Windows Services – Common Ports to Open in Firewall

Tags: firewall, port, Security, windows, windows-service

I've always had trouble finding firewall port information for some windows-based software/services. For example, http://support.microsoft.com/kb/832017 gives me the ports but there's no differentiation between INTERNAL (e.g. LAN) and the ones that are EXTERNAL (to the internet). The firewall config from Desktop to AD Server will undoubtedly be different than from AD Server to AD Server and of course from AD DNS Server to the Internet.

I want to lock down the interfaces between my desktop computers and my servers and then also between servers as well (AD to AD, etc.).

I have a hardware firewall in between the desktops and servers, and the server switch has firewall embedded as well. I want to start with NO ports allowed and then only open up what is necessary to run the services on each server. I have a lot of SQL Server, AD, DNS, Exchange, Terminal Services, etc. servers and each one has a slightly different port configuration depending on whether or not it is talking to the internet (Exchange, DNS) or the local servers (Active Directory replication, CIFS shares) or desktops (SQL Server, Terminal Services).

To make it a little more general (and useful to other people), I was hoping we could get a list of all the common Windows apps/services and the ports needed to the internet/dmz (in/out), to "trusted" LAN (server to server) (in/out), and then untrusted LAN (server to desktop).

Let me start off with a couple, please add them to the list. Also, please include whether or not this is a "default" service within Windows (e.g. Exchange isn't, but SMB would be).

Some I pulled from http://support.microsoft.com/kb/832017
http://technet.microsoft.com/en-us/library/bb124075(EXCHG.65).aspx

Remote Desktop - default if enabled
DMZ - None (usually)
T LAN - 3389 (TCP IN/OUT)
U LAN - None (or selected desktops; IT support etc.)

NT - NetBIOS - default if enabled
DMZ - None
T/U LAN - 137, 138 (UDP I/O), 139 (TCP I/O)

SMB - default
DMZ - None
T/U LAN - 445 (TCP I/O) ?

DNS - only if installed within AD
DMZ - 53 (TCP/UDP O) 
T/U LAN - 53 (TCP/UDP I/O) 
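As an added example (not from the original question or answer), here is the zone table above expressed as Windows host-firewall rules in PowerShell. It assumes the NetSecurity cmdlets of Windows Server 2012 or later, and the subnet values are placeholders for your own trusted (server) and untrusted (desktop) segments.

```powershell
# Added example, not from the original post. Subnets are assumed placeholders.
$TrustedLan   = '10.10.0.0/24'   # server-to-server segment ("T LAN")
$UntrustedLan = '10.20.0.0/22'   # desktop segment ("U LAN")

# One row per service and zone: which remote addresses may reach which local port.
# This mirrors the list above: RDP only from the trusted LAN, the rest from both LANs,
# nothing from the DMZ/internet (the perimeter firewall handles that side).
$Rules = @(
    @{ Name = 'RDP (trusted LAN only)'; Proto = 'TCP'; Port = 3389;      Remote = $TrustedLan },
    @{ Name = 'NetBIOS name/datagram';  Proto = 'UDP'; Port = 137, 138;  Remote = $TrustedLan, $UntrustedLan },
    @{ Name = 'NetBIOS session';        Proto = 'TCP'; Port = 139;       Remote = $TrustedLan, $UntrustedLan },
    @{ Name = 'SMB';                    Proto = 'TCP'; Port = 445;       Remote = $TrustedLan, $UntrustedLan },
    @{ Name = 'DNS TCP';                Proto = 'TCP'; Port = 53;        Remote = $TrustedLan, $UntrustedLan },
    @{ Name = 'DNS UDP';                Proto = 'UDP'; Port = 53;        Remote = $TrustedLan, $UntrustedLan }
)

# Start from "nothing allowed in" on every profile, then add only the rows above.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

foreach ($r in $Rules) {
    $name = "Zoned - $($r.Name)"
    # Re-runnable: replace an existing rule of the same name instead of duplicating it.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# Check: every listening TCP port with no allow rule is a service to disable,
# or to add to the table on purpose, rather than something left reachable by accident.
$allowedPorts = $Rules | ForEach-Object { $_.Port }
Get-NetTCPConnection -State Listen |
    Where-Object { $allowedPorts -notcontains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique
```

Run it from an elevated PowerShell on the server being locked down; the final listing is the "what is open that I did not intend" report to review before trusting the rule set.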

Best Answer

Your question isn't totally clear but I'll do my best...

One thing to remember is that any program can use any port it likes. That's how spyware and malware manage to thrive in some environments... by using common, well known ports and pretending to be something else.

A less malicious example would be the Skype program which will try to find a port to use but will ultimately use ports 80 (HTTP/web port) and 443 (SSL port) if it has to.

With that in mind... you should do a scan of the PC(s) in question using a program like nmap or nessus, etc... (there's A LOT of them out there) to find out what ports are open and then decide how you want to set up your firewall.

Here is a link to common port assignments to give you a starting point for what MIGHT be running on that port:

http://technet.microsoft.com/en-us/library/cc959833.aspx

For example, port 53 is commonly used for DNS. If you don't have any need for DNS or you don't have a DNS server running on that machine, you can block it.

Along that same line, you should make sure your server isn't running services it doesn't need to. If you see port 53 open on your server and you have a DNS server (you're not using) running, turn it OFF. ;-)

Hope this helps.