I am wondering what ports can / should be closed down on a Windows 2008 webserver. Not port 80, of course, and not 3389 either, because I need a remote desktop connection.
netstat told me the server is listening on the following ports:
TCP 0.0.0.0:80 0.0.0.0:0
TCP 0.0.0.0:135 0.0.0.0:0
TCP 0.0.0.0:445 0.0.0.0:0
TCP 0.0.0.0:1311 0.0.0.0:0
TCP 0.0.0.0:3389 0.0.0.0:0
TCP 0.0.0.0:49152 0.0.0.0:0
TCP 0.0.0.0:49153 0.0.0.0:0
TCP 0.0.0.0:49154 0.0.0.0:0
TCP 0.0.0.0:49155 0.0.0.0:0
TCP 0.0.0.0:49156 0.0.0.0:0
TCP 0.0.0.0:49160 0.0.0.0:0
TCP xxx.xxx.xxx.xxx:139 0.0.0.0:0
TCP xxx.xxx.xxx.xxx:139 0.0.0.0:0
TCP [::]:80 [::]:0
TCP [::]:135 [::]:0
TCP [::]:445 [::]:0
TCP [::]:1311 [::]:0
TCP [::]:3389 [::]:0
TCP [::]:49152 [::]:0
TCP [::]:49153 [::]:0
TCP [::]:49154 [::]:0
TCP [::]:49155 [::]:0
TCP [::]:49156 [::]:0
TCP [::]:49160 [::]:0
Anything that must not be active?
EDIT: Some clarifications:
What I want is a public webserver serving HTTP (no HTTPS) requests, with remote desktop access to it. It would not be a mail / Exchange or intranet server.
The most secure web server is one with no ports open at all. But then this server has no interaction with the outside world. The answer to your question, I guess, is that only ports that need to be open should be open.
If netstat says those ports are open, then you need to understand what each of those ports is for and determine whether or not it needs to be open to allow the server to do what it needs to.
Ultimately it's all based on what your server needs to do. If it's a web server, sure, ports 80 and 443 need to be open, but if it's just an email gateway, then they don't.
Have a clear idea of what your server needs to do, and then determine what ports you need open to do that. It may even be worth your while to close all your ports (aside from 3389 if you only have remote access) and then open only those you need to make things work.
If you're only serving HTTP pages, then the only port you need open is 80 (and 3389 for RDP). If you're also serving DNS for these pages then you'll need the ports open for that, FTP, etc.
There are other questions that really need to be answered first.
445 is for Microsoft-DS (SMB over TCP). Do you need to access shares on this machine from the domain? Does this machine need to access shares in the domain?
I would imagine you should open 443 too (HTTP over TLS/SSL).
Again, more context will result in better answers.
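Both answers boil down to the same procedure: work out what each listening port in the netstat output is actually for, then block everything inbound except what the server's role needs. As an added example that is not part of this thread, the following PowerShell script does both on Windows Server 2008; it assumes PowerShell 2.0, the built-in Windows Firewall with Advanced Security and an elevated prompt, and the `$needed` and `$adminNet` values are placeholders to adjust.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008 with
# PowerShell 2.0 and the built-in Windows Firewall, run from an elevated
# PowerShell prompt. $needed and $adminNet are assumptions you adjust.

# Ports the question wants reachable from outside: HTTP and RDP only.
$needed   = @(80, 3389)
# Source addresses allowed to reach RDP. 'any' keeps it world-reachable;
# replace with your management address range to narrow exposure.
$adminNet = 'any'

# Step 1: map each LISTENING TCP port from netstat -ano to its process and
# the Windows services hosted in that process, so each port can be judged
# on what it is really for (e.g. 445 = SMB) before deciding to close it.
$report = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port   = [int]$matches[1]
        $procId = [int]$matches[2]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $svcs   = Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
                  ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Port     = $port
            PID      = $procId
            Process  = $proc.ProcessName
            Services = ($svcs -join ',')
            Keep     = ($needed -contains $port)
        }
    }
}
# IPv4 and IPv6 listeners share a port; show each port once.
$report | Sort-Object Port -Unique |
    Format-Table Port, PID, Process, Services, Keep -AutoSize

# Step 2: add the allow rules first (so the RDP session used to run this
# is not cut off), then make "block inbound" the default for all profiles.
foreach ($p in $needed) {
    $src = 'any'
    if ($p -eq 3389) { $src = $adminNet }
    netsh advfirewall firewall add rule "name=Allow-TCP-$p-in" dir=in `
        action=allow protocol=TCP "localport=$p" "remoteip=$src"
}
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Step 3: confirm what the firewall will now accept inbound.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Enabled|Action|LocalPort|RemoteIP)'
```

Ports 135, 139 and 445 stay reachable only from the host itself once the default inbound policy is block, which is the "close everything, then open what you need" approach from the first answer.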