Domain controller behind firewall

Posted on 2004-10-14
Last Modified: 2010-05-08
Ok...please forgive me, but I'm not a network person...I'm a microsoft person, hehe. I manage systems and let the network people manage the network. But I have question:

I have a domain controller (Windows 2003) that is behind a Cisco firewall. I have a couple of clients that are on a different subnet (they have static IPs) which need to access the DC to authenticate and use shared resources. What ports do I need to tell our network people to open to allow for this? Does this pose any kind of huge security risk?...yes, I know poking holes in a firewall is a security risk, but I really need these computers on our AD infrastructure. The clients are ultimately behind another firewall (we are all a part of a university network, but my specific network is blocked off from the rest of the university for extra security). Currently, we only have the one server (it's a small network), but I may be implementing a SUS server that would be behind the firewall as well that these clients would need to access.
Question by:luv2smile
14 Comments
 
LVL 2

Expert Comment

by:Xorb
ID: 12308502
The risk here is mostly (assuming that you keep your server patches up to date) that if the clients you want to be able to log in can log in, then ppl that you might not want to log in could be able to log in too (or try at least).

One thing to watch out for is brute force attack, where someone tries to guess a password by trying one after the other over and over. Protection against this is to set your policies to violate a user account after x amount of incorrect password attempts (done under policies). But be careful, make your attempts allowed too low and it's more admin for you. 10 is a nice rule-o-thumb for me. A user can make a few typos, but brute force against the open port will deactivate the account under attack.

And then there is the chance that someone might discover a flaw in the services that run on those ports that we don't know about yet (so there is no patch for it yet) and you get nailed, but mostly keep your patches tight and running an AV is good enough.

0
 
LVL 18

Author Comment

by:luv2smile
ID: 12308665
Server and all clients remain up to date on patches and AV. Physical access to clients is not an issue.....they are in a secure area where only the appropriate people have access, so the only threat would be from coming through the network. I have user accounts set to lock out after 5 invalid attempts for a short period of time....is this what you are referring to? Complex passwords are enforced.

I know nothing is 100%, I just want to make sure that security is locked down as tight as possible. I don't want open ports on the firewall that are unnecessary, but I don't know what to tell our firewall admin to allow/not allow. I guess my concern is that since these clients are not behind our firewall, if somehow someone got control of them...the chance of them gaining access to our network inside and being able to do anything serious.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12308721
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12309295
This is a pretty good link if you want to do any other stuff through the firewall (print, map drives, etc).
http://support.microsoft.com/?id=832017
0
 
LVL 18

Author Comment

by:luv2smile
ID: 12309634
Thanks for the articles, they have helped. I think I have figured out what ports need to be open to allow authentication with AD.

The only other thing these clients would need to do in our network is to access file shares located on the DC. I'm still looking, but not clear on exactly what ports need to be open to allow mapped network shares. I know TCP 139 and TCP 445 and UDP 445...but I'm not sure what else.
0
 
LVL 2

Accepted Solution

by:Xorb (earned 1000 total points)
ID: 12309681
When looking at http://support.microsoft.com/?id=832017#5 ports you might want to open are (give your guys either numbers or names, they should know the number=name scheme ;-)
DNS
DHCP
Kerberos (88)
NTP (123)
RPC (135)
NetBIOS (137 + 138 + 139)  *NB! All these ports MUST be open to file share or print share
SMB (445)

And if you want SUS on the same server to work then
80 (http)
And I think there is another, but I've got to go so I'll look it up tomorrow ;-)


When you open those ports up, be sure to instruct your network guys to open them up ONLY to the server. This is easy to do, and you don't want traffic to any other IP apart from to your server to be able to pass through the ports that you are opening. Make sure they understand you want them to open these ports to the server. This will seriously limit the risk exposure.

0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12310237
The best 2 ways to do this would be:

Have the network "guys" create an access list on the router that specifies the remote clients' IPs and allows them to your server.

Or have the network guys create a VPN tunnel between the 2 networks using either the Cisco routers or the firewalls.

Depending on your configuration either would work, and both are extremely secure.
0
 
LVL 18

Author Comment

by:luv2smile
ID: 12310288
Xorb, Thanks for your list of ports...that was helpful. I'm not concerned about SUS at the moment since we don't have it implemented yet.

Mazaraat......yes, that is what we are going to do....only open the ports for the remote client's IP to the IP of the server....but even doing that, I would like to only open the ports necessary and not all ports.
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12313380
Good Luck =)
0
 
LVL 2

Expert Comment

by:Xorb
ID: 12316377
Luv2smile
If your network guys are kind and don't mind working with you, maybe start by only opening up a few ports (NetBIOS only as an example) and then test what works and what does not. That does take more time than just doing it all in one go, but think of it as an interesting and fun learning exercise.

But if your network guys don't have that much time for you, just open up that list, and you should be OK ... if I left anything out, your users will all complain that there is some small function that is just timing out or a similar symptom.
0
 
LVL 18

Author Comment

by:luv2smile
ID: 12318494
Thank you...I think I have a better handle on it now.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 12318764
??
0
 

Expert Comment

by:xavierleo
ID: 21698694
The above mentioned accepted solution is not complete; the LDAP and GC ports need to be opened as well.

Thanks
0
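The accepted solution's port list, its advice to open those ports only towards the server, and the later note that the LDAP and Global Catalog ports are also needed, can be turned into a check the Windows admin can run on whatever rule list the firewall admin hands back. The script below is an added example and is not code from the thread or from any of its participants. It assumes a simplified, IOS-like rule syntax constructed for this example ("permit <proto> <src> <dst> [eq <port>]", addresses as dotted IPs or address/prefix, or "any"); the port numbers for DNS, DHCP, LDAP and the Global Catalog are the standard assignments and were not stated in the thread; the IP addresses in the sample rules are made up.

```python
"""Audit a candidate firewall rule list against the port set a remote client
needs to reach a domain controller.

Added example, not code from the thread. Rule syntax is a simplified,
IOS-like form constructed for this example:
    permit <tcp|udp|ip> <src> <dst> [eq <port>]
where <src>/<dst> is a dotted address, an address/prefix, or "any".
"""
import ipaddress
import re
from dataclasses import dataclass

# Services from the accepted solution, plus LDAP and the Global Catalog from
# the follow-up comment. DNS, DHCP, LDAP and GC numbers are the standard
# assignments (not given in the thread). DHCP is kept because the accepted
# answer lists it; clients with static addresses do not use it.
DC_PORTS = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 67): "DHCP", ("udp", 68): "DHCP",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "NTP",
    ("tcp", 135): "RPC",
    ("udp", 137): "NetBIOS-NS", ("udp", 138): "NetBIOS-DGM", ("tcp", 139): "NetBIOS-SSN",
    ("tcp", 445): "SMB",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 3268): "Global Catalog",
}

RULE_RE = re.compile(
    r"^permit\s+(?P<proto>tcp|udp|ip)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def _to_network(token):
    """Return None for 'any', otherwise the address or prefix as a network."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(rules):
    """Yield (line, proto, src_net, dst_net, port); proto is None if unparsed."""
    for raw in rules:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            yield line, None, None, None, None
            continue
        port = int(m["port"]) if m["port"] else None
        yield line, m["proto"], _to_network(m["src"]), _to_network(m["dst"]), port


def audit_rules(rules, dc_ip, client_ips, allowed=DC_PORTS):
    """Flag rules wider than 'these clients, to the DC only, on these ports'."""
    dc = ipaddress.ip_address(dc_ip)
    clients = [ipaddress.ip_address(c) for c in client_ips]
    findings = []
    for line, proto, src, dst, port in parse_rules(rules):
        if proto is None:
            findings.append(Finding(line, "error", "rule could not be parsed"))
            continue
        if dst is None or dst.num_addresses != 1 or dc not in dst:
            findings.append(Finding(line, "high", "destination is not the DC alone"))
        if src is None:
            findings.append(Finding(line, "high", "source is 'any'; scope it to the remote clients"))
        elif src.num_addresses > sum(1 for c in clients if c in src):
            findings.append(Finding(line, "medium", "source covers hosts beyond the listed clients"))
        if proto == "ip" or port is None:
            findings.append(Finding(line, "high", "every port permitted; restrict to the DC services"))
        elif (proto, port) not in allowed:
            findings.append(Finding(line, "medium", f"{proto}/{port} is not a DC service in the list"))
    return findings


def missing_services(rules, allowed=DC_PORTS):
    """Service names from the allow-list that no port-specific rule covers yet."""
    covered = {allowed[(p, port)] for _, p, _, _, port in parse_rules(rules)
               if p in ("tcp", "udp") and port is not None and (p, port) in allowed}
    return sorted(set(allowed.values()) - covered)


# Constructed sample: two remote clients, one DC at 10.20.0.5 (made-up addresses).
SAMPLE_RULES = [
    "! constructed example rules, not from a real device",
    "permit tcp 172.16.5.10 10.20.0.5 eq 88",
    "permit udp 172.16.5.10 10.20.0.5 eq 88",
    "permit tcp 172.16.5.10 10.20.0.5 eq 445",
    "permit tcp 172.16.5.0/24 10.20.0.5 eq 139",   # whole subnet as source
    "permit tcp 172.16.5.10 any eq 135",           # destination not pinned to the DC
    "permit ip 172.16.5.11 10.20.0.5",             # all ports
    "permit tcp 172.16.5.11 10.20.0.5 eq 23",      # not a DC service
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "10.20.0.5", ["172.16.5.10", "172.16.5.11"]):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
    print("not yet covered:", ", ".join(missing_services(SAMPLE_RULES)))
```

`audit_rules` catches the three ways a rule set drifts from the accepted answer's advice (destination wider than the one server, source wider than the named clients, ports beyond the DC services), and `missing_services` lists what the remote clients still cannot reach, which is the "something small times out" symptom Xorb describes, found before users report it. Swap in your own firewall's syntax by changing `RULE_RE` and `_to_network`.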
 
LVL 12

Expert Comment

by:Mazaraat
ID: 21703585
This ticket is over 4 years old, why post now?  Technically you should NEVER open ports in the firewall; if you have remote users that need to connect to your domain, use a VPN connection.  That way your network is still protected and they will be authenticated and encrypted.
0