UW Network Port Blocking

Last updated: August 12, 2022

Security enhancements to the UW Network

The University is making important security enhancements to protect the UW network against an increasing number of malicious attacks that put personal and University data, devices and systems at risk. These network security changes include blocking traffic from the Internet into the UW network over specific network ports. If you have questions, concerns or recommendations about port blocking, please provide input to help@uw.edu. Please include “Network port blocking” in the subject line.

List of Blocked Ports

Note: Port 0 was blocked on April 10, 2019. After investigating reported issues, the block was removed April 16, 2019.

Each entry gives the port(s), the protocol, the reason for the block and the date the block took effect.

Port 19 (CHARGEN), blocked Oct 16, 2018
Character Generator Protocol, or chargen, is a tiny network service, often installed by default on servers, that generates a stream of characters for testing network connectivity. It is often abused for amplification attacks and does not serve any useful purpose.

Port 21 (FTP), blocked Oct 16, 2018
File Transfer Protocol, or FTP, is an insecure network protocol used for remote file transfer, with passwords transmitted in clear text. Where possible, use secure copy over Secure Shell (SSH, port 22) instead. There are some legitimate uses of FTP for sharing data sets, but many of these resources have moved to HTTP, and this service may only be offered for legacy reasons.
More information: https://en.wikipedia.org/wiki/File_Transfer_Protocol

Port 23 (Telnet), blocked Oct 16, 2018
Telnet, the unsecured predecessor of Secure Shell, is an insecure network protocol used for remote access, with passwords transmitted in clear text. Where possible, use Secure Shell (SSH, port 22) instead. There are some legitimate uses of telnet on campus for sharing data sets with external users.

Port 37 (Time Protocol), blocked Apr 10, 2019
Use of this port by the Time protocol is obsolete; the port receives 200GB+ of unsolicited inbound traffic per day.

Port 88 (Kerberos), blocked Apr 10, 2019
An authentication protocol. Kerberos servers are frequently the subject of a "dictionary attack", in which many different passwords are attempted. Some cloud-based services require access to this port in order to authenticate customers; this may require a cloud VPN solution as mitigation.

Port 111 (ONC/Sun RPC), blocked Oct 16, 2018
The Open Network Computing / Sun Remote Procedure Call protocol, commonly known as the port mapper service, is often installed on Unix systems providing NFS services. This service should not be exposed to the Internet, as it gives an attacker a way to consume resources and access disk and other resources, potentially with very little authentication.
More information: https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call

Ports 135, 137, 138, 139, 445 (NetBIOS, RPC, MS-DS, SMB), blocked Apr 24, 2018
Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) services provide file sharing and related services over the network. These services are constantly under attack from off campus, are frequently vulnerable to attacks, exploits and malware, and can expose confidential or restricted data when improperly configured.

Ports 161, 162 (SNMP), blocked Oct 16, 2018
Simple Network Management Protocol, or SNMP, is a network management protocol commonly used to discover networks and expose information. Campus network equipment is protected, but there may be other legitimate on-campus users of SNMP that could be impacted (e.g., printers). However, printers should be on private IP addresses.

Ports 389, 636, 3268, 3269 (LDAP), blocked Oct 16, 2018
Lightweight Directory Access Protocol, or LDAP, services are used for directory and authentication services, including Microsoft Active Directory. In some cases these protocols will send your password in the clear. In addition, they are frequently the subject of "brute-force" or "dictionary" attacks (password guessing). LDAP is discouraged for authentication because your credentials are exposed to the application you are using to authenticate (even if SSL or TLS is used). However, there are other legitimate uses of LDAP that might be impacted, especially cloud services.

Port 593 (RPC over HTTP), blocked Oct 16, 2018
Remote Procedure Call, or RPC, over HTTP. This protocol is typically installed on Microsoft servers running Exchange. It should not be exposed to the Internet for the same reasons as the ONC/Sun RPC port mapper above.

Port 1900 (SSDP/Universal Plug and Play), blocked Apr 10, 2019
Simple Service Discovery Protocol, used for discovery of Universal Plug and Play (UPnP) devices. This port is being used for amplification attacks.

Port 3389 (RDP), blocked Apr 24, 2018
Used for remote desktop connections to Windows computers. It is one of the most common ports used for "brute-force" or "dictionary" attacks (password guessing).

Port 5900 (VNC), blocked Apr 24, 2018
Used by the Virtual Network Computing (VNC) protocol for remote desktop connections to computers running VNC.

Ports 5985, 5986 (WinRM), blocked Oct 16, 2018
Windows Remote Management, or WinRM, is a protocol that can be used to remotely execute commands on Windows computers and is frequently misconfigured.

Port 9100 (PDL data stream), blocked Oct 16, 2018
Page Description Language (PDL) is used by some network printers. This port is often used to perform DDoS attacks or to send malicious print jobs to the printer.
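The practical question for a unit is which of its own services the border block will affect. The following Python script is an added example, not UW-IT code: it carries the port list from the table above, audits a constructed sample of `ss -H -l -n -t -u` output for listeners bound to non-loopback addresses on those ports, and renders a host-firewall analogue of the block as nftables rules. The sample sockets, the 10.20.30.40 address and the table name uw_portblock are made up for the demonstration, and since the page does not say whether each port is blocked for TCP, UDP or both, the generated rules drop both.

```python
"""Audit a host's listening sockets against the UW inbound port-block list.

Constructed example, not UW-IT code. The port list is taken from the table
above; the sample `ss` output and addresses are made up for the demo.
"""
import ipaddress

# Ports the page lists as blocked for inbound traffic from the Internet,
# labelled with the service name the page gives for each one.
BLOCKED_PORTS = {
    19: "CHARGEN", 21: "FTP", 23: "Telnet", 37: "Time", 88: "Kerberos",
    111: "ONC/Sun RPC", 135: "RPC", 137: "NetBIOS", 138: "NetBIOS",
    139: "NetBIOS", 445: "SMB", 161: "SNMP", 162: "SNMP", 389: "LDAP",
    636: "LDAP", 3268: "LDAP", 3269: "LDAP", 593: "RPC over HTTP",
    1900: "SSDP/UPnP", 3389: "RDP", 5900: "VNC", 5985: "WinRM",
    5986: "WinRM", 9100: "PDL data stream",
}

# Constructed sample in the shape of `ss -H -l -n -t -u` output (no header):
# Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128     0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:5900    0.0.0.0:*
tcp   LISTEN 0 128     0.0.0.0:3389    0.0.0.0:*
udp   UNCONN 0 0       0.0.0.0:161     0.0.0.0:*
tcp   LISTEN 0 4096       [::]:445        [::]:*
tcp   LISTEN 0 128  10.20.30.40:9100    0.0.0.0:*
"""


def classify_address(addr):
    """Return 'loopback', 'private' or 'exposed' for a socket's bind address."""
    if addr == "*":
        return "exposed"                # ss prints '*' for a wildcard bind
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:               # 0.0.0.0 / :: listen on every interface
        return "exposed"
    if ip.is_private:                   # RFC 1918 / ULA: not routed from the Internet
        return "private"
    return "exposed"


def audit_listeners(ss_output):
    """Parse ss-style lines and report listeners on blocked ports.

    Returns a list of (protocol, port, service, bind address, classification)
    tuples, one per socket whose local port is on the block list. Loopback-only
    sockets are skipped because a border block cannot affect them.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in BLOCKED_PORTS:
            continue
        exposure = classify_address(addr)
        if exposure == "loopback":
            continue
        findings.append((proto, int(port), BLOCKED_PORTS[int(port)], addr, exposure))
    return findings


def nft_block_rules():
    """Render a host-firewall analogue of the border block as nftables rules.

    Assumption: the page does not state TCP vs UDP per port, so both are
    dropped. A host rule cannot tell campus from Internet sources; if
    on-campus access must keep working, add an accept for your unit's own
    source ranges (site-specific, not given on the page) before the drops.
    """
    ports = ", ".join(str(p) for p in sorted(BLOCKED_PORTS))
    return "\n".join([
        "table inet uw_portblock {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        '    iif "lo" accept',
        f"    tcp dport {{ {ports} }} drop",
        f"    udp dport {{ {ports} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for proto, port, service, addr, exposure in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto}/{port:<5} {service:<16} bound to {addr:<12} -> {exposure}")
    print(nft_block_rules())
```

On a real host, feed the output of `ss -H -l -n -t -u` to `audit_listeners`; an "exposed" finding is a service that will stop being reachable from the Internet once the block applies and is therefore a candidate for an alternative (such as SSH in place of FTP or telnet, or a VPN) or for an exemption request. A "private" finding is bound to an RFC 1918 address and, as the page notes for printers, is not directly reachable from the Internet in the first place.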


Exemptions

If alternative solutions for service impacts due to port blocking are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT’s Service Center at help@uw.edu with the subject line: “Network Port Blocking.”

UW unit exemptions will require the approval of your unit’s dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.

Get Help/Questions

Detailed information related to the blocks affecting RDP and SMB: UW Network Port Blocking Phase 1: Remote Desktop and File-Sharing Applications

If you need help or have any questions or concerns, please contact help@uw.edu with the subject line: “Network port blocking.”