Solved

Domain controller behind firewall

Posted on 2004-10-14
14
12,991 Views
Last Modified: 2010-05-08
Ok...please forgive me, but I'm not a network person...I'm a microsoft person, hehe. I manage systems and let the network people manage the network. But I have question:

I have a domain controller (Windows 2003) that is behind a Cisco firewall. I have a couple of clients that are on a different subnet (they have static IPs) which need to access the DC to authenticate and use shared resources. What ports do I need to tell our network people to open to allow for this? Does this pose any kind of huge security risk?...yes, I know poking holes in a firewall is a security risk, but I really need these computers on our AD infrastructure. The clients are ultimately behind another firewall (we are all a part of a university network, but my specific network is blocked off from the rest of the university for extra security). Currently, we only have the one server (it's a small network), but I may be implementing a SUS server that would be behind the firewall as well that these clients would need to access.
Question by:luv2smile
14 Comments
 
LVL 2

Expert Comment

by:Xorb
ID: 12308502
The risk here is mostly (assuming that you keep your server patches up to date) that if the clients you want to be able to log in can log in, then people that you might not want to log in could be able to log in too (or try at least).

One thing to watch out for is a brute force attack, where someone tries to guess a password by trying one after the other over and over. Protection against this is to set your policies to violate a user account after x amount of incorrect password attempts (done under policies). But be careful, make your attempts allowed too low and it's more admin for you. 10 is a nice rule-o-thumb for me. A user can make a few typos, but brute force against the open port will deactivate the account under attack.

And then there is the chance that someone might discover a flaw in the services that run on those ports that we don't know about yet (so there is no patch for it yet) and you get nailed, but mostly keep your patches tight and running an AV is good enough.

0
 
LVL 18

Author Comment

by:luv2smile
ID: 12308665
Server and all clients remain up to date on patches and AV. Physical access to clients is not an issue.....they are in a secure area where only the appropriate people have access, so the only threat would be from coming through the network. I have user accounts set to lock out after 5 invalid attempts for a short period of time....is this what you are referring to? Complex passwords are enforced.

I know nothing is 100%, I just want to make sure that security is locked down as tight as possible. I don't want open ports on the firewall that are unnecessary, but I don't know what to tell our firewall admin to allow/not allow. I guess my concern is that since these clients are not behind our firewall, if somehow someone got control of them...the chance of them gaining access to our network inside and being able to do anything serious.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12308721
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12309295
This is a pretty good link if you want to do any other stuff through the firewall (print, map drives, etc).
http://support.microsoft.com/?id=832017
0
 
LVL 18

Author Comment

by:luv2smile
ID: 12309634
Thanks for the articles, they have helped. I think I have figured out what ports need to be open to allow authentication with AD.

The only other thing these clients would need to do in our network is to access file shares located on the DC. I'm still looking, but not clear on exactly what ports need to be open to allow mapped network shares. I know TCP 139 and TCP 445 and UDP 445...but I'm not sure what else.
0
 
LVL 2

Accepted Solution

by:
Xorb earned 250 total points
ID: 12309681
When looking at http://support.microsoft.com/?id=832017#5 ports you might want to open are (give your guys either numbers or names, they should know the number=name scheme ;-)
DNS
DHCP
Kerberos (88)
NTP (123)
RPC (135)
NetBIOS (137 + 138 + 139)  *NB! All these ports MUST be open to file share or print share
SMB (445)

And if you want SUS on the same server to work then
80 (http)
And I think there is another, but I've got to go so I'll look it up tomorrow ;-)


When you open those ports up, be sure to instruct your network guys to open them up ONLY to the server. This is easy to do, and you don't want traffic to any other IP apart from to your server to be able to pass through the ports that you are opening. Make sure they understand you want them to open these ports to the server. This will seriously limit the risk exposure.

0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12310237
The best 2 ways to do this would be:

Have the network "guys" create an access list on the router that specifies the remote clients' IPs and allows them to your server.

or have the network guys create a VPN tunnel between the 2 networks using either the Cisco routers or the firewalls.

Depending on your configuration either would work, and both are extremely secure.
0
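Xorb's advice to open the listed ports only to the server, and Mazaraat's suggestion of a router access list keyed to the remote clients' IPs, amount to the same least-privilege rule set. The script below is an added illustration, not code from this thread: it takes the accepted answer's service list (with the well-known port numbers; DHCP is left out since the remote clients use static IPs), builds one client-to-DC rule per port, renders them as a Cisco IOS extended ACL, and flags any proposed rule that is wider than "named client host, DC host, listed port". The client and DC addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Services from the accepted answer with their well-known ports (DHCP omitted: static clients).
AD_SERVICES = [
    ("DNS", "udp", 53), ("DNS", "tcp", 53),
    ("Kerberos", "udp", 88), ("Kerberos", "tcp", 88),
    ("NTP", "udp", 123),
    ("RPC endpoint mapper", "tcp", 135),
    ("NetBIOS name", "udp", 137), ("NetBIOS datagram", "udp", 138),
    ("NetBIOS session", "tcp", 139),
    ("SMB", "tcp", 445),
]

@dataclass(frozen=True)
class Rule:
    src: str             # "any" or an address/CIDR, e.g. "10.20.30.40/32"
    dst: str             # "any" or an address/CIDR
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # None means every port

def build_rules(client_ips, dc_ip):
    """One rule per (client, service port): named client host -> DC host only."""
    dc = f"{ip_address(dc_ip)}/32"
    return [Rule(f"{ip_address(c)}/32", dc, proto, port)
            for c in client_ips for _, proto, port in AD_SERVICES]

def _acl_addr(cidr):
    """IOS address syntax: 'host X' for a /32, otherwise 'network wildcard-mask'."""
    net = ip_network(cidr, strict=False)
    return f"host {net.network_address}" if net.prefixlen == 32 \
        else f"{net.network_address} {net.hostmask}"

def to_cisco_acl(rules, name="AD-FROM-REMOTE"):
    """Render the rules as an IOS extended named ACL ending in an explicit logged deny."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        lines.append(f" permit {r.proto} {_acl_addr(r.src)} {_acl_addr(r.dst)} eq {r.port}")
    lines.append(" deny ip any any log")
    return "\n".join(lines)

def overly_broad(rule, dc_ip):
    """Return the ways a rule exceeds 'single client -> this DC -> listed AD port'."""
    findings = []
    if rule.src == "any" or ip_network(rule.src, strict=False).num_addresses > 1:
        findings.append("source wider than a single client host")
    if rule.dst == "any" or ip_network(rule.dst, strict=False) != ip_network(f"{dc_ip}/32"):
        findings.append("destination is not the DC alone")
    if rule.port is None or (rule.proto, rule.port) not in {(p, n) for _, p, n in AD_SERVICES}:
        findings.append("port not in the AD service list")
    return findings
```

Hand the rendered ACL to the network team as the concrete request; anything `overly_broad` reports is a rule to push back on before it goes in.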
 
LVL 18

Author Comment

by:luv2smile
ID: 12310288
Xorb, Thanks for your list of ports...that was helpful. I'm not concerned about SUS at the moment since we don't have it implemented yet.

Mazaraat......yes, that is what we are going to do....only open the ports for the remote client's IP to the IP of the server....but even doing that, I would like to only open the ports necessary and not all ports.
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12313380
Good Luck =)
0
 
LVL 2

Expert Comment

by:Xorb
ID: 12316377
Luv2smile
If your network guys are kind and don't mind working with you, maybe start by only opening up a few ports (NetBIOS only as an example) and then test what works and what does not. That does take more time than just doing it all in one go, but think of it as an interesting and fun learning exercise.

But if your network guys don't have that much time for you, just open up that list, and you should be OK ... if I left anything out, your users will all complain that there is some small function that is just timing out or a similar symptom.
0
 
LVL 18

Author Comment

by:luv2smile
ID: 12318494
Thank you...I think I have a better handle on it now.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12318764
??
0
 

Expert Comment

by:xavierleo
ID: 21698694
The above mentioned accepted solution is not complete, LDAP and GC ports need to be opened as well.

Thanks
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 21703585
This ticket is over 4 years old, why post now?  Technically you should NEVER open ports in the firewall; if you have remote users that need to connect to your domain, use a VPN connection.  That way your network is still protected and they will be authenticated and encrypted.
0
