Default Open Ports in Windows

One of the truly rewarding aspects of the goal to "write what you don't know" is that as you go through the process of learning enough about a topic to write about it, you are constantly surprised by new unknowns along the way.

I'm working towards a better understanding of Nmap's plumbing, but to do that justice I spent some time in the lab documenting the default state of various Windows operating systems and configurations.

Scan Results

Nmap settings: nmap -Pn -sU -sS -T4 -p 1-65535

Scans were performed from a Linux host on the same subnet as the target VM.

Target	Open TCP	Open UDP
Windows 7, Standalone	None	None
Windows 7, Domain Member	135	None
Windows 10, Standalone	None	None
Windows 10, Domain Member	135	None
Server 2008 R2, Standalone	135, 445	None
Server 2008 R2, Domain Member	135, 445	None
Server 2008 R2, Domain Controller	53, 88, 135, 389, 445, 464, 593, 636, 3268, 3269, 5722, 9389	53, 123, 389
Server 2016, Standalone	135, 139, 445, 5985	137
Server 2016, Domain Member	5985	None
Server 2016, Domain Controller	53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389	53, 123, 137, 389

Some Notes

Standalone Windows 7/10 used the "Public" location when prompted.
File and Print Sharing opens: tcp/135, tcp/445, tcp/139, tcp/5985.
Server 2016 DCs have tcp/139 open as well as tcp/137. 2008R2 DCs do not.

What do we need so many ports for?!

Port	Protocol	Description
53	TCP/UDP	DNS
88	TCP	Kerberos
123	UDP	NTP
135	TCP	RPC
137	UDP	NetBIOS Name Services (NBNS). Translate names to IPs.
139	TCP	NetBIOS Session Services (NBSS). Establish sessions.
389	TCP/UDP	LDAP
445	TCP	SMB
464	TCP	Kerberos Password
593	TCP	RPC over HTTPS
636	TCP	LDAPS
3268	TCP	Global Catalog
3269	TCP	Global Catalog
5722	TCP	RPC (DFSR)
5785	TCP	WinRM
9389	TCP	Active Directory Web Services

Thanks

@pixlblur for saving me from doing a few scans

Default Open Ports in Windows

Scan Results

Some Notes

Thanks

References