Windows Tip Sheet

Security, Security, Security

Ports are a good way in, and often remain unchecked.

Are you tired of hearing about security, yet? It seems every new week brings a new e-mail virus, security patch, or Windows hack—if not all three! This week I've been helping a customer clean up their environment. We discovered that the MyDoom virus—remember that one?—was still up and running on a number of their machines. Fortunately, they had antivirus software that could remove the thing. Pity the software hadn't been updated to prevent MyDoom in the first place, but oh, well. I mention it because many of the MyDoom variants open backdoors on computers, allowing the virus's author to access the computers remotely. This is done by opening a TCP port, and it's that port that led us to discover MyDoom on those computers in the first place.

Check Yer Ports
Ports, as you know, are the key to TCP/IP communications. All Windows computers open a number of ports for both connectionless User Datagram Protocol (UDP) traffic and for connection-oriented Transport Control Protocol (TCP) traffic. IIS, for example, usually listens on TCP port 80 for incoming HTTP traffic. It's a great idea to occasionally check your computers—especially servers—to see what ports they're listening on. That way, you can spot any unexpected ports and lock them down, if necessary. And the good news is that checking ports won't cost you a dime: Just run netstat -a from a command-line window.

Expect to see a number of ports open on the typical Windows Server 2003 or Windows XP computer. TCP port 3389 is for Remote Desktop traffic, 80 is for Web servers, 20 and 21 are for FTP servers, and so forth. Watch primarily for ports listed as "LISTENING," since those are the ports on which new traffic can be accepted by the computer. Expect to see a lot of "ESTABLISHED" connections on odd-looking port numbers: Those are generally RPC traffic, which selects a port somewhat at random to work with.

You should also expect to see a lot of port numbers, as opposed to names. Windows knows a few number-to-name translations and will list them in the netstat -a output, but for the most part you just get numbers. You can translate those numbers into protocol names by using the chart at This helpful list, maintained by the Internet Assigned Numbers Authority, is updated very frequently. It doesn't seek to be authoritative, but rather comprehensive. In other words, you may see multiple protocols listed for a single port number, meaning two different application manufacturers happened to pick that port for their product. That doesn't happen often, since manufacturers use this list to look for port conflicts before selecting ports for their products to use.
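To make the check repeatable, here is an added PowerShell example (not from the column) that runs netstat, keeps only the LISTENING TCP lines the column says to watch, and flags any port that is not on a baseline list; the baseline port values are a constructed sample, and the script assumes an elevated prompt so netstat can report the owning process ID.

```powershell
# Added example: flag unexpected LISTENING TCP ports from netstat output.
# Assumption: run from an elevated (Administrator) prompt on Windows so the
# -o column (owning process ID) is populated for every listener.

# Constructed baseline for this host; adjust per server role (e.g. 80 for IIS,
# 3389 for Remote Desktop, 135/139/445 for RPC and file sharing).
$expectedTcpPorts = @(80, 135, 139, 445, 3389)

# -a lists all ports, -n keeps numeric ports (no name lookup), -o adds the PID.
$lines = netstat -a -n -o

$listening = foreach ($line in $lines) {
    # Typical line: "  TCP    0.0.0.0:3389     0.0.0.0:0     LISTENING     1234"
    # The regex also handles IPv6 listeners such as "[::]:3389".
    if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port = [int]$Matches[2]
        $procId = [int]$Matches[3]
        [pscustomobject]@{
            LocalAddress = $Matches[1]
            Port         = $port
            PID          = $procId
            Process      = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            Expected     = ($expectedTcpPorts -contains $port)
        }
    }
}

# Full picture first, then warnings for anything outside the baseline.
$listening | Sort-Object Port | Format-Table -AutoSize
$listening | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected listener on TCP $($_.Port) (PID $($_.PID), process '$($_.Process)')"
}
```

Build the baseline from a freshly installed machine of the same role, then rerun the script on production servers; a listener that appears with no matching known process is exactly the kind of backdoor port described above.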

Micro Tip Sheet

Tired of typing "cd" to change directories at the command line? Install Microsoft's "Command Window Here" power toy. You'll be able to right-click folders in Explorer and open a command-line window in the right folder to start with.

Ever wonder why Windows Update and Software Update Services can't also process updates for things like Microsoft Office? Wonder no more, because Windows Update 5 and Software Update Services 2.0 are coming very soon, and they'll handle a much broader range of updates. [Also see "Software Update Services Overhauled," at—Editor.]

More Resources
Use a port scanner, such as the free one from, to remotely check the computers on your network for open ports.

Visit for information on viruses, like MyDoom, which may open ports on your network.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.
