Re: Windows 2003 Domain Controller (Open Port 593)



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:#aFnoo0KHHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
I believe that what you describe is why, as far as I know, MS still
says placing a DC so firewall separates it from its members is not
a supported configuration. In early W2k days, speaking with those
who tried, we most often referred to the wall after such attempts as
swiss cheese, but regrettably MS did not then even support use of
VPN tunnel between separated domain segments.

I agree that if you configure a firewall to allow any higher level port that
might use RPC to remain open, you have no firewall protection at all.

But the article he referenced in a later post is a significant article:

http://support.microsoft.com/kb/555381

This approach allows you to take just the RPC services required for a domain
controller, force them to use a *FIXED PORT*, and then open up just those
ports on the firewall. That way you do NOT open up ranges of ports on the
firewall. Every service is associated to one and only one fixed port.

My fault with the article was that it was not complete. Since this whole
subject of putting domain controllers behind firewalls is dear to my heart
(and possible proof of masochism :) ) I did some research, and the article
as written above appears to leave out the NETLOGON RPC service. Without
that RPC on a fixed port, and opened to the firewall, your computers won't
be able to open up a secure channel to the domain controller, which they
need at login and logoff (at minimum) to pass credentials and do cleanup.

Once you assign NETLOGON, Active Directory Replication (NTDS), and File
Replication RPC services to fixed ports, I am here to tell you that the
above article works! You end up with a reasonably "secured" domain
controller whose entry points are all well defined and running Microsoft
software.

I would probably not expose the LDAPS and LDAPS GC since we don't have
certificates in place yet and I wouldn't want to leave open ports that don't
have working/tested software running on those ports. File Replication
Service I guess you would only need to make available to other domain
controllers and could lock out clients from that.

--
Will
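The fixed-port configuration Will describes (NTDS, FRS and the NETLOGON service he says KB 555381 leaves out), plus the port-135 endpoint mapper point raised in the quoted post below, as an added example that is not part of the thread or of the KB article. It uses the documented REG_DWORD values for the three services (NTDS "TCP/IP Port" and Netlogon "DCTcpipPort" from KB 224196, NTFRS "RPC TCP/IP Port Assignment" from KB 319553); the port numbers 50000-50002 are an assumption, and the dynamic-range check assumes the Windows Server 2003 default range of 1025-5000.

```powershell
# Added example, not from the KB article or the thread. Pins the three RPC
# services to fixed TCP ports so the firewall can admit exactly those ports
# plus the endpoint mapper (TCP 135) instead of the whole dynamic RPC range.
# Port numbers are an assumption; pick unused ones in your environment.
# Run as an administrator on the DC and reboot afterwards: the services
# read these values only at startup.

$fixedPorts = @{
    # Active Directory replication (NTDS) -- KB 224196
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     = @{ Name = 'TCP/IP Port';                 Port = 50000 }
    # File Replication Service (NTFRS) -- KB 319553
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'    = @{ Name = 'RPC TCP/IP Port Assignment'; Port = 50001 }
    # Netlogon secure channel, the service Will says the article omits -- KB 224196
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' = @{ Name = 'DCTcpipPort';                 Port = 50002 }
}

foreach ($key in $fixedPorts.Keys) {
    $entry = $fixedPorts[$key]
    if (-not (Test-Path $key)) { throw "Registry key missing: $key (is this machine a DC?)" }
    # The value must be REG_DWORD; a REG_SZ with the same name is ignored by the service.
    New-ItemProperty -Path $key -Name $entry.Name -PropertyType DWord -Value $entry.Port -Force | Out-Null
    Write-Host ("{0,-9} -> TCP {1}" -f (Split-Path (Split-Path $key) -Leaf), $entry.Port)
}

# After the reboot: confirm each pinned port is actually listening, and list any
# listener still sitting in the dynamic RPC range (1025-5000 on Server 2003).
# Anything returned is an RPC service you have not pinned and would need
# another hole in the firewall, which is exactly what the thread warns against.
function Test-FixedRpcPorts {
    $expected  = @($fixedPorts.Values | ForEach-Object { $_.Port })
    $listening = netstat -ano -p tcp |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] -replace '^.*:', '' } |
        ForEach-Object { [int]$_ } | Sort-Object -Unique

    foreach ($p in ($expected + 135)) {
        if ($listening -notcontains $p) { Write-Warning "TCP $p is not listening" }
    }
    $listening | Where-Object { $_ -ge 1025 -and $_ -le 5000 -and $expected -notcontains $_ }
}

Test-FixedRpcPorts
```

With this in place the firewall rule set for the DC is TCP 135 and the three pinned ports for RPC, alongside the non-RPC services a DC needs (Kerberos, LDAP, SMB, DNS, time). The FRS port only needs to be reachable from other domain controllers, as Will notes, so scope that rule to their addresses rather than the client subnets.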



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:gpCdnT8_2Nca_Q7YnZ2dnUVZ_uC3nZ2d@xxxxxxxxxxxxxxx
"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166634736.486819.163560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have configured the DC using the following article
http://support.microsoft.com/kb/555381. In addition, I have taken a look at
the following:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

Looks as though the DC is as tight as it gets for Windows.

I follow these articles, but I'm confused by the scope of the first one
concerning domain controller configuration of W2K3 DCs to work with Windows
2003 Firewall. What doesn't appear to be mentioned in this article is
unblocking the endpoint mapper of RPC (port 135), which you would need for
any RPC functionality.

What I also don't see discussed in that article is how to configure for
specific RPC services used during the initial authentication by users and
clients. FRS and AD replication are only two of the services. When we
traced this with a sniffer last year during configuration of ISA2004, we
detected at least three distinct UUIDs of the RPC service used by clients
during authentication and initial login to a domain controller. All of
those would require access to port 135 and subsequent access to the higher
order ports assigned by RPC to those RPC services.

Note that the instructions in this knowledgebase get more complicated if you
want the DC to sit behind an ISA server on its own segment. We managed to
make that work, but it was hellish to figure out how to get the ISA RPC
filter to work with specific services (UUIDs) on fixed ports. It just
barely works, and we did have usability issues with it (still unresolved,
even after referring them to Microsoft support).

--
Will
