Port reference
Port 9389 (TCP) – Active Directory Web Services (ADWS)
ADWS — the SOAP web-service interface that the PowerShell AD module and admin tools use to query and manage Active Directory.
Default state
Open on Windows domain controllers running the Active Directory Web Services role, enabled by default since Windows Server 2008 R2.
Common attacks
- Stealthy directory enumeration via SOAPHound to evade LDAP detections
- Reconnaissance with the PowerShell AD module (Get-AD* cmdlets)
- Privilege and ACL discovery for attack-path mapping
- Abuse of administrative write operations after credential theft
Hardening
- Restrict TCP 9389 to administrative jump hosts and tiered admin networks
- Monitor ADWS/SOAP queries the way you monitor LDAP enumeration
- Apply least privilege so low-tier accounts cannot enumerate broadly
- Keep domain controllers patched and audit AD management tooling
- Alert on SOAPHound-style query patterns and bulk object reads
nmap snippet
nmap -p9389 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 9389?
Port 9389 carries Active Directory Web Services (ADWS), a SOAP-based web
service that domain controllers expose for AD queries and management. It is the
channel behind the PowerShell Active Directory module (Get-ADUser,
Get-ADGroup, and the rest) and tools like the Active Directory Administrative
Center. Enabled by default since Windows Server 2008 R2, ADWS surfaces the same
directory information available over LDAP on 389, just through a different
protocol.
Why it matters for security
Because ADWS reaches the same directory data as LDAP but over SOAP, it gives attackers an alternate, lower-noise path for reconnaissance. Many detection rules focus on raw LDAP traffic and miss equivalent queries arriving on 9389. An attacker with any domain foothold can enumerate users, groups, ACLs, and privilege relationships to plan escalation, and with stolen admin credentials can drive management write operations through the same interface.
How it's attacked
The tool SOAPHound queries ADWS to enumerate Active Directory while evading LDAP-based detections — collecting the same data BloodHound consumes but over SOAP. Attackers also use the built-in PowerShell AD module for hands-on-keyboard reconnaissance, mapping privileges and ACLs, then abuse administrative cmdlets once they hold sufficient rights.
Hardening checklist
Restrict TCP 9389 to administrative jump hosts and tiered admin networks so it is not broadly reachable. Monitor ADWS/SOAP queries alongside LDAP enumeration so the alternate path is not a blind spot, and watch for SOAPHound-style bulk reads. Apply least privilege so low-tier accounts cannot enumerate the directory broadly, keep domain controllers patched, and audit AD management tooling. The nmap banner check above confirms exposure on hosts you are authorized to test.
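The two monitoring items in the checklist (restricting 9389 to the admin tier, and alerting on bulk object reads) can be checked against ordinary connection logs. The following is an added example, not code from the original page or from any ADWS tool: it parses constructed flow records, flags clients outside an assumed jump-host subnet that reached a domain controller on 9389, and flags any client whose ADWS volume exceeds a threshold. The DC addresses, admin network and byte threshold are placeholders to be replaced with your own baseline.

```python
"""Flag ADWS (TCP 9389) connections from outside the admin tier and bulk reads.

Added example for the hardening checklist; not part of the original page.
Inputs are constructed connection records. The DC addresses, admin subnet
and byte threshold are assumptions to replace with your own values.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADWS_PORT = 9389
# Assumed environment values (placeholders, not from the page).
DOMAIN_CONTROLLERS = {"10.10.1.10", "10.10.1.11"}
ADMIN_NETWORKS = [ip_network("10.10.50.0/24")]      # jump hosts / tiered admin VLAN
BULK_BYTES_THRESHOLD = 16 * 1024 * 1024             # per source; tune to your baseline

# Constructed sample flow records: "<timestamp> <src> <dst> <dport> <bytes_to_client>".
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z 10.10.50.5 10.10.1.10 9389 4096
2024-05-01T08:00:03Z 10.10.50.5 10.10.1.10 9389 5120
2024-05-01T08:01:10Z 10.20.7.33 10.10.1.10 9389 20971520
2024-05-01T08:01:12Z 10.20.7.33 10.10.1.10 9389 18874368
2024-05-01T08:02:00Z 10.20.7.33 10.10.1.10 389 2048
2024-05-01T08:03:00Z 10.10.50.6 10.10.1.11 9389 8192
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_admin_source(addr: str) -> bool:
    """True when the client address falls inside an approved admin network."""
    ip = ip_address(addr)
    return any(ip in net for net in ADMIN_NETWORKS)


def analyze_adws(flows: list[Flow]) -> list[dict]:
    """Return alerts for ADWS traffic reaching domain controllers.

    unexpected_source: a client outside ADMIN_NETWORKS reached DC:9389, so the
        network restriction is not holding (or a foothold is enumerating AD).
    bulk_read: one client pulled more than BULK_BYTES_THRESHOLD over ADWS, the
        volume profile of a whole-directory collection rather than an
        administrator's individual lookups.
    """
    unexpected: dict[tuple[str, str], dict] = {}
    volume: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport != ADWS_PORT or f.dst not in DOMAIN_CONTROLLERS:
            continue                     # LDAP and other traffic is handled elsewhere
        volume[f.src] += f.nbytes
        if not is_admin_source(f.src):
            key = (f.src, f.dst)
            if key not in unexpected:
                unexpected[key] = {"type": "unexpected_source", "src": f.src,
                                   "dst": f.dst, "first_seen": f.ts, "count": 0}
            unexpected[key]["count"] += 1
    alerts = list(unexpected.values())
    for src in sorted(volume):
        if volume[src] >= BULK_BYTES_THRESHOLD:
            alerts.append({"type": "bulk_read", "src": src, "bytes": volume[src]})
    return alerts


if __name__ == "__main__":
    for alert in analyze_adws(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data the admin-subnet clients produce nothing, while 10.20.7.33 raises both alerts: it is outside the allowed network and its two ADWS responses total well over the threshold. Its LDAP connection on 389 is deliberately ignored here, which is the point of the checklist item: the ADWS path needs its own rule rather than relying on LDAP-focused detections.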
Frequently asked questions
- What is port 9389 used for?
- Port 9389 is Active Directory Web Services (ADWS), the SOAP interface that the PowerShell Active Directory module and tools like ADAC use to query and manage AD on a domain controller.
- Why do attackers like ADWS?
- ADWS offers the same directory data as LDAP but over SOAP. Tools like SOAPHound use it to enumerate AD while evading the LDAP-focused detections many defenders rely on.