Block all AD traffic

Posted on 2011-10-19
Last Modified: 2012-05-12
Is it possible to block all Active Directory traffic by blocking ports? Or is AD one of those slippery traffic types that bypass all firewall settings?
Question by: Marius Gunnerud
9 Comments
 
LVL 6

Accepted Solution

by: morpheios (earned 168 total points)
ID: 36992755
AD uses these protocols:
http://technet.microsoft.com/en-us/library/cc961766.aspx

Simple block:

3268 TCP
3269 TCP
88 TCP and UDP
389 TCP
636 TCP
137 TCP and UDP
138 UDP
139 TCP

and also 53 TCP and UDP (User Datagram Protocol) if you don't need DNS.
 
LVL 8

Assisted Solution

by: Sushant Gulati (earned 332 total points)
ID: 36992773
You can disable the LDAP port on the firewall to block AD communication. These are the major ports used in AD:

Client Port(s)            Server Port         Service
1024-65535/TCP            135/TCP             RPC
1024-65535/TCP            1024-65535/TCP      LSA RPC Services (*)
1024-65535/TCP/UDP        389/TCP/UDP         LDAP
1024-65535/TCP            636/TCP             LDAP SSL
1024-65535/TCP            3268/TCP            LDAP GC
1024-65535/TCP            3269/TCP            LDAP GC SSL
53,1024-65535/TCP/UDP     53/TCP/UDP          DNS
1024-65535/TCP/UDP        88/TCP/UDP          Kerberos
1024-65535/TCP            445/TCP             SMB

You can refer to this KB:
http://support.microsoft.com/kb/179442

But why do you want to block your AD?

Good Luck..!!
~SG~

 
 
LVL 6

Expert Comment

by: morpheios
ID: 36992796
susguperf:
1024-65535/TCP            1024-65535/TCP  - it's very extreme :))))
 
LVL 8

Assisted Solution

by: Sushant Gulati (earned 332 total points)
ID: 36992839
Those are client port references; this is described in the given article. There is no need to touch the client end, though, if the modification has to be made on the firewall. :))) Nice catch though!
 
LVL 6

Expert Comment

by: morpheios
ID: 36992861
The article says:
Client Port(s)            Server Port         Service
1024-65535/TCP            1024-65535/TCP      LSA RPC Services (*)

It disallows, for example, ICQ, SOCKS and HTTP proxies and more internet applications.
 
LVL 8

Expert Comment

by: Sushant Gulati
ID: 36992964
Not saying to disable all. This depends on what the requirement is and to what extent he wants his AD to be blocked. Blocking the single LDAP port will do the work, but depending on the requirement the change has to be raised and made. Articles are only for help and guidance; the rest is your logic.

Good Luck..!!
~SG~
 
LVL 17

Author Comment

by: Marius Gunnerud
ID: 36992965
Thanks guys, I know of all these ports as I have done my research ;-)

I was curious whether blocking the ports will prevent all AD/DC traffic, 100% guaranteed?

The main purpose of this is to set up a test environment that mimics the production environment as closely as possible without having the test AD write to the production AD when changes are made. Why not do this in a virtual environment completely separate from the production zone, you might be asking yourself? Well, I asked my client the same thing and the answer I got was that this is how it needs to be.. hehe. What to do.
 
LVL 6

Expert Comment

by: morpheios
ID: 36992991
Yes, AD does not use any other protocols; it gives you a 100% guarantee.

For your task, another solution may be using VLANs to divide the zones at L2, or a different subnet (with limited routing, blocking the described ports) at L3.
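The "different subnet with limited routing" option from the last comment, written out as an added example (this is not code from the thread or from Microsoft): a POSIX shell script for a Linux router sitting between the two subnets. It turns the port table from the two answers, plus the RPC dynamic range from KB 179442, into iptables FORWARD rules in both directions between a test-lab subnet and the production DC subnet, and has a checker that answers whether a given protocol/port pair would be dropped. The two subnet addresses and the file name are assumptions. The script only prints the rules so they can be reviewed before being applied. KB 179442 gives the RPC range as 1024-65535; Windows Server 2008 and later default to 49152-65535, so narrow the range if every host involved is that recent.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints iptables FORWARD rules that
# drop the Active Directory ports listed in the answers above, in both
# directions, between a test-lab subnet and the production DC subnet.
# The two subnets are placeholders (assumptions); nothing here applies rules.

TEST_NET="${TEST_NET:-10.20.0.0/24}"   # assumed: test-lab subnet
PROD_NET="${PROD_NET:-10.10.0.0/24}"   # assumed: production DC subnet

# Port table in "proto:port" or "proto:low:high" form. The fixed ports are the
# ones the two answers list; 1024-65535/TCP is the RPC dynamic range from
# KB 179442 (newer Windows defaults to 49152-65535, narrow it if you can).
AD_PORTS="
tcp:53
udp:53
tcp:88
udp:88
tcp:135
tcp:137
udp:137
udp:138
tcp:139
tcp:389
udp:389
tcp:445
tcp:636
tcp:3268
tcp:3269
tcp:1024:65535
"

# Print one DROP rule per (src, dst, proto, port) without applying anything.
emit_rules_for() {
  src=$1
  dst=$2
  for entry in $AD_PORTS; do
    proto=${entry%%:*}      # text before the first colon
    spec=${entry#*:}        # "389" or "1024:65535" (iptables range syntax)
    printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j DROP\n' \
      "$src" "$dst" "$proto" "$spec"
  done
}

# Replication is pulled by the partner DC and change notifications are pushed
# to it, so the block has to hold in both directions.
ad_block_rules() {
  emit_rules_for "$TEST_NET" "$PROD_NET"
  emit_rules_for "$PROD_NET" "$TEST_NET"
}

# Print "blocked" or "allowed" for a proto/port pair against the same table,
# so side effects of the ranges (e.g. TCP 8080) can be checked before rollout.
ad_port_blocked() {
  want_proto=$1
  want_port=$2
  for entry in $AD_PORTS; do
    proto=${entry%%:*}
    spec=${entry#*:}
    [ "$proto" = "$want_proto" ] || continue
    case $spec in
      *:*)
        lo=${spec%%:*}
        hi=${spec#*:}
        if [ "$want_port" -ge "$lo" ] && [ "$want_port" -le "$hi" ]; then
          echo blocked
          return 0
        fi
        ;;
      *)
        if [ "$want_port" -eq "$spec" ]; then
          echo blocked
          return 0
        fi
        ;;
    esac
  done
  echo allowed
  return 0
}

# Running the file prints the rule set; review it, then pipe it into sh on
# the router (assumed file name): sh ad-block.sh > rules.sh; sh rules.sh
ad_block_rules
```

Two things this makes visible that the bare port list does not. First, the dynamic RPC range drops every high TCP port between the two subnets (ad_port_blocked tcp 8080 answers "blocked"), which is the collateral effect morpheios pointed at; keeping the rules scoped to the two DC subnets rather than to all traffic is what stops it from breaking ordinary internet applications. Second, the table only contains the ports the thread lists, so anything not on it stays allowed; run the checker against the full list in the KB before relying on the "100%" claim.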
