AD Related network settings - ToddMaxey/Technical-Documentation GitHub Wiki
This page is divided into two major parts:
Ephemeral (dynamic) ports are assigned by the operating system when a network service does not request a specific port. Windows allows for controlling the start and end range of ephemeral ports for both TCP and UDP via registry settings.
For Windows Server 2008 and later (including Windows 10/11, Server 2016/2019/2022):
| Setting | Registry Path | Value Name | Type | Description |
|---|---|---|---|---|
| Highest Port | `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` | `MaxUserPort` | REG_DWORD | Highest port in the ephemeral range (default: 65535) |
| Number of Ports | `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` | `MaxUserPort` | REG_DWORD | Number of ports used in the dynamic range |
| Start Port | `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` | `StartPort` | REG_DWORD | Less common; may require `ReservedPorts` setup |
When constraining dynamic port ranges or assigning fixed ports, ensure:

- Firewall exceptions are created.
- Conflicts are avoided with reserved or ephemeral port ranges.
- Group Policy, if applicable, is checked for overriding values.
For high-security environments, fixed port mapping via registry is critical to minimize firewall aperture and lateral threat exposure.
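The following PowerShell audit script is an added example, not code from this wiki: it reads the effective TCP/UDP dynamic range and the registry values from the table above, then checks a proposed fixed service port against the checklist (no overlap with the dynamic or `ReservedPorts` ranges, and an enabled inbound firewall rule). The port number 38901 and the use of the `Internet` TCP setting template are assumptions; run it elevated on Windows Server 2012 / Windows 10 or later, where the NetTCPIP and NetSecurity modules are present.

```powershell
# Added example (not the wiki's own code): audit the ephemeral port range and
# validate a planned fixed port before pinning a service to it.
param([int]$FixedPort = 38901)   # hypothetical port you intend to assign

$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$findings = @()

# 1. Effective dynamic ranges as the stack reports them (authoritative on 2008+).
$tcp = Get-NetTCPSetting -SettingName Internet   # assumed template name
$udp = Get-NetUDPSetting
$ranges = @(
    @{ Proto = 'TCP'; Start = $tcp.DynamicPortRangeStartPort; Count = $tcp.DynamicPortRangeNumberOfPorts }
    @{ Proto = 'UDP'; Start = $udp.DynamicPortRangeStartPort; Count = $udp.DynamicPortRangeNumberOfPorts }
)
foreach ($r in $ranges) {
    $end = $r.Start + $r.Count - 1
    '{0} dynamic range: {1}-{2} ({3} ports)' -f $r.Proto, $r.Start, $end, $r.Count
    if ($FixedPort -ge $r.Start -and $FixedPort -le $end) {
        $findings += "Port $FixedPort lies inside the $($r.Proto) dynamic range"
    }
}

# 2. Registry values from the table; an absent value means the default applies.
$reg = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
foreach ($name in 'MaxUserPort', 'StartPort', 'ReservedPorts') {
    $val = $reg.$name
    'Registry {0} = {1}' -f $name, $(if ($null -eq $val) { '<not set>' } else { $val -join ', ' })
}
# ReservedPorts is REG_MULTI_SZ of "start-end" entries withheld from dynamic allocation.
$reserved = foreach ($entry in @($reg.ReservedPorts)) {
    if ($entry -match '^(\d+)-(\d+)$') { [pscustomobject]@{ Lo = [int]$Matches[1]; Hi = [int]$Matches[2] } }
}
$hit = $reserved | Where-Object { $FixedPort -ge $_.Lo -and $FixedPort -le $_.Hi }
if ($hit) { $findings += "Port $FixedPort is inside ReservedPorts range $($hit.Lo)-$($hit.Hi); confirm the reservation is intended" }

# 3. Firewall exception: an enabled inbound Allow rule naming exactly this port.
#    (Rules using port ranges or 'Any' are not matched by this simple equality check.)
$rules = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq $FixedPort } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if (-not $rules) { $findings += "No enabled inbound TCP Allow rule for port $FixedPort" }

if ($findings) { 'FINDINGS:'; $findings | ForEach-Object { " - $_" } }
else { "No conflicts found for port $FixedPort" }
```

Group Policy overrides are not visible to these cmdlets, so the third checklist item (GPO-set values) still has to be confirmed with `gpresult` or the Group Policy editor.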