What this guide covers:
  • Why ports matter beyond trivia memorization
  • How attackers abuse SSH, DNS, RDP, and HTTPS
  • The essential port-to-risk matrix for exam day
  • Real firewall rules that stop port-based attacks

Key numbers:
  • 65535: the highest TCP/UDP port number (port 0 is reserved, so 1 through 65535 are usable)
  • 3389: the RDP port, consistently among the leading ransomware initial-access vectors
  • 80%: of breaches start with a known-vulnerable, exposed service
You cannot defend a network if you do not understand the doors that attackers are continually rattling.

Why Ports Matter Beyond Knowing 'What is Port 80?'

Current SY0-701 questions do not ask for port numbers as trivia. Scenario questions use a port as a clue: you identify the service behind it, the attack path it opens, and the specific mitigation that closes it. The habit to build is connecting each protocol to its inherent risk.

Real-World Scenario

Your SOC detects a workstation sending a steady stream of DNS queries (port 53) at 2 AM, each to a different long, random-looking subdomain of the same domain, and receiving unusually large TXT record responses. That is not name resolution; it is DNS tunneling. The attacker encodes outbound data in the query names and inbound commands in the TXT answers, buried inside legitimate-looking DNS packets that most firewalls pass without inspection.

Illustration of DNS tunneling and data exfiltration

Port 22 (SSH): Secure by Design, Risky by Exposure

Secure Shell (SSH) encrypts remote administration and is fundamentally safer than cleartext legacy protocols such as Telnet (port 23). However, SSH exposed directly to the internet without guardrails will draw continuous brute-force attempts: internet-wide scanners find a new port-22 listener within minutes.

  • Threat Vector: Password spraying, dictionary attacks, and credential stuffing on exposed interfaces.
  • Modern Mitigation: Key-based authentication (Ed25519), strict IP allowlisting, Fail2Ban, and Multi-Factor Authentication (MFA).
  • Exam Insight: If the question mandates secure remote administration, SSH is the answer. If an incident starts with 'multiple failed logins on an admin node,' investigate Port 22.
# /etc/ssh/sshd_config (hardened excerpt)
Port 2222                        # non-default port reduces scanner noise; it is not a security control by itself
PermitRootLogin no               # log in as a named user, then escalate
PubkeyAuthentication yes         # keys (e.g. Ed25519) are the only accepted credential
PasswordAuthentication no
KbdInteractiveAuthentication no  # also closes the keyboard-interactive path (ChallengeResponseAuthentication on older OpenSSH)
MaxAuthTries 3                   # fewer guesses per connection; pair with Fail2Ban for repeat offenders
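The "multiple failed logins on an admin node" signal from the Exam Insight is the same one Fail2Ban consumes. As an added example (not code from the original page, and not Fail2Ban's own implementation), the Python triage script below parses an OpenSSH auth log and labels each source address as password spraying (many usernames from one IP), brute force (one username hammered), or below threshold, and flags the dangerous pattern where a password login succeeds after a run of failures. The log lines, hostnames, addresses (documentation ranges) and the thresholds `max_failures=5` and `spray_users=3` are constructed assumptions for the example. Note that with `PasswordAuthentication no` and `PermitRootLogin no` from the config above, the "Accepted password for root" line could never appear; this script is for the exposed, misconfigured host you are investigating.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth-log excerpt for this example (not from a real host).
# Source addresses are documentation ranges. 203.0.113.7 tries many usernames
# once each; 198.51.100.23 hammers root and finally gets in with a password;
# 10.8.0.5 is an admin on the VPN subnet who mistyped once, then used a key.
SAMPLE_AUTH_LOG = """\
Mar 12 02:13:44 bastion sshd[1423]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 02:13:45 bastion sshd[1423]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 12 02:13:46 bastion sshd[1425]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar 12 02:13:47 bastion sshd[1427]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 12 02:13:48 bastion sshd[1429]: Failed password for invalid user ubuntu from 203.0.113.7 port 51255 ssh2
Mar 12 02:13:49 bastion sshd[1431]: Failed password for invalid user git from 203.0.113.7 port 51260 ssh2
Mar 12 02:14:02 bastion sshd[1433]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar 12 02:14:03 bastion sshd[1433]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar 12 02:14:04 bastion sshd[1433]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar 12 02:14:06 bastion sshd[1435]: Failed password for root from 198.51.100.23 port 40015 ssh2
Mar 12 02:14:07 bastion sshd[1435]: Failed password for root from 198.51.100.23 port 40015 ssh2
Mar 12 02:14:09 bastion sshd[1437]: Accepted password for root from 198.51.100.23 port 40019 ssh2
Mar 12 02:15:30 bastion sshd[1440]: Failed password for ops from 10.8.0.5 port 50122 ssh2
Mar 12 02:15:41 bastion sshd[1442]: Accepted publickey for ops from 10.8.0.5 port 50130 ssh2: ED25519 SHA256:constructed
"""

# Matches the standard sshd login-result lines; "invalid user" is emitted when
# the username does not exist, which is itself a spraying/enumeration tell.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for each sshd login event in text."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def classify_sources(text, max_failures=5, spray_users=3):
    """Summarise login activity per source IP and label the attack pattern.

    max_failures mirrors a Fail2Ban-style maxretry (assumed value); spray_users is
    the number of distinct usernames from one IP above which we call it spraying.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "pw_after_fail": False})
    for result, method, user, ip in parse_auth_log(text):
        s = stats[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif method == "password" and s["failures"] > 0:
            # A password success right after failures from the same source is the
            # signature of a guessed credential, not a fat-fingered admin.
            s["pw_after_fail"] = True

    report = {}
    for ip, s in stats.items():
        if s["failures"] >= max_failures and len(s["users"]) >= spray_users:
            verdict = "password-spraying"
        elif s["failures"] >= max_failures:
            verdict = "brute-force"
        else:
            verdict = "below-threshold"
        report[ip] = {
            "failures": s["failures"],
            "distinct_users": len(s["users"]),
            "verdict": verdict,
            "password_login_after_failures": s["pw_after_fail"],
        }
    return report


if __name__ == "__main__":
    for ip, summary in classify_sources(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

Feed it the output of `journalctl -u ssh` or `/var/log/auth.log`; any source with `password_login_after_failures` set is an incident, not a tuning question. The per-IP grouping is deliberately simple: distributed attacks that rotate source addresses will stay below `max_failures` per IP, which is why the allowlist-only firewall rule later in this guide matters more than any counter.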

Port 53 (DNS): The Silent Exfiltration Channel

Domain Name System (DNS) is foundational infrastructure, and attackers target it in several ways: cache poisoning, amplification DDoS, and, most relevant here, Command-and-Control (C2) and data exfiltration via DNS tunneling.

Many firewalls allow outbound port 53 freely, which makes DNS a prime exfiltration channel for APTs. Two controls matter. Egress filtering forces clients to use only your internal resolvers and blocks direct outbound port 53 to arbitrary hosts; that stops a tunnel that talks straight to the attacker. DNS query logging with anomaly detection is still needed, because a tunnel that simply queries the attacker's domain through your own resolver is forwarded like any other lookup.
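The scenario at the top of the page and the section above both describe the same detection problem: telling encoded-data queries apart from ordinary lookups in a resolver log. As an added example (not code from the original page, and not any vendor's detector), here is a Python scorer that groups queries by client and registered domain and counts five tunneling indicators: many unique subdomains, long subdomains, high character entropy, a high share of TXT queries, and large answers. The log format, client addresses, the `evil-tunnel.net` domain, and the thresholds are constructed assumptions for the example; a production tool would use the public suffix list instead of the "last two labels" shortcut and would baseline per client.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query-log excerpt (not from a real resolver), one record per line:
# "<time> <client_ip> <qname> <qtype> <answer_bytes>". Client 10.20.4.17 does normal
# lookups; 10.20.4.52 issues hex-encoded chunks as subdomains and pulls big TXT answers.
SAMPLE_DNS_LOG = """\
02:00:01 10.20.4.17 www.example.com A 59
02:00:03 10.20.4.17 mail.example.com MX 88
02:00:05 10.20.4.17 cdn.example.net A 61
02:01:10 10.20.4.52 6a7b2c9f1e0d4a8b3c5d7e9f0a1b2c3d.t.evil-tunnel.net TXT 612
02:01:11 10.20.4.52 9c1d3e5f7a2b4c6d8e0f1a3b5c7d9e1f.t.evil-tunnel.net TXT 598
02:01:12 10.20.4.52 0f2e4d6c8b1a3c5e7d9f2a4b6c8e0d1f.t.evil-tunnel.net TXT 605
02:01:13 10.20.4.52 5e7f9a1b3c5d7e9f0a2b4c6d8e0f1a3b.t.evil-tunnel.net TXT 590
02:01:14 10.20.4.52 1a3b5c7d9e0f2a4b6c8d0e1f3a5b7c9d.t.evil-tunnel.net TXT 611
02:02:00 10.20.4.52 www.example.com A 59
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def shannon_entropy(s):
    """Bits per character of s: encoded/random data scores high, hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain part, registered domain). Assumes the registered domain is
    the last two labels; real code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(log_text, min_score=3):
    """Score each (client, registered domain) pair on five tunneling indicators."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on a noisy log
        _ts, client, qname, qtype, answer_bytes = m.groups()
        sub, domain = split_name(qname)
        groups[(client, domain)].append((sub, qtype.upper(), int(answer_bytes)))

    report = {}
    for key, recs in groups.items():
        subs = [s for s, _, _ in recs]
        n = len(recs)
        feats = {
            "queries": n,
            "unique_subdomains": len(set(subs)),
            "avg_subdomain_len": sum(map(len, subs)) / n,
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "txt_ratio": sum(1 for _, t, _ in recs if t == "TXT") / n,
            "avg_answer_bytes": sum(b for _, _, b in recs) / n,
        }
        # Each indicator is one point; thresholds are assumed values for the example.
        score = (
            (feats["unique_subdomains"] >= 5)    # a fresh label per chunk of data
            + (feats["avg_subdomain_len"] >= 30)  # labels stuffed near the 63-byte limit
            + (feats["avg_entropy"] >= 3.5)       # hex/base32 payload, not a hostname
            + (feats["txt_ratio"] >= 0.5)         # TXT carries the most bytes back
            + (feats["avg_answer_bytes"] >= 400)  # answers far larger than an A record
        )
        feats["score"] = score
        feats["suspicious"] = score >= min_score
        report[key] = feats
    return report


def suspicious_tunnels(log_text, min_score=3):
    """Return the sorted (client, domain) pairs that look like DNS tunnels."""
    return sorted(k for k, f in analyze_dns_log(log_text, min_score).items() if f["suspicious"])


if __name__ == "__main__":
    for client, domain in suspicious_tunnels(SAMPLE_DNS_LOG):
        print(f"possible DNS tunnel: {client} -> {domain}")
```

The point of scoring several indicators rather than one is resilience: a tunnel can shorten its labels or switch from TXT to NULL or CNAME records, but it cannot hide the volume of unique, high-entropy names it must generate to move data.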

Port 3389 (RDP): The Ransomware Gateway

Remote Desktop Protocol (RDP) is one of the most abused enterprise services. Exposed RDP endpoints are a leading ransomware initial-access vector: initial access brokers brute-force or phish credentials for them and sell the access on to ransomware affiliates.

  • Threat Vector: Initial access brokers selling brute-forced RDP credentials on dark web forums.
  • Modern Mitigation: Never expose RDP to the public internet. Require VPN + MFA, enforce account lockout, use NLA.
  • Exam Insight: If servers are encrypted and unauthorized remote access is found, RDP is the primary suspect.

Essential Port-to-Risk Matrix for SY0-701

Port  | Service | Primary Threat Vector                      | Optimal Mitigation
20/21 | FTP     | Cleartext credential interception          | Replace with SFTP (over SSH, port 22)
22    | SSH     | Internet-wide brute-force scanning         | Key-only auth, IP allowlist, VPN
23    | Telnet  | Man-in-the-Middle (MitM) snooping          | Disable entirely, use SSH
53    | DNS     | DNS tunneling / data exfiltration          | DNS logging + egress filtering
80    | HTTP    | Cleartext web traffic interception         | Migrate to HTTPS, then enforce HSTS
443   | HTTPS   | Encrypted malware C2 / phishing            | TLS inspection, WAF
445   | SMB     | EternalBlue / ransomware lateral movement  | Firewall, disable SMBv1
3389  | RDP     | Ransomware initial access                  | VPN + MFA, never expose directly

Firewall Rule Design for Critical Ports

Telnet (TCP 23) transmits everything, passwords included, in cleartext, so any inbound connection on port 23 should be denied at the perimeter without exception. Rule: Deny TCP/UDP 23 inbound (Telnet itself is TCP; denying UDP 23 as well costs nothing).
SSH should never be reachable from the public internet. Permit SSH (port 22) only from the corporate VPN subnet and deny it from everywhere else, and pair the rule with the key-only sshd configuration above so that a stolen VPN credential alone is not enough. Rule: Permit TCP 22 from 10.8.0.0/24 only; deny all other inbound TCP 22.
HTTPS cannot be blindly trusted. Attackers run C2 over port 443 precisely because it blends with normal traffic, and TLS inspection (decrypting at the perimeter with an internal CA that the endpoints trust) is what lets you examine the payload. Caveat: inspection breaks certificate-pinned applications and raises privacy and legal questions, so exempt categories such as banking and health, and cover what you cannot decrypt with DNS, destination-reputation and TLS-fingerprint telemetry.
SMBv1 was exploited by EternalBlue (MS17-010), the exploit behind WannaCry and NotPetya. Disable SMBv1 entirely. Where SMB is still needed, use SMBv3 with signing required, and block TCP 445 at the perimeter and between user subnets so that one infected host cannot reach every other.
When a question asks for the BEST control, choose the option that reduces attack surface first (disable or block the port) before falling back to monitoring.
  • Port 3389 (RDP) is consistently among the leading ransomware initial-access vectors; an RDP endpoint reachable from the internet is a finding, not a convenience.
  • Port 53 (DNS) is a covert exfiltration channel — never assume outbound DNS traffic is benign.
  • SSH (22) is secure by design but must be paired with key-based auth and IP restrictions.
  • The SY0-701 connects ports to threat vectors — always think: service → risk → mitigation.
  • TLS inspection is what makes malware hiding inside HTTPS (Port 443) traffic visible; where you cannot decrypt, rely on DNS, destination and TLS-fingerprint telemetry instead.
