Common Firewall rules on Windows Servers
Make sure the policy's ruleset is in accordance with the server's traffic requirements prior to activating the firewall. The ruleset should encompass the essential network ports, protocols, and services that are employed by the Firewall module and diverse components within the server operating systems, alongside server-based programs.
Note
Assignment of a port number does not imply an endorsement of an application or product, and the fact that network traffic is flowing to or from a registered port does not mean that it is "safe" traffic, nor that it necessarily corresponds to the assigned service.
Firewall and system administrators should choose how to configure their systems based on their knowledge of the traffic in question, not whether there is a port number registered or not.
Prior to activating the firewall, administrators are advised to thoroughly assess and establish the regulations that authorize or limit particular forms of network communication, taking into consideration the security and operational requirements of the system. This entails the evaluation of the communication patterns necessary for the server and its applications.
Important
You may need to allow one or more of the below rules and protocols for network connectivity in a segmented network, depending on the services you provide. The ports might change in the future, or the underlying service might be customized to use another port. To find out more about the ports assigned to specific known applications, you can visit IANA.org.
For more details regarding network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system visit this page.
The rules provided in the below table are recommendations. Using the correct rules for your specific application is crucial.
Application | Local port | Remote port | Protocol | Path | Direction | Description |
---|---|---|---|---|---|---|
Allow | 1024-65535 | Any | UDP / TCP | %system%\svchost.exe | Both | Allows outgoing system traffic to be accepted. |
Allow | 1024-65535 | Any | UDP / TCP | system | Both | Allows the windows subsystem to access network resources. |
Allow | 1024-65535 | 1024-65535 | TCP | %system%\lsass.exe | Both | Allows Local Security Authority Subsystem Service (LSASS) to access network resources. |
Allow | 1024-65535 | 53 | UDP / TCP | %system%\spoolsv.exe | Both | Allows printer spooler service to connect network resources. |
Allow | 1024-65535 | 53 / 135 | UDP / TCP | %windir%\explorer.exe | Both | Allows printer spooler service to connect network resources. |
Allow | 1024-65535 | 53 | UDP / TCP | %system%\alg.exe | Both | Allows Application Layer Gateway Service to reach network resources. |
Allow | 1024-65535 | 53 | UDP | %windir%\ehome\mcx2prov.exe | Both | Allows MCX2 Provisioning library traffic (which is generally used for Microsoft Media Server) to access network resources. |
Allow | 1024-65535 | 53 | UDP | %windir%\ehome\ehshell.exe | Both | Allows MCX2 Provisioning library traffic (which is generally used for Microsoft Media Server) to access network resources. |
Allow | 53 | 1024-65535 | TCP | %system%\svchost.exe | Both | Allows incoming system traffic to be accepted. |
Allow | 53 | 1024-65535 | UDP / TCP | %system%\svchost.exe | Both | Allows incoming DNS traffic to be accepted. |
Allow | 67 | 68 | UDP | %system%\svchost.exe | Both | Allows incoming DHCP traffic to be accepted. |
Allow | 68 | 67 | UDP | %system%\svchost.exe | Both | Allows incoming DHCP traffic to be accepted. |
Allow | 88 | 1024-65535 | Any | %system%\lsass.exe | Both | Allows Local Security Authority Subsystem Service (LSASS) to access network resources. |
Allow | 123 | 88 | UDP | %system%\svchost.exe | Both | Allows incoming NTP traffic to be accepted. |
Allow | 135 | Any | TCP | %system%\svchost.exe | Both | Allows incoming Microsoft EPMAP traffic to be accepted. |
Allow | 135 | Any | TCP | system | Both | Allows incoming DCE service traffic to be accepted. |
Allow | 137 | 137 | UDP | system | Both | Allows incoming NETBIOS traffic to be accepted. |
Allow | 138 | 138 | UDP | system | Both | Allows incoming NETBIOS Datagram service traffic to be accepted. |
Allow | 139 | Any | TCP | system | Both | Allows incoming NETBIOS Session service traffic to be accepted. |
Allow | 445 | Any | TCP | system | Both | Allows incoming Microsoft DS Active Directory SMB services to be accepted. |
Allow | 500 | 500 | UDP | %system%\svchost.exe | Both | Allows ISAKMP/IKE traffic to be accepted. |
Allow | 500 | 1024-65535 | UDP | system | Both | Allows ISAKMP/IKE traffic to be accepted. |
Allow | 500 | 500 | UDP | %system%\lsass.exe | Both | Allows Local Security Authority Subsystem Service (LSASS) to access network resources. |
Allow | 1701 | 1701 | UDP | %system%\svchost.exe | Both | Allows L2TP traffic to be accepted. |
Allow | 1701 | 1024-65535 | UDP | system | Both | Allows L2TP traffic to be accepted. |
Allow | 1723 | 1024-65535 | TCP | system | Both | Allows the PPTP traffic to be accepted. |
Allow | 1900 | Any | UDP | %system%\svchost.exe | Both | Allows incoming SSDP traffic to be accepted. |
Allow | 2177 | Any | UDP / TCP | %system%\svchost.exe | Both | Allows incoming qWave traffic to be accepted. |
Allow RDP | 3389 | Any | UDP | Any | Both | Allows incoming RDP traffic to be accepted. |
Allow | 3389 | 3389 | TCP | system | Both | Allows incoming RDP traffic. |
Allow | 3390 | Any | TCP | %system%\svchost.exe | Both | Allows incoming RDP traffic to be accepted. |
Allow | 4500 | 4500 | UDP | %system%\svchost.exe | Both | Allows IPSEC NAT Traversal traffic to be accepted. |
Allow | 4500 | 1024-65535 | UDP | system | Both | Allows IPSEC NAT Traversal traffic to be accepted. |
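The following PowerShell is an added example (not part of the original page or of any product's own scripts) that turns a few rows of the table above into Windows Defender Firewall rules with the built-in NetSecurity cmdlets and then audits what was created before the firewall is switched on. It assumes that `%system%` in the table corresponds to `%SystemRoot%\System32`, that the rules belong to the Domain profile, and that the group name and the three selected rows are placeholders to be replaced with your own reviewed ruleset.

```powershell
# Added example: create and audit baseline firewall rules from the table above.
# Assumptions (adjust for your environment): %system% == %SystemRoot%\System32,
# Domain profile only, group name and selected rows are placeholders.
#Requires -RunAsAdministrator

$group = 'Server baseline (reviewed)'   # tag every rule so the set can be audited or removed together

# Constructed subset of the table. A Windows Firewall rule has exactly one direction
# and one protocol, so "Both" and "UDP / TCP" each expand into separate rules.
$rows = @(
  @{ Name = 'DNS client';  Local = '1024-65535'; Remote = '53';  Proto = 'UDP', 'TCP'; Program = '%SystemRoot%\System32\svchost.exe' }
  @{ Name = 'DHCP client'; Local = '68';         Remote = '67';  Proto = 'UDP';        Program = '%SystemRoot%\System32\svchost.exe' }
  @{ Name = 'Kerberos';    Local = '88';         Remote = '1024-65535'; Proto = 'UDP', 'TCP'; Program = '%SystemRoot%\System32\lsass.exe' }
)

function New-BaselineRule {
    param([hashtable]$Row, [ValidateSet('Inbound', 'Outbound')][string]$Direction)
    foreach ($proto in $Row.Proto) {
        # Program path restricts the rule to the process the table names, not just the port.
        New-NetFirewallRule -DisplayName "$($Row.Name) ($proto $Direction)" -Group $group `
            -Direction $Direction -Action Allow -Profile Domain -Enabled True `
            -Protocol $proto -LocalPort $Row.Local -RemotePort $Row.Remote `
            -Program $Row.Program | Out-Null
    }
}

foreach ($row in $rows) {
    foreach ($dir in 'Inbound', 'Outbound') { New-BaselineRule -Row $row -Direction $dir }
}

# Audit: join each rule in the group with its port and application filters so the
# result can be compared line by line against the intended table.
function Get-BaselineAudit {
    Get-NetFirewallRule -Group $group | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Dir     = $_.Direction
            Proto   = $port.Protocol
            Local   = ($port.LocalPort  -join ',')
            Remote  = ($port.RemotePort -join ',')
            Program = $app.Program
        }
    }
}

Get-BaselineAudit | Sort-Object Rule | Format-Table -AutoSize

# Only once the audit matches the reviewed ruleset: make unsolicited inbound traffic blocked by default.
# Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -Enabled True
```

Keeping the final `Set-NetFirewallProfile` step commented out until the audit output has been checked against the table mirrors the page's advice to establish the ruleset before activating the firewall.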