• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 152

changing active ports

I need to change the ports that Active Directory uses because of firewall hardening. Would that be changed in ADSIEdit or is there another way to statically change them?
Asked by: jfholloway
1 Solution
Mike Kline commented:
So you want to restrict the RPC ports, and that is done via the registry on the DCs.

http://support.microsoft.com/kb/224196

http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx

Test in a lab first on a few DCs so you get a feel for it first.

Thanks

Mike
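
The registry change Mike is pointing at, as an added example that is not from this thread or from Microsoft's KB: it pins the two RPC endpoints KB 224196 covers (AD replication, owned by NTDS, and Netlogon) to fixed TCP ports, refusing to proceed if the chosen port sits inside the OS dynamic range or is already bound. The port numbers 50000 and 50001 are assumptions; agree the real values with the firewall team. Run it elevated on each DC.

```powershell
# Added example (not from the thread): set static RPC ports for AD replication and Netlogon
# per the KB 224196 registry values. Port numbers below are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$NtdsPort     = 50000,   # assumed: AD replication (NTDS) endpoint
    [int]$NetlogonPort = 50001    # assumed: Netlogon endpoint
)

$settings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port'; Port = $NtdsPort }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort'; Port = $NetlogonPort }
)

# Ephemeral range the OS hands out to other RPC servers; a static port must not fall inside it,
# otherwise something else can grab it first at boot and the service will fail to bind.
$dyn   = netsh int ipv4 show dynamicport tcp
$start = [int]($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
$count = [int]($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value

foreach ($s in $settings) {
    if ($s.Port -ge $start -and $s.Port -lt ($start + $count)) {
        throw "$($s.Name)=$($s.Port) lies in the dynamic range $start-$($start + $count - 1); pick another port"
    }
    # Refuse ports that are already listening on this DC (collision with another service).
    if (Get-NetTCPConnection -LocalPort $s.Port -State Listen -ErrorAction SilentlyContinue) {
        throw "port $($s.Port) is already in use on this DC; pick another port"
    }
    if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "set to $($s.Port)")) {
        # -Force overwrites an existing value; the KB specifies a REG_DWORD.
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Port -PropertyType DWord -Force | Out-Null
    }
}

# Show what is now configured. The values only take effect after the DC is restarted.
foreach ($s in $settings) {
    '{0,-12} {1}' -f $s.Name, (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
}
```

Run it with `-WhatIf` first to see which values would change. The endpoint mapper on TCP 135 still has to be reachable, because clients ask it for the static port before connecting. SYSVOL replication over DFSR uses a separate RPC endpoint that this script does not touch (it is set with `dfsrdiag StaticRPC`), so list it with the firewall team as well.
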
Chris H, IT Director, commented:
You cannot change the LDAP port.
jfholloway, Sr. Systems Administrator (Author), commented:
Thanks everyone. Is there a way to scan to see what firewall ports are open?
Mike Kline commented:
You can use a tool like portqry to test ports; telnet is another method. There are other ways, those are just two.

Thanks

Mike
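
An added example of the kind of check Mike describes, not code from this thread: it probes the TCP ports a DC normally needs from a client on the other side of the firewall, using a plain TCP connect with a timeout so it runs where portqry is not installed. A refused connection (RST) shows as closed; a timeout shows as filtered, which is what a dropping firewall looks like. The hostname and the two static RPC ports are assumptions.

```powershell
# Added example (not from the thread): TCP reachability check for AD ports through a firewall.
function Test-AdPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if (-not $done) { return 'filtered (timeout)' }      # packets dropped, typical of a firewall
        if ($client.Connected) { $client.EndConnect($async); return 'open' }
        return 'closed (refused)'                             # host answered with RST
    } catch {
        return "error: $($_.Exception.Message)"               # e.g. name resolution failed
    } finally {
        $client.Close()                                       # also cancels a pending connect
    }
}

$dc = 'dc01.corp.example'   # assumed DC name

# TCP ports a member or another DC needs; the last two are the assumed static RPC ports.
$ports = [ordered]@{
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    389   = 'LDAP'
    445   = 'SMB (SYSVOL, Netlogon)'
    464   = 'Kerberos password change'
    636   = 'LDAPS'
    3268  = 'Global Catalog'
    3269  = 'Global Catalog over SSL'
    50000 = 'AD replication static RPC (assumed)'
    50001 = 'Netlogon static RPC (assumed)'
}

$ports.Keys | ForEach-Object {
    [pscustomobject]@{
        Port    = $_
        Service = $ports[$_]
        Result  = Test-AdPort -ComputerName $dc -Port $_
    }
} | Format-Table -AutoSize
```

This only exercises TCP. Kerberos, DNS, LDAP ping and NTP also use UDP (88, 53, 389, 123), which a TCP connect cannot probe; use portqry with `-p udp` for those.
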
KCTS commented:
Active Directory (LDAP) uses port 389 (or 636 over SSL); it's NOT a good idea to change it. I can't see how you will achieve much in the way of hardening your server by tinkering with LDAP ports.
Mike Kline commented:
Not LDAP ports but RPC (high ports). I've seen this done at several places where they didn't want to open everything above 1024.
jfholloway, Sr. Systems Administrator (Author), commented:
Thanks again. In the article link you gave me it doesn't say how to change to a port range instead of just one port. Is there a way to do that as well? Also, can I use the same port, say 137, to also run RPC through?
Radhakrishnan R, IT, commented:
Hi,

I would suggest you not change the AD or its related ports, as this causes issues. Why don't you open the ports from your firewall (or add an exception) instead of changing the default ones?

Currently open ports can be viewed by running the netstat -ano command. Also, the list of default AD ports can be found at this link: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Hope this helps
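
An added example, not part of the thread, of the netstat -ano style check on the DC itself with the process names resolved: it lists listening TCP ports with their owning process and then verifies that the static RPC ports (50000 and 50001 are assumed values, matching a KB 224196 registry change) are bound by lsass.exe, which hosts both NTDS and Netlogon. It needs Get-NetTCPConnection (Server 2012 and later); on older DCs netstat -ano -p tcp gives the same data without the names.

```powershell
# Added example (not from the thread): which process owns each listening TCP port on a DC,
# plus a check that the assumed static RPC ports are really bound by lsass after the restart.
$expected = @{ 50000 = 'lsass'; 50001 = 'lsass' }   # assumed static ports -> expected owner

$listeners = Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '?' }
        }
    } |
    Sort-Object Port -Unique    # one row per port (IPv4 and IPv6 listeners collapse)

$listeners | Format-Table -AutoSize

foreach ($port in $expected.Keys) {
    $hit = $listeners | Where-Object Port -eq $port
    if (-not $hit) {
        Write-Warning "port $port is not listening; the registry change has not taken effect yet (DC restarted?)"
    } elseif ($hit.Process -ne $expected[$port]) {
        Write-Warning "port $port is owned by $($hit.Process) (PID $($hit.PID)), not $($expected[$port]): port collision"
    } else {
        "port $port OK: $($hit.Process) (PID $($hit.PID))"
    }
}
```

The collision case is the one to watch for: if another service started first and took the port, lsass silently falls back to a dynamic port and replication breaks only at the firewall, which is exactly the failure that is hard to diagnose from the DC side.
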
jfholloway, Sr. Systems Administrator (Author), commented:
I would like to do it from the firewall, but our network/corporate security group won't bend. They say they won't allow the "extreme" number of ports that AD needs or the ports that they deem are high security risk ports, so I have to redirect to specific ports they have signed off on.
Radhakrishnan R, IT, commented:
Hi,

As you know, AD is integrated with several ports, and you are trying to change the AD architecture, which is not recommended.
Some AD ports don't work if you change them, and some ports should not be changed (i.e. LDAP, 389).

However, if you are only concerned about replication, then the replication port can be changed: http://support.microsoft.com/?id=224196

Personally, I would say speak to your security group and make them understand that changing AD ports is not possible and not advisable.

"Good Luck"
jfholloway, Sr. Systems Administrator (Author), commented:
Thanks everyone for the help!
Chris H, IT Director, commented:
In a case where no one will bend, do a VPN. Two ports, and you can emulate whatever you want over it. No port restriction required. Just avoid setting up an IPsec policy, as it may cause issues with your VPN appliance.
David Johnson, CD, MVP (Owner), commented:
They can be blocked at the corporate firewall: allowed within the LAN but blocked from the WAN. Not a problem.