
List of Ports Required for Active Directory and PKI


Ports Required for Active Directory and PKI

What are Active Directory and PKI

When it comes to managing and securing a corporate network, understanding the critical ports required for Active Directory and Public Key Infrastructure (PKI) is essential. These ports enable communication between the various network components and services that depend on each other.

Active Directory, the cornerstone of many Windows-based infrastructures, relies on specific ports to facilitate user authentication, directory services, and domain management. Similarly, PKI, responsible for digital certificates and secure communications, utilizes particular ports to ensure the integrity and confidentiality of sensitive data.

Knowing the required ports and their functions can help IT administrators implement robust security measures, optimize network performance, and troubleshoot connectivity issues more effectively. This knowledge is vital for maintaining a secure and efficient enterprise environment.

Key Takeaways

  • Active Directory requires RPC and SMB ports for domain controller communication, along with ports for ADWS, DNS, LDAP, and more.
  • PKI requires ports for services like IIS, Certificate Authority, OCSP, and CRL distribution.
  • Proper planning of port requirements is crucial for the security, performance, and stability of Active Directory and PKI.
  • Firewalls, routers, and security devices need to be configured to allow required port traffic.
  • Only open the bare minimum ports based on specific needs to avoid security risks.

Active Directory Port Requirements

Active Directory is Microsoft’s directory service that stores user accounts, passwords, and network resources. It uses various protocols and services that require access through specific ports.

LDAP and Global Catalog

  • TCP 389: LDAP is used to access the directory database to read and write directory information. LDAP queries utilize TCP port 389 by default.
  • TCP 3268: Global Catalog queries use TCP 3268 to search multiple domains efficiently. Global Catalog contains a partial replica of all domain directory partitions.

DNS

  • TCP/UDP 53: DNS name resolution requires TCP and UDP port 53 for clients to communicate with DNS servers. DNS is critical for Active Directory domain services and replication.

Kerberos Authentication

  • TCP/UDP 88: Kerberos authentication uses TCP and UDP port 88 for ticket-granting ticket requests. Port 88 must be open between clients and domain controllers.

SMB and RPC

  • TCP 445: SMB communication for file and printer sharing utilizes TCP port 445. SMB is required for Active Directory replication.
  • TCP 135: RPC dynamic port allocation requires TCP 135 to be open. Many AD services use RPC for communication.

AD Web Services

  • TCP 9389: ADWS allows the management of AD via web services. ADWS listens on TCP 9389 by default.

AD DS

  • TCP 636: LDAPS encrypted LDAP communication uses TCP 636. Required for secure LDAP binds between DCs.
  • TCP 5722: AD DS replication traffic between DCs uses TCP 5722.

Additional Ports

  • TCP 5985: WinRM listens on 5985 for PowerShell remoting used for remote administration.
  • UDP 123: NTP time synchronization utilizes UDP port 123. Accurate time is crucial for AD Kerberos authentication.
  • TCP 135 and dynamic ports: The endpoint mapper for RPC services requires TCP 135 and a range of dynamic ports.

Public Key Infrastructure Port Requirements

Public Key Infrastructure (PKI) provides certificate authorities with the ability to issue and manage digital certificates. PKI depends on various services and protocols that use specific ports.

Certificate Authority

  • TCP 80: Web enrollment uses TCP Port 80 for the CA website where certificate requests are submitted.
  • TCP 135 and dynamic ports: Certificate Authority RPC dynamic port allocation uses TCP 135.
  • TCP 443: CA web enrollment over HTTPS uses TCP 443.

Certificate Revocation Services

  • TCP 80: Certificate revocation list (CRL) distribution points are accessed via HTTP using TCP port 80 by default.
  • TCP 135 and dynamic ports: CRL publication uses RPC dynamic port allocation with TCP 135 open.

Online Certificate Status Protocol (OCSP)

  • TCP 80 or 443: OCSP responses are retrieved by clients using either TCP 80 or 443 based on configuration.

Important PKI Services

  • TCP 389: AD CS registration and AD CS web enrollment use LDAP TCP 389.
  • TCP 5722: PKI health uses AD DS replication traffic over TCP 5722.
  • TCP 5985: Certificate Authority remote administration requires WinRM TCP 5985.
  • TCP 135 and dynamic ports: Numerous PKI services like autoenrollment use RPC dynamic ports with TCP 135.

Additional Considerations for Ports

Here are some other important points for managing Active Directory and PKI ports:

  • Only open the bare minimum ports required for services in use to improve security. Unnecessary open ports increase the attack surface.
  • Configure firewalls, routers, and security devices to allow only traffic to required ports. Block all other traffic by default.
  • Group and isolate services that use dynamic RPC ports to restrict exposure to other systems.
  • Consider using non-default port assignments for services like LDAPS, HTTPS, or ADWS for additional security.
  • Monitor traffic to identify unnecessary ports in use. Close any unneeded open ports to prevent potential abuse.
  • Document all open ports with business justifications, configurations, and review processes. Maintain updated records.
  • Review required ports regularly and validate business needs to keep ports open as changes occur over time.

Final Words

Properly configuring ports for Active Directory and PKI is crucial for security, performance, and stability. Use this comprehensive list of required ports as a reference when evaluating and designing changes to port access. Only open the bare minimum ports necessary, with all other traffic denied by default.

Review port requirements regularly and monitor traffic patterns to identify and close unneeded open ports. With the right ports opened and securely managed, Active Directory and PKI services will function seamlessly.

Frequently Asked Questions about Ports for AD and PKI

What are the key ports I need open for Active Directory?

The most essential ports for Active Directory are TCP 389 (LDAP), 3268 (Global Catalog), 53 (DNS), 88 (Kerberos), 135 (RPC endpoint mapper), 445 (SMB/CIFS), 5722 (AD DS replication) and UDP 53, 88, 123 (NTP).

What ports does a domain controller need to open?

Domain controllers require ports for services like LDAP (389, 3268), Kerberos (88), RPC (135 and dynamic ports), SMB (445), DNS (53), AD DS Replication (5722), WinRM (5985) and NTP (123) to function properly and replicate between other DCs.

What firewall ports should be open for PKI?

Important firewall ports to open for PKI include 80 and 443 for Certificate Authority web enrollment, CRL and OCSP, 389 for LDAP, 5722 for replication, 5985 for remote admin, and 135 and dynamic ports for RPC services.

Can I change default ports like LDAP or HTTPS?

Yes, you can optionally change default ports, but this requires additional configuration on clients and servers to ensure they connect properly to the non-standard ports.

Should I isolate services like PKI and AD DS replication traffic?

It’s a best practice to isolate replication traffic and other dynamic RPC ports to only communicate within the AD environment and not expose them externally.

How often should I review and validate open ports?

Review required ports at least every 6 months for any changes needed. Validate all open ports to confirm they have an ongoing business justification and close any unnecessary ports immediately.

What tools can help manage and monitor open ports?

Use port scanners like nmap to validate open ports. Manage port access lists on firewalls, routers, and security groups. Monitor traffic patterns with SIEM or network performance tools.
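As an added example (not code from the original article), the following Python audit applies the article's port allow-list to nmap grepable output (-oG), which is one way to carry out the "monitor traffic and close unneeded ports" guidance above and the nmap validation suggested in this answer. The split into a "dc" and a "ca" role, the RPC dynamic port range, and the sample scan line are assumptions constructed for this example.

```python
import re

# Allow-list of (protocol, port) taken from the article's AD and PKI lists.
# Splitting them into a "dc" and a "ca" role is an assumption of this example.
REQUIRED_PORTS = {
    "dc": {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("udp", 123),
           ("tcp", 135), ("tcp", 389), ("tcp", 445), ("tcp", 636),
           ("tcp", 3268), ("tcp", 5722), ("tcp", 5985), ("tcp", 9389)},
    "ca": {("tcp", 80), ("tcp", 135), ("tcp", 389), ("tcp", 443), ("tcp", 5985)},
}
# The RPC endpoint mapper (TCP 135) hands callers off to the dynamic high-port
# range, so open ports there are expected (Windows default is 49152-65535).
RPC_DYNAMIC = range(49152, 65536)

def parse_gnmap_host(line):
    """Parse one tab-separated 'Host:' line of nmap -oG output, where each port
    entry is port/state/proto/owner/service/rpcinfo/version/. Returns (host, {(proto, port): state})."""
    host = line.split()[1]
    ports = {}
    match = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
    if match:
        for entry in match.group(1).split(", "):
            fields = entry.split("/")
            ports[(fields[2], int(fields[0]))] = fields[1]
    return host, ports

def audit_host(line, role):
    """Compare the open ports seen in a scan line with the role's allow-list and return
    (host, unexpected_open, required_not_open); a required port counts as not open only if its protocol was scanned."""
    host, ports = parse_gnmap_host(line)
    open_ports = {p for p, state in ports.items() if state == "open"}
    scanned = {proto for proto, _ in ports}
    allowed = REQUIRED_PORTS[role]
    unexpected = sorted(p for p in open_ports if p not in allowed
                        and not (p[0] == "tcp" and p[1] in RPC_DYNAMIC))
    not_open = sorted(p for p in allowed if p[0] in scanned and p not in open_ports)
    return host, unexpected, not_open

# Constructed sample line, not real scan output: a TCP scan of one DC.
SAMPLE_SCAN = (
    "Host: 10.0.0.5 (dc01.example.local)\tPorts: 53/open/tcp//domain///, "
    "88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 389/open/tcp//ldap///, "
    "445/open/tcp//microsoft-ds///, 636/open/tcp//ssl|ldap///, "
    "3268/open/tcp//ldap///, 3389/open/tcp//ms-wbt-server///, "
    "5985/open/tcp//wsman///, 49667/open/tcp//msrpc///\tIgnored State: filtered (990)"
)

if __name__ == "__main__":
    host, unexpected, not_open = audit_host(SAMPLE_SCAN, "dc")
    print(f"{host}: unexpected open {unexpected}, required but not open {not_open}")
```

For the sample DC line this flags TCP 3389 as an open port outside the allow-list and reports TCP 5722 and 9389 as required but not seen open, while the UDP entries are skipped because only TCP was scanned.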

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.