What Runs on Port 664
Port 664 hosts two officially assigned services, both for remote hardware management:
TCP 664 — oob-ws-https (Out-of-Band Web Services HTTPS)1
DMTF's secure web services management protocol. Registered June 2007.
UDP 664 — asf-secure-rmcp (ASF Secure Remote Management and Control Protocol)1
The secure variant of Intel's Alert Standard Format remote control protocol.
Both protocols share a common purpose: managing computers at the hardware level, independent of the operating system.
Out-of-Band Management
Out-of-band management means controlling a computer through a channel separate from the normal network connection the OS uses. Think of it as a maintenance tunnel running parallel to the main hallway.
When you manage a server "in-band," you're sending commands through the operating system—SSH, RDP, a web interface running on the server. If the OS crashes, you're locked out.
When you manage a server "out-of-band," you're talking directly to a management processor embedded in the hardware—typically called a BMC (Baseboard Management Controller). This processor has its own network interface, its own firmware, and keeps running even when the main CPU is off.2
Port 664 is one of the doors into that management processor.
The DMTF Protocol (TCP 664)
The Distributed Management Task Force (DMTF) created the DASH standard—Desktop and mobile Architecture for System Hardware—to standardize out-of-band management.3
DASH uses the WS-Management protocol (a SOAP-based web services standard) over HTTPS on port 664. This is the secure variant. The non-secure HTTP version runs on port 623.4
Through this port, an administrator can:
- Power the system on or off remotely
- Access BIOS settings without being physically present
- Redirect keyboard, video, and mouse (KVM) over the network
- Monitor hardware sensors (temperature, fan speeds, voltage)
- Manage network configuration (even when the OS is down)
- Update firmware
DASH-compliant systems from Dell, HP, and other manufacturers expose these capabilities through port 664.5
The ASF Protocol (UDP 664)
Alert Standard Format (ASF) is an older DMTF standard for remote management and control. ASF primarily uses UDP port 623, but version 2.0 added port 664 for the secure variant.6
ASF lets the management controller send alerts ("disk failure imminent," "temperature critical") and receive commands ("power cycle the system," "force boot from network") entirely at the hardware level.7
Unlike the web services approach of DASH, ASF uses a lighter-weight UDP protocol. Both can coexist on the same system—ASF for basic alerting and control, DASH for richer management capabilities.
The Security Concern
Here's the uncomfortable truth: these management processors are computers within your computer. They run their own operating system, maintain their own network stack, and operate with privileges higher than the OS itself.
In May 2017, a critical vulnerability in Intel's Active Management Technology (AMT)—which uses these ports—allowed attackers with network access to take complete control of vulnerable systems.8 Organizations scrambled to block ports 623, 664, and related management ports at network borders.
The management engine can remain active even when the server appears powered down. It's extraordinarily powerful, and that power comes with extraordinary risk if compromised.
Best practices:
- Never expose port 664 to the Internet
- Segment management interfaces onto a dedicated management network
- Use strong authentication (never default credentials)
- Regularly update management controller firmware
- Disable out-of-band management entirely if you don't use it
How to Check What's Listening
On Linux or macOS:
On Windows:
If you see something listening on port 664, it's likely a BMC or management controller. Check your system's documentation—many motherboards include management features that might be enabled by default.
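An added example, not part of the original page: a shell filter that reads the output of `ss -H -tuln` and reports listeners on port 664 and the related management ports listed on this page, matching the port number exactly instead of with a substring search. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag host listeners on out-of-band management ports.
# Port list comes from this page: 623, 664, 5900 and 16992-16995.
# Function names are hypothetical. Live use on a Linux host:
#   ss -H -tuln | mgmt_listeners

mgmt_listeners() {
  awk '
    {
      la = $5                       # local address:port column of ss
      n = split(la, parts, ":")     # the port is the last colon-separated field
      port = parts[n] + 0
      addr = substr(la, 1, length(la) - length(parts[n]) - 1)
      if (port == 623 || port == 664 || port == 5900 ||
          (port >= 16992 && port <= 16995)) {
        # loopback-only binds are not reachable from the network
        scope = (addr ~ /^(127\.|\[::1\])/) ? "loopback" : "network"
        print $1, port, addr, scope
      }
    }'
}

# Constructed sample of "ss -H -tuln" output (not captured from a real host).
# Port 6640 is included to show that a plain "grep 664" would over-match.
sample_ss_output() {
  cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:623        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:16992      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:664           [::]:*
tcp   LISTEN 0      128          0.0.0.0:6640       0.0.0.0:*
EOF
}
```

This reports only sockets opened by the host operating system; a management processor with its own network interface and firmware, as described above, does not appear in the host's socket table.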
Why This Port Matters
When the operating system fails, port 664 keeps working. When you're in a data center at 3 AM and a server won't boot, port 664 is how you troubleshoot without driving to the location.
Out-of-band management isn't exotic enterprise technology anymore. Even consumer motherboards sometimes include these features. The question every administrator faces: Is the convenience of remote hardware control worth the risk of exposing a second computer—one with higher privileges—to the network?
Port 664 is the answer when you say yes.
Related Ports
- Port 623 — oob-ws-http (non-secure DASH) and asf-rmcp (non-secure ASF)
- Ports 16992-16995 — Intel AMT web and redirection services
- Port 5900 — VNC, often used for KVM-over-IP