Ports and Services Report 1.15 PDF

GE Controls Solutions
Ports and Services

Required for Normal and Emergency
Operations
GE Controls Solutions has compiled a list of the TCP/IP and UDP/IP ports and system
services that reflect default configurations for the devices and software indicate.
Adapting the NERC Cyber Security Infrastructure Protection (CIP) and NEI 08-09
terminologies, GE Controls Solutions defines:
Ports as open ports on the access control list (firewall) into and out of the
electronic security perimeter, and
Services as running services on the operating systems which support critical
applications (that is, services running on critical cyber assets or critical digital
assets.)
GE Controls Solutions provides the enclosed report based on the hardware platform,
the selection of options, and default configurations.
This list is a working document as we continuously improve the list for later releases
of GE Controls Solutions Offerings and ensure completeness and accuracy. Your
partnership is reviewing the list that is generated for your assets and notifying us of
any discrepancies will greatly help GE Controls Solutions Services ongoing effort in
improving the ports and services list. Please send comments and changes to Steve
Copelin, GE Energy Services, at security@ge.com
Page 1 of 676
Page 2 of 676
GE Ports and Services Version 1.1.5 18-Sep-17
Device Type:
Active Directory
Device Specifics:
Active Directory 2003
Port: TCP 25
Service/Program:
smtp
Description:
Port is used by SMTP (Simple Mail Transfer Protocol) which allows email messages to be
sent between mail servers. In some cases, it might be possible that SMTP is used to send
system generated messages such as alarms to email clients or text messengers. This is
extremely rare and end-users should be aware if these systems are in place.
Vulnerability:
There are dozens of worms, Trojans, and backdoors that use this port for a plethora of
pernicious purposes.
Enable/Disable: Conditions:
Disable-Enable In exceptional cases where messaging or texting
services are used, a more secure methodology should
be considered to replace the existing system.
Procedure to Disable:
Reboot Required?:
Page 3 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3268
Service/Program:
LDAP GC
Description:
Port used by Windows for Directory, Replication, User and Computer Authentication,
Group Policy, Trusts.
Vulnerability:
Enable TCP Port 3268 is required to support Policies, Trusts,
Authentication and Directory Services
Reboot Required?:
Page 4 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3269
Service/Program:
LDAP GC SSL
Description:
Vulnerability:
Reboot Required?:
Page 5 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 389
Service/Program:
ldap
Description:
Vulnerability:
Reboot Required?:
Page 6 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 464
Service/Program:
Kerberos
Description:
Port is used by Kerberos change/set password function
Vulnerability:
Enable TCP Port 464 is required for the Kerberos change/set
password function
Reboot Required?:
Page 7 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 53
Service/Program:
DNS Service
Description:
Port used by Windows for User and Computer Authentication, Name Resolution, Trusts
Vulnerability:
Enable TCP Port 53 iis required for DNS (Domain Name
Service) to function
Reboot Required?:
Page 8 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 5722
Service/Program:
RPC
Description:
File Replication
Vulnerability:
Enable TCP Port 5722 is required for RPC file replication
Reboot Required?:
Page 9 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 636
Service/Program:
LDAP SSL
Description:
Vulnerability:
Reboot Required?:
Page 10 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 88
Service/Program:
Kerberos
Description:
Port used by Windows for User and Computer Authentication, Forest Level Trusts
Vulnerability:
Enable TCP Port 88 is required for Kerberos User and
Computer Authentication and Forest level Trusts
Reboot Required?:
Page 11 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 9389
Service/Program:
SOAP
Description:
Port is used by Active Directory Web Management Services
Vulnerability:
Enable TCP Port 9389 is required to support Active Directory
Web Management Services
Reboot Required?:
Page 12 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 389
Service/Program:
ldap
Description:
Vulnerability:
Enable UDP Port 389 is required to support Policies, Trusts,
Reboot Required?:
Page 13 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 464
Service/Program:
Kerberos
Description:
Vulnerability:
Enable UDP Port 464 is required for the Kerberos change/set
password function
Reboot Required?:
Page 14 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 53
Service/Program:
DNS Service
Description:
Vulnerability:
Enable UDP Port 53 is required for DNS (Domain Name
Reboot Required?:
Page 15 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 88
Service/Program:
Kerberos
Description:
Vulnerability:
Enable UDP Port 88 is required for Kerberos User and
Reboot Required?:
Page 16 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 25
Service/Program:
smtp
Description:
Vulnerability:
Reboot Required?:
Page 17 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3268
Service/Program:
LDAP GC
Description:
Vulnerability:
Reboot Required?:
Page 18 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3269
Service/Program:
LDAP GC SSL
Description:
Vulnerability:
Reboot Required?:
Page 19 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 389
Service/Program:
ldap
Description:
Vulnerability:
Reboot Required?:
Page 20 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 464
Service/Program:
Kerberos
Description:
Vulnerability:
password function
Reboot Required?:
Page 21 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 47001
Service/Program:
WinRM
Description:
Windows Remote Management Service used for managing Windows Servers locally and
remotely
Vulnerability:
Enable TCP Port 47001 is required to support common
Windows Hardware management features
Reboot Required?:
Page 22 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 53
Service/Program:
DNS Service
Description:
Vulnerability:
Enable TCP Port 53 iis required for DNS (Domain Name
Reboot Required?:
Page 23 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 5722
Service/Program:
RPC
Description:
File Replication
Vulnerability:
Enable TCP Port 5722 is required for RPC file replication
Reboot Required?:
Page 24 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 593
Service/Program:
RPCEPTMapper
Description:
Port used for DCOM support in RPC over http
Vulnerability:
Enable TCP Port 593 is required to support DCOM support in
RPC over HTTP
Reboot Required?:
Page 25 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 636
Service/Program:
LDAP SSL
Description:
Vulnerability:
Reboot Required?:
Page 26 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 88
Service/Program:
Kerberos
Description:
Vulnerability:
Reboot Required?:
Page 27 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 9389
Service/Program:
SOAP
Description:
Port is used by Active Directory Web Management Services
Vulnerability:
Enable TCP Port 9389 is required to support Active Directory
Web Management Services
Reboot Required?:
Page 28 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 9876
Service/Program:
WinRM
Description:
Port used by Windows for Windows Hardware Management features
Vulnerability:
Enable TCP Port 9876 is required to support common
Windows Hardware management features
Reboot Required?:
Page 29 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 389
Service/Program:
ldap
Description:
Vulnerability:
Enable UDP Port 389 is required to support Policies, Trusts,
Reboot Required?:
Page 30 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 464
Service/Program:
Kerberos
Description:
Vulnerability:
password function
Reboot Required?:
Page 31 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 53
Service/Program:
DNS Service
Description:
Vulnerability:
Reboot Required?:
Page 32 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 5355
Service/Program:
DNS Cache
Description:
Port used for Domain Name Service Cache communication
Vulnerability:
Enable TCP Port 5355 is required to support DNS (Domain
Name Service)
Reboot Required?:
Page 33 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 88
Service/Program:
Kerberos
Description:
Vulnerability:
Reboot Required?:
Page 34 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3268
Service/Program:
LDAP GC
Description:
Vulnerability:
Reboot Required?:
Page 35 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 3269
Service/Program:
LDAP GC SSL
Description:
Vulnerability:
Reboot Required?:
Page 36 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 389
Service/Program:
ldap
Description:
Vulnerability:
Reboot Required?:
Page 37 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 464
Service/Program:
Kerberos
Description:
Vulnerability:
password function
Reboot Required?:
Page 38 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 53
Service/Program:
DNS Service
Description:
Vulnerability:
Reboot Required?:
Page 39 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 593
Service/Program:
RPCEPTMapper
Description:
Port used for DCOM support in RPC over http
Vulnerability:
Enable TCP Port 593 is required to support DCOM support in
RPC over HTTP
Reboot Required?:
Page 40 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 636
Service/Program:
LDAP SSL
Description:
Vulnerability:
Reboot Required?:
Page 41 of 676
Device Type:
Active Directory
Device Specifics:
Port: TCP 88
Service/Program:
Kerberos
Description:
Vulnerability:
Reboot Required?:
Page 42 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 123
Service/Program:
ntp
Description:
Port is used by the Network Time Protocol (NTP) for synchronizing the time system across
all devices on the network that are time stamping data.
Vulnerability:
In addition to a few reported Trojans and threats, attackers can alter the time on host
systems to achieve a variety of undesirable outcomes such as making logs inaccurate,
keeping Kerberos tickets alive longer than their configured life and forcing schedule tasks
to stop or run at incorrect times.
Enable UDP Port 123-NTP is required to support NTP
(Network Time Protocol) which is required on GE
systems. GE strongly recommends the use of secure
time servers provided on the GE provided LAN
(UDH/PDH) as well as blocking Port 123 from access by
untrusted computers or networks.
Reboot Required?:
Page 43 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 53
Service/Program:
DNS Service
Description:
Vulnerability:
Reboot Required?:
Page 44 of 676
Device Type:
Active Directory
Device Specifics:
Port: UDP 88
Service/Program:
Kerberos
Description:
Vulnerability:
Reboot Required?:
Page 45 of 676
Device Type:
Advantech Keypad
Device Specifics:
Exciter Keypad
Port: TCP 443
Service/Program:
https
Description:
Port is used by secure/encrypted HTML (i.e. HTTPS). This is used extensively by secure
websites and for secure transmission of data over the internet.
Vulnerability:
Several known vulnerabilities are associated with this port.
Disable Note that if this port is disabled, you will not be able to
use browser access to secure internet sites or to
provide secure internet service access through IIS or
similar services. GE does not recommend using these
services.
If local requirements for this port exist, then every

precaution to address the known vulnerabilities (OS
Patching, virus passive and active protection, firewalls,
software versions/patches) are implemented.
Reboot Required?:
Page 46 of 676
Device Type:
Advantech Keypad
Device Specifics:
Exciter Keypad
Port: TCP 80
Service/Program:
http
Description:
Port is used for http client (typically browsers) to interface to http services such as IIS,
Apache or Silverlight/WebSlinger.
Vulnerability:
Numerous known vulnerabilities.
Disable
Reboot Required?:
Page 47 of 676
Device Type:
Advantech Keypad
Device Specifics:
Exciter Keypad
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 48 of 676
Device Type:
Advantech Keypad
Device Specifics:
Exciter Keypad
Port: UDP 161
Service/Program:
snmp
Description:
Port may be used by Simple Network Management Protocol (SNMP) to communicate
logging and management network information via the network.
Vulnerability:
There are many vulnerabilities reported for this port.
Disable-Enable Unless the system is configured to use the GE Network
Monitoring Services, the HMI should have this port
Disabled.
GE recommends that SNMP be Disabled on all network
appliances unless the GE Network Monitoring Services
or local IT systems require the use of these services.
GE recommends and offers RADIUS, SSH and Syslog
solutions for these devices that are more secure.
If SNMP is used by the device, care should be taken to
only allow connections on this port from trusted
computers or networks.
Reboot Required?:
Page 49 of 676
Device Type:
Aux I/O Modules
Device Specifics:
VersaMax
Port: TCP 21
Service/Program:
ftp
Description:
Port is used by ftp (File Transfer Protocol) service. This protocol is used to transfer files to
and from the host device.
Vulnerability:
Numerous vulnerabilities reported for this port. In addition to the Trojan and worm type
vulnerabilities, the non-encrypted nature of the protocol allows for a variety of snooping
and injection attacks. The nature of the use of this port is also problematic since
malicious files can be uploaded into the target device.
Disable-Enable Disable ftp in favor of RADIUS or device proprietary
management of configuration files. Optionally,
temporarily enabling ftp for a required purpose, then
disabling it would be preferable to leaving the service
open all the time.
Reboot Required?:
Page 50 of 676
Device Type:
Aux I/O Modules
Device Specifics:
VersaMax
Port: UDP 18246
Service/Program:
EGD
Description:
Port is used by Ethernet Global Data (EGD) service which is used extensively for data
transfers between Controllers and HMIs.
Vulnerability:
Disable-Enable When EGD services are in use Port 18246 is required.
Care should be taken to block access to this port from
untrusted computers and networks.
Reboot Required?:
Page 51 of 676
Device Type:
Aux I/O Modules
Device Specifics:
VersaMax
Port: UDP 91-97
Service/Program:
Description:
Ports used for communication from Proficy ME to VersaMax modules.
Vulnerability:
Disable-Enable Should ONLY be present in systems running VersaMax
I/O
Reboot Required?:
Page 52 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
Toolbox.exe
Description:
Ports are used by Toolbox application. OS Assigned Ephemeral Ports may be assigned for
Client Side Connections.
Vulnerability:
No known vulnerabilities have been associated with these ports.
Disable-Enable These ports are required by workstations that are
using the GE eTCSS Toolbox application. If the
workstation is not using this application, then these
ports are not required and should be Disabled.
When the ports are Enabled, care should be taken to
block access to these ports from untrusted computers
and networks.
Reboot Required?:
Page 53 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
GeCssHmiFileUtil
Description:
This service creates the CIMPLICITY project files related to communciation to
WorkstationST.
Vulnerability:
Disable-Enable Enabled automatically when running Workstation HMI
in project mode. Should NOT be present in an
Advanced Viewer only application.
Reboot Required?:
Page 54 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
GeCssTci.exe
Description:
Required for GE Energy WorkstationST
Vulnerability:
Enable
Reboot Required?:
Page 55 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
GESimAlm.exe
Description:
Only present when ControlST controller simulation is running.
Vulnerability:
Disable-Enable Enable when running controller simulation
Reboot Required?:
Page 56 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
GESimApp.exe
Description:
Only present when ControlST controller simulation is running.
Vulnerability:
Reboot Required?:
Page 57 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
WorkstationSTService.exe
Description:
Main Workstation Service that monitors and manages all other Workstation services. OS
Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Enable
Reboot Required?:
Page 58 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
PerformanceCounter.exe
Description:
Only present when WorkstationST Performance Counter is running
Vulnerability:
Disable-Enable Enable when running WorkstationST Performance
Counters
Reboot Required?:
Page 59 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
RecorderDiagnosticUpload.exe
Description:
Required for Toolbox recorder feature.
Vulnerability:
Enable
Reboot Required?:
Page 60 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
SimulatorUI.exe
Description:
Only present on systems running controller simulations
Vulnerability:
Reboot Required?:
Page 61 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: NONE n/a
Service/Program:
SMSvcHost.exe
Description:
This is part of the Microsoft .NET framework required to run ControlST and WorkstationST
Vulnerability:
Enable
Reboot Required?:
Page 62 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 1616
Service/Program:
GeCssAmGateway
Description:
Port is used only when Acoustic Monitoring Gateway feature is configured (AMG).
Vulnerability:
No known vulnerabilities have been associated with this port.
Disable-Enable This service can be disabled by deselecting this feature
in Workstation and performing a Workstation Build
and Download.
Reboot Required?:
Page 63 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 4840
Service/Program:
OPC.Ua.DiscoveryServer.exe
Description:
Port, when present, used by ControlST software and is an integral part of the
communication system OPC UA. OS Assigned Ephemeral Ports may be assigned for Client
Side Connections.
Vulnerability:
Enable GE systems using ControlST 4.5 and up require the use
of this port for OPC UA. GE strongly recommends that
this port be blocked from access by untrusted
computers and networks. The use of strong passwords
and best practice password management as well as
restrictive file sharing strategies are also strongly
recommended.
Reboot Required?:
Page 64 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 4843
Service/Program:
opcua-tls
Description:
Port, when present, used by ControlST software and is an integral part of the
communication system OPC UA
Vulnerability:
of this port for OPC UA. GE strongly recommends that
recommended.
Reboot Required?:
Page 65 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 49152-65538 (See
Service/Program:
EgdCfgServer.exe
Description:
Port is used as the EGD Configuration Server port. OS Assigned Ephemeral Ports may be
assigned for Client Side Connections.
Vulnerability:
Disable-Enable If the device is not using WorkstationST or is not using
the WorkstationST EGD Configuration Server feature,
Port 7938 should be Disabled.
If the device is running the WorkstationST EGD
Configuration Server feature, Port 7937 is required and
should be Enabled. Care should be taken to assure
that this port is blocked from access by untrusted
computers and networks. NOTE: There should only be
One WorkstationST computer configured as an EGD
Configuration Server in a system.
Reboot Required?:
Page 66 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 501-503
Service/Program:
GeCssModbus
Description:
Port 502 is the STANDARD IANA listed Modbus port. This port is also used by asa-appl-
pronto which is the reason for the backup ports of 501 and 503. OS Assigned Ephemeral
Ports may be assigned for Client Side Connections (to controllers)
Vulnerability:
Port 502 does have reported vulnerabilities.
There are no specific vulnerabilities listed for Ports 501 and 503.
Disable-Enable If Ports 501, 502 or 503 are not used for Modbus
Communications, the port should be Disabled.
If any of these ports are used for Modbus

