IT Connect
Information technology tools and resources at the UW

UW Network Port Blocking

Security enhancements to the UW Network

The University is making important security enhancements to protect the UW network against an increasing number of malicious attacks that put personal and University data, devices and systems at risk.

Overview

These network security changes include blocking traffic from the Internet into the UW network over specific network ports. Only inbound traffic is blocked; the blocks target the most frequently attacked network ports and are being rolled out in multiple phases:

  • Phase 1 Port Blocks (remote desktop and file-sharing applications): completed April 24, 2018
  • Phase 2 Port Blocks: Slated for implementation October 16, 2018
  • Phase 3 Port Blocks: Pending implementation in early 2019

Before the ports are blocked, significant advance notice will be provided to the University’s IT community.

If you have questions, concerns or recommendations about port blocking, please provide input to help@uw.edu. Please include “Network port blocking” in the subject line.

Phase 1 Port Blocks: Remote desktop and file-sharing applications

Implementation date: Completed April 24, 2018

Detailed information: UW Network Port Blocking Phase 1: Remote Desktop and File-Sharing Applications

List of blocked ports

Ports 135, 137, 138, 139, 445 (NetBIOS, RPC, MS-DS/SMB): Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) services provide file sharing and related services over the network. These services are constantly under attack from off-campus, are frequently vulnerable to attacks, exploits and malware, and can expose confidential or restricted data when improperly configured.

Port 3389 (RDP): Used for remote desktop connections to Windows computers. It is one of the most common ports used for “brute-force” or “dictionary” attacks (password guessing).

Port 5900 (VNC): Used by the Virtual Network Computing (VNC) protocol for remote desktop connections to computers running a VNC

Phase 2 Port Blocks: various including FTP, Telnet, and LDAP

Implementation date: Completed October 16, 2018

List of blocked ports

Port 19 (CHARGEN): The Character Generator Protocol, or chargen, is a tiny network service, often installed by default on servers, that generates a stream of characters for testing network connectivity. It is often abused for amplification attacks and does not serve any useful purpose.

Port 21 (FTP): The File Transfer Protocol (FTP) is an insecure network protocol used for remote file transfer, with passwords transmitted in clear text. Where possible, use secure copy over Secure Shell (SSH, port 22) instead. There are some legitimate uses of FTP for sharing data sets, but many of these resources have moved to HTTP, and this service may be offered only for legacy reasons.

More information: https://en.wikipedia.org/wiki/File_Transfer_Protocol

Port 23 (Telnet): Telnet, the unsecured counterpart of Secure Shell, is an insecure network protocol used for remote access, with passwords transmitted in clear text. Where possible, use Secure Shell (SSH, port 22) instead.

There are some legitimate uses of telnet on-campus for sharing data sets with external users.

Port 111 (ONC/Sun RPC): The Open Network Computing / Sun Remote Procedure Call protocol, commonly known as the port mapper service, is often installed on Unix systems providing NFS services. This service should not be exposed to the Internet, as it provides a way for an attacker to consume resources and access disk and other resources, potentially with very little authentication.

More information: https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call

Ports 161, 162 (SNMP): The Simple Network Management Protocol (SNMP) is a network management protocol commonly used to discover networks and expose information about devices.

Campus network equipment is protected, but there may be other legitimate users of SNMP on-campus that could be impacted (e.g., printers). However, printers should be on private IP addresses.

Ports 389, 636, 3268, 3269 (LDAP): Lightweight Directory Access Protocol (LDAP) services are used for directory and authentication services, including Microsoft Active Directory. In some cases, these protocols will send your password in the clear. In addition, these ports are frequently the subject of “brute-force” or “dictionary” attacks (password guessing).

LDAP is discouraged for authentication because your credentials are exposed to the application using it to authenticate (even if SSL or TLS is used). There are other legitimate uses of LDAP that might be impacted, however, especially cloud services.

Port 593 (RPC over HTTP): Remote Procedure Call (RPC) over HTTP. This protocol is typically installed on Microsoft servers running Exchange. It should not be exposed to the Internet for the same reasons as the ONC/Sun RPC port mapper above.

Ports 5985, 5986 (WinRM): Windows Remote Management (WinRM) is a protocol that can be used to remotely execute commands on Windows computers and is frequently misconfigured.

Port 9100 (PDL data stream): Page Description Language (PDL) is used by some network printers. This port is often used to perform DDoS attacks or send malicious print jobs to the printer.
Phase 3 Proposed Port Blocks

Implementation date: targeted for early 2019

List of ports

Port 0 (N/A): This is a reserved port and should not be used by applications.

Port 88 (Kerberos): Kerberos is an authentication protocol. Its port is frequently the subject of a “dictionary attack”, where many different passwords are attempted. Some cloud-based services require access to this port in order to authenticate customers; this may require a cloud VPN solution as mitigation.
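As an added example (not UW-IT's own tooling and not part of the original page), the following Python script checks a Linux host's listening sockets, as reported by `ss -lntu`, against the three block lists above and reports which services will stop receiving Internet traffic in each phase; because the block is inbound-only, listeners bound to loopback are reported as unaffected. The sample `ss` output embedded below is constructed.

```python
from collections import defaultdict

# Port lists exactly as stated on this page, keyed by phase.
BLOCKED_PORTS = {
    "Phase 1": {135, 137, 138, 139, 445, 3389, 5900},
    "Phase 2": {19, 21, 23, 111, 161, 162, 389, 636, 3268, 3269,
                593, 5985, 5986, 9100},
    "Phase 3 (proposed)": {0, 88},
}
PHASE_BY_PORT = {p: ph for ph, ports in BLOCKED_PORTS.items() for p in ports}
LOOPBACK_PREFIXES = ("127.", "[::1]")

def parse_ss_line(line):
    """Return (proto, addr, port) for one `ss -lntu` data row, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None  # header line, or a socket type we do not assess
    addr, _, port = fields[4].rpartition(":")  # keeps [::] intact
    return (fields[0], addr, int(port)) if port.isdigit() else None

def assess_listeners(ss_output):
    """Group listeners on blocked ports by the phase that will cut them off.

    The block is inbound-only, so only sockets bound to a non-loopback address
    are reachable from the Internet; loopback-only ones go to 'unaffected'."""
    report = defaultdict(list)
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None or parsed[2] not in PHASE_BY_PORT:
            continue
        _proto, addr, port = parsed
        key = ("unaffected (loopback only)" if addr.startswith(LOOPBACK_PREFIXES)
               else PHASE_BY_PORT[port])
        report[key].append(parsed)
    return dict(report)

# Constructed sample `ss -lntu` output: SSH and SMB on all interfaces,
# RDP bound to loopback only, and an SNMP agent on UDP 161.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:445          [::]:*
tcp   LISTEN 0      128        127.0.0.1:3389      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

if __name__ == "__main__":
    for phase, sockets in sorted(assess_listeners(SAMPLE_SS).items()):
        print(f"{phase}: {sockets}")
```

On a real host, replace SAMPLE_SS with the captured output of `ss -lntu` (for example via `subprocess.run`); SSH on port 22 is not in any block list and so never appears in the report.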

Exemptions

If alternative solutions for service impacts due to port blocking are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT’s Service Center at help@uw.edu with the subject line: “Network Port Blocking.”

UW unit exemptions will require the approval of your unit’s dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.

Get Help/Questions

If you need help or have any questions or concerns, please contact help@uw.edu with the subject line: “Network port blocking.”
