Ports, Protocols, and Acronyms High-Yield Tables
Key Takeaways
- Port questions are scenario questions: the exam asks what should be allowed, blocked, encrypted, or monitored, not just the number.
- Know the secure-vs-insecure pairs cold: Telnet/SSH, FTP/SFTP, HTTP/HTTPS, LDAP/LDAPS, SNMPv2c/SNMPv3.
- Direct Internet exposure of SMB 445, RDP 3389, and database ports 1433/3306/5432 is almost always the wrong answer.
- Acronyms matter most when they change the decision, such as SIEM vs SOAR or SAML vs OIDC.
- On PBQs, read direction and business purpose before selecting a port or protocol.
Ports Are Scenario Questions
Memorizing numbers is necessary but not sufficient. SY0-701 gives a business or security situation and expects you to decide which traffic is appropriate, which protocol is safer, or which exposed service creates risk. Treat every port as a decision: who should reach it, from where, and is there an encrypted alternative.
Core Ports Table
| Port | Protocol | Service | Exam cue |
|---|---|---|---|
| 20/21 | TCP | FTP | Legacy transfer; cleartext credentials |
| 22 | TCP | SSH / SFTP / SCP | Secure shell and secure file transfer |
| 23 | TCP | Telnet | Insecure remote administration |
| 25 | TCP | SMTP | Server-to-server mail |
| 53 | TCP/UDP | DNS | UDP for queries, TCP for zone transfers |
| 67/68 | UDP | DHCP | Dynamic address assignment |
| 69 | UDP | TFTP | Unauthenticated simple transfer |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 88 | TCP/UDP | Kerberos | Ticket-based authentication |
| 110 | TCP | POP3 | Legacy mailbox retrieval |
| 123 | UDP | NTP | Time sync (logs, Kerberos) |
| 135-139 | TCP/UDP | RPC / NetBIOS | Windows discovery; risky if exposed |
| 143 | TCP | IMAP | Mailbox access |
| 161/162 | UDP | SNMP | Monitoring/traps; prefer SNMPv3 |
| 389 | TCP/UDP | LDAP | Directory queries; cleartext unless protected |
| 443 | TCP | HTTPS | Encrypted web traffic |
| 445 | TCP | SMB | Windows file sharing; never expose to Internet |
| 465/587 | TCP | SMTPS / submission | Encrypted/authenticated mail submission |
| 514 | UDP/TCP | Syslog | Central logging |
| 636 | TCP | LDAPS | LDAP over TLS |
| 993 / 995 | TCP | IMAPS / POP3S | Mail over TLS |
| 1433 / 1521 | TCP | MS SQL / Oracle | Database; tightly restrict |
| 3306 / 5432 | TCP | MySQL / PostgreSQL | Database; tightly restrict |
| 3389 | TCP/UDP | RDP | Remote desktop; avoid Internet exposure |
| 5985 / 5986 | TCP | WinRM | Windows mgmt; 5986 uses HTTPS |
Secure Alternatives
The single most repeated exam pattern is choosing the encrypted equivalent of a cleartext service.
| Insecure or risky choice | Better choice | Why |
|---|---|---|
| Telnet (23) | SSH (22) | Encrypts the admin session and credentials |
| FTP (21) | SFTP, SCP, or FTPS | Protects credentials and file contents |
| HTTP login (80) | HTTPS (443) | Protects session and credentials in transit |
| LDAP (389) for auth | LDAPS (636) or StartTLS | Encrypts directory traffic |
| SNMPv1/v2c (161) | SNMPv3 | Adds authentication and privacy |
| Direct RDP (3389) from Internet | VPN, ZTNA, jump box, or PAM | Shrinks the attack surface |
| Public SMB (445) | No public SMB; controlled sharing | SMB exposure enabled WannaCry-class attacks |
Acronym Table for Fast Review
| Acronym | Meaning | Decision clue |
|---|---|---|
| AAA | Authentication, authorization, accounting | Prove identity, grant permission, record activity |
| CASB | Cloud access security broker | Visibility and policy for SaaS |
| DLP | Data loss prevention | Detect/block sensitive data movement |
| EDR / XDR | Endpoint / extended detection and response | Telemetry, detection, response |
| IdP | Identity provider | Authenticates identities for apps |
| NAC | Network access control | Admits or restricts based on posture/identity |
| OIDC | OpenID Connect | Identity layer on top of OAuth 2.0 |
| PAM | Privileged access management | Controls privileged elevation and sessions |
| RADIUS / TACACS+ | AAA protocols | RADIUS for VPN/Wi-Fi user access; TACACS+ for network device administration |
| SAML | Security Assertion Markup Language | Federation and browser SSO assertions |
| SIEM | Security info and event management | Log collection, correlation, alerting |
| SOAR | Security orchestration, automation, response | Automated response playbooks |
| SPF / DKIM / DMARC | Email authentication | Reduce spoofing, improve mail trust |
| TPM | Trusted Platform Module | Hardware key storage, measured boot |
| ZTNA | Zero trust network access | App-specific access, no broad trust |
PBQ Port Pattern
Map the prompt language to a flow:
- "Allow customers to access the public ordering site" -> inbound TCP 443 to the web tier only.
- "Allow the web tier to query the database" -> allow only the web-server source to the database destination on the required port (3306, 1433, 5432).
- "Allow administrators to manage Linux servers" -> SSH (22) from an admin subnet or jump box, never Telnet or any-source.
Worked Three-Tier Scenario
A company publishes a customer portal, runs a database behind it, and uses a jump box for administration.
| Flow | Correct rule |
|---|---|
| Internet to portal | Allow TCP 443 to web server |
| Web server to database | Allow database port from web server only |
| Admin subnet to jump box | Allow SSH or RDP per platform |
| Jump box to internal servers | Allow management ports from jump box only |
| Internet to database | Deny |
| Internet to SMB/RDP/SSH on servers | Deny unless a named secure access design is stated |
The exam favors broad answers that sound convenient. Prefer the narrow rule that meets the business goal and nothing more. When two ports could work, pick the encrypted one (587 over 25, 636 over 389, 5986 over 5985).
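To make the "narrow rule that meets the business goal" concrete, here is a small first-match policy evaluator, added as an example for the PBQ port pattern and the three-tier scenario above (it is not code from the page or from any product). It assumes constructed RFC 1918 addressing for the tiers, a PostgreSQL database on 5432, Linux servers managed over SSH from the jump box, and TCP only. `decide()` applies the rules in order with an implicit deny, and `audit_exposure()` flags any allow rule that opens one of the tables' never-expose ports to a non-internal source, which is exactly the check the 445-from-Internet prompt is testing.

```python
"""Added example: first-match firewall policy for the three-tier PBQ scenario."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the scenario (assumed, not taken from the page).
ANY = ip_network("0.0.0.0/0")        # the Internet / any source
INTERNAL = ip_network("10.0.0.0/8")  # everything inside the company
WEB = ip_network("10.0.1.0/24")      # web tier (customer portal)
DB = ip_network("10.0.2.0/24")       # database tier, PostgreSQL assumed (5432)
JUMP = ip_network("10.0.3.10/32")    # jump box
ADMIN = ip_network("10.0.9.0/24")    # administrator subnet

# Services the tables above say should never be reachable from the Internet.
RISKY_FROM_INTERNET = {21, 23, 69, 135, 139, 445, 1433, 1521, 3306, 3389, 5432, 5985}


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int] = None  # None matches any TCP destination port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def audit_exposure(rules: List[Rule]) -> List[Rule]:
    """Allow rules that open a risky port (or every port) to a non-internal source."""
    return [r for r in rules
            if r.action == "allow"
            and not r.src.subnet_of(INTERNAL)
            and (r.port is None or r.port in RISKY_FROM_INTERNET)]


# The narrow ruleset the scenario table calls for.
GOOD_RULES = [
    Rule("allow", ANY, WEB, 443),       # Internet to portal
    Rule("allow", WEB, DB, 5432),       # web tier to database, from the web tier only
    Rule("allow", ADMIN, JUMP, 22),     # admin subnet to jump box over SSH
    Rule("allow", JUMP, INTERNAL, 22),  # jump box manages Linux servers
    # Implicit deny covers Internet->database and Internet->SMB/RDP/SSH.
]

# A convenient-looking but wrong ruleset: SMB and RDP opened to any source.
BAD_RULES = GOOD_RULES + [
    Rule("allow", ANY, DB, 445),
    Rule("allow", ANY, INTERNAL, 3389),
]

if __name__ == "__main__":
    checks = [
        ("Internet to portal", "203.0.113.5", "10.0.1.10", 443),
        ("Internet to database", "203.0.113.5", "10.0.2.10", 5432),
        ("Web tier to database", "10.0.1.10", "10.0.2.10", 5432),
        ("Admin straight to database", "10.0.9.5", "10.0.2.10", 22),
        ("Jump box to database host", "10.0.3.10", "10.0.2.10", 22),
    ]
    for label, src, dst, port in checks:
        print(f"{label:30s} -> {decide(GOOD_RULES, src, dst, port)}")
    for bad in audit_exposure(BAD_RULES):
        print(f"EXPOSED: {bad.src} -> {bad.dst} port {bad.port}")
```

The audit deliberately treats a port of `None` (any port) from a non-internal source as exposure too; "allow any" from the Internet is the broad, convenient answer the exam wants you to reject.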
Practice Prompts
- A PBQ shows TCP 445 allowed from the Internet to an internal file server. What is the best interpretation?
- Match the protocol or acronym to the best exam cue.
- An administrator currently uses Telnet to manage network switches. Which is the best secure replacement?