port knocking client and service software for microsoft windows servers

PortMask is a port knocking client and service software suite for Microsoft Windows Servers. Port knocking is a method that allows authorised users to reach administrative channels such as SSH and Terminal Services while keeping attackers locked out.


the problem

Any publicly reachable server is targeted by malicious activity at all times of the day and night. The perpetrators have no idea which servers are well secured and which servers are vulnerable. Therefore, even well secured servers are subject to port scans to determine if interesting ports are open.

Remote administration requires that administrators have a communications channel available at all times. The most popular channel on Microsoft Windows Servers is Terminal Services running the RDP protocol on TCP port 3389. Some administrators prefer to run an SSH server and tunnel their connections through it using port redirection.

Both methods are highly secure.

However, that does not stop hackers and the curious from trying brute force attacks. Even if the brute force attacks fail, these attacks fill up logs. When the logs are full of failed attacks, it becomes easy to miss the ones that did not fail.

So the danger is on two fronts. Either the attack is directly successful, or the attack masks other security alerts which should have been seen. Neither situation is desirable.


the defense

The classic defense is to filter all unwelcome traffic at the network perimeter or on the server itself using a well configured firewall. With the correct firewall packet filters in place, only permitted services can be reached. The administrative channels can have specific firewall apertures opened for them from known originating addresses. This works very well and has kept many server and network administrators safe.


the conflict

However, there is a usage pattern that conflicts with the usual firewall setup. Restricting the ports used by administrative services is normally done by referencing static network addresses for the originating client computer. A static address normally adds a small amount to the cost of broadband service.

Even so, several conditions can prevent the use of static addresses.

First, even with a static address, the user may lose access to that specific address when their ISP re-assigns it or the user changes providers.

Second, if the user must resort to an emergency connection, its address will not be the configured static network address.

Third, if the user needs access while travelling, or is otherwise away from home base, again the network address will not be the network address configured in the firewall rules.

In all of these situations, the user and firewall administrator cannot know in advance what the required rule might be. This will cause the administrative channel to be unreachable at the exact time when it is most urgent.


the solution

Port knocking was devised in 2006 as a solution to the problems described above.

In port knocking, the server is configured to ignore all traffic on the administrative channels. The server runs a service which acts as an attendant. Authorised users are issued client software which is capable of carrying out covert communications with the attendant service listening on the server. When the attendant receives the correct "secret knock" from the inquiring client, it opens up access to the administrative service to connections arriving from the specific network address. Even while the channel is open, it is only open to the single originating network address.

By using port knocking, the administrator is assured of controlled access to administrative channels without worrying about having access to a specific network address. Yet, at the same time, the server remains protected from port scanning and brute force attacks.
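As an added illustration (not PortMask's own protocol, whose wire format this page does not describe), the following Python models the attendant described above: a challenge-response knock bound to the knocking address by a one-time nonce, lockout counters kept per user and per source address, and an aperture that opens for the single originating address only and expires automatically. The lockout threshold, aperture lifetime, key derivation and message layout are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

# Illustrative model of a port knocking attendant (added example, not PortMask's protocol).
MAX_FAILURES = 3         # assumed: three failures lock an account or a source address
APERTURE_SECONDS = 300   # assumed: an opened aperture closes after five minutes

def derive_key(password, salt):
    # Both sides derive the knock key from the password; the server stores only the key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def knock_response(key, user, nonce, src_ip):
    # Client side: bind the one-time challenge to the user and the originating address.
    return hmac.new(key, f"{user}|{nonce}|{src_ip}".encode(), hashlib.sha256).hexdigest()

class KnockAttendant:
    def __init__(self, users, clock=time.time):
        self.users = users      # {user: (salt, derived key)}; no plaintext passwords held
        self.clock = clock
        self.failures = {}      # lockout counters keyed by user name and by source address
        self.pending = {}       # outstanding challenge per source address
        self.apertures = {}     # {source address: expiry}, the cleanup queue
    def locked(self, key):
        return self.failures.get(key, 0) >= MAX_FAILURES
    def challenge(self, src_ip, user):
        # Step 1: issue a fresh nonce (unique session key) together with the user's salt.
        if user not in self.users or self.locked(user) or self.locked(src_ip):
            return None
        nonce = secrets.token_hex(16)
        self.pending[src_ip] = (user, nonce)
        return nonce, self.users[user][0]

    def knock(self, src_ip, user, response):
        # Step 2: verify the response; the nonce is consumed, so a replayed knock fails.
        if self.locked(user) or self.locked(src_ip):
            return "locked"
        pending = self.pending.pop(src_ip, None)
        if pending is None or pending[0] != user:
            return self._fail(user, src_ip)
        expected = knock_response(self.users[user][1], user, pending[1], src_ip)
        if not hmac.compare_digest(expected, response):
            return self._fail(user, src_ip)
        self.apertures[src_ip] = self.clock() + APERTURE_SECONDS  # this address only
        return "open"
    def _fail(self, user, src_ip):
        for key in (user, src_ip):
            self.failures[key] = self.failures.get(key, 0) + 1
        return "denied"
    def is_open(self, src_ip):
        # Firewall view: an aperture past its expiry counts as closed (automatic cleanup).
        return self.apertures.get(src_ip, 0) > self.clock()
```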


the software

PortMask for Windows is a port knocking software suite for Microsoft Windows Servers. The suite includes a Windows-compatible port knocking client, a user password maintenance utility and a Windows Server service.

The PortMask Suite is a second generation port knocking implementation designed for professional Windows Server administrators. It includes enhancements in both usability and security over previous designs.

feature                    benefit

account lockout            prevents brute force and dictionary attacks
source IP address lockout  prevents brute force and dictionary attacks
TCP protocol               avoids the problems UDP has in hotels and wifi hotspots
encryption                 authentication data safe from analysis and hijack
unique session keys        protects against replay attacks
whitelist/blacklist        guaranteed behaviour for listed addresses
automatic cleanup          configuration changes are automatically maintained
unique keys                access only granted by two factor authentication
password hash              users only know their own password
secret emergency key       access cannot be denied even if password data is erased
executes batch files       aperture opening commands are fully customisable
full event logging         easily track all activity in Windows Server event logs
persistent queue           all required cleanups survive crashes and reboots
native Windows service     standard Windows service management and interaction


system requirements

server                     Windows Server 2000/2003/2008
client                     Windows 95/98/ME/NT/2000/XP/Vista


package contents

client software            distributed to users for client connections
server software            installed as a Windows Server service
password utility           administrator's password maintenance utility
configuration samples      suggested common and advanced deployment examples


how to buy portmask

PortMask for Windows Server is priced at $59.00 per server. The included client may be used by an unlimited number of users.

Please be sure to review the administrator's manual for product suitability before buying. This product is designed for professional use by qualified administrators with the required skills and experience.

The software will be delivered electronically by email after payment is received. Please allow up to 3 business days.

Payments are processed using the paypal.com site, but you are not required to sign up for a paypal account.

When you click the pay now button, you will be transferred to the secure payment area of paypal.com over an SSL connection. You will have an opportunity on the paypal.com site to confirm your purchase and print a transaction receipt. paypal.com will also send you a transaction record via email.

Please note your transaction id number for future reference. We do not have access to any of your credit card information at any time.

please contact us using the details here


The PortMask client software can always be downloaded by clicking here. If you are working remotely on a borrowed computer, just click the link to get a fresh copy.




© 2009, all rights reserved