Networking Forums


TCP Ports 1025, 1032, 1090 and 1208 on a DC?

 
 
Will
      08-07-2006, 08:18 PM
Can someone tell me what services use the subject TCP ports on a Windows
2003 domain controller?

--
Will


 
Tomasz Onyszko
      08-07-2006, 08:20 PM
Will wrote:
> Can someone tell me what services use the subject TCP ports on a Windows
> 2003 domain controller?
>

Check this KB

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
 
Tomasz Onyszko
      08-07-2006, 08:42 PM
Tomasz Onyszko wrote:
> Will wrote:
>> Can someone tell me what services use the subject TCP ports on a Windows
>> 2003 domain controller?
>>

> Check this KB
>

Sorry, I forgot about the link to KB:
http://support.microsoft.com/?kbid=832017 (sorry Will)

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
 
Will
      08-07-2006, 11:18 PM
There are a lot of ports in that document, but none of them are the ones in
my original question.

The ports in question are opened by a Windows 2003 DC, and at least the 1090
port is apparently in use by FRS between two domain controllers.

--
Will


Jorge Silva
      08-07-2006, 11:31 PM
Hi
By default, Active Directory replication over RPC (Remote Procedure Calls)
takes place dynamically over an available port via the RPC Endpoint Mapper
(RPCSS) using port 135;

Application protocol                       Protocol   Ports
Global Catalog Server                      TCP        3269
Global Catalog Server                      TCP        3268
LDAP Server                                TCP        389
LDAP Server                                UDP        389
LDAP SSL                                   TCP        636
LDAP SSL                                   UDP        636
IPsec ISAKMP                               UDP        500
NAT-T                                      UDP        4500
RPC                                        TCP        135
RPC randomly allocated high TCP ports      TCP        1024 - 65536

832017 Service overview and network port requirements for the Windows
Server system
http://support.microsoft.com/default...b;EN-US;832017

224196 Restricting Active Directory replication traffic to a specific port
http://support.microsoft.com/default...b;EN-US;224196




--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
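Because the high ports in the original question are handed out by the endpoint mapper at run time, the port number alone identifies nothing; the stable identity is the process that registered the endpoint and the service(s) it hosts. The script below is an added example, not code from the thread or from Microsoft: it joins `netstat -ano -p tcp` (listening socket plus owning PID) with `tasklist /svc` (PID plus hosted services), both of which exist on Windows Server 2003 and later, and needs PowerShell 2.0 or newer. The two here-strings are constructed sample output so it runs offline; the PIDs, image names and port-to-service pairings in them are illustrative, not a claim about what a real DC will show. Drop the two `*Text` arguments to query the local machine.

```powershell
# Added example (not from the thread): which process and service(s) own a
# listening TCP port on a DC. Sample text below is CONSTRUCTED; real output
# will differ, and a port that is not listening at the moment simply does
# not appear (dynamic RPC ports come and go, especially across reboots).

$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       600
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       600
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       1476
  TCP    10.0.1.5:1090          10.0.1.6:1041          ESTABLISHED     1476
'@ -split "`r?`n"

$SampleTasklist = @'
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 RpcSs
lsass.exe                      600 kdc,Netlogon,NTDS,PolicyAgent,SamSs
ntfrs.exe                     1476 NtFrs
'@ -split "`r?`n"

function Get-PortOwner {
    param(
        [int[]]$Port,               # ports to look up, e.g. 1025,1032,1090,1208
        [string[]]$NetstatText,     # output of 'netstat -ano -p tcp'; omit to run it now
        [string[]]$TasklistText     # output of 'tasklist /svc';       omit to run it now
    )
    if (-not $NetstatText)  { $NetstatText  = @(netstat -ano -p tcp) }
    if (-not $TasklistText) { $TasklistText = @(tasklist /svc) }

    # PID -> image name and hosted services, from tasklist /svc.
    # Image names may contain spaces, so match lazily up to the PID column;
    # the header and separator lines carry no digits and are skipped.
    $byPid = @{}
    foreach ($line in $TasklistText) {
        if ($line -match '^(\S.*?)\s+(\d+)\s+(\S.*)$') {
            $id = [int]$Matches[2]
            $byPid[$id] = @{ Image = $Matches[1]; Services = $Matches[3].Trim() }
        }
    }

    # Walk LISTENING sockets only; the PID column is the process that
    # registered the dynamic endpoint with the endpoint mapper on 135.
    foreach ($line in $NetstatText) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $p = [int]$Matches[2]
            if ($Port -contains $p) {
                $ownerPid = [int]$Matches[3]
                $image = 'unknown'; $svcs = 'unknown'
                if ($byPid.ContainsKey($ownerPid)) {
                    $image = $byPid[$ownerPid].Image
                    $svcs  = $byPid[$ownerPid].Services
                }
                New-Object PSObject -Property @{
                    Port = $p; PID = $ownerPid; Image = $image; Services = $svcs
                } | Select-Object Port, PID, Image, Services
            }
        }
    }
}

# Offline run against the constructed sample; 1208 is deliberately absent
# from the sample, so nothing is reported for it.
Get-PortOwner -Port 1025,1090,1208 -NetstatText $SampleNetstat -TasklistText $SampleTasklist |
    Format-Table -AutoSize
```

When a port maps to lsass.exe on a DC, the tasklist output lists every service lsass hosts (NTDS, Netlogon, SamSs, kdc and so on), so it does not tell you which RPC interface is bound to that particular port; for that you need an endpoint-mapper dump (for example the `rpcdump` tool from the Resource Kit) rather than a socket listing. Record the service, not the port, in any firewall request, since the port can change on the next reboot.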

 
Will
      08-08-2006, 12:39 AM
So if I am understanding this correctly, FRS was accessed via RPC, and RPC
just randomly allocated port 1090 for further communication. If we reboot
that Windows 2003 computer, all of those ports are likely to change on the
next file replication? Bummer.

ISA Server 2004 has a way to cope with such dynamic port allocations via RPC
and will dynamically open just the ports that RPC wants to open, but a
simple firewall like Windows Firewall will simply never cut the mustard
unless you leave huge ranges of ports open, which defeats the whole reason
for a firewall.

Securing RPC itself is just about impossible. We found a way to do it with
ISA Server 2004, but it was hellishly low level and tedious to work with,
extremely difficult to debug, etc. It was the kind of thing you might use
in a DMZ, and even then probably not worth the work, and would probably
compromise functionality until you reverse engineered many different RPCs.

--
Will
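The way out of the "ports change on every reboot" problem for DC-to-DC traffic is the KB 224196 that Jorge cited: pin the RPC endpoints that NTDS and FRS register to fixed ports, then a plain port filter only has to allow 135 plus those two ports between the DCs. The script below is an added example, not Microsoft's code and not from the thread; the registry key and value names are the ones documented in KB 224196, but the port numbers 50000/50001 and the peer subnet 10.0.1.0/24 are assumed values you would replace, and the firewall lines use the legacy `netsh firewall` syntax of Windows Server 2003 SP1 (on 2008 and later the equivalent is `netsh advfirewall firewall add rule`). Needs PowerShell 2.0 or newer and an elevated session for the registry writes.

```powershell
# Added example (not from the thread or from Microsoft): pin the RPC ports
# that AD replication (NTDS) and FRS (NTFRS) listen on, per KB 224196,
# and emit the matching firewall openings for a 2003-era host firewall.
# Ports 50000/50001 and the peer subnet are ASSUMED; choose unused ports.

$PinnedPorts = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  = @{ Name = 'TCP/IP Port';                Port = 50000; Label = 'AD replication (NTDS)' }
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' = @{ Name = 'RPC TCP/IP Port Assignment'; Port = 50001; Label = 'FRS replication (NTFRS)' }
}

function Set-ReplicationPorts {
    # Writes the REG_DWORD values; -DryRun only prints what would change.
    param([hashtable]$Pins = $PinnedPorts, [switch]$DryRun)
    foreach ($key in $Pins.Keys) {
        $v = $Pins[$key]
        if ($v.Port -lt 1024 -or $v.Port -gt 65535) { throw "Port $($v.Port) is out of range" }
        if ($DryRun) { 'Would set {0}\{1} = {2}' -f $key, $v.Name, $v.Port; continue }
        New-ItemProperty -Path $key -Name $v.Name -Value $v.Port -PropertyType DWord -Force | Out-Null
    }
}

function Test-ReplicationPorts {
    # Reads the values back and returns $true only if every pin is in place.
    param([hashtable]$Pins = $PinnedPorts)
    $ok = $true
    foreach ($key in $Pins.Keys) {
        $v = $Pins[$key]
        $current = $null
        $item = Get-ItemProperty -Path $key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($v.Name) }
        if ($current -eq $v.Port) { $state = 'OK' } else { $state = 'MISMATCH'; $ok = $false }
        '{0,-9} {1}\{2} = {3}' -f $state, $key, $v.Name, $current
    }
    return $ok
}

function Get-FirewallCommands {
    # Legacy 'netsh firewall' syntax (Windows Server 2003 SP1 / XP SP2).
    # scope=CUSTOM limits the opening to the peer DCs, not the whole world.
    param([hashtable]$Pins = $PinnedPorts, [string]$PeerSubnet = '10.0.1.0/24')  # ASSUMED peer subnet
    foreach ($key in $Pins.Keys) {
        $v = $Pins[$key]
        'netsh firewall add portopening protocol=TCP port={0} name="{1}" mode=ENABLE scope=CUSTOM addresses={2}' -f $v.Port, $v.Label, $PeerSubnet
    }
    # The endpoint mapper itself must stay reachable from the peers, since
    # the caller still asks 135 where the (now fixed) endpoint lives.
    'netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper" mode=ENABLE scope=CUSTOM addresses={0}' -f $PeerSubnet
}

Set-ReplicationPorts -DryRun      # review, then run without -DryRun as an administrator
Get-FirewallCommands              # paste into an elevated cmd on each DC
Test-ReplicationPorts             # after the restart below, expect $true
```

Two caveats a practitioner will hit. First, the NTDS value is only read at startup and NTDS is not a stoppable service on Windows Server 2003, so the DC has to be rebooted; FRS picks up its value after `net stop ntfrs` and `net start ntfrs`. Verify afterwards with `netstat -ano -p tcp | findstr :5000` and check that the PIDs belong to lsass.exe and ntfrs.exe. Second, this pins DC-to-DC traffic only: the same KB also documents a Netlogon pin (`DCTcpipPort` under `Netlogon\Parameters`), but client-facing interfaces such as SAMR and LSARPC in lsass still take dynamic ports, so for a client-to-DC firewall like the ISA case in this thread you must either allow the dynamic range or narrow it with the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` key described in KB 154596.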

 
Jorge Silva
      08-08-2006, 08:25 AM
Hi

> ISA Server 2004 has a way to cope with such dynamic port allocations via
> RPC
> and will dynamically open just the ports that RPC wants to open, but a
> simple firewall like Windows Firewall will simply never cut the mustard
> unless you leave huge ranges of ports open, which defeats the whole reason
> for a firewall.


Are you saying that you have ISA between DCs on the same site or between sites?
I don't see at first glance why you would want an ISA between DCs in the same
site; however, between sites you can create rules between networks that
allow you to pass the RPC traffic with no problems.

> Securing RPC itself is just about impossible. We found a way to do it
> with
> ISA Server 2004, but it was hellishly low level and tedious to work with,
> extremely difficult to debug, etc. It was the kind of thing you might use
> in a DMZ, and even then probably not worth the work, and would probably
> compromise functionality until you reverse engineered many different RPCs.


Well, you should only protect RPC traffic on untrusted networks, where the
RPC traffic isn't needed.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

 
Will
      08-08-2006, 05:47 PM
"Jorge Silva" <(E-Mail Removed)> wrote in message
news:#ppV#(E-Mail Removed)...
> Are you saying that you have ISA between DCs on the same site or between
> sites?
> I don't see at first glance why you would want an ISA between DCs in the same
> site; however, between sites you can create rules between networks that
> allow you to pass the RPC traffic with no problems.

No, the ISA Server separates clients from DCs. It does not separate DCs
from each other as long as they are in same domain.

--
Will
 
Tomasz Onyszko
      08-08-2006, 07:40 PM
Will wrote:
> No, the ISA Server separates clients from DCs. It does not separate DCs
> from each other as long as they are in same domain.

What do you mean, as long as they are in the same domain?
OK, have you run dcdiag? What was the result?

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
 
Will
      08-08-2006, 10:53 PM
"Tomasz Onyszko" <T.Onyszko_nospam_@w2k.pl> wrote in message
news:(E-Mail Removed)...
> Will wrote:
> > No, the ISA Server separates clients from DCs. It does not separate DCs
> > from each other as long as they are in same domain.
>
> What do you mean, as long as they are in the same domain?
> OK, have you run dcdiag? What was the result?

I mean if two or more DCs are in the same domain, they are placed on the
same segment together, not behind separate firewall segments.

If DCs are in different forests, we tend to put them on their own segments.
I'm sure once we start getting fancy with federated trusts and what have you
that using a firewall to separate the DCs will create lots of learning
opportunities.

DCDiag /V runs fine.

--
Will


 