Solved

Domain controller behind firewall

Posted on 2004-10-14
14
12,960 Views
Last Modified: 2010-05-08
Ok...please forgive me, but I'm not a network person...I'm a Microsoft person, hehe. I manage systems and let the network people manage the network. But I have a question:

I have a domain controller (Windows 2003) that is behind a Cisco firewall. I have a couple of clients that are on a different subnet (they have static IPs) which need to access the DC to authenticate and use shared resources. What ports do I need to tell our network people to open to allow for this? Does this pose any kind of huge security risk?...yes, I know poking holes in a firewall is a security risk, but I really need these computers on our AD infrastructure. The clients are ultimately behind another firewall (we are all a part of a university network, but my specific network is blocked off from the rest of the university for extra security). Currently, we only have the one server (it's a small network), but I may be implementing a SUS server that would be behind the firewall as well that these clients would need to access.
Question by:luv2smile
14 Comments
 
LVL 2

Expert Comment

by:Xorb
The risk here is mostly (assuming that you keep your server patches up to date) that if the clients you want to be able to log in can log in, then ppl that you might not want to log in could be able to log in too (or try at least).

One thing to watch out for is brute force attack, where someone tries to guess a password by trying one after the other over and over. Protection against this is to set your policies to violate a user account after x amount of incorrect password attempts (done under policies). But be careful, make your attempts allowed too low and it's more admin for you. 10 is a nice rule-o-thumb 4 me. A user can make a few typos, but brute force against the open port will deactivate the account under attack.

And then there is the chance that someone might discover a flaw in the services that run on those ports that we don't know about yet (so there is no patch for it yet) and you get nailed, but mostly keep your patches tight and running an AV is good enough.

0
 
LVL 18

Author Comment

by:luv2smile
Server and all clients remain up to date on patches and AV. Physical access to clients is not an issue.....they are in a secure area where only the appropriate people have access, so the only threat would be from coming thru the network. I have user accounts set to lock out after 5 invalid attempts for a short period of time....is this what you are referring to? Complex passwords are enforced.

I know nothing is 100%, I just want to make sure that security is locked down as tight as possible. I don't want open ports on the firewall that are unnecessary, but I don't know what to tell our firewall admin to allow/not allow. I guess my concern is that since these clients are not behind our firewall, if somehow someone got control of them...the chance of them gaining access to our network inside and being able to do anything serious.
0
 
LVL 16

Expert Comment

by:JammyPak
0
 
LVL 16

Expert Comment

by:JammyPak
This is a pretty good link if you want to do any other stuff through the firewall (print, map drives, etc).
http://support.microsoft.com/?id=832017
0
 
LVL 18

Author Comment

by:luv2smile
Thanks for the articles, they have helped. I think I have figured out what ports need to be open to allow authentication with AD.

The only other thing these clients would need to do in our network is to access file shares located on the DC. I'm still looking, but not clear on exactly what ports need to be open to allow mapped network shares. I know TCP 139 and TCP 445 and UDP 445...but I'm not sure what else.
0
 
LVL 2

Accepted Solution

by:
Xorb earned 250 total points
When looking at http://support.microsoft.com/?id=832017#5, ports you might want to open are (give your guys either numbers or names, they should know the number=name scheme ;-)
DNS
DHCP
Kerberos ( 88 )
NTP ( 123 )
RPC ( 135 )
NetBIOS ( 137 + 138 + 139 )  *NB ! All these ports MUST be open to file share or print share
SMB ( 445 )

And if you want SUS on the same server to work then
80 ( http )
And I think there is another, but I've got to go so I'll look it up 2 morrow ;-)


When you open those ports up, be sure to instruct your network guys to open them up ONLY to the server. This is easy to do, and you don't want traffic to any other IP apart from to your server to be able to pass through the ports that you are opening. Make sure they understand you want them to open these ports to the server. This will seriously limit the risk exposure.

0
 
LVL 12

Expert Comment

by:Mazaraat
The best 2 ways to do this would be:

Have the network "guys" create an access list on the router that specifies the remote clients' IPs and allows them to your server.

or have the network guys create a VPN tunnel between the 2 networks using either the Cisco routers or the firewalls.

Depending on your configuration either would work, and both are extremely secure.
0
 
LVL 18

Author Comment

by:luv2smile
Xorb, Thanks for your list of ports...that was helpful. I'm not concerned about SUS at the moment since we don't have it implemented yet.

Mazaraat......yes, that is what we are going to do....only open the ports for the remote client's IP to the IP of the server....but even doing that, I would like to only open the ports necessary and not all ports.
0
 
LVL 12

Expert Comment

by:Mazaraat
Good Luck =)
0
 
LVL 2

Expert Comment

by:Xorb
Luv2smile
If your network guys are kind and don't mind working with you, maybe start by only opening up a few ports (NetBIOS only, as an example) and then test what works and what does not. That does take more time than just doing it all in one go, but think of it as an interesting and fun learning exercise.

But if your network guys don't have that much time for you, just open up that list, and you should be OK ... if I left anything out, your users will all complain that there is some small function that is just time'n out or a similar symptom.
0
 
LVL 18

Author Comment

by:luv2smile
Thank you...I think I have a better handle on it now.
0
 
LVL 16

Expert Comment

by:JammyPak
??
0
 

Expert Comment

by:xavierleo
The above mentioned accepted solution is not complete; the LDAP and GC ports need to be opened as well.

Thanks
0
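The advice in this thread (open only the AD ports, only from the two static client addresses, only to the DC, and include LDAP/GC) can be written down as one router access list. The following is an added example and not configuration posted by anyone in the thread; it uses Cisco IOS named-ACL syntax with object groups, and every address, object-group name and interface name is an assumption chosen for illustration (addresses come from the RFC 5737 documentation ranges).

```cisco
! Added example: least-privilege ACL for two remote AD clients reaching one DC.
! Constructed addresses (not from the thread):
!   DC / file server : 192.0.2.10
!   remote clients   : 198.51.100.21 and 198.51.100.22 (static IPs)
!
object-group network AD-CLIENTS
 host 198.51.100.21
 host 198.51.100.22
!
object-group network DC
 host 192.0.2.10
!
ip access-list extended CLIENTS-TO-DC
 remark DNS: DC locator (SRV) lookups and name resolution (53)
 permit udp object-group AD-CLIENTS object-group DC eq 53
 permit tcp object-group AD-CLIENTS object-group DC eq 53
 remark Kerberos authentication (88)
 permit tcp object-group AD-CLIENTS object-group DC eq 88
 permit udp object-group AD-CLIENTS object-group DC eq 88
 remark NTP: Kerberos rejects tickets if clocks drift too far (123)
 permit udp object-group AD-CLIENTS object-group DC eq 123
 remark RPC endpoint mapper (135)
 permit tcp object-group AD-CLIENTS object-group DC eq 135
 remark NetBIOS name, datagram and session services (137, 138, 139)
 permit udp object-group AD-CLIENTS object-group DC eq 137
 permit udp object-group AD-CLIENTS object-group DC eq 138
 permit tcp object-group AD-CLIENTS object-group DC eq 139
 remark LDAP and Global Catalog, the ports the later comment says were missing (389, 3268)
 permit tcp object-group AD-CLIENTS object-group DC eq 389
 permit udp object-group AD-CLIENTS object-group DC eq 389
 permit tcp object-group AD-CLIENTS object-group DC eq 3268
 remark SMB over TCP for the file shares on the DC (445)
 permit tcp object-group AD-CLIENTS object-group DC eq 445
 remark DHCP (67/68) omitted: the clients have static addresses.
 remark HTTP (80) for SUS omitted until that server actually exists.
 remark Anything else arriving from outside is dropped and logged.
 deny ip any any log
!
interface GigabitEthernet0/0
 description outside (toward the rest of the university network)
 ip access-group CLIENTS-TO-DC in
```

Two caveats a practitioner would want. First, the `log` keyword on the final deny is what turns this list into a detection source: hits from addresses other than the two clients, or from the clients on ports outside the list, show up in the router's log and are worth alerting on. Second, this is a stateless packet filter applied inbound on the outside interface; on a stateful firewall the return traffic of the DC's own outbound sessions is tracked automatically, but on a plain router you would additionally need an `established` or reflexive-ACL rule for replies, and some RPC-based operations (for example domain joins) negotiate dynamic high ports through the endpoint mapper that a non-RPC-aware filter will not see, which is why the VPN tunnel suggested in the thread is the cleaner answer when more than a fixed handful of services is involved.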
 
LVL 12

Expert Comment

by:Mazaraat
This ticket is over 4 years old, why post now?  Technically you should NEVER open ports in the firewall; if you have remote users that need to connect to your domain, use a VPN connection.  That way your network is still protected and they will be authenticated and encrypted.
0