Communications, the port should remain Enabled;
however the system firewalls should be configured to
only allow traffic between the devices that require it.
Reboot Required?:
Page 67 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 5150
Service/Program:
GeCssSdb
Description:
Port is used by the GE System Database (SDB) Server when enabled in Workstation. This
service (GeCssSdb.exe) manages the System Database used by all legacy controllers which
includes Mark VI, EX2100, and LCI_LS2100 controllers.
Vulnerability:
There are known vulnerabilities associated with this port.
Disable-Enable If the workstation has SDB configuration requirements
as noted in the Description, this port should be
Enabled. Otherwise, the port should be Disabled.
If Enabled, care should be taken to block access to this
port from untrusted computers and networks.
Reboot Required?:
Page 68 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 5310-5312
Service/Program:
GE System Data Interface
Description:
Ports are used by the GE proprietary System Data Interface (SDI) protocol. This protocol
is used for system maintenance, configuration, data transfers, and alarming diagnostics.
OS Assigned Ephemeral Ports may be assigned for Client Side Connections. OS Assigned
Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
No known vulnerabilities have been associated with these ports. This protocol is
unencrypted so it is exposed to possible reverse engineering and spoofing attacks.
Enable Ports 5310, 5311, and 5312 are required for normal
operations and must be Enabled. Care should be taken
to block access to these ports from untrusted
computers and networks.
A secure, certificate based version of this protocol is
being developed for current products (June 2012) but
will not be available in legacy systems. A service
maintenance program may be available for site
upgrades of Mark VIe controllers. Due to controller
processing capabilities, encryption of this protocol will
not be employed.
Reboot Required?:
Page 69 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 5311
Service/Program:
WorkstationSTService.exe
Description:
Main Workstation Service that monitors and manages all other Workstation services. OS
Vulnerability:
Enable Port 5311 is required on all WorkstationST configured
systems. When enabled, care should be taken to block
access to this port from untrusted computers or
networks.
Reboot Required?:
Page 70 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 5631
Service/Program:
awhost32.exe - PCAnywhere Host
Description:
Port is used by the GE On-Site Monitoring (OSM) system to enable remote configuration
access to the OSM computer. In some implementations, PCAnywhere clients are installed
on HMI systems to expand the ability to do remote diagnostics and configurations on HMI
systems. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
When configured as recommended (only allowing EXACT IP addresses), there are no
vulnerabilities associated with this port.
Disable-Enable If the device does not use OSM, Port 5631 should be
Disabled.
If there are requirements to remotely configure an
HMI box or use it to perform remote diagnostic
activities, Port 5631 should ONLY be Enabled for use
on a limited and monitored basis through an
appropriately secure private connection (i.e. VPN).
Reboot Required?:
Page 71 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 64121
Service/Program:
GeCssOpcUAServer
Description:
Port is used only when OPC UAServer feature is enabled (OPC UA). OS Assigned
Vulnerability:
and Download.
Reboot Required?:
Page 72 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 64123
Service/Program:
GeCssControlSystemHealth
Description:
Port is used only when Control System Health feature is enabled. (Device Side Server
Port). OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
and Download.
Reboot Required?:
Page 73 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7050
Service/Program:
GeCssControlSystemHealth
Description:
Port is used only when Control System Health feature is enabled. (Workstation Side
Server Port). OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
and Download.
Reboot Required?:
Page 74 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7070
Service/Program:
almrcv.exe
Description:
Port is used by the GE Alarm Receiver Subsystem. OS Assigned Ephemeral Ports may be
Vulnerability:
Enable This port is required. Care should be taken to assure
that this port is blocked form access by untrusted
Reboot Required?:
Page 75 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7071
Service/Program:
GE wkstnST Cimplicity Ext Alarm Mgr
Description:
Port is used as the Cimplicity External Alarm Manager subsystem only found in
WorkstationST configured systems using project based Cimplicity configurations. OS
Vulnerability:
Disable-Enable If the HMI is not using WorkstationST or is not using a
Cimplicity project based configuration that is receiving
alarms, Port 7071 should be Disabled or the External
Alarm Manager configuration in WorkstationST (send
alarms to Cimplicity) should be turned off.
If the HMI is using WorkstationST and a Cimplicity
project based configuration, Port 7071 should be
Enabled. Care should be taken to assure that this port
is blocked from access by untrusted computers and
networks.
Reboot Required?:
Page 76 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7072
Service/Program:
GeCssAlarmServer.exe
Description:
Port is used as the WorkstationST Alarm Server Client Port. This is the port WorkstationST
Alarm Clients connect to in order to receive alarm information from the WorkstationST
Alarm Server. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Reboot Required?:
Page 77 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7073
Service/Program:
GE wkstnST Alarm Svr Status Client
Description:
Port is used as the WorkstationST Alarm Server Status Client Port. WorkstationST Alarm
Clients connects to this port to get status information from the WorkstationST Alarm
Server. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Reboot Required?:
Page 78 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7077
Service/Program:
GE wkstnST Network Status Monitor Overview
Description:
Port is used as the WorkstationST Network Status Monitor Overview Port. WorkstationST
Network Status Monitor system uses this port to provide Network Status Monitor
Overview Data to Network Status Monitoring Clients. OS Assigned Ephemeral Ports may
be assigned for Client Side Connections.
Vulnerability:
Disable-Enable If the HMI is not using WorkstationST or is not using
the WorkstationST Network Status Monitoring
Feature, Port 7077 should be Disabled.
If the HMI is using the WorkstationST Network Status
Monitoring Feature, Port 7077 is required and should
be Enabled. Care should be taken to assure that this
port is blocked from access by untrusted computers
and networks.
Reboot Required?:
Page 79 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7078
Service/Program:
GE wkstnST Network Status Monitor Alarm
Description:
Port is used as the WorkstationST Network Status Monitor Alarm Port. WorkstationST
Network Status Monitor system uses this port to provide Network Status Monitor Alarm
Data to Network Status Monitoring Clients. OS Assigned Ephemeral Ports may be
Vulnerability:
and networks.
Reboot Required?:
Page 80 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7079
Service/Program:
GE wkstnST Network Status Monitor Detail Data
Description:
Port is used as the WorkstationST Network Status Monitor Detail Data Port.
WorkstationST Network Status Monitor system uses this port to provide Network Status
Monitor Detail Data to Network Status Monitoring Clients. OS Assigned Ephemeral Ports
may be assigned for Client Side Connections.
Vulnerability:
and networks.
Reboot Required?:
Page 81 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7090
Service/Program:
GeCssDeviceManagerGateway
Description:
Port is used only when Device Manager Gateway feature is enabled. OS Assigned
Vulnerability:
and Download.
Reboot Required?:
Page 82 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 768
Service/Program:
GeCssGsm
Description:
Port is used for the GSM protocol when GSM feature is enabled in Workstation.
Vulnerability:
No reported vulnerabilities associated with this port.
Enable If the GSM protocol is being used, the port is required.
Reboot Required?:
Page 83 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 770
Service/Program:
GeCssOSMInterface
Description:
Port is used only when On Site Monitoring feature is configured (OSM)
Vulnerability:
and Download.
Reboot Required?:
Page 84 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7937
Service/Program:
GeCssOpcServer
Description:
Port is used as the Ethernet Global Data (EGD) Configuration Server Response port. OS
Vulnerability:
Enable Port 7937 is required by the system to work properly.
Care should be taken to assure that this port is blocked
from access by untrusted computes and networks.
Reboot Required?:
Page 85 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 7938
Service/Program:
EgdCfgServer.exe
Description:
Port is used as the EGD Configuration Server port. OS Assigned Ephemeral Ports may be
Vulnerability:
Disable-Enable If the device is not using WorkstationST or is not using
the WorkstationST EGD Configuration Server feature,
If the device is running the WorkstationST EGD
Configuration Server feature, Port 7937 is required and
should be Enabled. Care should be taken to assure
computers and networks. NOTE: There should only be
One WorkstationST computer configured as an EGD
Configuration Server in a system.
Reboot Required?:
Page 86 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP 8085
Service/Program:
CMSRemotingService.exe
Description:
Port is used by the CMS Remoting Service.
Vulnerability:
Disable
Reboot Required?:
Page 87 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP, UDP 18310
Service/Program:
GeCssOpcServer.exe
Description:
Port is used for the WorkstationST Intercon which is used to pass data between all
WorkstationST services. All ControlST services may use this port. OS Assigned Ephemeral
Ports may be assigned for Client Side Connections.
Vulnerability:
networks.
Reboot Required?:
Page 88 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
GeCssRecorderServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 89 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
WorkstationSTAlarmViewer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 90 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
WorkstationStatusMonitor.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 91 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
WorkstationSTservice.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 92 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: TCP, UDP 49152-65535 (See
Service/Program:
WorkstationSTservice.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 93 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
WorkstationSTAlarmViewer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 94 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
GeCssOpcServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 95 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
GeCssRecorderServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 96 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
GeCssHmiServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 97 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Service/Program:
CimView.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 98 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 11020
Service/Program:
GeCssAmGateway
Description:
Port is used only when Acoustic Monitoring Gateway feature is configured (AMG).
Vulnerability:
Disable-Enable UDP Port 11020 - GeCssAmGateway should only be
enabled on systems running WorkstationST running
GeCssAmGateway (AMG) feature enabled.
This service can be disabled by deselecting this feature in Workstation and performing a
Workstation Build and Download.
Reboot Required?:
Page 99 of 676
Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 123
Service/Program:
ntp
Description:
all devices on the network that are time stamping data. OS Assigned Ephemeral Ports
Vulnerability:
Reboot Required?:
Page 100 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 161
Service/Program:
snmp
Description:
logging and management network information via the network. OS Assigned Ephemeral
Vulnerability:
Disabled.
Reboot Required?:
Page 101 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18246
Service/Program:
GeCssOpcServer
Description:
transfers between Controllers and HMIs. Port 18246 is associated with GeCssOpcServer.
OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Enable Port 18246 is required. Care should be taken to block
access to this port from untrusted computers and
networks.
Reboot Required?:
Page 102 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
GeCssHMIServer
Description:
WorkstationST services. This service monitors and controls downloads of CIMPCLITY
database information for CIMPLICITY project based systems. OS Assigned Ephemeral
Vulnerability:
Disable-Enable Enabled automatically when running Workstation HMI
in project mode. Should NOT be present in an
Advanced Viewer only application. Port 18310 is
required on all WorkstationST configured systems.
When enabled, care should be taken to block access to
this port from untrusted computers or networks.
Reboot Required?:
Page 103 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
GE wkstnST IntraComm
Description:
Vulnerability:
networks.
Reboot Required?:
Page 104 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
GeCssHmiServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 105 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
CimView.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 106 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
EgdCfgServer.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 107 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 18310
Service/Program:
GeCssHmiFileUtil.exe
Description:
Vulnerability:
networks.
Reboot Required?:
Page 108 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 4500
Service/Program:
svchost
Description:
Port used by IKE (Internet Key Exchange) and AuthIP (Authenticated Internet Protocol)
required by IPsec keying (Internet Protocol Security). This service is critical for IPsec to
provide authentication and encryption services.
Vulnerability:
password function to controllers that support security
protocols.
Reboot Required?:
Page 109 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 500
Service/Program:
ikeext
Description:
Port, when present, used by IKE (Internet Key Exchange) and AuthIP (Authenticated
Internet Protocol) required by Ipsec keying (Internet Protocol Security). This service is
critical for Ipsec to provide authentication and encryption services.
Vulnerability:
of this port for IKE, AuthIP and IPsec). GE strongly
recommends that this port be blocked from access by
untrusted computers and networks. The use of strong
passwords and best practice password management as
well as restrictive file sharing strategies are also
strongly recommended.
Reboot Required?:
Page 110 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 5320
Service/Program:
DataHistorian.exe
Description:
Port is used by the GE Data Historian application. This application is used to record high
speed trip logging data critical for post trip analysis. OS Assigned Ephemeral Ports may be
Vulnerability:
Disable-Enable If the DataHistorian service is not running on the HMI,
this port should be Disabled.
DataHistorian is an important tool for post event
processing and if configured on an HMI, Port 5320
should remain Enabled.
Reboot Required?:
Page 111 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 5353
Service/Program:
cvslock.exe
Description:
Port is used by cvslock.exe which is part of the Configuration Management Server (CMS)
system.
Vulnerability:
Disable-Enable If the device is using the CMS system, Port 5353 should
be Enabled. When enabled, care should be taken to
block access to this port from untrusted computers
and networks.
If the device does not use CMS system, this port is not
required and should be Disabled.
Reboot Required?:
Page 112 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 5632
Service/Program:
Description:
Vulnerability:
Disabled.
Reboot Required?:
Page 113 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 7936
Service/Program:
ADL
Description:
Port is used by GE Proprietary Asynchronous Drive Language (ADL). Required for Legacy
(Mark VI-Innovation) Network compatibility.
Vulnerability:
Enable UDP Port 7936 and the ADL service are located on the
controller and are not Windows accessible.
Reboot Required?:
Page 114 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 7937
Service/Program:
GeCssOpcServer
Description:
Port is used by EGD Writes - Command Message Protocol (CMP) to write data to a EGD
device. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Reboot Required?:
Page 115 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 7938
Service/Program:
almrcv.exe
Description:
Port is used by the GE Alarm Protocol (ALM) to send alarm messages to alarm servers and
clients. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Enable UDP Port 7938 is required by the system to work
properly. Care should be taken to assure that this port
is blocked from access by untrusted computes and
networks.
Reboot Required?:
Page 116 of 676

Device Type:
Control Software
Device Specifics:
ControlST
Port: UDP 9
Service/Program:
DISCARD
Description:
This port is used by GE network scanning utilities to locate devices on the network. This
utility sends data to UDP Port 9 simply to force an ARP on the network and subsequently
to detect the presence of nodes on the network via the ARP tables.
Vulnerability:
None. Since UDP does not respond, there is no useful information that an attacker can
get form sending data to this port.
Enable
N/A
Reboot Required?:
Page 117 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: NONE n/a
Service/Program:
AMEVENT.EXE
Description:
AM Gateway Event Manager. Only present on eTCSS based computers running Acoustic
Monitoring Gateway functions.
Vulnerability:
Disable-Enable Should only be present on eTCSS systems running
Acoustic Monitoring Gateway (AMGateway) modules.
Reboot Required?:
Page 118 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: NONE n/a
Service/Program:
TCI
Description:
Turbine Control Interface. This is the central communications (external and interprocess)
system for eTCSS platforms (legacy).
Vulnerability:
Enable Required for eTCSS to function.
Reboot Required?:
Page 119 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: NONE n/a
Service/Program:
TCI
Description:
Turbine Control Interface. This is the central communications (external and interprocess)
system for eTCSS platforms (legacy).
Vulnerability:
Disable-Enable Only enabled in cases where a hybrid ControlST and
eTCSS systems (WindowsXP only) were built to support
Mark V and Mark IV interfaces in a ControlST
environment.
Reboot Required?:
Page 120 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 3683-3685
Service/Program:
Toolbox.exe
Description:
Ports are used by eTCSS (classic) Toolbox application. OS Assigned Ephemeral Ports may
be assigned for Client Side Connections.
Vulnerability:
Disable-Enable These ports are required by workstations that are
using the GE eTCSS Toolbox application. If the
workstation is not using this application, then these
ports are not required and should be Disabled.
When the ports are Enabled, care should be taken to
block access to these ports from untrusted computers
and networks.
Reboot Required?:
Page 121 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 37
Service/Program:
Time Protocol
Description:
Port is used by the time protocol for requesting time from a device (returns number of
minutes since midnight Jan. 1, 1900). This port is also used for time synchronization
between devices on a LAN.
Vulnerability:
There are known vulnerabilities reported for this port.
Disable-Enable (a) If not used, Disable.
(b) If not used but cannot be disabled; care should be
taken to block this port from access by untrusted
(c) If required for proper operation of the control
system; care should be taken to block this port from
access by untrusted computers and networks.
Reboot Required?:
Page 122 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 501-503
Service/Program:
modbus
Description:
pronto which is the reason for the backup ports of 501 and 503.
Vulnerability:

