
I'd like to block unused ports on my server, so I monitor the ports with CurrPorts, and I understand some processes like lsass.exe have some dynamic ports, e.g. 49158, 49976, ... These ports might change after a service restart.

I studied the Best practices for firewall rules configuration, so I'd like to permit used ports and deny the others by a switch ACL (Access Control List). For example:

switch(conf)>ip access-list extended Firewall
switch(conf-ipacc)>permit tcp any(source-ip) any(source-port) 192.168.5.10(server-ip) 53(server-local-port) priority 10
switch(conf-ipacc)>permit tcp any any 192.168.5.10 49158 priority 50
...
switch(conf-ipacc)>deny tcp any any 192.168.5.10 any priority 1000

Question:

What can I do for dynamic ports that are constantly changing?

OS: Windows Server 2012
Server IP address: 192.168.5.10
Switch: Cisco sg-300

Arani

1 Answer

You either need to allow the entire high-ports range (49152-65535), or follow the below procedure to limit RPC traffic to a custom range.

https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls

In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.

  1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

  2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).

    For example, the new registry key appears as follows:

      Ports: REG_MULTI_SZ: 5000-6000
      PortsInternetAvailable: REG_SZ: Y
      UseInternetPorts: REG_SZ: Y

  3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive.

For Active Directory, there are numerous other ports that need to be allowed.

If you only need to allow access to specific, known systems, IPSEC would be a more secure option.

Greg Askew
  • @Tom: Vulnerable to what? You either are allowing access from specific computer(s) or you aren't. Also, those 150 ports that aren't being used aren't vulnerable because nothing would be listening on them. – Greg Askew Dec 26 '18 at 12:56
  • @Tom: A port isn't open if nothing is listening on it. You lack a fundamental understanding of Windows RPC dynamic port ranges. You also don't seem to understand that you need to supplement the network firewall/ACLs with the host-based firewall to allow communication. – Greg Askew Dec 29 '18 at 14:19
  • @Tom: All Windows computers have a host-based firewall. Same goes for Linux. – Greg Askew Jan 16 '19 at 13:44
  • Thank you, Greg. I studied more and I realized I was wrong, so I deleted my comments and updated my question. The only problem was the RPC dynamic ports that you refer to. – Arani Feb 16 '19 at 11:52