview and network port requirements
There are many reasons why a firewall should restrict communication between two endpoints to just what is necessary, including security, compliance, and good housekeeping.
Active Directory
Microsoft’s Active Directory (AD) is a service that governs how resources can be utilized by a collection of users, groups, and computers. Enterprises use AD to authenticate, authorize, secure, and audit access within a security boundary — a Domain — to file servers, computers, emails, and more. You are given a user account (often referred to as your “network login”) to access what has been made available to you. A Domain Controller (DC) is the server that contains a copy of the AD database and is responsible for the replication of said data between all other DCs within the Domain.
To secure the company network, Active Directory uses Group Policy Objects (GPOs) to define various user- and computer-related settings, including firewall rules.
Tips: See my Active Directory Account Lockouts and Modifications article to learn how to analyze account events with Windows Event IDs and Logon Types. You can also visualize account lockout events with AD Lockout Splunk Dashboards to identify patterns. For investigating Group-related events, see my Group and Membership Changes post.
Ports: Client-DC Communication
To help with locating what ports are required for an AD client to communicate with its domain controller, we began by running a Nmap scan against the DC holding the PDC Emulator FSMO role. The PDC Emulator processes AD account lockouts.
Here is an example of a Nmap scan of a DC:
Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-02 12:05 PDT Nmap scan report for YuenX-DC1 (192.168.123.10) Host is up (0.00047s latency). rDNS record for 192.168.123.10: YuenX-DC1.yuenx.com Not shown: 892 closed ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 88/tcp open kerberos-sec Windows 2003 Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open netbios-ssn 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap | ssl-cert: Subject: commonName=ldaps.yuenx.com | Not valid before: 2022-01-01T12:14:44+00:00 |_Not valid after: 2024-02-04T14:31:28+00:00 3268/tcp open ldap 3269/tcp open globalcatLDAPssl? 3389/tcp open ms-wbt-server?
Cross-referencing the scan and the two Microsoft articles I had found, the required firewall ports are listed below:
| Server Port | Service | Protocol | Comment |
|---|---|---|---|
| 53 | DNS | TCP, UDP | |
| 88 | Kerberos | TCP, UDP | |
| 123 | W32Time (NTP or SNTP) | UDP | *Optional: Windows Server 2008 and later |
| 135 | RPC Endpoint Mapper | TCP | |
| 139 | NetBIOS | TCP | |
| 389 | LDAP | TCP, UDP | |
| 445 | SMB | TCP | |
| 464 | Kerberos Password Change | TCP, UDP | Windows Server 2008 and later |
| 636 | LDAP SSL | TCP | |
| 3268 | GC LDAP | TCP | Global Catalog |
| 3269 | GC LDAP SSL | TCP | Global Catalog Secure |
| 49152 - 65535 | RPC Dynamic (Ephemeral) | TCP, UDP | Windows Server 2000, Vista, and later |
| 1025 - 5000 | RPC Dynamic (Ephemeral) | TCP, UDP | Windows Server 2000-2008 only |
| 137-138 | NetBIOS Netlogon* | UDP | *Optional: Only when NetBIOS is required |
| Ping | ICMP | Windows Server 2003, XP only |
Notes
- Microsoft cautioned: “Not all the ports that are listed … are required in all scenarios. For example, if… you know that no clients use LDAP with SSL/TLS, you don’t have to open ports 636 and 3269”
- TCP/593 (RPC over HTTP) has been deprecated for Exchange Online/Microsoft 365
- TCP/3389 (RDP) is not needed by clients unless there is a need to perform a Remote Desktop connection to the DC. This is NOT advised for non-Active Directory administrators
RPC Dynamic (Ephemeral)
AD Users, Groups: SIDs with no Display Name
- Are the ephemeral ports required? Short answer: Yes
- RPC communication is done over those ports (range can be narrowed) and is utilized by “server applications and remote administration applications, such as [DHCP and WINS] Manager”
- A firewall administrator once refused to open the dynamic ports because he did not see any blocks in the logs at the time. For 5+ months, end users and AD administrators ran into intermittent, odd issues, including the inability to resolve SIDs when looking at resources’ Security permissions. Once another admin finally allowed those ports to go through, the AD issues went away
Credits:
– Featured Image by Israel Palacio via Unsplash
References
- Microsoft
- Complete List of Active Directory Ports and What They Do Explained
- Zscaler Private Access (ZPA): Active Directory