Reboot Required?:
Page 123 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 5150
Service/Program:
DBServer.exe
Description:
Port is used by the GE System Database (SDB) Server. This service (DBServer.exe)
manages the System Database used by all eTCSS generation controllers which includes
Mark VI, EX2100, and LCI_LS2100 controllers. This will certainly be found on eTCSS
generation systems. OS Assigned Ephemeral Ports may be assigned for Client Side
Connections.
Vulnerability:
Disable-Enable If the workstation has SDB configuration requirements
as noted in the Description, this port should be
Enabled. Otherwise, the port should be Disabled.
If Enabled, care should be taken to block access to this
Reboot Required?:
Page 124 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 5310-5312
Service/Program:
Description:
OS Assigned Ephemeral Ports may be assigned for Client Side Connections. OS Assigned
Vulnerability:
not be employed.
Reboot Required?:
Page 125 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 5320
Service/Program:
DataHistorian.exe
Description:
Port is used by the GE Data Historian application. This application is used to record high
speed trip logging data critical for post trip analysis. OS Assigned Ephemeral Ports may be
Vulnerability:
Disable-Enable If the DataHistorian service is not running on the HMI,
this port should be Disabled.
DataHistorian is an important tool for post event
processing and if configured on an HMI, Port 5320
should remain Enabled.
Reboot Required?:
Page 126 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 5631
Service/Program:
Description:
Vulnerability:
Disabled.
Reboot Required?:
Page 127 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 7070
Service/Program:
almrcv.exe
Description:
Port is used by the GE Alarm Receiver Subsystem. OS Assigned Ephemeral Ports may be
Vulnerability:
that this port is blocked form access by untrusted
Reboot Required?:
Page 128 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 768
Service/Program:
gsm.exe
Description:
Port is used for the GSM protocol.
Vulnerability:
No reported vulnerabilities associated with this port.
Enable If the GSM protocol is being used, the port is required.
Reboot Required?:
Page 129 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: TCP 8085
Service/Program:
CMSRemotingService.exe
Description:
Port is used by the CMS Remoting Service.
Vulnerability:
Disable
Reboot Required?:
Page 130 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 11011-11018
Service/Program:
CDMCpmPush
Description:
Port is used only when Combustion Dynamics Monitoring screens / function is present.
Moves data from CDM system into CIMPLICITY project.
Vulnerability:
Disable-Enable UDP Ports 11011 - 11018 - CDMCpmPush should only
be enabled on systems of this type configured with
Combustion Dynamics Monitoring (CDM)
This service can be disabled by removing the CDM configuration from the project and un-
installing feature from the computer.
Reboot Required?:
Page 131 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 11020
Service/Program:
AMGATE
Description:
Port is used only when Acoustic Monitoring Gateway function is configured (AMG). You
will also see client side OS Assigned Ephemeral Ports for Client Side Connections.
Vulnerability:
Disable-Enable UDP Port 11020 - AMGATE should only be enabled on
systems of this type configured when Acoustic
Monitoring Gateway feature is enabled.
This service can be disabled by removing the AMG configuration from the project and un-
installing feature from the computer.
Reboot Required?:
Page 132 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 133 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 161
Service/Program:
snmp
Description:
logging and management network information via the network. OS Assigned Ephemeral
Vulnerability:
Disabled.
Reboot Required?:
Page 134 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 18246
Service/Program:
EGD
Description:
transfers between Controllers and HMIs. In eTCSS based systems, Port 18246 is
associated with the ICN Service.
Vulnerability:
networks.
Reboot Required?:
Page 135 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 18246
Service/Program:
icn_dc.exe
Description:
Port is used by Project based Cimplicity EGD driver. OS Assigned Ephemeral Ports may be
Vulnerability:
Enable This is required for EGD to function in a Cimplicity
Project based system using eTCSS (CIMPCLITY 6.1,
eTCSS) for EGD communications to fucntion properly.
Reboot Required?:
Page 136 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 137 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 5353
Service/Program:
cvslock.exe
Description:
Port is used by cvslock.exe which is part of the Configuration Management Server (CMS)
system.
Vulnerability:
Disable-Enable If the device is using the CMS system, Port 5353 should
be Enabled. When enabled, care should be taken to
block access to this port from untrusted computers
and networks.
If the device does not use CMS system, this port is not
required and should be Disabled.
Reboot Required?:
Page 138 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 5632
Service/Program:
Description:
Vulnerability:
Disabled.
Reboot Required?:
Page 139 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 140 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 7937
Service/Program:
GE Command Message Protocol
Description:
device.
Vulnerability:
Reboot Required?:
Page 141 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 7938
Service/Program:
almrcv.exe
Description:
clients. OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
Enable Required for eTCSS alarm clients to function.
Reboot Required?:
Page 142 of 676

Device Type:
Control Software
Device Specifics:
eTCSS
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
Enable
N/A
Reboot Required?:
Page 143 of 676

Device Type:
Control Software
Device Specifics:
Hart
Port: TCP 7080
Service/Program:
GE wkstnST HART
Description:
Port is used as the WorkstationST HART Protocol Message Server Status Port.
WorkstationST HART Protocol system uses this port to provide HART Message Server
Status data to HART Protocol Clients.
Vulnerability:
the WorkstationST HART Protocol, Port 7080 should be
Disabled.
If the HMI is using the WorkstationST HART Protocol,
Port 7080 is required and should be Enabled. Care
should be taken to assure that this port is blocked
from access by untrusted computers and networks.
Reboot Required?:
Page 144 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Port is used by the daytime protocol, which reports the current time of day.
Vulnerability:
There are no significant vulnerabilities reported for this port, although attackers could use
this to "fingerprint" the operating system, based on the format of the data returned.
Disable
Reboot Required?:
Page 145 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
Disable-Enable Use GE supplied scripts/procedures to Disable/Enable
the FTP service as needed for specific usage. Newer
generation controllers will use secure GE proprietary
protocols and certificates to secure data download
services that were once done via ftp (available June
2012).
Reboot Required?:
Page 146 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 23
Service/Program:
telnet
Description:
Port is used by the Telnet protocol and service. This is typically used to create a terminal
session with the host device to allow a command line interface to be established with that
device.
Vulnerability:
There are many vulnerabilities reported for this port. In addition to various Trojans and
worms, the non-encrypted nature of the protocol makes packet snooping for passwords
and data a danger as well. Finally, the protocol allows the establishing of a command line
interface to the device which has additional implications for how that device may be
altered or snooped.
the Telnet service as needed for specific usage. The
serial interface can also be used for many activities
that would be done through telnet. Newer generation
controllers will use SSH and certificates to secure the
services that were once done via Telnet (Available June
2012).
Reboot Required?:
Page 147 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 148 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 502
Service/Program:
modbus
Description:
pronto which is the reason for the backup ports of 501 and 503 (see below).
Port 501 is listed as STMF port, however GE occasionally uses this port as a Modbus TCP
backup port. STMF is the Simple Transportation Management Framework used for traffic
controllers. GE does not use Port 501 for this purpose.
Port 503 is listed as Intrinsa, however GE occasionally uses this port as a Modbus TCP
backup port.
Vulnerability:

Reboot Required?:
Page 149 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 150 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 151 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 18246
Service/Program:
EGD
Description:
associated with the ICN Service. In WorkstationST based systems, Port 18246 is
associated with GeCssOpcServer.
Vulnerability:
networks.
Reboot Required?:
Page 152 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 153 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 154 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 155 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 156 of 676

Device Type:
Controller
Device Specifics:
EX2100
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
Enable Port can not be disabled because of limitations of this
controller card. Care should be taken to block access
to this port from untrusted computers and networks.
N/A
Reboot Required?:
Page 157 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Disable
Reboot Required?:
Page 158 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
2012).
Reboot Required?:
Page 159 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
2012).
Reboot Required?:
Page 160 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 161 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 502
Service/Program:
modbus
Description:
backup port.
Vulnerability:

Reboot Required?:
Page 162 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 163 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 65534
Service/Program:
Modbus/GE Command Message Protocol
Description:
Port is used for writing data to controllers as a result of modbus write requests.
Vulnerability:
No reported vulnerabilities have been associated with this port for QNX or derivative
operating systems such as the operating system used in the EX2100e device.
Disable-Enable If Modbus is used on the controller, this port is
required and must be enabled for use.
Reboot Required?:
Page 164 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: TCP 7937
Service/Program:
EGD
Description:
Port is used as the Ethernet Global Data (EGD) Configuration Server Response port.
Vulnerability:
Reboot Required?:
Page 165 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 166 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 18246
Service/Program:
EGD
Description:
Vulnerability:
networks.
Reboot Required?:
Page 167 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 319-320
Service/Program:
Inter Process Communciations
Description:
Port 319 is used to receive event messages and Port 320 is used for general function
communications. OS Assigned Ephemeral Ports may be assigned for Client Side
Connections.
Vulnerability:
There are no reported vulnerabilities that use these ports.
Disable-Enable Used ONLY on the I/O net which is not acceptable
outside the control system cabinet. This should not be
disabled on the controller. If these ports do appear
anywhere other than the I/O Net, then it is not used
and should be Disabled.
Reboot Required?:
Page 168 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 169 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 514
Service/Program:
syslog
Description:
Port is used for writing syslog data to syslog data collectors.
Vulnerability:
Disable-Enable If syslog functions are being used to record events
prodcued by this controller, this port must be enabled.
Reboot Required?:
Page 170 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 65534
Service/Program:
Description:
Vulnerability:
No reported vulnerabilities have been associated with this port for QNX or derivative
operating systems such as the operating system used in the EX2100e device.
Reboot Required?:
Page 171 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 172 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 173 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 174 of 676

Device Type:
Controller
Device Specifics:
EX2100e
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
N/A
Reboot Required?:
Page 175 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Disable
Reboot Required?:
Page 176 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
2012).
Reboot Required?:
Page 177 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
2012).
Reboot Required?:
Page 178 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 179 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 180 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 181 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 18246
Service/Program:
EGD
Description:
Vulnerability:
networks.
Reboot Required?:
Page 182 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 183 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 184 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 185 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 186 of 676

Device Type:
Controller
Device Specifics:
LCI_LS2100
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
N/A
Reboot Required?:
Page 187 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 188 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
2012).
Reboot Required?:
Page 189 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
interface to the device which has additional implications for how that device
2012).
Reboot Required?:
Page 190 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 191 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 502
Service/Program:
modbus
Description:
backup port.
Vulnerability:

Reboot Required?:
Page 192 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 5310
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 193 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 5311
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 194 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: TCP 5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 195 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 1024-5000
Service/Program:
Description:
OS Assigned Ephemeral Ports may be assigned for Client Side Connections in the Mark VI
controllers
Vulnerability:
Enable Ports are required. Care should be taken to assure
these ports are blocked form access by untrusted
N/A
Reboot Required?:
Page 196 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 197 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 18246
Service/Program:
EGD
Description:
Vulnerability:
networks.
Reboot Required?:
Page 198 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 199 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 7
Service/Program:
ECHO
Description:
The Echo Protocol is a service in the Internet Protocol S. The server sends back an
identical copy of the data it received.
Vulnerability:
networks.
N/A
Reboot Required?:
Page 200 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 201 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 202 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 203 of 676

Device Type:
Controller
Device Specifics:
Mark VI
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
N/A
Reboot Required?:
Page 204 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Disable
Reboot Required?:
Page 205 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
2012).
Reboot Required?:
Page 206 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
2012).
Reboot Required?:
Page 207 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 208 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 502
Service/Program:
modbus
Description:
backup port.
Vulnerability:

Reboot Required?:
Page 209 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 210 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 65534
Service/Program:
Description:
Vulnerability:
Reboot Required?:
Page 211 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: TCP 7937
Service/Program:
EGD
Description:
Vulnerability:
Reboot Required?:
Page 212 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 213 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 18246
Service/Program:
EGD
Description:
Vulnerability:
networks.
Reboot Required?:
Page 214 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 215 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 5312
Service/Program:
GE System Data Interface Redirect
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 216 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 65534
Service/Program:
Description:
Vulnerability:
Reboot Required?:
Page 217 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 218 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 219 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSA
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 220 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
2012).
Reboot Required?:
Page 221 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
2012).
Reboot Required?:
Page 222 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 223 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 502
Service/Program:
modbus
Description:
backup port.
Vulnerability:

Reboot Required?:
Page 224 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 225 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 65534
Service/Program:
Description:
Vulnerability:
Reboot Required?:
Page 226 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: TCP 7937
Service/Program:
EGD
Description:
Vulnerability:
Reboot Required?:
Page 227 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 228 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 18246
Service/Program:
EGD
Description:
Vulnerability:
networks.
Reboot Required?:
Page 229 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 230 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Reboot Required?:
Page 231 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 5312
Service/Program:
GE System Data Interface Redirect
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 232 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 65534
Service/Program:
Description:
Vulnerability:
Reboot Required?:
Page 233 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 7936
Service/Program:
ADL
Description:
Vulnerability:
Reboot Required?:
Page 234 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 235 of 676

Device Type:
Controller
Device Specifics:
Mark VIe UCSB
Port: UDP 7938
Service/Program:
ALM
Description:
clients.
Vulnerability:
networks.
Reboot Required?:
Page 236 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 12305
Service/Program:
CimALM
Description:
Port is used by Cimplicity Alarm system.
Vulnerability:
Disable-Enable Typically, Cimplicity Alarm is not used and Port 12305
should be Disabled.
In rare cases where the Cimplicity Alarm system is
used, Port 12305 should be Enabled and care should
be taken to block this port from access by untrusted
Reboot Required?:
Page 237 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 18245
Service/Program:
hct_rp
Description:
Port is used by a Cimplicity Project (not Advanced Viewer) system ONLY when using the
GE Fanuc PLC SRTP protocol. OS Assigned Ephemeral Ports may also be present for Client
Side Connections.
Vulnerability:
Disable-Enable This service can be disabled by removing the SRTP
protocol from the project. Disabling without removing
will generate errors while starting CIMPLICITY project.
Reboot Required?:
Page 238 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 18245
Service/Program:
S90TCP.exe
Description:
Port is used ONLY when using the GE Fanuc PLC Series 90 protocol via the CIMPLICITY
project (devcom driver).
Vulnerability:
Disable-Enable This service can be disabled by removing the Series90
Reboot Required?:
Page 239 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 32000
Service/Program:
w32rtr.exe
Description:
Port is used by the Cimplicity Router subsystem w32rtr.exe which is responsible for a wide
range of intercommunication tasks between Cimplicity services and computers. OS
Vulnerability:
Enable Port 32000 is required on all Cimplicity HMI systems.
Reboot Required?:
Page 240 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 241 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 4000
Service/Program:
Cimrtping
Description:
Port is used by the Cimplicity Router Service (Cimrtping) to determine the health of
redundant server connections for Cimplicity Viewers attached to the network.
Vulnerability:
There are many known vulnerabilities associated with this port.
Disable-Enable If the HMI system does not have Cimplicity Viewers
AND a redundant client network configuration, this
port is not required and should be Disabled.
Reboot Required?:
Page 242 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 501
Service/Program:
mbeth_rp
Description:
Port is used by Cimplicity Modbus Ethernet driver (DEVCOM). OS Assigned Ephemeral
Vulnerability:
Disable-Enable If the Cimplicity project is communicating with a
Modbus Ethernet device this service must be enabled.
If not it (Modbus Ethernet configuration) should be
removed from the project.
Reboot Required?:
Page 243 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 501-503
Service/Program:
modbus
Description:
Vulnerability:

Reboot Required?:
Page 244 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: TCP 8003
Service/Program:
fpserver.exe
Description:
Port is used by the Cimplicity Front Page Server (alarm paging service) (fpserver.exe).
Vulnerability:
Disable
Reboot Required?:
Page 245 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: UDP 32000
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 246 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: UDP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 247 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 6.1
Port: UDP 7808
Service/Program:
GALMACK
Description:
Port used by eTCSS to acknowledge CIMPLICITY project based alarms across all HMI.
Vulnerability:
Disable-Enable This service can be disabled via eTCSS config files per
GALMACK documentation. It is only required when
CIMPCLICITY Project database points are generating
alarms.
Reboot Required?:
Page 248 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 12305
Service/Program:
CimALM
Description:
Vulnerability:
should be Disabled.
Reboot Required?:
Page 249 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 18245
Service/Program:
S90TCP.exe
Description:
GE Fanuc PLC Series 90 protocol.
Vulnerability:
Reboot Required?:
Page 250 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 18245
Service/Program:
hct_rp
Description:
Side Connections.
Vulnerability:
Reboot Required?:
Page 251 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 1947
Service/Program:
hasplms.exe
Description:
Port is used by the Sentinel HASP key license server which reads licensing information
from an attached USB 'key'.
Vulnerability:
No reported vulnerabilities are reported for this port.
Enable The software licensing provided by this service is
required for proper system function. This is ALWAYS a
local service, so this port is not used for any data flow
transactions between network peers.
Reboot Required?:
Page 252 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 32000
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 253 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 254 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: TCP 501-503
Service/Program:
modbus
Description:
Vulnerability:

Reboot Required?:
Page 255 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: UDP 1947
Service/Program:
hasplms.exe
Description:
from an attached USB 'key'. OS Assigned Ephemeral Ports may be assigned for Client Side
Connections.
Vulnerability:
Reboot Required?:
Page 256 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: UDP 32000
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 257 of 676

Device Type:
HMI
Device Specifics:
Cimplicity 7.5
Port: UDP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 258 of 676

Device Type:
HMI
Device Specifics:
DNP3
Port: TCP 20000
Service/Program:
DNP3
Description:
Port is used for DNP3 protocol. The software generally associated with this port is
Triangle Microworks SDG (Scada Data Gateway) which provides an interface between OPC
and DNP3.
Vulnerability:
There are several known vulnerabilities associated with this port.
Disable-Enable In systems where DNP3 protocol is not being used,
In systems where DNP3 protocol is being used, Port
20000 is required and should be Enabled. Care should
be taken to block access to this port from untrusted
Reboot Required?:
Page 259 of 676

Device Type:
HMI
Device Specifics:
HMI CAP
Port: TCP 10080
Service/Program:
avgnsx.exe
Description:
Port is used by AVG Network Scanner.
Vulnerability:
Disable-Enable If the AVG Network Scanner is required (enabled in
AVG settings), Port 10080 should be Enabled. Care
should be taken to block access to this port from
If AVG Network Scanner is not required
(recommended - disable in AVG settings), Port 10080
should be Disabled.
Reboot Required?:
Page 260 of 676

Device Type:
HMI
Device Specifics:
HMI CAP
Port: TCP 10110
Service/Program:
avgemc.exe
Description:
Port is used by the AVG Email Scanner.
Vulnerability:
Disable TCP Port 10110 - avgemc.exe should be disabled. Turn
off the email scanning feature in the AVG configuration.
Reboot Required?:
Page 261 of 676

Device Type:
HMI
Device Specifics:
HMI CAP
Port: TCP 13128
Service/Program:
avgnsx.exe
Description:
Vulnerability:
should be Disabled.
Reboot Required?:
Page 262 of 676

Device Type:
HMI
Device Specifics:
HMI CAP
Port: TCP 18080
Service/Program:
avgnsx.exe
Description:
Vulnerability:
should be Disabled.
Reboot Required?:
Page 263 of 676

