Solved

Windows Firewall Exceptions

Posted on 2016-09-06
5
49 Views
Last Modified: 2016-09-16
Trying to find a list of recommended firewall exceptions that permit communications appropriate in a Windows domain environment. Examples:

  • Could not access event logs remotely
  • Potentially legitimate multicast traffic dropped
0
Comment
Question by:Bobby Stewart
  • 2
  • 2
5 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
The ports you want to have open depend on the server OS, but everything is available here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

In particular, the Dynamic RPC ports are not configured automatically when enabling ADDS rules in the Windows Firewall, so you have to put those in manually. These ports are more important for DC to DC communications, but can occasionally be used by client machines. Port 49152 to 65535 are the dynamic ports. It's possible to reduce the number of ports used by RPC, but depending on network size there exists the potential to seriously reduce network performance if there are not enough ports available for RPC in AD. The Windows Event Log remote access is done with RPC, so you need to have those ports open between any computers that need remote Event Log access.

Additional ports are SMB on port 445 for file sharing, port 135 for the event viewer application, and if you want to use WMI to access the event log, you pretty much have to have all the ports open for the Winmgmt application (There are pre-built rules in the windows firewall console for these, as shown here: https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx )

There are a load of pre-built firewall exception rules in Windows firewall that will simplify things for you as well. I recommend going through those rules and enabling all the services that you plan on using. If you don't know what any of the services does, google the rule and it should give you some information.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
I recommend to use ipsec. Ipsec let's you define administrative workstations that may do anything. Those will not be identified by ip but instead by certificates for security reasons. You could even define user based rules, then (for example "let admin x access all machines from anywhere without restrictions).
0
 

Author Closing Comment

by:Bobby Stewart
Comment Utility
This was helpful but really not what I was requesting. My hope was that someone had already created a standard list that they routinely used for configuring the Windows firewall.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
There is no set of rules that fit all. Normally, clients: all closed, servers: open to those workstations in need of the services offered. It has a reason that no real help can be given since you only gave 2 examples (one of them was addressed by me, while the other, the multicast one was much too generally spoken).
0
 

Author Comment

by:Bobby Stewart
Comment Utility
McKnife, I understand that. However, the thought was that there would be someone in this vast group of experienced professionals that had worked out their own standardized (for their environment) firewall policies that they thought could benefit the community. Maybe eve a few that tried to implement the firewall that had experiences that caused them to make adjustments which, again, might benefit the community.

In my case, I've got a functional policy except that I have one web application that isn't working. The "standardized" policies might not have affected this, but it might have helped with remote monitoring in my domain which even Adam's response didn't address.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A procedure for exporting installed hotfix details of remote computers using powershell
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now