Re: Windows 2003 Domain Controller (Open Port 593)



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:sP2dnZEiBbkh_AbYnZ2dnUVZ_uCinZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:#aFnoo0KHHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
I believe that what you describe is why, as far as I know, MS still
says placing a DC so a firewall separates it from its members is not
a supported configuration. In early W2k days, speaking with those
who tried, we most often referred to the wall after such attempts as
Swiss cheese, but regrettably MS did not then even support use of a
VPN tunnel between separated domain segments.

I agree that if you configure a firewall to allow any higher-level port that
might use RPC to remain open, you have no firewall protection at all.

But the article he referenced in a later post is a significant article:

http://support.microsoft.com/kb/555381

This approach allows you to take just the RPC services required for a domain
controller, force them to use a *FIXED PORT*, and then open up just those
ports on the firewall. That way you do NOT open up ranges of ports on the
firewall. Every service is associated with one and only one fixed port.

My fault with the article was that it was not complete. Since this whole
subject of putting domain controllers behind firewalls is dear to my heart
(and possible proof of masochism :) ) I did some research, and the article
as written above appears to leave out the NETLOGON RPC service. Without
that RPC on a fixed port, and opened on the firewall, your computers won't
be able to open up a secure channel to the domain controller, which they
need at login and logoff (at minimum) to pass credentials and do cleanup.

Once you assign NETLOGON, Active Directory Replication (NTDS), and File
Replication RPC services to fixed ports, I am here to tell you that the
above article works! You end up with a reasonably "secured" domain
controller whose entry points are all well defined and running Microsoft
software.

I would probably not expose LDAPS and the LDAPS GC since we don't have
certificates in place yet and I wouldn't want to leave open ports that don't
have working/tested software running on those ports. File Replication
Service I guess you would only need to make available to other domain
controllers and could lock out clients from that.


That is interesting info, Will.
You no doubt have actually pulled out far more hair on this
than I have been willing to put at risk <g>
I wonder whether, if I make a comment to the KB people about
the omission of mention of the Netlogon RPC port requirement,
they would be able to complete their research from that (being
content writers/specialists and all).
I think whether FRS is needed otherwise than you indicate
also depends on whether DFS is in use and what rev level
of the OS is in use for the DFS replicas.

Roger



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:gpCdnT8_2Nca_Q7YnZ2dnUVZ_uC3nZ2d@xxxxxxxxxxxxxxx
"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166634736.486819.163560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have configured the DC using the following article
http://support.microsoft.com/kb/555381. In addition, I have taken a look
at the following:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

Looks as though the DC is as tight as it gets for Windows.

I follow these articles, but I'm confused by the scope of the first one
concerning domain controller configuration of W2K3 DCs to work with Windows
2003 Firewall. What doesn't appear to be mentioned in this article is
unblocking the endpoint mapper of RPC (port 135), which you would need for
any RPC functionality.

What I also don't see discussed in that article is how to configure for
specific RPC services used during the initial authentication by users and
clients. FRS and AD replication are only two of the services. When we
traced this with a sniffer last year during configuration of ISA2004, we
detected at least three distinct UUIDs of the RPC service used by clients
during authentication and initial login to a domain controller. All of
those would require access to port 135 and subsequent access to the higher
order ports assigned by RPC to those RPC services.

Note that the instructions in this knowledgebase article get more complicated
if you want the DC to sit behind an ISA server on its own segment. We
managed to make that work, but it was hellish to figure out how to get the
ISA RPC filter to work with specific services (UUIDs) on fixed ports. It just
barely works, and we did have usability issues with it (still unresolved,
even after referring them to Microsoft support).

--
Will
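As an added illustration of Will's point that the firewall should pass only port 135 plus one fixed port per pinned RPC service (NETLOGON, NTDS replication, FRS), here is a small Python checker; it is example code written for this thread, not from the thread or from Microsoft. It parses a constructed endpoint-mapper dump (in the style of a PortQry query against port 135) and reports any of the three services that is not bound to its intended fixed port; the fixed port numbers and the dump are constructed, and the interface UUIDs are the ones Microsoft documents for these services and should be confirmed against a real dump.

```python
import re

# Fixed ports the administrator chose for the three RPC services the thread
# says must be pinned (constructed example values, not from the thread).
FIXED_PORTS = {"NTDS replication": 5000, "Netlogon": 5001, "NTFRS": 5002}

# Interface UUIDs as published in Microsoft's RPC documentation; confirm them
# against your own endpoint-mapper dump before relying on this map.
INTERFACES = {
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "NTDS replication",
    "12345678-1234-abcd-ef00-01234567cffb": "Netlogon",
    "f5cc59b4-4264-101a-8c59-08002b2f8426": "NTFRS",
}
ENDPOINT_MAPPER = 135  # always needed: clients resolve the UUIDs here

# Constructed dump in the style of an endpoint-mapper query (e.g. PortQry -e 135):
# a "UUID:" line followed by the bindings registered for that interface.
# Netlogon is deliberately left on a dynamic port to show a failed check.
SAMPLE_DUMP = """\
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:dc1[5000]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:dc1[1045]
ncacn_np:\\\\dc1[\\PIPE\\lsass]
UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrsApi Service
ncacn_ip_tcp:dc1[5002]
"""

def parse_dump(text):
    """Map each interface UUID to the set of TCP ports it is listening on."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"UUID:\s*([0-9a-f-]{36})", line, re.I)
        if m:
            current = m.group(1).lower()
            ports.setdefault(current, set())
            continue
        m = re.match(r"ncacn_ip_tcp:[^\[]+\[(\d+)\]", line)
        if m and current:
            ports[current].add(int(m.group(1)))
    return ports

def audit(dump_text, fixed=FIXED_PORTS, interfaces=INTERFACES):
    """Return (problems, allow_list): services not on their single fixed port,
    and the exact TCP ports the firewall must pass once everything is pinned."""
    seen = parse_dump(dump_text)
    problems = []
    for uuid, name in interfaces.items():
        actual = seen.get(uuid, set())
        if not actual:
            problems.append(f"{name}: not registered with the endpoint mapper")
        elif actual != {fixed[name]}:
            problems.append(f"{name}: listening on {sorted(actual)}, expected {fixed[name]}")
    return problems, sorted({ENDPOINT_MAPPER, *fixed.values()})
```

Any service reported by `audit` is one for which the firewall would otherwise have to open the whole dynamic RPC range, which is exactly the "swiss cheese" outcome the thread warns about.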