Device Type:
HMI
Device Specifics:
HMI CAP
Port: TCP, UDP n/a
Service/Program:
Smc.exe
Description:
Port is used by the Group Update Provider (GUP) proxy functionality of Symantec
Endpoint Protection (SEP) client. OS Assigned Ephemeral Ports may be assigned for Client
Side Connections.
Vulnerability:
Disable-Enable If Symantec endpoint protection is enabled this should
be present. This is installed on the HMI as part of the
product known as NET CAP.
Reboot Required?:
Page 264 of 676

Device Type:
HMI
Device Specifics:
OSM
Port: TCP 5631
Service/Program:
Description:
systems.
Vulnerability:
Disabled.
Reboot Required?:
Page 265 of 676

Device Type:
HMI
Device Specifics:
OSM
Port: UDP 5632
Service/Program:
Description:
systems.
Vulnerability:
Disabled.
Reboot Required?:
Page 266 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
sqlwriter.exe
Description:
???Microsoft SQL Server - Not sure how it is used by the system.
Vulnerability:
Enable
Reboot Required?:
Page 267 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
cimlayout.exe
Description:
Present when CimLayout (CIMPCLICITY) is running
Vulnerability:
Enable
Reboot Required?:
Page 268 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
cimplicity.exe
Description:
Required for CIMPLICITY
Vulnerability:
Enable
Reboot Required?:
Page 269 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
CimProxy.exe
Description:
Required For CIMPLICITY
Vulnerability:
Enable
Reboot Required?:
Page 270 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
iLicenseSvc.exe
Description:
Required for Proficy Licensing (CIMPLICITY)
Vulnerability:
Enable
Reboot Required?:
Page 271 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
pdfsvc.exe
Description:
Only present on systems with PDF complete installed. Essiential only for printing to PDF
files. If removed, do so from Printers and Devices manager.
Vulnerability:
Disable-Enable Enable when printing directly to PDF files, otherwise,
disable.
Reboot Required?:
Page 272 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
CCFLIC0.exe
Description:
Required for CIMPLICITY
Vulnerability:
Enable
Reboot Required?:
Page 273 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
schedul2.exe
Description:
Only on systems with Acronis backup software.
Vulnerability:
Disable-Enable Enable when running Acronis.
Reboot Required?:
Page 274 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
schedhlp.exe
Description:
Only on systems running Acronis
Vulnerability:
Reboot Required?:
Page 275 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
TimounterMonitor.exe
Description:
Only on systems containing Acronis
Vulnerability:
Reboot Required?:
Page 276 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
TrayMonitor.exe
Description:
Only on systems running Acronis
Vulnerability:
Reboot Required?:
Page 277 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
TrueImageMonitor.exe
Description:
Required for systems running Acronis.
Vulnerability:
Reboot Required?:
Page 278 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
unsecapp.exe
Description:
Required for Windows - Legacy Compatibility module.
Vulnerability:
Enable
Reboot Required?:
Page 279 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
amrp.exe
Description:
Present on CIMPLICITY when running in Project mode. This service is the Cimplcity Alarm
system.
Vulnerability:
Disable-Enable Enable when running as a project
Reboot Required?:
Page 280 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
OpcEnum.exe
Description:
Required for OPC device browsing to function.
Vulnerability:
Enable
Reboot Required?:
Page 281 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ptopc.exe
Description:
Required for CIMPLICITY OPC Client interface to WST
Vulnerability:
Enable
Reboot Required?:
Page 282 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
emrp.exe
Description:
Only present on CIMPLICITY running as a Project. Runs event driven scripts and
event/action pairs configured in the Event Editor.
Vulnerability:
Reboot Required?:
Page 283 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
CimOPCClient.exe
Description:
Only present in CIMPLCITY PROJECT applications that use the OPC Client interface to bring
data into the point database.
Vulnerability:
Disable-Enable Enable when running as a project and the HMI is
interfacing to an OPC Server
Reboot Required?:
Page 284 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ur.exe
Description:
Only present on CIMPLICITY running as a Project. Manages who is logged in/out of the
project in terms of project users.
Vulnerability:
Disable-Enable Enable when running AVG
Reboot Required?:
Page 285 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
dyn_dir.exe
Description:
Only present on CIMPLICITY running as a Project. Dynamic Director coordinates updates
of processes when in Dynamic Configuration mode.
Vulnerability:
Reboot Required?:
Page 286 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
pm_mcp.exe
Description:
Only present on CIMPLICITY running as a Project. Starts/stops the other processes that
comprise a project. Is primarily responsible for starting/stopping/ and health checking on
other processes.
Vulnerability:
Reboot Required?:
Page 287 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ProficyDrivers.exe
Description:
Only on project based systems using PDS drivers (SRTP, BACNet, IEC61850). Disable
ProficyDrivers.exe service otherwise.
Vulnerability:
Reboot Required?:
Page 288 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ptm_rp.exe
Description:
Only present on CIMPLICITY running as a Project. Manages all point values for all
configured points in a project. Provides this information to client processes as requested.
Vulnerability:
Reboot Required?:
Page 289 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ptmdp.exe
Description:
Only present on CIMPLICITY running as a Project. Manages all calculated/virtual points.
Feeds the updated values back into Point Management for dissemination to interested
clients.
Vulnerability:
Reboot Required?:
Page 290 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
ptx_rp.exe
Description:
Only present on CIMPLICITY running as a Project. Manages most of the extended sub
attributes of individual points, things like some of the quality, alarm states, etc.
Vulnerability:
Reboot Required?:
Page 291 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: NONE n/a
Service/Program:
sqlservr.exe
Description:
???Microsoft SQL Server - Not sure how it is used by the system.
Vulnerability:
Enable
Reboot Required?:
Page 292 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 10212
Service/Program:
CimWebServer
Description:
Port is used by the Cimplicity Web Server
Vulnerability:
None reported.
Disable Cimplcity Web Server (CimWebServer) should not be
enabled or used.
Reboot Required?:
Page 293 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 12305
Service/Program:
CimALM
Description:
Vulnerability:
should be Disabled.
Reboot Required?:
Page 294 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 12396
Service/Program:
FxControl.exe
Description:
Proficy Machine Edition
Vulnerability:
Disable-Enable Necessary if running Proficy Machine Edition
Reboot Required?:
Page 295 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 18245
Service/Program:
S90TCP.exe
Description:
GE Fanuc PLC Series 90 protocol.
Vulnerability:
Reboot Required?:
Page 296 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 18245
Service/Program:
hct_rp
Description:
Side Connections.
Vulnerability:
Reboot Required?:
Page 297 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 1947
Service/Program:
hasplms.exe
Description:
Vulnerability:
Reboot Required?:
Page 298 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 32000
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 299 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 300 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 501-503
Service/Program:
modbus
Description:
Vulnerability:

Reboot Required?:
Page 301 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 7627
Service/Program:
Web Services (HTTPS)
Description:
HP Web Jetadmin uses this port to communicate with HP FutureSmart devices and older
laser devices for some operations.
Vulnerability:
Several known vulnerabilities are associated with these ports.
Disable Care should be taken to assure these ports are
blocked form access by untrusted computers and
networks. If this feature must be used assign an
administrator password for access to the HP printer
connected to the controls network.
Reboot Required?:
Page 302 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 8081
Service/Program:
McAfee Agent
Description:
Inbound connec on from the ePO server/Agent Handler.This Port is necessary for
system using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 303 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP 8082
Service/Program:
McAfee Agent
Description:
Inbound connec oto the agents. ePO server/Agent Handler.This Port is necessary for
Vulnerability:
Reboot Required?:
Page 304 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 305 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP,UDP 49152-65535 (See
Service/Program:
S90TCP.exe
Description:
Vulnerability:
Reboot Required?:
Page 306 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Service/Program:
AEClientHostService.exe
Description:
data into the point database. OS Assigned Ephemeral Ports may be assigned for Client
Side Connections.
Vulnerability:
Reboot Required?:
Page 307 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Service/Program:
TrapiServer.exe
Description:
Vulnerability:
Reboot Required?:
Page 308 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Service/Program:
OPCInt11.exe
Description:
Vulnerability:
Reboot Required?:
Page 309 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: TCP,UDP 8181
Service/Program:
AEClientHostService.exe
Description:
data into the point database. OS Assigned Ephemeral Ports may be assigned for Client
Side Connections.
Vulnerability:
Reboot Required?:
Page 310 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: UDP 1947
Service/Program:
hasplms.exe
Description:
Connections.
Vulnerability:
Reboot Required?:
Page 311 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: UDP 32000
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 312 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: UDP 32256
Service/Program:
w32rtr.exe
Description:
Vulnerability:
Reboot Required?:
Page 313 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: UDP 3702
Service/Program:
wsd
Description:
Web Services for Devices (Is this used for the Device Manager?)
Vulnerability:
UDP Port 3702 should only be present when
Reboot Required?:
Page 314 of 676

Device Type:
HMI
Device Specifics:
Win7 HMI 8.2
Port: UDP 67
Service/Program:
pxesrv.exe
Description:
Port is used by Acronis Fileserver (backup / restore) and provides bootps services of DHCP
Vulnerability:
There are no vulnerabilities associated with this port.
Disable-Enable Should only be present on systems with Acronis
backup software installed.
Reboot Required?:
Page 315 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 22
Service/Program:
ssh
Description:
Port is used by Secure Network Services (ssh) aka Secure Shell.
Vulnerability:
Reboot Required?:
Page 316 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 427
Service/Program:
svrloc
Description:
Port is used by Server Location Protocol or Server Location Protocol (SLP).
Vulnerability:
Enable
Reboot Required?:
Page 317 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 443
Service/Program:
https
Description:
websites and for secure transmission of data over the internet, including various gaming
systems.
Vulnerability:
Enable
Reboot Required?:
Page 318 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 5988
Service/Program:
wbem-http
Description:
Port used by Web Based Enterprise Management for CIM transactions over HTTP
Vulnerability:
Enable
Reboot Required?:
Page 319 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 5989
Service/Program:
tcpwrapped
Description:
Port used by vCenter Server for CIM XML transactions over HTTPS
Vulnerability:
Enable
Reboot Required?:
Page 320 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 80
Service/Program:
http
Description:
Port is used for Redirect Web Browser to HTTPS Service (443)
Vulnerability:
Enable
Reboot Required?:
Page 321 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 8000
Service/Program:
http-alt
Description:
Port is used for client and server Requests from vMotion
Vulnerability:
Enable
Reboot Required?:
Page 322 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 8100
Service/Program:
tcpwrapped
Description:
Port is used for Traffic between hosts for vSphere Fault Tolerance (FT)
Vulnerability:
Enabled by default. May be disabled in non redundant systems.
Disable-Enable
Reboot Required?:
Page 323 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 8300
Service/Program:
tmi
Description:
Port used by Transport Management Interface
Vulnerability:
Enable
Reboot Required?:
Page 324 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: TCP 902
Service/Program:
vmware-auth
Description:
Port used for connection to Managed hosts
Vulnerability:
Enable
Reboot Required?:
Page 325 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: UDP 161
Service/Program:
snmp
Description:
Port is used for Simple Network Management Protocol. Only required for Network
Monitoring configured systems or when managed by site snmp tools.
Vulnerability:
Disable-Enable When SNMP services are being used.
Reboot Required?:
Page 326 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: UDP 427
Service/Program:
svrloc
Description:
Port is used by Server Location Protocol or Server Location Protocol (SLP).
Vulnerability:
Enable
Reboot Required?:
Page 327 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: UDP 53
Service/Program:
DNS Service
Description:
Port used for User and Computer Authentication, Name Resolution, Trusts
Vulnerability:
Enable
Reboot Required?:
Page 328 of 676

Device Type:
Hypervisor
Device Specifics:
ESXI 5.1
Port: UDP 68
Service/Program:
dhcpc
Description:
Port used by DHCP client
Vulnerability:
Enable
Reboot Required?:
Page 329 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 443
Service/Program:
https
Description:
The default port that the vCenter Server system uses to listen for connec ons from the
vSphere Web Client. To enable the vCenter Server system to receive data from the
vSphere Web Client, open port 443 in the firewall. vCenter Server is running on
SecurityST high availability (HA) systems.
Vulnerability:
Reboot Required?:
Page 330 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 6501
Service/Program:
Auto Deploy Service
Description:
vCenter Server is running on SecurityST high availability (HA) systems.
Vulnerability:
Reboot Required?:
Page 331 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 6502
Service/Program:
Auto Deploy Manager
Description:
Vulnerability:
Reboot Required?:
Page 332 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 7444
Service/Program:
Secure Token Service
Description:
Vulnerability:
Reboot Required?:
Page 333 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 8083
Service/Program:
http
Description:
vCenter Server requires prt 8083 for direct HTTP connec ons. Port 8083 redirects
requests to HTTPS port 443. This redirection is useful if you accidentally
usehttp://serverinstead ofhttps://server. vCenter Server is running on SecurityST high
availability (HA) systems.
Vulnerability:
Enable
Reboot Required?:
Page 334 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 8088
Service/Program:
vCenter Server
Description:
Workow Management Serve vCenter Server is runninon SecurityST high availability
(HA) systems..
Vulnerability:
Reboot Required?:
Page 335 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 9009
Service/Program:
vCenter Server
Description:
Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client.
vCenter Server is running SecurityST on high availability (HA) systems.
Vulnerability:
Reboot Required?:
Page 336 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP 9443
Service/Program:
vSphere Web Client
Description:
vSphere Web Client HTTP vCenter Server is runnin on SecurityST high availability (HA)
systems..
Vulnerability:
Reboot Required?:
Page 337 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP/UDP 2020
Service/Program:
vCenter Server
Description:
Authen ca on framework managem vCenter Server is running SecurityST high
Vulnerability:
Reboot Required?:
Page 338 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP/UDP 6500
Service/Program:
ESXi Dump Collector Port
Description:
Vulnerability:
Reboot Required?:
Page 339 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: TCP/UDP 902
Service/Program:
vCenter Server
Description:
The default port that the vCenter Server system uses to send data to managed hosts.
Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server
system. vCenter Server is running on SecurityST high availability (HA) systems.
Vulnerability:
Reboot Required?:
Page 340 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: UDP 1514
Service/Program:
Syslog Collector
Description:
vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog
Service TLS port for vCenter Server Appliance. vCenter Server is running on SecurityST
high availability (HA) systems.
Vulnerability:
Reboot Required?:
Page 341 of 676

Device Type:
Hypervisor
Device Specifics:
vCenter Server 6x
Port: UDP 514
Service/Program:
Syslog Collector
Description:
vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service
port for vCenter Server Appliance. vCenter Server is running on SecurityST high
Vulnerability:
Reboot Required?:
Page 342 of 676

Device Type:
Network Switch
Device Specifics:
AT8624T/2M
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Disable Disable Telnet in favor of SSH or serial only
configuration management.
Reboot Required?:
Page 343 of 676

Device Type:
Network Switch
Device Specifics:
AT8624T/2M
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:
Disable-Enable All switches, routers, and time servers use an http
interface to allow configuration of those boxes from
anywhere on the network This is a legacy practice and
it is strongly recommended that the following courses
of action be considered:
(a) Disable the http and telnet interfaces and use a
fully serial interface configuration strategy. This is
generally not intrusive to the typical site operation
since switch configuration changes are rare after the
initial implementation of the system.
(b) Upgrade solutions are now available from GE that
allow RADIUS and SSH centralized management of
switches, routers, time servers, and their
configurations. Additional security network isolation
can also be integrated into the system for this
purpose. Contact the factory for details.
If Port 80 is enabled for any of the valid reasons listed

above, care should be taken to block access to Port 80
by untrusted computers and networks.
Reboot Required?:
Page 344 of 676

Device Type:
Network Switch
Device Specifics:
AT8624T/2M
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 345 of 676

Device Type:
Network Switch
Device Specifics:
AT8624T/2M
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Disable-Enable GE recommends that SNMP be Disabled on all network
Reboot Required?:
Page 346 of 676

Device Type:
Network Switch
Device Specifics:
AT8624T/2M
Port: UDP 514
Service/Program:
syslog
Description:
Port is used by the syslog protocol and allows devices to report events to a central logger.
Vulnerability:
No reported vulnerabilities of this port.
Disable-Enable Port 514 is ONLY required on devices that are sending
or receiving syslog messages. When enabled, care
Otherwise, Disable.
Reboot Required?:
Page 347 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: TCP 22
Service/Program:
ssh
Description:
Vulnerability:
The known Trojan SKUN takes advantage of vulnerabilities associated with this port.
Other Trojans and threats have also been reported.
Enable Port is used to replace telnet and http configuration
access for network appliances and controllers using
this secure protocol.
Reboot Required?:
Page 348 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 123
Service/Program:
ntp
Description:
all devices on the network that are time stamping data. Critical for logging and
authetication.
Vulnerability:
Reboot Required?:
Page 349 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 161-162
Service/Program:
snmp
Description:
Ports are used for Simple Network Management Protocol. Only required for Network
Monitoring configured systems or when managed by site snmp tools.
Vulnerability:
Disable-Enable Enable when SNMP services are being used.
Reboot Required?:
Page 350 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 1645
Service/Program:
IAS - RADIUS
Description:
Legacy Port used by RADIUS Authentication
Vulnerability:
Disable-Enable When RADIUS services are being used.
Reboot Required?:
Page 351 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 1646
Service/Program:
IAS - RADIUS
Description:
Legacy Port used by RADIUS Accounting
Vulnerability:
Reboot Required?:
Page 352 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 1812
Service/Program:
IAS - RADIUS
Description:
Port used by RADIUS Authentication
Vulnerability:
Reboot Required?:
Page 353 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 1813
Service/Program:
IAS - RADIUS
Description:
Port used by RADIUS Accounting
Vulnerability:
Reboot Required?:
Page 354 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 1975
Service/Program:
IPC
Description:
Port is used by CISCO Cluster Management IPC (InterProcess Communication) processing.
Vulnerability:
Enable
Reboot Required?:
Page 355 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 2228
Service/Program:
CDP
Description:
Port is used by CISCO Discovery Protocol processing for directly connected neighbors
(other CISCO switches).
Vulnerability:
Disable This protocol should not be present.
no cdp run
Reboot Required?:
Page 356 of 676

