Probably not such a good idea to block port 88 globally, just in case you're one of those users whose mail server is elite enough to support Kerberos logins. Just a thought...
So give your Xbox an address, and then block exactly those three ports from exactly the one address.
The question I have on top of this is, what stops MS changing the port next month, and getting people banned all over the place?
(I'm actually tempted to block *everything* from the Xbox, and enable one service at a time where I need it, for things like live weather updates.)