
Port 1433: MS SQL Server

Default Microsoft SQL Server listener. Often moved or proxied in hardened environments.

Where you will see it: In scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 1433 is the default listener for Microsoft SQL Server in many deployments. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. A SQL Server instance binds to 1433 so client applications can find the database engine.

A client connects from an ephemeral source port, completes the TCP handshake, negotiates the SQL Server protocol, authenticates, and then sends queries while receiving result sets over the same session. Many applications use connection pooling, so a small number of long-lived connections can carry many transactions, which is why you may see steady traffic even when user activity is bursty.

From a security perspective, database ports represent high-value data access. Exposing 1433 beyond the application tier increases brute-force risk, expands lateral movement paths, and can turn one compromised host into a data breach.

How it works in broad strokes

  1. Client opens a TCP connection and negotiates the SQL Server protocol and session settings.
  2. Client authenticates, then sends queries and receives result sets over the same connection.
  3. Connections are often pooled by applications for performance, keeping sessions open.

Concrete example

An application server connects to SQL Server on 1433 using a pooled connection. If a workstation can also reach 1433, an attacker who compromises the workstation may attempt credential stuffing against the database.

Why it matters

Database ports are high value. If 1433 is exposed beyond what is necessary, attackers can brute force credentials, exploit unpatched vulnerabilities, or pivot into the data layer. Even internally, overly permissive access to the database tier increases blast radius.

Security angle

  • Restrict access to application subnets and use firewalls or private endpoints.
  • Patch regularly and disable unused features.
  • Monitor for failed logins, unusual query patterns, and data exfiltration signals.
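
The failed-login monitoring and subnet restriction above can be checked together. The following Python is an added example, not part of the original page: it reads SQL Server error log text, groups failed logins by client address, and flags clients that sit outside the application subnets or that fail repeatedly. The subnet 10.20.0.0/24, the threshold of 3, and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (constructed values): application tier subnet and alert threshold.
APP_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
THRESHOLD = 3

# Failed logins (error 18456) are written to the error log with the client address.
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")

# Constructed sample log lines, not from a real system.
SAMPLE_LOG = """\
2024-05-01 10:00:01.10 Logon  Login succeeded for user 'appsvc'. Connection made using SQL Server authentication. [CLIENT: 10.20.0.11]
2024-05-01 10:02:14.52 Logon  Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.0.11]
2024-05-01 10:05:30.01 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.30.5.17]
2024-05-01 10:05:31.40 Logon  Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.30.5.17]
2024-05-01 10:05:32.77 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.30.5.17]
2024-05-01 10:09:00.00 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
"""

def analyze(log_text, app_subnets=APP_SUBNETS, threshold=THRESHOLD):
    """Return {client_ip: [reasons]} for clients whose failed logins look suspicious."""
    attempts = defaultdict(list)  # client address -> usernames that failed
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue  # successful logins and unrelated lines
        try:
            client = ipaddress.ip_address(match.group("ip").strip())
        except ValueError:
            continue  # non-network clients such as "<local machine>"
        attempts[client].append(match.group("user"))

    findings = {}
    for client, users in attempts.items():
        reasons = []
        if not any(client in net for net in app_subnets):
            reasons.append("source outside application subnets")
        if len(users) >= threshold:
            reasons.append(f"{len(users)} failed logins")
        if len(set(users)) > 1:
            reasons.append("multiple accounts tried")
        if reasons:
            findings[str(client)] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A single failure from an address inside the application subnet is not flagged. Any failed login from outside it is, because that client should not have been able to reach 1433 at all.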

Common pitfalls

  • Exposing 1433 directly to the internet.
  • Using shared or weak database accounts and embedding credentials in code.
  • Assuming network reachability equals authorization. Many breaches start with lateral movement into the database tier.