Device Type:
Network Switch
Device Specifics:
Cisco
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Reboot Required?:
Page 357 of 676

Device Type:
OIT
Device Specifics:
COI
Port: TCP 5310-5312
Service/Program:
Description:
Vulnerability:
not be employed.
Reboot Required?:
Page 358 of 676

Device Type:
OIT
Device Specifics:
COI
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:
Disable
Reboot Required?:
Page 359 of 676

Device Type:
OIT
Device Specifics:
COI
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 360 of 676

Device Type:
OIT
Device Specifics:
COI
Port: UDP 500
Service/Program:
isakmp
Description:
Vulnerability:
Enable GE systems of this type require the use of this port for
IKE, AuthIP and IPsec). GE strongly recommends that
recommended.
Reboot Required?:
Page 361 of 676

Device Type:
OIT
Device Specifics:
COI
Port: UDP 7937
Service/Program:
Description:
device.
Vulnerability:
Reboot Required?:
Page 362 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 1072
Service/Program:
jucheck
Description:
Port is used by the Java Update Checker
Vulnerability:
None reported.
TCP Port 1072 - jucheck should be Enabled only if Java
used on OSM - GE to confirm
Reboot Required?:
Page 363 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 14000
Service/Program:
ihDataArchiver
Description:
Port is used by the Proficy Data Historian Server
Vulnerability:
None reported.
Enable
Reboot Required?:
Page 364 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 1436
Service/Program:
HealthMonitor
Description:
Port is used by Health Monitor System
Vulnerability:
None reported.
Enable
Reboot Required?:
Page 365 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 1487
Service/Program:
HealthMonitor
Description:
Port is used by Health Monitor System
Vulnerability:
None reported.
Enable
Reboot Required?:
Page 366 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 1701
Service/Program:
jusched
Description:
Port is used by the Java Update Scheduler
Vulnerability:
None reported
Enable OSM requires this to be enabled to update the JAVA
system for updating the Remote management tools
engine.
Reboot Required?:
Page 367 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 1947
Service/Program:
hasplms.exe
Description:
Vulnerability:
Reboot Required?:
Page 368 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 25926
Service/Program:
AnalysisEngine
Description:
Port is used by the OSM Analysis Engine
Vulnerability:
Enable
Reboot Required?:
Page 369 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 25927
Service/Program:
AnalysisEngine
Description:
Port is used by the OSM Analysis Engine
Vulnerability:
Enable
Reboot Required?:
Page 370 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 2967
Service/Program:
Rtvscan
Description:
Port is used by the Symantec AntiVirus Scanner
Vulnerability:
Enable
Reboot Required?:
Page 371 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 5152
Service/Program:
jqs.exe
Description:
Port is used by java runtime engine service (jqs.exe).
Vulnerability:
Enable Required for remote access management and data
tools.
Reboot Required?:
Page 372 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 6150
Service/Program:
tomcat7
Description:
Port is used by the Commons Daemon service Runner
Vulnerability:
Enable
Reboot Required?:
Page 373 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 770
Service/Program:
cadlock
Description:
Port is used by the GE OSM Inteface
Vulnerability:
Enable Port 770 is required by the system to work propelry.
form access by untrusted computers and networks.
Reboot Required?:
Page 374 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 7937
Service/Program:
EGD
Description:
Port is used by the GE OSM Inteface
Vulnerability:
Reboot Required?:
Page 375 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 80
Service/Program:
http
Description:
Port is used by local Web based services
Vulnerability:
Enable
Reboot Required?:
Page 376 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 8005
Service/Program:
tomcat7
Description:
Vulnerability:
Enable
Reboot Required?:
Page 377 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: TCP 8009
Service/Program:
tomcat7
Description:
Vulnerability:
Enable
Reboot Required?:
Page 378 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Disabled.GE recommends that SNMP be Disabled on
all network appliances unless the GE Network
Monitoring Services or local IT systems require the use
Reboot Required?:
Page 379 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: UDP 1947
Service/Program:
hasplms.exe
Description:
Connections.
Vulnerability:
Reboot Required?:
Page 380 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: UDP 500
Service/Program:
isakmp
Description:
Vulnerability:
recommended.
Reboot Required?:
Page 381 of 676

Device Type:
OSM
Device Specifics:
OSM
Port: UDP 68
Service/Program:
bootpc
Description:
Port is used by the Bootstrap loader
Vulnerability:
Enable
Reboot Required?:
Page 382 of 676

Device Type:
PLC Systems
Device Specifics:
GE Fanuc PLC
Port: TCP 18245
Service/Program:
SRTP
Description:
Port is used by the Service Request Transfer Protocol (SRTP) in legacy GE Fanuc PLC
systems.
Vulnerability:
Disable-Enable If the device utilizes SRTP protocol, Port 18245 should
be Enabled. Care should be taken to block access to
this port from untrusted computers and networks.
If the device does not use SRTP protocol, Port 18245
should be Disabled.
Reboot Required?:
Page 383 of 676

Device Type:
Printers
Device Specifics:
HP Color LaserJet Pro M452dn
Port: TCP 1022-1023
Service/Program:
printer
Description:
Port is used root level access on HP Printers.
Vulnerability:
Disable Ports are not required. Care should be taken to assure
Reboot Required?:
Page 384 of 676

Device Type:
Printers
Device Specifics:
Port: TCP 515
Service/Program:
printer
Description:
Used for printing services, network protocol for submitting print jobs to a remote printer.
Vulnerability:
Reboot Required?:
Page 385 of 676

Device Type:
Printers
Device Specifics:
Port: TCP 631
Service/Program:
printer
Description:
TCP port for IPP. IPP is an Internet Printing Protocol implementation available on HP
Vulnerability:
Reboot Required?:
Page 386 of 676

Device Type:
Printers
Device Specifics:
Port: TCP 8080
Service/Program:
printer
Description:
HP Printer Web Services
Vulnerability:
Reboot Required?:
Page 387 of 676

Device Type:
Printers
Device Specifics:
Port: TCP 9100
Service/Program:
printer
Description:
Port is used for Printing on HP Printers
Vulnerability:
Reboot Required?:
Page 388 of 676

Device Type:
Printers
Device Specifics:
Port: UDP 10000
Service/Program:
ndmp
Description:
Network Data Management Protocal. Port is not necessary for printing applications.
Vulnerability:
Disable Ports are not required. Care should be taken to assure
Reboot Required?:
Page 389 of 676

Device Type:
Printers
Device Specifics:
Port: UDP 9200
Service/Program:
printer
Description:
Port is used for Printing on HP Printers
Vulnerability:
Reboot Required?:
Page 390 of 676

Device Type:
Router
Device Specifics:
AT-AR415
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Reboot Required?:
Page 391 of 676

Device Type:
Router
Device Specifics:
AT-AR415
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:

Reboot Required?:
Page 392 of 676

Device Type:
Router
Device Specifics:
AT-AR415
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Reboot Required?:
Page 393 of 676

Device Type:
Router
Device Specifics:
AT-AR415
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 394 of 676

Device Type:
Router
Device Specifics:
AT-AR750
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Reboot Required?:
Page 395 of 676

Device Type:
Router
Device Specifics:
AT-AR750
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:

Reboot Required?:
Page 396 of 676

Device Type:
Router
Device Specifics:
AT-AR750
Port: UDP 161
Service/Program:
snmp
Description:
logging and management network information via the network. .
Vulnerability:
Reboot Required?:
Page 397 of 676

Device Type:
Router
Device Specifics:
AT-AR750
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 398 of 676

Device Type:
Router
Device Specifics:
AT-AR751
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:

Reboot Required?:
Page 399 of 676

Device Type:
Router
Device Specifics:
AT-AR751
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Reboot Required?:
Page 400 of 676

Device Type:
Router
Device Specifics:
AT-AR751
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 401 of 676

Device Type:
Router
Device Specifics:
Fortinet 300C/D
Port: TCP 22
Service/Program:
ssh
Description:
Vulnerability:
Reboot Required?:
Page 402 of 676

Device Type:
Router
Device Specifics:
Fortinet 300C/D
Port: TCP 443
Service/Program:
ssh
Description:
Vulnerability:
Reboot Required?:
Page 403 of 676

Device Type:
Router
Device Specifics:
Fortinet 300C/D
Port: TCP 443
Service/Program:
https
Description:
Vulnerability:
Enable Port is used for configuration of Fortinet Firewalls.
Reboot Required?:
Page 404 of 676

Device Type:
Security Server
Device Specifics:
NetCap Security Server 2003
Port: NONE n/a
Service/Program:
reminst
Description:
Windows Remote installation services
Vulnerability:
Enable Required on all NetCap and SecurityST
implementations for remote patch installation services
to function properly.
Reboot Required?:
Page 405 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1100
Service/Program:
AjaxSwing, Tomcat - 12.1.1
Description:
Port may be used by Symantec Endpoint Protection-Tomcat web services. It is used
locally and does not require traversal of firewalls
Vulnerability:
Enable
Reboot Required?:
Page 406 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1200
Service/Program:
Description:
Vulnerability:
Enable
Reboot Required?:
Page 407 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1433
Service/Program:
ms-sql-s
Description:
Port is used by the Microsoft SQL Server (ms-sql-s, sqlserver.exe) for communication
between a Symantec Endpoint Protection Manager (SEPM) and a Microsoft SQL Database
Server if they reside on separate computers.
Vulnerability:
There are vulnerabilities associated with this port. Use of SQL itself presents possibilities
for SQL code injection attacks.
Disable-Enable For Security Servers, if the Database Server resides on
the same computer as the SEPM manager (typical),
Port 1433 is not required and should be Disabled.
If the Database Server resides on a separate computer,
MS-SQL services are required and should be Enabled.
Reboot Required?:
Page 408 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1812
Service/Program:
IAS - RADIUS
Description:
Port is used for RADIUS communication between a Symantec Endpoint Protection
Manager (SEPM) and Enforcers for authenticating unique ID information with the
Vulnerability:
Disable-Enable If RADIUS is not being used to configure/manage
Symantec (standard), Port 1812 should be Disabled.
If RADIUS is in use, Port 1812 is required and should be
Enabled. Care should be taken to block access to this
Reboot Required?:
Page 409 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 25001
Service/Program:
Description:
Port is used by Acronis Advanced Backup and Recovery Workstation/Server software for
remote install.
Vulnerability:
Disable-Enable TCP Port 25001 is only required during remote
installation. Once installation is complete, Port 25001
should be Disabled.
Reboot Required?:
Page 410 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 2638
Service/Program:
dbsrv9.exe or dbsrv11.exe
Description:
Port is used for communication between an Embedded Database and the Symantec
Endpoint Protection Manager (SEPM).
Vulnerability:
Enable
Reboot Required?:
Page 411 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 443
Service/Program:
https
Description:
Port is used as an optional port for the Symantec Endpoint Protection IIS port. Port is
used by secure/encrypted HTML (i.e. HTTPS) communication between Symantec Endpoint
Protection Manager (SEPM) and Symantec Endpoint Protection (SEP) clients and Enforcers.
Vulnerability:
Disable-Enable Port 443 should be Enabled on the Security Server if
https is used. Otherwise, Disable Port 443.
Reboot Required?:
Page 412 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 47001
Service/Program:
WinRM
Description:
remotely
Vulnerability:
Enable
Reboot Required?:
Page 413 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 5120
Service/Program:
Shavlik Remote Scheduler
Description:
Port is used by the Shavlik Remote Scheduler (STSchedEx.exe), which is used to transfer
patches from the security server to the Shavlik clients for installation.
Vulnerability:
Enable This port is required for all Windows computers in
NetCap installations. Care should be taken to block
networks.
Reboot Required?:
Page 414 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 53
Service/Program:
DNS Service
Description:
Port is used by the Domain Name Service (DNS) system that provides common name
resolution to IP addresses and domains.
Vulnerability:
Numerous vulnerabilities are reported to use this port.
Disable-Enable In a WORKGROUP configured system, Port 53 is not
used and should be Disabled.
In a DOMAIN configured system using Active Directory,
this port should be Enabled and care should be taken
to block access to Port 53 from untrusted computers
and networks.
Reboot Required?:
Page 415 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 5355
Service/Program:
LLMNR
Description:
Port is used by Link-Local Multicast Name Resolution (LLMNR).
Vulnerability:
Disable By default, LLMNR is disabled in a domain
environment.
It should be Disabled in a stand-alone environment if
not already disabled.
Reboot Required?:
Page 416 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:
Enable ONLY used in NetCap servers. HTTP is used for
Symantec Endpoint Protection Manager (SEPM) IIS or
Tomcat or Shavlik NetChk Protect 7.8, Port 80 can be
Enabled. If enabled, care should be taken to block
networks.
Reboot Required?:
Page 417 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8005
Service/Program:
Symantec Endpoint Protection Manager
Description:
Port is used by the Symantec Endpoint Protection Manager (Anti-Virus Protection).
Vulnerability:
Enable TCP Port 8005 should only be Enabled on the Security
Server. All other devices should Disable Port 8005.
Reboot Required?:
Page 418 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8014
Service/Program:
Symantec Endpoint Protection IIS
Description:
Port is used as a Symantec Endpoint Protection IIS port for HTTPS communication
between a remote management console and the Symantec Endpoint Protection Manager
(SEPM). All login information and administrative communication takes place using this
secure port.
Vulnerability:
Reboot Required?:
Page 419 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8443
Service/Program:
Symantec Endpoint Protection Tomcat
Description:
Port is used as the Symantec Endpoint Protection Tomcat port for HTTPS communication
secure port.
Vulnerability:
Server and SIEM. All other devices should Disable Port
8443.
Reboot Required?:
Page 420 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8444
Service/Program:
Web Services for Symantec Endpoint Protection Center - 12.
Description:
Port may be used by Symantec Endpoint Protection Center Data Feed and Workflow
requests. This is not used for GE solution so it does not normally need to traverse
firewalls.
Vulnerability:
Enable
Reboot Required?:
Page 421 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8445
Service/Program:
Symantec Endpoint Reporting Console - 12.1.1
Description:
Port may be used by Symantec Endpoint Protection Center Reporting Console for
processing Data Feed and Workflow requests. This is not used for GE solution so it does
not normally need to traverse firewalls.
Vulnerability:
Enable
Reboot Required?:
Page 422 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9090
Service/Program:
SemSvc.exe
Description:
Port is used by Symantec Endpoint Protection as the initial HTTP communication between
a remote management console and the Symantec Endpoint Protection Manager (SEPM)
to display the login screen only.
Vulnerability:
Reboot Required?:
Page 423 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9091
Service/Program:
Symantec Endpoint Protection
Description:
Port is used by Symantec Endpoint Protection.
Vulnerability:
Reboot Required?:
Page 424 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9876
Service/Program:
agent.exe
Description:
Port is used by Acronis True Image agent which manages the automated backup system.
Vulnerability:
Enable TCP Port 9876 is required for the Backup and Disaster
Recovery portions of the NetCap solution. Care should
Reboot Required?:
Page 425 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 426 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 39999
Service/Program:
Description:
Port is used for communication between the Symantec Endpoint Protection (SEP) Clients
and the Enforcer. This port is used to authenticate Clients by the Enforcer.
Vulnerability:
Enable
Reboot Required?:
Page 427 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 500
Service/Program:
isakmp
Description:
Vulnerability:
recommended.
Reboot Required?:
Page 428 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 429 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 52821
Service/Program:
Description:
Port is used by Kerberos computer network authentication protocol
Vulnerability:
Enable
Reboot Required?:
Page 430 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 5355
Service/Program:
LLMNR
Description:
Vulnerability:
environment.
Reboot Required?:
Page 431 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
Enable
N/A
Reboot Required?:
Page 432 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Enable UDP Port 9876 is required for the Backup and Disaster
Reboot Required?:
Page 433 of 676

