Re: Ports to close on firewall in an Active Directory Environment

From: Ace Fekay [MVP] (PleaseSubstituteMyFirstName&LastNameHere@hotmail.com)
Date: 03/01/03


From: "Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNameHere@hotmail.com>
Date: Fri, 28 Feb 2003 23:12:02 -0500


If browsing is required between the subnets, you need to allow your NetBIOS
ports. An L2TP VPN between the remote sites would offer far better security
from the outside world, and at the same time you can open all ports between the sites.

Active Directory communication requires 29 ports. This turns a firewall into
Swiss cheese.

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&

You also need that article that Aaron posted (179442).

A VPN solution is much more secure. You don't have to open all those ports,
just a certain few.

Example:
One of my clients has 4 VPN-connected sites. To make it work and secure it
between the locations, on the firewall, the ports we needed to allow for an
L2TP VPN using IPSec and the rules we needed to set up were:

Deny:
Inbound:
192.168.0.0/24
172.16.0.0/24
10.0.0.0/8
Block your own internal IP range (to prevent spoofing)

Permit:
Inbound (only from the remote site's IP address):
TCP 1701 (for the VPN)
UDP 500 (for ISAKMP [key exchange])
Protocol ID 50. (for ESP [Encrypted Secure Payload])
Allow other site's IP range
TCP Established
(that's for clients to connect to the Internet; allow response traffic back
in)

Permit:
Outbound:
Allow all (unless you want to block something specific)

Hope that helps.

--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
"x y, mvp" <levinson_k@despammed.com> wrote in message
news:O3i4BG03CHA.2464@TK2MSFTNGP10.phx.gbl...
>
> "Rob McShinsky" <Rob@McShinsky.com> wrote in message
> news:#ZH4xYz3CHA.2300@TK2MSFTNGP11.phx.gbl...
> > What are the essential ports to close on a firewall in an Active Directory
> > environment from the outside world.  We have multiple sites, so some ports
> > will have to be opened to specific areas, but for safety from those not
> > related to our environment, what are the ports.  Thanks.
>
> For best safety, ALL of the ports should be closed, both incoming and
> outgoing, except for the services that you specifically need or want to
> allow.  If you agree that this is best, then what you want to identify is
> not what ports to close but which to open, and which services you need [you
> didn't mention which services are necessary, so I can't say which ones you
> need].
>
> If you're not sure either, view your firewall logs for a week to see which
> ports are being used, and then research what each port is and decide whether
> you want to permit it.  You'd definitely want to seriously consider blocking
> NetBIOS both in and out to/from the Internet over TCP and UDP 135 - 139 and
> 445.  But if you leave any port open outbound, it can be abused by an
> attacker or an employee.
>
> Further information is in the FAQ:
>
> http://securityadmin.info/faq.htm
>
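An added example, not code from the thread or from either poster, that puts both pieces of advice above into one runnable script: an ordered allow-list in the shape of Ace's site-link rules (deny private-source inbound, permit ISAKMP, ESP and L2TP only from the remote site's address, permit established TCP replies, permit all outbound, default deny), and the inbound-port inventory over firewall logs that x y suggests, flagging the NetBIOS/SMB ports 135-139 and 445. All addresses, the remote peer `203.0.113.10`, the log format and the log lines are constructed from documentation ranges. Two deliberate departures from the post's list, stated here rather than in its text: the L2TP rule uses UDP/1701, because L2TP (RFC 2661) runs over UDP, not TCP; and the anti-spoofing deny covers the full RFC 1918 block `172.16.0.0/12`, where the post writes `172.16.0.0/24`.

```python
"""Added example (not from the thread): an ordered allow-list in the shape of
Ace's L2TP/IPsec site-link rules, plus the firewall-log port review x y
suggests. All addresses and log lines below are constructed (documentation
ranges), not taken from any real site."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed: the other site's public VPN endpoint. Only this address may
# start IKE, ESP or L2TP traffic toward us.
REMOTE_SITE = ip_address("203.0.113.10")

# Private ranges that must never appear as an inbound source on the Internet
# interface (anti-spoofing). The post lists 172.16.0.0/24; RFC 1918 reserves
# the whole 172.16.0.0/12, which is what is blocked here.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NetBIOS/SMB ports x y recommends blocking in both directions.
NETBIOS_SMB_PORTS = {135, 136, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    direction: str                     # "in" (from the Internet) or "out"
    proto: str                         # "tcp", "udp" or "esp" (IP protocol 50)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"syn"} or {"ack"}


def _inbound(p: Packet) -> bool:
    return p.direction == "in"


def _from_peer(p: Packet) -> bool:
    return ip_address(p.src) == REMOTE_SITE


# Ordered rule table; first match wins, default is deny. The L2TP rule uses
# UDP/1701: the post writes TCP 1701, but L2TP (RFC 2661) runs over UDP.
RULES = [
    ("deny spoofed private source inbound",
     lambda p: _inbound(p) and any(ip_address(p.src) in n for n in PRIVATE_RANGES), "deny"),
    ("permit ISAKMP UDP/500 from peer",
     lambda p: _inbound(p) and _from_peer(p) and p.proto == "udp" and p.dport == 500, "permit"),
    ("permit ESP (IP protocol 50) from peer",
     lambda p: _inbound(p) and _from_peer(p) and p.proto == "esp", "permit"),
    ("permit L2TP UDP/1701 from peer",
     lambda p: _inbound(p) and _from_peer(p) and p.proto == "udp" and p.dport == 1701, "permit"),
    # Stateless "established" check: replies to connections our clients opened.
    ("permit established TCP replies",
     lambda p: _inbound(p) and p.proto == "tcp" and "ack" in p.flags and "syn" not in p.flags, "permit"),
    ("permit all outbound", lambda p: p.direction == "out", "permit"),
]


def evaluate(p: Packet) -> tuple:
    """Return (verdict, rule name) for the first matching rule, or a default deny."""
    for name, matches, verdict in RULES:
        if matches(p):
            return verdict, name
    return "deny", "default deny"


# --- Log review: tally inbound destination ports over a capture window -------
LOG_RE = re.compile(
    r"(?P<action>PERMIT|DENY) (?P<dir>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed log lines in a made-up format, not output of any real firewall.
SAMPLE_LOG = """\
2003-02-28 23:10:01 DENY in tcp 198.51.100.7:3344 -> 203.0.113.5:445
2003-02-28 23:10:02 DENY in udp 198.51.100.7:137 -> 203.0.113.5:137
2003-02-28 23:10:05 PERMIT in udp 203.0.113.10:500 -> 203.0.113.5:500
2003-02-28 23:10:09 PERMIT out tcp 192.168.10.20:1048 -> 198.51.100.30:80
2003-02-28 23:10:10 PERMIT in tcp 198.51.100.30:80 -> 203.0.113.5:1048
2003-02-28 23:11:00 DENY in tcp 198.51.100.8:4021 -> 203.0.113.5:135
""".splitlines()


def port_inventory(lines) -> Counter:
    """Count (proto, dport) pairs seen inbound; the raw material for deciding what to permit."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["dir"] == "in":
            counts[(m["proto"], int(m["dport"]))] += 1
    return counts


def netbios_hits(counts: Counter) -> list:
    """Inbound ports from the inventory that fall in the NetBIOS/SMB set."""
    return sorted(key for key in counts if key[1] in NETBIOS_SMB_PORTS)


if __name__ == "__main__":
    inventory = port_inventory(SAMPLE_LOG)
    for key, n in sorted(inventory.items()):
        print(f"{key[0]}/{key[1]}: {n} inbound")
    print("NetBIOS/SMB seen inbound:", netbios_hits(inventory))
    for pkt in (Packet("in", "udp", "203.0.113.10", "203.0.113.5", 500, 500),
                Packet("in", "udp", "198.51.100.9", "203.0.113.5", 500, 500),
                Packet("in", "tcp", "10.1.2.3", "203.0.113.5", 4021, 135, frozenset({"syn"}))):
        print(pkt.src, pkt.proto, pkt.dport, "->", evaluate(pkt))
```

The "established" rule models the classic stateless ACL entry from the post (ACK set, SYN clear); a stateful firewall tracks the outbound connection and lets the reply through on that basis instead, which is the safer choice since a crafted ACK-only packet satisfies the stateless check. The final "permit all outbound" rule is exactly the hole x y warns about: anything left open outbound is usable by malware or an insider, so the same inventory routine run on outbound lines tells you what to restrict there too.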

