Solved

Domain controller behind firewall

Posted on 2004-10-14
Last Modified: 2010-05-08
Ok...please forgive me, but I'm not a network person...I'm a Microsoft person, hehe. I manage systems and let the network people manage the network. But I have a question:

I have a domain controller (Windows 2003) that is behind a Cisco firewall. I have a couple of clients that are on a different subnet (they have static IPs) which need to access the DC to authenticate and use shared resources. What ports do I need to tell our network people to open to allow for this? Does this pose any kind of huge security risk?...yes, I know poking holes in a firewall is a security risk, but I really need these computers on our AD infrastructure. The clients are ultimately behind another firewall (we are all a part of a university network, but my specific network is blocked off from the rest of the university for extra security). Currently, we only have the one server (it's a small network), but I may be implementing a SUS server that would be behind the firewall as well that these clients would need to access.
Question by:luv2smile
14 Comments
 
LVL 2

Expert Comment

by:Xorb
ID: 12308502
The risk here is mostly (assuming that you keep your server patches up to date) that if the clients you want to be able to log in can log in, then people that you might not want to log in could be able to log in too (or try at least).

One thing to watch out for is a brute force attack, where someone tries to guess a password by trying one after the other over and over. Protection against this is to set your policies to lock out a user account after x amount of incorrect password attempts (done under policies). But be careful, make your attempts allowed too low and it's more admin for you. 10 is a nice rule-o-thumb for me. A user can make a few typos, but brute force against the open port will deactivate the account under attack.

And then there is the chance that someone might discover a flaw in the services that run on those ports that we don't know about yet (so there is no patch for it yet) and you get nailed, but mostly keep your patches tight and running an AV is good enough.

LVL 18

Author Comment

by:luv2smile
ID: 12308665
Server and all clients remain up to date on patches and AV. Physical access to clients is not an issue.....they are in a secure area where only the appropriate people have access, so the only threat would be from coming through the network. I have user accounts set to lock out after 5 invalid attempts for a short period of time....is this what you are referring to? Complex passwords are enforced.

I know nothing is 100%, I just want to make sure that security is locked down as tight as possible. I don't want open ports on the firewall that are unnecessary, but I don't know what to tell our firewall admin to allow/not allow. I guess my concern is that since these clients are not behind our firewall, if somehow someone got control of them...the chance of them gaining access to our network inside and being able to do anything serious.
LVL 16

Expert Comment

by:JammyPak
ID: 12308721
LVL 16

Expert Comment

by:JammyPak
ID: 12309295
This is a pretty good link if you want to do any other stuff through the firewall (print, map drives, etc).
http://support.microsoft.com/?id=832017
LVL 18

Author Comment

by:luv2smile
ID: 12309634
Thanks for the articles, they have helped. I think I have figured out what ports need to be open to allow authentication with AD.

The only other thing these clients would need to do in our network is to access file shares located on the DC. I'm still looking, but not clear on exactly what ports need to be open to allow mapped network shares. I know TCP 139 and TCP 445 and UDP 445...but I'm not sure what else.
LVL 2

Accepted Solution

by:
Xorb earned 1000 total points
ID: 12309681
When looking at http://support.microsoft.com/?id=832017#5 the ports you might want to open are (give your guys either numbers or names, they should know the number=name scheme ;-)
DNS
DHCP
Kerberos (88)
NTP (123)
RPC (135)
NetBIOS (137 + 138 + 139)  *NB! All these ports MUST be open to file share or print share
SMB (445)

And if you want SUS on the same server to work then
80 (http)
And I think there is another, but I've got to go so I'll look it up tomorrow ;-)

When you open those ports up, be sure to instruct your network guys to open them up ONLY to the server. This is easy to do, and you don't want traffic to any other IP apart from to your server to be able to pass through the ports that you are opening. Make sure they understand you want them to open these ports to the server. This will seriously limit the risk exposure.

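An added example, not from the thread or any of its posters, of the source-restricted rule Xorb describes, written as a Cisco IOS extended ACL: the services on the accepted list plus LDAP (389) and Global Catalog (3268), which a later reply in this thread notes are also needed, permitted only from the two clients to the DC, with everything else denied and logged. The DC address 192.0.2.10, the client addresses 10.20.30.11 and 10.20.30.12 and the interface name are constructed placeholders, and the firewall is assumed to be stateful so return traffic needs no separate rule.

```cisco
! Constructed example: remote clients 10.20.30.11 and 10.20.30.12 (static IPs),
! DC at 192.0.2.10. Applied inbound on the interface facing the clients.
! Return traffic: a stateful firewall is assumed; on a plain router you would
! need reflexive ACLs or an outbound "established" rule as well.
!
! Too broad (what Xorb warns against): every port, from any source, to the DC.
!   permit ip any host 192.0.2.10
!
! Instead, permit only the needed services, from the two clients, to the DC.
ip access-list extended REMOTE-CLIENTS-TO-DC
 remark --- client 10.20.30.11 ---
 permit udp host 10.20.30.11 host 192.0.2.10 eq 53
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 53
 permit udp host 10.20.30.11 host 192.0.2.10 eq 88
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 88
 permit udp host 10.20.30.11 host 192.0.2.10 eq 123
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 135
 permit udp host 10.20.30.11 host 192.0.2.10 range 137 138
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 139
 permit udp host 10.20.30.11 host 192.0.2.10 eq 389
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 389
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 445
 permit tcp host 10.20.30.11 host 192.0.2.10 eq 3268
 remark --- client 10.20.30.12 (same services) ---
 permit udp host 10.20.30.12 host 192.0.2.10 eq 53
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 53
 permit udp host 10.20.30.12 host 192.0.2.10 eq 88
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 88
 permit udp host 10.20.30.12 host 192.0.2.10 eq 123
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 135
 permit udp host 10.20.30.12 host 192.0.2.10 range 137 138
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 139
 permit udp host 10.20.30.12 host 192.0.2.10 eq 389
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 389
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 445
 permit tcp host 10.20.30.12 host 192.0.2.10 eq 3268
 remark DHCP is omitted because the clients use static IPs. TCP 80 for SUS
 remark and any dynamic RPC ports are only added once testing shows a need.
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group REMOTE-CLIENTS-TO-DC in
```

The logged denies are what you watch after the change: a client function that times out, as Xorb describes, shows up there as a dropped port, and that is the only port you then add.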
LVL 12

Expert Comment

by:Mazaraat
ID: 12310237
The best 2 ways to do this would be:

Have the network "guys" create an access list on the router that specifies the remote clients' IPs and allows them to your server.

Or have the network guys create a VPN tunnel between the 2 networks using either the Cisco routers or the firewalls.

Depending on your configuration either would work, and they are extremely secure.
LVL 18

Author Comment

by:luv2smile
ID: 12310288
Xorb, Thanks for your list of ports...that was helpful. I'm not concerned about SUS at the moment since we don't have it implemented yet.

Mazaraat......yes, that is what we are going to do....only open the ports for the remote client's IP to the IP of the server....but even doing that, I would like to only open the ports necessary and not all ports.
LVL 12

Expert Comment

by:Mazaraat
ID: 12313380
Good Luck =)
LVL 2

Expert Comment

by:Xorb
ID: 12316377
Luv2smile
If your network guys are kind and don't mind working with you, maybe start by only opening up a few ports (NetBIOS only, as an example) and then test what works and what does not. That does take more time than just doing it all in one go, but think of it as an interesting and fun learning exercise.

But if your network guys don't have that much time for you, just open up that list, and you should be OK ... if I left anything out, your users will all complain that there is some small function that is just timing out or a similar symptom.
LVL 18

Author Comment

by:luv2smile
ID: 12318494
Thank you...I think I have a better handle on it now.
LVL 16

Expert Comment

by:JammyPak
ID: 12318764
??
Expert Comment

by:xavierleo
ID: 21698694
The above mentioned accepted solution is not complete, LDAP and GC ports need to be opened as well.

Thanks
LVL 12

Expert Comment

by:Mazaraat
ID: 21703585
This ticket is over 4 years old, why post now?  Technically you should NEVER open ports in the firewall, if you have remote users that need to connect to your domain, use a VPN connection.  That way your network is still protected and they will be authenticated and encrypted.