Device Type:
Security Server
Device Specifics:
Port: NONE n/a
Service/Program:
reminst
Description:
Vulnerability:
Reboot Required?:
Page 434 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1100
Service/Program:
Description:
Vulnerability:
Enable
Reboot Required?:
Page 435 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1200
Service/Program:
Description:
Vulnerability:
Enable
Reboot Required?:
Page 436 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1433
Service/Program:
ms-sql-s
Description:
Port is used by the Microsoft SQL Server (ms-sql-s, sqlserver.exe) for communication
between a Symantec Endpoint Protection Manager (SEPM) and a Microsoft SQL Database
Server if they reside on separate computers.
Vulnerability:
Disable-Enable For Security Servers, if the Database Server resides on
the same computer as the SEPM manager, TCP Port
1433 is not required and should be Disabled.
If the Database Server resides on a separate computer,
MS-SQL services are required and should be Enabled.
Reboot Required?:
Page 437 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 1812
Service/Program:
IAS - RADIUS
Description:
RADIUS communication between a Symantec Endpoint Protection Manager (SEPM) and
Enforcers for authenticating unique ID information with the Enforcer.
Vulnerability:
Disable-Enable If RADIUS is not being used on the device, TCP Port
1812 should be Disabled.
If RADIUS is in use, Port 1812 is required and should be
Enabled. Care should be taken to block access to this
Reboot Required?:
Page 438 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 25001
Service/Program:
Description:
Acronis Advanced Backup and Recovery Workstation/Server software for remote install.
Vulnerability:
Disable-Enable Port 25001 is only required during remote installation.
Once installation is complete, Port 25001 should be
Disabled.
Reboot Required?:
Page 439 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 2638
Service/Program:
dbsrv9.exe or dbsrv11.exe
Description:
Port is used for communication between an Embedded Database and the Symantec
Endpoint Protection Manager (SEPM).
Vulnerability:
Enable
Reboot Required?:
Page 440 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 3121
Service/Program:
NT Kernal + system
Description:
Vulnerability:
Enable
Reboot Required?:
Page 441 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 3122
Service/Program:
NT Kernal + system
Description:
Vulnerability:
Enable
Reboot Required?:
Page 442 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 443
Service/Program:
https
Description:
Port is used as an optional port for the Symantec Endpoint Protection IIS port. Port is
used by secure/encrypted HTML (i.e. HTTPS) communication between Symantec Endpoint
Protection Manager (SEPM) and Symantec Endpoint Protection (SEP) clients and Enforcers.
Vulnerability:
Disable-Enable TCP Port 443 should be Enabled on the Security Server
if https is used. Otherwise, Disable Port 443.
Reboot Required?:
Page 443 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 47001
Service/Program:
WinRM
Description:
remotely
Vulnerability:
Enable
Reboot Required?:
Page 444 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 5120
Service/Program:
Description:
Vulnerability:
Enable TCP Port 5120 is required for all Windows computers
in NetCap installations. Care should be taken to block
networks.
Reboot Required?:
Page 445 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 53
Service/Program:
DNS Service
Description:
Domain Name Service (DNS) system that provides common name resolution to IP
addresses and domains.
Vulnerability:
Enable TCP Port 53 is required for Active Directory, this port
should be Enabled and care should be taken to block
networks.
Reboot Required?:
Page 446 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 5355
Service/Program:
LLMNR
Description:
Link-Local Multicast Name Resolution (LLMNR).
Vulnerability:
environment.
Reboot Required?:
Page 447 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 80
Service/Program:
http
Description:
http client (typically browsers) to interface to http services such as IIS, Apache or
Silverlight/WebSlinger.
Vulnerability:
Enable ONLY used In NetCap servers. HTTP is used for
Symantec Endpoint Protection Manager (SEPM) IIS or
Tomcat or Shavlik NetChk Protect 7.8, Port 80 can be
Enabled. If enabled, care should be taken to block
networks.
Reboot Required?:
Page 448 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8005
Service/Program:
Symantec Endpoint Protection Manager
Description:
Port is used by the Symantec Endpoint Protection Manager (Anti-Virus Protection).
Vulnerability:
Enable Port 8005 should only be Enabled on the Security
Reboot Required?:
Page 449 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8014
Service/Program:
Symantec Endpoint Protection IIS
Description:
Port is used as a Symantec Endpoint Protection IIS port for HTTPS communication
secure port.
Vulnerability:
Reboot Required?:
Page 450 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8443
Service/Program:
Description:
Symantec Endpoint Protection Tomcat port for HTTPS communication between a remote
management console and the Symantec Endpoint Protection Manager (SEPM). All login
information and administrative communication takes place using this secure port.
Vulnerability:
8443.
Reboot Required?:
Page 451 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8444
Service/Program:
Web Services for Symantec Endpoint Protection Center - 12.
Description:
Port may be used by Symantec Endpoint Protection Center Data Feed and Workflow
requests. This is not used for GE solution so it does not normally need to traverse
firewalls.
Vulnerability:
Enable
Reboot Required?:
Page 452 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 8445
Service/Program:
Symantec Endpoint Reporting Console - 12.1.1
Description:
Port may be used by Symantec Endpoint Protection Center Reporting Console for
processing Data Feed and Workflow requests. This is not used for GE solution so it does
not normally need to traverse firewalls.
Vulnerability:
Enable
Reboot Required?:
Page 453 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9090
Service/Program:
SemSvc.exe
Description:
Symantec Endpoint Protection as the initial HTTP communication between a remote
management console and the Symantec Endpoint Protection Manager (SEPM) to display
the login screen only.
Vulnerability:
Reboot Required?:
Page 454 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9091
Service/Program:
Symantec Endpoint Protection
Description:
Symantec Endpoint Protection.
Vulnerability:
Reboot Required?:
Page 455 of 676

Device Type:
Security Server
Device Specifics:
Port: TCP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Reboot Required?:
Page 456 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 457 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 1434
Service/Program:
sql browser service
Description:
Vulnerability:
Reboot Required?:
Page 458 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 39999
Service/Program:
Description:
Port is used for communication between the Symantec Endpoint Protection (SEP) Clients
and the Enforcer and is used to authenticate Clients by the Enforcer.
Vulnerability:
Enable
Reboot Required?:
Page 459 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 4500
Service/Program:
svchost
Description:
Vulnerability:
Reboot Required?:
Page 460 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 500
Service/Program:
isakmp
Description:
IKE (Internet Key Exchange) and AuthIP (Authenticated Internet Protocol) required by
Ipsec keying (Internet Protocol Security). This service is critical for Ipsec to provide
authentication and encryption services.
Vulnerability:
Enable UDP Port 500 is used for IKE, AuthIP and Ipsec. GE
strongly recommends that this port be blocked from
access by untrusted computers and networks. The use
of strong passwords and best practice password
management as well as restrictive file sharing
strategies are also strongly recommended.
Reboot Required?:
Page 461 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Disable-Enable UDP Port 514 is ONLY required on devices that are
sending or receiving syslog messages (i.e. network
devices and SIEM). When enabled, care should be
taken to block access to this port from untrusted
Otherwise, Disable.
Reboot Required?:
Page 462 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 52821
Service/Program:
Description:
Port is used by Kerberos computer network authentication protocol
Vulnerability:
Enable
Reboot Required?:
Page 463 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 52951
Service/Program:
Description:
Network Location Awareness
Vulnerability:
Disable-Enable UDP Port 52951 should only be enabled if Network
Location Awareness Services are required (RARE).
Otherwise, disable.
Reboot Required?:
Page 464 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 5355
Service/Program:
LLMNR
Description:
Link-Local Multicast Name Resolution (LLMNR).
Vulnerability:
environment.
Reboot Required?:
Page 465 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 9
Service/Program:
DISCARD
Description:
Vulnerability:
Enable
N/A
Reboot Required?:
Page 466 of 676

Device Type:
Security Server
Device Specifics:
Port: UDP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Enable UDP Port 9876 may be required for the Backup and
Disaster Recovery portions of the NetCap solution.
Reboot Required?:
Page 467 of 676

Device Type:
Security Servers (VMs)
Device Specifics:
SecurityST10
Port: NONE n/a
Service/Program:
sysdown
Description:
Server Shutdown service to increase safety and reliability of system shutdown
Vulnerability:
Disable-Enable Should only be present on HP Prolient Server
computer systems
Reboot Required?:
Page 468 of 676

Device Type:
Device Specifics:
SecurityST10
Port: NONE n/a
Service/Program:
reminst
Description:
Vulnerability:
Reboot Required?:
Page 469 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 1024-65535 (See
Service/Program:
Description:
OS Assigned Ephemeral Ports present in SecurityST system.
Vulnerability:
Reboot Required?:
Page 470 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 135
Service/Program:
RPC
Description:
Port used for Hyper-V Service (Virtual Machine Manager)
Vulnerability:
Enable
Reboot Required?:
Page 471 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 139
Service/Program:
netbios-dgm/ssn
Description:
Port is used by the NETBIOS Datagram/Session Service for file and printer sharing.
Vulnerability:
Enable
Reboot Required?:
Page 472 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 17
Service/Program:
gotd
Description:
This port may be present when communicating with Mark Vie Control Systems.
Vulnerability:
Reboot Required?:
Page 473 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 1801
Service/Program:
Msmq.exe
Description:
Required for Windows - Microsoft Message Queuing, provides a messaging service
between source and destination computers running distrubuted applications. OS
Vulnerability:
Enable Present on systems with Sophos Console Manager
Reboot Required?:
Page 474 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 19
Service/Program:
chargen
Description:
Vulnerability:
Reboot Required?:
Page 475 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 1947
Service/Program:
hasplms.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 476 of 676

Device Type:
Device Specifics:
SecurityST10
Port: tcp 2020
Service/Program:
ftp
Description:
Client-to-server authenticated communication port. TCP Port that the Agent Handler uses
to communicate with the ePO server to get required information (such as LDAP servers)
This Port is necessary for system using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 477 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 2103
Service/Program:
Mqsvc.eve
Description:
Vulnerability:
Reboot Required?:
Page 478 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 2105
Service/Program:
Mqsvc.eve
Description:
Vulnerability:
Reboot Required?:
Page 479 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 2107
Service/Program:
Mqsvc.eve
Description:
Vulnerability:
Reboot Required?:
Page 480 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 22
Service/Program:
SSH, SFTP
Description:
Port used by Outgoing Secure FTP Services, CatTools SSH access
Vulnerability:
Enable
Reboot Required?:
Page 481 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 23
Service/Program:
Telnet
Description:
Port used by CatTools for Outgoing Telnet connections
Vulnerability:
Enable
Reboot Required?:
Page 482 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 25
Service/Program:
smtp
Description:
Port used by CatTools for Outgoing Email delivery
Vulnerability:
Enable
Reboot Required?:
Page 483 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 3389
Service/Program:
svchost.exe (RDP)
Description:
Port used by by Remote Administration Services
Vulnerability:
Enable
Reboot Required?:
Page 484 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 389
Service/Program:
Description:
LDAP server port. TCP port used to retrieve LDAP information from Active Directory
servers. This Port is necessary for system using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 485 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 389
Service/Program:
ldap
Description:
Port is used by vCenter Server for LDAP Directory Services
Vulnerability:
Enable
Reboot Required?:
Page 486 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 443
Service/Program:
apache.exe
Description:
Agent-server communication secure port. TCP port that the ePO Server service uses to
receive requests from agents and remote Agent Handlers. TCP port that the ePO server's
Software Manager uses to connect to McAfee. This Port is necessary for system using
McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 487 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 443
Service/Program:
vCenter
Description:
Port used by vCenter Server to listen for connections from vSphere Client (Vitual Machine
management)
Vulnerability:
Enable
Reboot Required?:
Page 488 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 445
Service/Program:
smb
Description:
SMB Windows domain controller port. TCP port used for ePO console login when
authenticating Active Directory users. This Port is necessary for system using McAfee
ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 489 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49152
Service/Program:
wininit.exe
Description:
Port used by Windows Server 2008R2 Initialization (Dynamic)
Vulnerability:
Enable
Reboot Required?:
Page 490 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49152-65535 (See
Service/Program:
CertificationManagerServiceNT.exe
Description:
Required for Sophos. Sophos Certification Manager - This service issues client computers
with certificates. Certificates are used to digitally sign messages to assert that messages
sent between Sophos Message Routers are genuine. When a client computer becomes
managed, it requests a certificate from the Sophos Certification Manager.
Vulnerability:
Reboot Required?:
Page 491 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49153
Service/Program:
svchost.exe
Description:
Port used by Windows Event Log
Vulnerability:
Enable
Reboot Required?:
Page 492 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49154
Service/Program:
lsass.exe
Description:
Port used by Local Security Authentication Server (Windows)
Vulnerability:
Enable
Reboot Required?:
Page 493 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49155
Service/Program:
svchost.exe
Description:
Port used by Windows Scheduler
Vulnerability:
Enable
Reboot Required?:
Page 494 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49156
Service/Program:
Msrpc
Description:
Required for Windows. Microsoft RPC (Microsoft Remote Procedure Call) present
Windows Server Domains
Vulnerability:
Reboot Required?:
Page 495 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49180
Service/Program:
ManagementAgentNT.exe
Description:
Port used by Sophos Anti-virus
Vulnerability:
Enable
Reboot Required?:
Page 496 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49181
Service/Program:
ManagementAgentNT.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 497 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 49188
Service/Program:
services.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 498 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 5120
Service/Program:
STSchedEx
Description:
Port used by vCenter Update Scheduler
Vulnerability:
Enable
Reboot Required?:
Page 499 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 51234
Service/Program:
SUM
Description:
Port used by Sophos Update Manager - Sophos Inter-process Communication only
Vulnerability:
Enable
Reboot Required?:
Page 500 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 5722
Service/Program:
DFSR
Description:
Port used by Windows Server 2008 R2 Domain Controller - Distributed File System
Replication
Vulnerability:
Enable
Reboot Required?:
Page 501 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 636
Service/Program:
Description:
SSL LDAP server port. TCP port used to retrieve LDAP information from Active Directory
servers. This Port is necessary for system using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 502 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 636
Service/Program:
SSL
Description:
Port used for vCenter Server Linked Mode, SSL port of the local instance
Vulnerability:
Enable
Reboot Required?:
Page 503 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 6501
Service/Program:
ESXi
Description:
Port used by vCenter Server Auto Deploy service
Vulnerability:
Enable
Reboot Required?:
Page 504 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 6502
Service/Program:
ESXi
Description:
Port used by vCenter Server Auto Deplay Management
Vulnerability:
Enable
Reboot Required?:
Page 505 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 7
Service/Program:
echo
Description:
The Echo Protocol is a service in the Internet Protocol. The server sends back an identical
copy of the data it received. Present when communicating with Mark Vie Control Systems.
Vulnerability:
Reboot Required?:
Page 506 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 7937
Service/Program:
nsrexecd.exe
Description:
Port used by Legato NetWorker
Vulnerability:
Enable
Reboot Required?:
Page 507 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 80
Service/Program:
macmnsvc.exe
Description:
Agent-server communication port. TCP port that the ePO Server service uses to receive
requests from agents. r. This Port is necessary for system using McAfee ePolicy
Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 508 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 80
Service/Program:
http
Description:
This port is used for enabling secure mode on the Mark Vie controllers. This port is
typically found on systems that use the Certificate Authority (AP3 or CA1).
Vulnerability:
Reboot Required?:
Page 509 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8000
Service/Program:
splunkd.exe
Description:
Port used by SIEM clients to Splunk Search page (splunk data)
Vulnerability:
Enable
Reboot Required?:
Page 510 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8081
Service/Program:
McAfee Agent
Description:
Inbound connec on from the ePO server/Agent Handler.This Port is necessary for
Vulnerability:
Reboot Required?:
Page 511 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8082
Service/Program:
McAfee Agent
Description:
Inbound connec oto the agents. ePO server/Agent Handr. This Port is necessary for
Vulnerability:
Reboot Required?:
Page 512 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8089
Service/Program:
splunkd.exe
Description:
Port used by Splunk SIEM deployment server
Vulnerability:
Enable
Reboot Required?:
Page 513 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8192
Service/Program:
RMS
Description:
Port used by Remote Management System for Sophons Anti-virus
Vulnerability:
Enable
Reboot Required?:
Page 514 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8194
Service/Program:
RMS
Description:
Port used by Remote Management System for Sophons Anti-virus
Vulnerability:
Enable
Reboot Required?:
Page 515 of 676

Device Type:
Device Specifics:
SecurityST10
Port: tcp 8443
Service/Program:
apache.exe
Description:
Console-to-application server communication port. TCP port that the ePO Application
Server service uses to allow web browser UI access. This Port is necessary for system
using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 516 of 676

Device Type:
Device Specifics:
SecurityST10
Port: tcp 8444
Service/Program:
Tomcat7.exe
Description:
Client-to-server authenticated communication port. TCP Port that the Agent Handler uses
to communicate with the ePO server to get required information (such as LDAP servers)
This Port is necessary for system using McAfee ePolicy Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 517 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 8765
Service/Program:
semsvc.exe
Description:
Port is used by Symantec
Vulnerability:
Disable-Enable Present on systems with Symantec End Point
Protection manager.
Reboot Required?:
Page 518 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 9
Service/Program:
discard
Description:
to detect the presence of nodes on the network via the ARP tables. Present in Mark Vie
Control Systems.
Vulnerability:
Reboot Required?:
Page 519 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 902
Service/Program:
VMC
Description:
Port used for vCenter connection to Managed hosts. ESXi 5.x consoles.
Vulnerability:
Enable
Reboot Required?:
Page 520 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 903
Service/Program:
VMC
Description:
Port used for vCenter vSphere Client and ESX / ESXi hosts. Virtual machine consoles.
Vulnerability:
Enable
Reboot Required?:
Page 521 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 9090
Service/Program:
HTTP
Description:
Port used by vSphere Web Client (VMware)
Vulnerability:
Enable
Reboot Required?:
Page 522 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 912
Service/Program:
vmware-authd.exe
Description:
Port used for VMware Patch Management
Vulnerability:
Enable
Reboot Required?:
Page 523 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 9443
Service/Program:
HTTPS
Description:
Port used by vSphere Secure Web Client (VMware)
Vulnerability:
Enable
Reboot Required?:
Page 524 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 525 of 676

