Marius Gunnerud asked:
Block all AD traffic

Is it possible to block all Active Directory traffic by blocking ports? Or is AD one of those slippery traffic types that bypass all firewall settings?
ASKER CERTIFIED SOLUTION
morpheios:
This solution is only available to members.
SOLUTION
Sushant Gulati:
This solution is only available to members.
susguperf:
1024-65535/TCP                       1024-65535/TCP  - it's very extreme :))))
SOLUTION
This solution is only available to members.
Article says:
Client Port(s)       Server Port       Service
1024-65535/TCP       1024-65535/TCP    LSA RPC Services (*)

It disallows, for example, ICQ, SOCKS and HTTP proxy and more internet applications.
Not saying to disable all.. This depends on what the requirement is and to what extent he wants his AD to be blocked.. Blocking a single LDAP port will do the work, but depending on the requirement the change has to be raised and made.. Articles are only for help and guidance and the rest is your logic..

Good Luck..!!
~SG~
Marius Gunnerud (ASKER):
Thanks guys I know of all these ports as I have done my research ;-)

I was curious if blocking the ports will prevent all AD, DC traffic 100% guaranteed?

The main purpose of this is to set up a test environment to mimic the production environment as closely as possible without having the test AD write to the production AD when changes are made. Why not do this in a virtual environment completely separate from the production zone, you might be asking yourself? Well, I asked my client the same thing and the answer I got was that this is how it needs to be..hehe. What to do.
Yes, AD doesn't use any other protocols; it gives you a 100% guarantee.

For your task, another solution may be using VLANs to divide zones on L2, or different subnets (with limited routing, blocking the described ports) on L3.
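As an added illustration, not code from this thread, of the asker's "100% guaranteed" question and the L3 option above, the following Python script checks a constructed set of test-to-production deny rules against the standard AD/DC port list. The subnets, the rule set and the service list are assumptions; it shows that a rule set built only from the quoted TCP table still leaves the UDP sides of DNS, Kerberos and LDAP open.

```python
import ipaddress
from dataclasses import dataclass
# Standard AD/DC service ports (constructed list of the usual Windows defaults).
# The table quoted in the thread lists only TCP; the UDP rows are what a TCP-only rule set misses.
AD_SERVICES = [
    ("DNS", "tcp", 53, 53), ("DNS", "udp", 53, 53),
    ("Kerberos", "tcp", 88, 88), ("Kerberos", "udp", 88, 88),
    ("RPC endpoint mapper", "tcp", 135, 135),
    ("LDAP", "tcp", 389, 389), ("LDAP ping / CLDAP", "udp", 389, 389),
    ("SMB", "tcp", 445, 445), ("LDAPS", "tcp", 636, 636),
    ("Kerberos password change", "tcp", 464, 464), ("Kerberos password change", "udp", 464, 464),
    ("Global Catalog", "tcp", 3268, 3269),
    ("LSA RPC / dynamic RPC", "tcp", 1024, 65535),
]

@dataclass
class DenyRule:
    src: str    # source network, CIDR
    dst: str    # destination network, CIDR
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port blocked
    hi: int     # last destination port blocked

    def applies(self, src, dst, proto):
        net = ipaddress.ip_network
        return (self.proto == proto and net(src).subnet_of(net(self.src))
                and net(dst).subnet_of(net(self.dst)))

def range_blocked(rules, src, dst, proto, lo, hi):
    """True if the merged port ranges of all matching deny rules cover lo..hi with no hole."""
    nxt = lo  # lowest port not yet shown to be blocked
    for a, b in sorted((r.lo, r.hi) for r in rules if r.applies(src, dst, proto)):
        if a > nxt:
            break  # hole: ports nxt..a-1 are still open
        nxt = max(nxt, b + 1)
    return nxt > hi

def ad_gaps(rules, test_net, prod_net):
    """AD services that can still reach prod_net from test_net under these deny rules."""
    return [f"{name} {proto}/{lo}" + (f"-{hi}" if hi != lo else "")
            for name, proto, lo, hi in AD_SERVICES
            if not range_blocked(rules, test_net, prod_net, proto, lo, hi)]
TEST_NET, PROD_NET = "10.10.0.0/24", "10.0.0.0/24"  # constructed lab and production subnets
TCP_ONLY = [DenyRule(TEST_NET, PROD_NET, "tcp", 1, 1023),
            DenyRule(TEST_NET, PROD_NET, "tcp", 1024, 65535)]
WITH_UDP = TCP_ONLY + [DenyRule(TEST_NET, PROD_NET, "udp", 1, 65535)]
if __name__ == "__main__":
    print("TCP-only rules leave open:", ad_gaps(TCP_ONLY, TEST_NET, PROD_NET))
    print("TCP+UDP rules leave open:", ad_gaps(WITH_UDP, TEST_NET, PROD_NET))
```

A rule set that only mirrors the TCP table reports the four UDP services as still reachable; adding the UDP deny rule empties the list.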