Re: Windows 2003 Domain Controller (Open Port 593)



You could search the MS web properties for IPsec and "Domain Isolation"
for further approaches when it is desired to have DCs function just for
their domain membership. Of course, there are adaptations too.

"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166634736.486819.163560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have configured the DC using the following article
http://support.microsoft.com/kb/555381. In addition, I have taken a look
at the following
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp.
Looks as though the DC is as tight as it gets for Windows.

Thanks for the help and articles.

Roger Abell [MVP] wrote:
Yep, that is a fairly good KB
It is difficult to shield DCs in too much detail
(but there is another KB on it, DCs and firewalls).

Cheers,
--
ra

"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166553033.043467.275540@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You are correct with the assumption that I had misinterpreted
http://support.microsoft.com/kb/826382.
After reviewing http://support.microsoft.com/kb/832017 it looks like
there is nothing I can do about the port opening as it is needed by
the OS. I should have included in my first post that the svchost.exe
was using the RpcSs services. Thank you for the quick response and
article 832017.

netmon wrote:
I have just set up a new Windows 2003 domain controller and after
setting up the DC I ran a quick nmap scan of the box and have two open
ports which concern me. They are ports 593 and 1026. I did a quick
Google and port 593 (opened by svchost.exe) is related to
http-rpc-epmap and port 1026 (opened by lsass.exe) is related to
lsa-or-nterm. I do not have RPC over http proxy enabled and just to
make sure I have double-checked this by going to add/remove windows
components/networking services and RPC over HTTP Proxy is not enabled.
My question is how can I remove these or are they necessary services
needed by the OS. I do not have an Exchange environment and IIS is not
installed.
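Added example, not posted by anyone in this thread: a small Python helper that joins captured `netstat -ano` and `tasklist /svc` output so each listening port is tied to its process and the service it hosts, which is the check that turns "svchost.exe on 593" into "RpcSs on 593". The sample output, the EXPECTED allow-list and the dynamic-RPC range are constructed assumptions to be adjusted against KB 832017 for a real DC.

```python
import re

# Constructed sample captures, modelled on the DC described in the thread.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       464
  TCP    192.0.2.10:3389        192.0.2.50:51234       ESTABLISHED     1200
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ==========================================
lsass.exe                      464 kdc, Netlogon, NtLmSsp, PolicyAgent, SamSs
svchost.exe                    812 RpcSs
svchost.exe                   1200 TermService
"""

NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*?)\s*$", re.IGNORECASE)

def parse_tasklist(text):
    """Map PID -> (image name, tuple of hosted service names)."""
    table = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            svcs = tuple(s.strip() for s in m.group(3).split(",")
                         if s.strip() and s.strip() != "N/A")
            table[int(m.group(2))] = (m.group(1), svcs)
    return table

def listeners(netstat_text, tasklist_text):
    """Join LISTENING TCP sockets with the process/service table.
    Returns (port, pid, image, services) tuples sorted by port."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            port, pid = int(m.group(1)), int(m.group(2))
            image, svcs = procs.get(pid, ("?", ()))
            found.append((port, pid, image, svcs))
    return sorted(found)

# Assumed allow-list: documented DC listeners and who may hold them.
EXPECTED = {135: {"RpcSs"}, 593: {"RpcSs"}}   # 593 = RPC over HTTP endpoint mapper
DYNAMIC_RPC = range(1025, 5001)              # pre-Vista default dynamic RPC range
RPC_SERVERS = {"lsass.exe"}                  # LSA/Netlogon/KDC take dynamic endpoints

def unexpected(found):
    """Return listeners that no documented DC role accounts for."""
    return [l for l in found
            if not (EXPECTED.get(l[0], set()) & set(l[3]))
            and not (l[0] in DYNAMIC_RPC and l[2].lower() in RPC_SERVERS)]
```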