Device Type:
Device Specifics:
SecurityST10
Service/Program:
SophosUpdateMgr.exe
Description:
Manages data and update distribution from Sophos.
Vulnerability:
Reboot Required?:
Page 526 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP/UDP 1433
Service/Program:
apache.exe
Description:
SQL server TCP port. TCP port used to communicate with the SQL server. This port is
specified or determined automatically during the setup process. This Port is necessary for
Vulnerability:
Reboot Required?:
Page 527 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP/UDP 1801
Service/Program:
Mqsvc.eve
Description:
Vulnerability:
Reboot Required?:
Page 528 of 676

Device Type:
Device Specifics:
SecurityST10
Port: TCP/UDP 49152-65535 (See
Service/Program:
Mqsvc.eve
Description:
Vulnerability:
Reboot Required?:
Page 529 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 10433
Service/Program:
VPN
Description:
Port used by FortiGate VPN Allowed Connection
Vulnerability:
Enable
Reboot Required?:
Page 530 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 531 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 13
Service/Program:
daytime
Description:
Port is used by the daytime protocol, which reports the current time of day.Present when
communicating with Mark Vie Control Systems.
Vulnerability:
Reboot Required?:
Page 532 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 1333
Service/Program:
ANIXIS
Description:
Port used by ANIXZIX Password Policy Enforcer / Password Policy Client
Vulnerability:
Enable
Reboot Required?:
Page 533 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 137
Service/Program:
netbios-ns
Description:
Port used by NetBIOS name Service
Vulnerability:
Enable
Reboot Required?:
Page 534 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 1434
Service/Program:
apache.exe
Description:
SQL server UDP port. UDP port used to request the TCP port that the SQL instance hosting
the ePO database is using. This Port is necessary for system using McAfee ePolicy
Orchestrator and agents.
Vulnerability:
Reboot Required?:
Page 535 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 1434
Service/Program:
Description:
UDP port 1434 is used for SQL Server named instances. The SQL Server Browser service
listens on this port for incoming connections to a named instance. The service then
responds to the client with the TCP port number for the requested named instance. This
port can be found on systems using a sql database such as shavlik, acronis, etc.
Application typically found on SecurityST systems.
Vulnerability:
Reboot Required?:
Page 536 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 161
Service/Program:
snmp
Description:
Port used by Network management applications. OS Assigned Ephemeral Ports may be
Vulnerability:
Enable
Reboot Required?:
Page 537 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 17
Service/Program:
gotd
Description:
Vulnerability:
Reboot Required?:
Page 538 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 1812
Service/Program:
IAS - RADIUS
Description:
Port used by RADIUS Authentication
Vulnerability:
Enable
Reboot Required?:
Page 539 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 1813
Service/Program:
IAS - RADIUS
Description:
Port used by RADIUS Accounting
Vulnerability:
Enable
Reboot Required?:
Page 540 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 19
Service/Program:
chargen
Description:
Vulnerability:
Reboot Required?:
Page 541 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 389
Service/Program:
ldap
Description:
Port is used by vCenter Server for LDAP Directory Services
Vulnerability:
Enable
Reboot Required?:
Page 542 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 51234
Service/Program:
SUM
Description:
Port used by Sophos Update Manager - Sophos Inter-process Communication only
Vulnerability:
Enable
Reboot Required?:
Page 543 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 514
Service/Program:
syslog
Description:
Port used by System Logging Service - Syslog Server
Vulnerability:
Enable
Reboot Required?:
Page 544 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54096
Service/Program:
lsass
Description:
Port used by Windows Local Security Authentication Server
Vulnerability:
Enable
Reboot Required?:
Page 545 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54098
Service/Program:
SavService.exe
Description:
Port used by Sophos Anti-Virus
Vulnerability:
Enable
Reboot Required?:
Page 546 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54099
Service/Program:
SavService.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 547 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54342
Service/Program:
swi_service.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 548 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54343
Service/Program:
swi_service.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 549 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54347
Service/Program:
SavService.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 550 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54348
Service/Program:
SavService.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 551 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 54349
Service/Program:
splunk-admon.exe
Description:
Port used by Splunk SIEM
Vulnerability:
Enable
Reboot Required?:
Page 552 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 55017
Service/Program:
splunkd.exe
Description:
Port used by Splunk SIEM
Vulnerability:
Enable
Reboot Required?:
Page 553 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 56020
Service/Program:
WmiPrvSE.exe
Description:
Required for Windows - Windows Management Instrumentation Provider for Error
Reporting.
Vulnerability:
Enable
Reboot Required?:
Page 554 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 69
Service/Program:
TFTP
Description:
Port used by CatTools for Backups over TFTP
Vulnerability:
Enable
Reboot Required?:
Page 555 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 7
Service/Program:
echo
Description:
The Echo Protocol is a service in the Internet Protocol. The server sends back an identical
copy of the data it received. Present when communicating with Mark Vie Control Systems.
Vulnerability:
Reboot Required?:
Page 556 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 902
Service/Program:
VMC Heartbeat
Description:
Port used for vCenter Managed Hosts heartbeat to the vCenter Server System
Vulnerability:
Enable
Reboot Required?:
Page 557 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Enable
Reboot Required?:
Page 558 of 676

Device Type:
Device Specifics:
SecurityST10
Port: UDP 9997
Service/Program:
SSL
Description:
Port used by Splunk SIEM default receiver port for forwarders to the Splunk indexer
before Splunk 5
Vulnerability:
Enable
Reboot Required?:
Page 559 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 10009
Service/Program:
unknown
Description:
Port usage is not documented by Solarwinds
Vulnerability:
Disable
Reboot Required?:
Page 560 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 10010
Service/Program:
unknown
Description:
Port usage is not docuemnted by Solarwinds
Vulnerability:
Disable
Reboot Required?:
Page 561 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 162
Service/Program:
Description:
Port is used for traffic from devices sending SNMP trap messages to the SolarWinds LEM
appliance.
Vulnerability:
None reported
Enable
Reboot Required?:
Page 562 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 25
Service/Program:
smtp
Description:
Vulnerability:
Reboot Required?:
Page 563 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 32022
Service/Program:
Tri-Geo Agent
Description:
Port is used by the Tri-Geo Agent installed on SIEM systems.
Vulnerability:
Enable Port 32022 is required on SIEM systems. Care should
Reboot Required?:
Page 564 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 32033
Service/Program:
Description:
Port is optionally used for SSH traffic to the SolarWinds LEM appliance.
Vulnerability:
Disable-Enable TCP Port 32033 is only required for SSH traffic to the
Solar Winds LEM applicance.
Reboot Required?:
Page 565 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 37890-37892
Service/Program:
Tri-Geo Agent
Description:
Ports are used by the Tri-Geo Agent installed on SIEM systems. These ports see traffic
from the SolarWinds LEM Agents to the SolarWinds LEM appliance.
Vulnerability:
Enable Ports 37890-37892 are required on SIEM systems.
Care should be taken to block access to these ports
from untrusted computers and networks.
Reboot Required?:
Page 566 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 37893-37896
Service/Program:
Tri-Geo Agent
Description:
Ports are used by the Tri-Geo Agent installed on SIEM systems. These ports see the return
traffic from the SolarWinds LEM appliance to the SolarWinds LEM Agents.
Vulnerability:
Enable Ports 37893-37896 are required on SIEM systems.
Care should be taken to block access to these ports
from untrusted computers and networks.
Reboot Required?:
Page 567 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 389
Service/Program:
ldap
Description:
Port is used by Lightweight Directory Access Protocol (LDAP). This protocol has a long and
storied history that goes back to before the Internet. In a nutshell, the LDAP protocol is
used to look up electronic directory information (originally focused on email, location,
etc.) much like a phone system directory service functions. Today this protocol can also
be used (custom applications) to look up other types of information from computer to
computer - application to application.
Vulnerability:
LDAP enabled systems may be vulnerable to code injection/buffer overrun types of
attacks, however this vulnerability is highly dependent on the underlying code/scripting.
Enable SIEM devices use Active Directory services therefore,
TCP Port 389 is required and should be Enabled.
Reboot Required?:
Page 568 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 51165
Service/Program:
Description:
Port is used by Tri-Geo Agent (Encrypted)
Vulnerability:
Enable TCP Port 51165 is only required when SIEM option is
installed.
Reboot Required?:
Page 569 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 514
Service/Program:
syslog
Description:
Vulnerability:
Enable Port 514 is required on SIEM devices that send or
receiving syslog messages. When enabled, care should
Reboot Required?:
Page 570 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 5433
Service/Program:
Description:
Port is used for traffic from SolarWinds LEM Reports to the SolarWinds LEM appliance.
Vulnerability:
Enable
Reboot Required?:
Page 571 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: TCP 8443
Service/Program:
Description:
Port is used for traffic from the SolarWinds LEM Console to the SolarWinds LEM appliance.
Vulnerability:
Enable Port 8443 should only be Enabled on the Security
8443.
Reboot Required?:
Page 572 of 676

Device Type:
SIEM
Device Specifics:
Tri-Geo SIEM
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 573 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 137
Service/Program:
netbios-ns
Description:
Vulnerability:
In addition to numerous 'hacker' vulnerabilities, this port makes sessions available for file
and printer sharing to any TCP/IP network attached.
Enable GE systems require the use of file sharing so this port
must be available. GE strongly recommends that this
port be blocked from access by untrusted computers
and networks. The use of strong passwords and best
practice password management as well as restrictive
file sharing strategies are also strongly recommended.
Reboot Required?:
Page 574 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 139
Service/Program:
netbios-ssn
Description:
TCP NetBIOS connections are made over this port. These TCP connections form "NetBIOS
sessions" to support connection oriented file sharing activities. Files can transferred to the
time server through the GUI.
Vulnerability:
Disable-Enable GE systems require the use of file sharing so this port
Reboot Required?:
Page 575 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
Disable-Enable Disable ftp in favor of RADIUS or device proprietary
management of configuration files. Optionally,
temporarily enabling ftp for a required purpose, then
disabling it would be preferable to leaving the service
open all the time.
Reboot Required?:
Page 576 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 22
Service/Program:
ssh
Description:
Port is used by Secure Network Services (ssh) aka Secure Shell. OS Assigned Ephemeral
Vulnerability:
Disable Future implementations of the system will replace
telnet and http configuration access for network
appliances and controllers using this secure protocol.
However, at this time these services are not
implemented except in customer NetCAP
implementations. If these services are being used in
your system, care should be taken to block access to
Reboot Required?:
Page 577 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Disable
Reboot Required?:
Page 578 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 443
Service/Program:
https
Description:
Vulnerability:
Disable Note that if this port is disabled, you will not be able to
use browser access to secure internet sites or to
provide secure internet service access through IIS or
similar services. GE does not recommend using these
services.
If local requirements for this port exist, then every

precaution to address the known vulnerabilities (OS
Patching, virus passive and active protection, firewalls,
software versions/patches) are implemented.
Reboot Required?:
Page 579 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: TCP 445
Service/Program:
microsoft-ds
Description:
Port is used by direct TCP/IP networking in the operating system. OS Assigned Ephemeral
Vulnerability:
There are many known vulnerabilities listed for this port.
Disable-Enable Port 445 is used by the system and should be Enabled.
Care should be taken to block access to this port by
Reboot Required?:
Page 580 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 1024-65535 (See
Service/Program:
Description:
Ports may be opened during normal operation of time server on network.
Vulnerability:
There are many known vulnerabilities listed for these ports.
Enable GE strongly recommends that this port be blocked
from access by untrusted computers and networks.
Reboot Required?:
Page 581 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 582 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 136
Service/Program:
PROFILE
Description:
Listed as PROFILE Naming system.
Vulnerability:
None listed.
Disable This port has no known vulnerabilities associated with
it, the equipment is not a GE manufactured product
and is a very special purpose item no longer in use by
GE. This has been used in very few applications.
Reboot Required?:
Page 583 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Reboot Required?:
Page 584 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 585 of 676

Device Type:
Time Server
Device Specifics:
Meinburg
Port: UDP 80
Service/Program:
http
Description:
Port is used by non-connection oriented http world wide web applications
Vulnerability:
Disable
Reboot Required?:
Page 586 of 676

Device Type:
Time Server
Device Specifics:
Symmetricon 1520-S200/S250
Port: TCP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Disable
Reboot Required?:
Page 587 of 676

Device Type:
Time Server
Device Specifics:
Port: TCP 22
Service/Program:
ssh
Description:
Port is used by Secure Network Services (ssh) aka Secure Shell. OS Assigned Ephemeral
Vulnerability:
Disable Future implementations of the system will replace
telnet and http configuration access for network
appliances and controllers using this secure protocol.
However, at this time these services are not
implemented except in customer NetCAP
implementations. If these services are being used in
your system, care should be taken to block access to
Reboot Required?:
Page 588 of 676

Device Type:
Time Server
Device Specifics:
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Reboot Required?:
Page 589 of 676

Device Type:
Time Server
Device Specifics:
Port: TCP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 590 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 591 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 123
Service/Program:
ntp
Description:
Vulnerability:
Reboot Required?:
Page 592 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 13
Service/Program:
Day Time Protocol
Description:
Vulnerability:
Disable
Reboot Required?:
Page 593 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 161
Service/Program:
snmp
Description:
Vulnerability:
Reboot Required?:
Page 594 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 37
Service/Program:
Time Protocol
Description:
Vulnerability:
Reboot Required?:
Page 595 of 676

