For added security, we're thinking of enabling the firewalls on our 2016 and 2019 servers. Currently, they're all behind our edge router/firewall, and every server has its firewall disabled. Sometimes, if the firewall is enabled and you install a program, it'll ask to create firewall rules automatically, and you're all set.
I'm going through NETSTAT with many different options/switches (i.e. NETSTAT -ano | Findstr LISTENING) to find out what ports each server is listening on and documenting them in a spreadsheet. When I began to notice many ephemeral ports being used, I suddenly realized this might not be as easy as I thought. Then I thought to come here and ask. I tried googling it, but all I find is info on how to open a port on a firewall that's already enabled. I would like to try and find out all the ports my servers are listening on so I can create firewall rules prior to enabling the firewalls. Is there a better way to do this than NETSTAT?
Thanks!
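
The port inventory described in the question, as an added PowerShell example that is not part of the original post: it lists TCP listeners and UDP endpoints with their owning process, marks loopback-only and dynamic-range entries, and writes a CSV for the spreadsheet. The output file name and the 49152 dynamic-range start (the Windows default) are assumptions.

```powershell
# Added example, run locally on each server in an elevated PowerShell session.
# Assumption: dynamic (ephemeral) ports start at the Windows default of 49152.
# Confirm on the server with: netsh int ipv4 show dynamicport tcp
$DynamicStart = 49152
$OutFile = ".\listening-ports-$env:COMPUTERNAME.csv"   # hypothetical output path

# Index running processes by PID so each endpoint can be tied to a program.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# TCP sockets in the Listen state and all bound UDP endpoints.
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$inventory = (@($tcp) + @($udp)) | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]   # $null if the process has already exited
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Protocol     = $_.Protocol
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $p.Name
        Path         = $p.ExecutablePath
        # Bound only to loopback: not reachable from other hosts.
        LoopbackOnly = $_.LocalAddress -in '127.0.0.1', '::1'
        # Dynamically assigned ports can change after a restart, so the
        # owning program is the stable thing to record, not the number.
        DynamicRange = $_.LocalPort -ge $DynamicStart
    }
} | Sort-Object Protocol, LocalPort, LocalAddress -Unique

$inventory | Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary of what is reachable from the network, grouped by program.
$inventory | Where-Object { -not $_.LoopbackOnly } |
    Group-Object Process |
    Select-Object Name, @{n='Ports';e={
        ($_.Group | ForEach-Object { "$($_.Protocol)/$($_.LocalPort)" } |
            Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize -Wrap
```

A snapshot only shows what is listening at the moment it runs, so services that start on demand will be missing unless the script is repeated over time.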