Device Type:
Time Server
Device Specifics:
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 596 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
PsiService_2.exe
Description:
NOT required. WinDVD uses this to decode copy protected media. Remove service by
removing WinDVD from the computer.
Vulnerability:
Disable-Enable Enable for WindDVD - Not recommended
Reboot Required?:
Page 597 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
WmiApSrv.exe
Description:
Required by Windows in order to provide performance related information to WMI clients
(i.e. performance monitor). This service only runs when there are WMI hosts requiring
data.
Vulnerability:
Enable
Reboot Required?:
Page 598 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
iviRegMgr.exe
Description:
NOT Required. Disable in Services. WinDVD reqistration reminder. Can also remove
WinDVD to disable.
Vulnerability:
Disable-Enable Just disable it
Reboot Required?:
Page 599 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
LightScribeControlPanel.exe
Description:
Required only for HP Lightscribe to function
Vulnerability:
Disable-Enable Enable only if you use Lightscribe
Reboot Required?:
Page 600 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
lsm.exe
Description:
Required by Windows - Local Session Manager
Vulnerability:
Enable
Reboot Required?:
Page 601 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
LSSrvc.exe
Description:
Required only for HP LightScribe services to function. Can be disabled if not used.
Vulnerability:
Disable-Enable Enable only if you use Lightscribe
Reboot Required?:
Page 602 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
mms.exe
Description:
Only on systems running Acronis. This is the Managed machine system - Client side of
Acronis Backup Enterprise.
Vulnerability:
Disable-Enable Enable if you have Acronis installed
Reboot Required?:
Page 603 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
ielowutil.exe
Description:
Not required. Go to internet op ons > content > feeds and web slices > se ngs. In there
Uncheck automatically check feeds and web slices for updates. Kill the process or restart
computer and this process will be gone.
Vulnerability:
Disable-Enable Just disable it
Reboot Required?:
Page 604 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
NvXDSync.exe
Description:
Only present on systems containing NVIDIA graphics interface card/chipset
Vulnerability:
Disable-Enable Enable for Nvidea graphics
Reboot Required?:
Page 605 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
IAStorIcon.exe
Description:
Required on Intel RAID configured systems.
Vulnerability:
Enable
Reboot Required?:
Page 606 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
SearchIndexer.exe
Description:
Suggested for normal Windows function - Speeds up Explorer find capability. This service
can be turned off, however this will impact the speed of Explorer find function.
Vulnerability:
Enable
Reboot Required?:
Page 607 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
smss.exe
Description:
Required by Windows - Session Manager Sub Service
Vulnerability:
Enable
Reboot Required?:
Page 608 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
afcdpsrv.exe
Description:
Only present on systems that are running Acronis configured to use One Click backup
(NOT STANDARD).
Vulnerability:
Disable-Enable Enable when Acronis installed and you desire to use
one click backup.
Reboot Required?:
Page 609 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
sppsvc.exe
Description:
Required on Windows - Microsoft Software Protection Platform Service, which is used to
support the download, installation and enforcement of digital licenses for Windows and
Windows applications.
Vulnerability:
Enable
Reboot Required?:
Page 610 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
taskhost.exe
Description:
Required for Windows task management.
Vulnerability:
Enable
Reboot Required?:
Page 611 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
winlogon.exe
Description:
Required by Windows - Handles Windows login/logout
Vulnerability:
Enable
Reboot Required?:
Page 612 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
nvvsvc.exe
Description:
Only present on systems containing NVIDIA graphics interface card/chipset
Vulnerability:
Disable-Enable Enable for Nvidea graphics
Reboot Required?:
Page 613 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
BrcmMgmtAgent.exe
Description:
Only present on computers with Broadcom network interface cards / chipsets.
Vulnerability:
Disable-Enable Enable if Broadcom cards installed
Reboot Required?:
Page 614 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
avgchsva.exe
Description:
Only present on HMI with AVG anti virus running on it. It is the AVG Cache Server Service
which is important for AVG performance.
Vulnerability:
Reboot Required?:
Page 615 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
avgcsrva.exe
Description:
Only present on HMI with AVG anti virus running on it. It is the AVG Scanning Core -
server part.
Vulnerability:
Reboot Required?:
Page 616 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
AVGIDSMonitor.exe
Description:
Only present on HMI with AVG anti virus running on it. It is the AVG IDS (Identity Security
Monitor) that monitors and logs activites by all running programs.
Vulnerability:
Reboot Required?:
Page 617 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
avgrsa.exe
Description:
Only present on HMI with AVG anti virus running on it. It is the AVG Resident Shield
module which performs real-time virus checks when files are opened / executed.
Vulnerability:
Reboot Required?:
Page 618 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
avgtray.exe
Description:
Only present on HMI with AVG anti virus running on it. Displays the AGV tray icon.
Vulnerability:
Reboot Required?:
Page 619 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
avgwdsvc.exe
Description:
Only present on HMI with AVG anti virus running on it. AGV watchdog service
Vulnerability:
Reboot Required?:
Page 620 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
IPROSetMonitor.exe
Description:
Only present on systems with Intel Proset Network Interface Cards
Vulnerability:
Disable-Enable Enable if Intel PROset cards are in use
Reboot Required?:
Page 621 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
audiodg.exe
Description:
Required for Audio playback to occur-particularly important for WorkstationST audio
alarm system.
Vulnerability:
Enable
Reboot Required?:
Page 622 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
System
Description:
Microsoft required process for running services as "System" user. Many services may run
under System.
Vulnerability:
Enable
Reboot Required?:
Page 623 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
conhost.exe
Description:
Required for Windows - Console Host (related to csrss + security enhancements)
Vulnerability:
Enable
Reboot Required?:
Page 624 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
csrss.exe
Description:
Required by Windows - Client/Server Runtime Sub System
Vulnerability:
Enable
Reboot Required?:
Page 625 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
dwm.exe
Description:
Required for Windows - particularly Aero enabled systems. Desktop Windows
Management.
Vulnerability:
Enable
Reboot Required?:
Page 626 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
explorer.exe
Description:
Required by Windows - User interface to Files and other shared resources.
Vulnerability:
Enable
Reboot Required?:
Page 627 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
HPHC_Service.exe
Description:
NOT Required.
Vulnerability:
Disable-Enable Only enable if you want to use the HP Support Assistant
Reboot Required?:
Page 628 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
IAStorDataMgrSvc.exe
Description:
Required for Intel RAID configured systems.
Vulnerability:
Enable
Reboot Required?:
Page 629 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
HPDrvMntSvc.exe
Description:
Only present on HP systems. May not be required but is desireable for proper longterm
operation of the system.
Vulnerability:
Enable
Reboot Required?:
Page 630 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
spoolsv.exe
Description:
Required for Windows Printing Services.
Vulnerability:
Enable
Reboot Required?:
Page 631 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
eEyeUpdateSvc
Description:
eEye Update Service for centralized deployment of eEye rules and updates.
Vulnerability:
Disable-Enable Should only be present on NetCAP or HMI CAP enabled
systems in NetCAP enabled systems (not HMI CAP)
Reboot Required?:
Page 632 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
blinksvc
Description:
eEye Blink Engine used in NetCAP and HMI CAP enabled systems.
Vulnerability:
systems.
Reboot Required?:
Page 633 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
afcdpsrv
Description:
Acronis Nonstop Backup Service
Vulnerability:
Disable-Enable Can only be present if Acronis backup software is
installed. This is provides a continuous backup service
in real-time.
Should ONLY be present if Nonstop backup service is
enabled. GE does not recommend this setting and
suggests NOT enabling this service.
Reboot Required?:
Page 634 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
ADVAPP
Description:
Matrix File Transfer used in the deployment of software (and patches) across the network.
Vulnerability:
Disable-Enable Only enable on NetCap enabled systems.
Reboot Required?:
Page 635 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
ccSetMgr
Description:
Symantec Settings Manager
Vulnerability:
Disable-Enable Should ONLY be present on HMI computers in NetCap
installations
Reboot Required?:
Page 636 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
BlinkRM
Description:
eEye Blink Rule Manager used in NetCAP and HMI CAP enabled systems.
Vulnerability:
systems.
Reboot Required?:
Page 637 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
WmiPrvSE.exe
Description:
Required for Windows - Windows Management Instrumentation Provider for Error
Reporting.
Vulnerability:
Enable
Reboot Required?:
Page 638 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
Alerter
Description:
Required Windows process
Vulnerability:
Known attack vector. This process should never occupy large amounts of processor time.
Modern virus scanners will detect.
Enable
Reboot Required?:
Page 639 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
ccEvtMgr
Description:
Symantec Event Manager
Vulnerability:
installations
Reboot Required?:
Page 640 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
Symantec Antivirus
Description:
Symantec Antivirus scanning system.
Vulnerability:
installations
Reboot Required?:
Page 641 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
osppsvc
Description:
Microsoft Office Software Protection Platform
Vulnerability:
Disable-Enable Should ONLY be present on computers when Microsoft
Office components (Excel, Word, Office) are installed
on the computer
Reboot Required?:
Page 642 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: NONE n/a
Service/Program:
xntpd.exe
Description:
Used by Java services.
Vulnerability:
Disable-Enable Java is not required for GE Internet enabled reporting
to function. Other applications / client installed for
custom interfaces (rare) may required this service to
function.
Reboot Required?:
Page 643 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 135
Service/Program:
RPC
Description:
Port is used primarily by Remote Procedure Call (RPC) which in turn interacts with a
variety of services in the system. One of particular interest is the use of this port in
association with DCOM.
Vulnerability:
Numerous threats associated with this port.
Disable-Enable Port 135 is used by GE systems in relation to the OPC
subsystems. If your system is NOT using remote OPC
clients (any client not located on the computer where
the data resides), this port can be Disabled.
Operating system patches and Internet firewalls that
block this port from being visible from the internet or
other "local" threats such as plant LAN can also be
used to effectively secure the use of this port in
systems where DCOM/RPC requirements have been
implemented.
Reboot Required?:
Page 644 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 139
Service/Program:
netbios-dgm/ssn
Description:
Vulnerability:
Reboot Required?:
Page 645 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 1433
Service/Program:
ms-sql-s
Description:
Port is used by the Microsoft SQL Server (ms-sql-s).
Vulnerability:
Enable Proficy softwarem, including Historian boxes and
Cimplicity requires the MS-SQL services so this port
should be Enabled. Care should be taken to block
networks.
Reboot Required?:
Page 646 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 2000
Service/Program:
eeyeevnt.exe
Description:
Port is used by the eEye Blink software. Other uses are listed such as Remote Anywhere
and callbook; however, eEye Blink software is the only GE valid use for this port.
Vulnerability:
There are known vulnerabilities associated with this port, but not with the Blink
application used by GE on this port.
Disable-Enable eEye Blink is installed on Net CAP and HMI CAP
enabled systems and this should only be enabled ONLY
on those systems.
Reboot Required?:
Page 647 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 21
Service/Program:
ftp
Description:
Vulnerability:
Disable-Enable This port should be enabled ONLY on computers that
use the FTP protocol to send device specific
configuration files to controllers that also have ftp
enabled. Due to the highly vulnerable nature of this
protocol even that usage should be carefully
controlled and only enabled for the duration of the
required activity.
Reboot Required?:
Page 648 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 23
Service/Program:
telnet
Description:
device.
Vulnerability:
altered or snooped.
Disable-Enable This port should be enabled ONLY on computers that
use the Telnet protocol to interact with controllers
that also have telnet enabled for the purpose of
debugging and diagnostics. Due to the highly
vulnerable nature of this protocol even that usage
should be carefully controlled and only enabled for the
duration of the required activity.
Reboot Required?:
Page 649 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 24001
Service/Program:
fileserver.exe
Description:
Port is used by Acronis Fileserver (backup / restore).
Vulnerability:
There are no vulnerabilities associated with this port.
Reboot Required?:
Page 650 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 3389
Service/Program:
cryptsvc
Description:
Port used by windows for cryptological services. Has been observed running under
svchost as well as ms-term-serv RDP.
Vulnerability:
Reboot Required?:
Page 651 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 3389
Service/Program:
ms-term-serv
Description:
Port is used by Windows Remote Desktop and Remote Assistance which use RDP (Remote
Desktop Protocol). This is also used by Windows Terminal Server (NT Server, 2000 Server,
2003 Server).
Vulnerability:
There are known vulnerabilities associated with this port. The nature of remote desktop
itself poses significant risk since it allows remote users to take control of a local computer.
Disable
Reboot Required?:
Page 652 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 389
Service/Program:
ldap
Description:
Port is used by Lightweight Directory Access Protocol (LDAP). This protocol has a long and
storied history that goes back to before the Internet. In a nutshell, the LDAP protocol is
used to look up electronic directory information (originally focused on email, location,
etc.) much like a phone system directory service functions. Today this protocol can also
be used (custom applications) to look up other types of information from computer to
computer - application to application.
Vulnerability:
LDAP enabled systems may be vulnerable to code injection/buffer overrun types of
attacks, however this vulnerability is highly dependent on the underlying code/scripting.
Disable-Enable Unless using Microsoft Exchange or Active Directory in
your system, this port is not used and should be
Disabled. NetMeeting is not recommended.
If Active Directory is in use on this device, Port 389
should be Enabled.
Reboot Required?:
Page 653 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 445
Service/Program:
microsoft-ds
Description:
Port is used by direct TCP/IP networking in the Microsoft operating system. OS Assigned
Vulnerability:
Enable Port 445 is used by the system and should be Enabled.
Reboot Required?:
Page 654 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 47001
Service/Program:
System
Description:
Windows Remote Management. Windows Remote Management is one component of the
Windows Hardware Management features that manage server hardware locally and
remotely.
Vulnerability:
Enable Typically present on networks that have a SecurityST
system.
Reboot Required?:
Page 655 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 5120
Service/Program:
Description:
Vulnerability:
Enable This port is required for all Windows computers in
NetCap installations. Care should be taken to block
networks.
Reboot Required?:
Page 656 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 53
Service/Program:
DNS Service
Description:
Port is used by the Domain Name Service (DNS) system that provides common name
resolution to IP addresses and domains.
Vulnerability:
Disable-Enable In a WORKGROUP configured system, Port 53 is not
used and should be Disabled.
In a DOMAIN configured system using Active Directory,
this port should be Enabled and care should be taken
to block access to Port 53 from untrusted computers
and networks.
Reboot Required?:
Page 657 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 5357
Service/Program:
System
Description:
Port is used by wsd (Web Services for Devices), typically port discovery for printers.
Vulnerability:
There are known vulnerabilities associated with this port. Only local network access
should be allowed.
Enable This port may be required for network devices such as
printers. Port should be correctly mapped by the
Windows Firewall to only accept connections from the
local network.
Reboot Required?:
Page 658 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 80
Service/Program:
http
Description:
Vulnerability:
Disable-Enable If the computer is used to look at reports generated by
eTCSS and legacy Mark VI reporting then this port
should be enabled.
If the computer is used to view and configure switches
through the web interface, this port should be enabled.
When enabled, special care should be taken to block
access to Port 80 from untrusted compuers and
networks.
Reboot Required?:
Page 659 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Reboot Required?:
Page 660 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP n/a
Service/Program:
alg.exe
Description:
Required for Application Layer Gateway service used by built in Windows Firewall. OS
Assigned Ephemeral Ports may be assigned.
Vulnerability:
Disable-Enable If Windows firewall is in use (common) this service
must be running. This service may also used by
Internet Connection Sharing (rare, not
recommended). If neither of these services are
running, the alg.exe service may be disabled.
Reboot Required?:
Page 661 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Service/Program:
taskhost.exe
Description:
Required Windows Process. Windows uses taskhost.exe as the host for all DLL based
services that are run. Taskhost.exe may open multiple instances of itself in order to
handle DLLs that may be unrelated to one another.
Vulnerability:
The ability to load external DLLs gives taskhost.exe the risk of becoming corrupted or
infected by bad DLLs. Infection of this file is very rare, but more commonly a bad DLL will
be loaded and cause excessive Memory and CPU usage.
Enable
Reboot Required?:
Page 662 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP, UDP n/a
Service/Program:
service.exe
Description:
Application service for Windows systems for managing services running at SYSTEM level.
Commonly OS Assigned Ephemeral Ports may be assigned for Client Side Connections with
this service.
Vulnerability:
There are well known vulnerabilies. VM Scanners will catch all known bad actors.
Disable-Enable Disable if reported as invalid by Virus scanners. The
internet contains resources to download a valid
service.exe and correct this issue IF it occurs.
Reboot Required?:
Page 663 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP, UDP n/a
Service/Program:
svchost.exe
Description:
Provides hosting services for Windows systems to host a wide variety of application
services. OS Assigned Ephemeral Ports may be assigned for Client Side Connections with
this service.
Vulnerability:
Disable-Enable If the service(s)/port(s) being hosted are not valid for
your system configuration then the service being
hosted (NOT svchost) must be disabled or un-installed
from the system.
Reboot Required?:
Page 664 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: TCP, UDP n/a
Service/Program:
Smc.exe
Description:
Symantec Management Client. OS Assigned Ephemeral Ports may be assigned for Client
Side Connections.
Vulnerability:
installations
Reboot Required?:
Page 665 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 137
Service/Program:
netbios-ns
Description:
Port is used by the NETBIOS Name Service for file and printer sharing.
Vulnerability:
Reboot Required?:
Page 666 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 138
Service/Program:
netbios-dgm
Description:
Port is used by the NETBIOS Datagram Service for file and printer sharing.
Vulnerability:
Reboot Required?:
Page 667 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 1900
Service/Program:
svchost.exe
Description:
Port is used by Windows Remote Desktop and Remote Assistance which use RDP (Remote
Desktop Protocol). This is also used by Windows Terminal Server (NT Server, 2000 Server,
2003 Server). OS Assigned Ephemeral Ports may be assigned for Client Side Connections.
Vulnerability:
There are known vulnerabilities associated with this port. The nature of remote desktop
itself poses significant risk since it allows remote users to take control of a local computer.
Disable
Reboot Required?:
Page 668 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 3456
Service/Program:
inetinfo.exe
Description:
Port is used by IIS or similar web services to provide conferencing capability as well as
media services (video and sound). VAT (Video/Audio Tool) facilitates these services. OS
Vulnerability:
Disable
Reboot Required?:
Page 669 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 445
Service/Program:
microsoft-ds
Description:
Port is used by direct TCP/IP networking in the Microsoft operating system.
Vulnerability:
Enable Port 445 is used by the system and should be Enabled.
Reboot Required?:
Page 670 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 514
Service/Program:
syslog
Description:
Vulnerability:
Otherwise, Disable.
Reboot Required?:
Page 671 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 5355
Service/Program:
LLMNR
Description:
Vulnerability:
environment.
Reboot Required?:
Page 672 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 68
Service/Program:
bootpc
Description:
This is the bootstrap protocol client port used by client machines to obtain dynamic IP
addressing information from a BOOTP or DHCP server.
Vulnerability:
None reported.
Disable-Enable Most GE HMI systems use static IP addressing and
therefore do not require this port or associated
services. There are some I/O subsystems such as GE
VersaMax that can be configured to use a BOOTP
server. Unless it is known that an HMI is running a
BOOTP server, this port is not used and should be
Disabled.
Reboot Required?:
Page 673 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 69
Service/Program:
fileserver.exe
Description:
Port is used by Acronis Fileserver (backup / restore) and provides TFTP services
Vulnerability:
There are vulnerabilities associated with this port. May allow unauthorized access to
files. Care should be take to block access to this port from outside the local network.
Reboot Required?:
Page 674 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP 9876
Service/Program:
agent.exe
Description:
Vulnerability:
Reboot Required?:
Page 675 of 676

Device Type:
Windows Computers
Device Specifics:
Windows Computers
Port: UDP n/a
Service/Program:
ntpq.exe
Description:
Required for NTP time syncronization queries. OS Assigned Ephemeral Ports may be
Vulnerability:
Enable
Reboot Required?:
Page 676 of 676

Ports and Services Report 1.15 PDF

Uploaded by

Copyright:

Available Formats

Ports and Services Report 1.15 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ports and Services Report 1.15 PDF

Uploaded by

Copyright:

Available Formats

What ports and services are discussed in the document?

What ports and services are discussed in the document?

What vulnerabilities are mentioned regarding specific ports?

What vulnerabilities are mentioned regarding specific ports?

GE Controls Solutions

Ports and Services

Port: TCP 3268

Port: TCP 3269

Port: TCP 389

Port: TCP 464

Port: TCP 5722

Port: TCP 636

Port: TCP 9389

Port: UDP 389

Port: UDP 464

Port: TCP 3268

Port: TCP 3269

Port: TCP 389

Port: TCP 464

Port: TCP 47001

Port: TCP 5722

Port: TCP 593

Port: TCP 636

Port: TCP 9389

Port: TCP 9876

Port: UDP 389

Port: UDP 464

Port: UDP 5355

Port: TCP 3268

Port: TCP 3269

Port: TCP 389

Port: TCP 464

Port: TCP 593

Port: TCP 636

Port: UDP 123

Port: TCP 443

If local requirements for this port exist, then every

Port: UDP 123

Port: UDP 161

Port: UDP 18246

Port: UDP 91-97

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: NONE n/a

Port: TCP 1616

Port: TCP 4840

Port: TCP 4843

Port: TCP 49152-65538 (See

Port: TCP 501-503

If any of these ports are used for Modbus

Port: TCP 5150

Port: TCP 5310-5312