Solved

Windows Firewall Exceptions

Posted on 2016-09-06
Last Modified: 2016-09-16
Trying to find a list of recommended firewall exceptions that permit communications appropriate in a Windows domain environment. Examples:

  • Could not access event logs remotely
  • Potentially legitimate multicast traffic dropped
Question by:Bobby Stewart
5 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41787096
The ports you want to have open depend on the server OS, but everything is available here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

In particular, the Dynamic RPC ports are not configured automatically when enabling ADDS rules in the Windows Firewall, so you have to put those in manually. These ports are more important for DC to DC communications, but can occasionally be used by client machines. Ports 49152 to 65535 are the dynamic ports. It's possible to reduce the number of ports used by RPC, but depending on network size there exists the potential to seriously reduce network performance if there are not enough ports available for RPC in AD. Windows Event Log remote access is done with RPC, so you need to have those ports open between any computers that need remote Event Log access.

Additional ports are SMB on port 445 for file sharing, port 135 for the Event Viewer application, and if you want to use WMI to access the event log, you pretty much have to have all the ports open for the Winmgmt application (there are pre-built rules in the Windows Firewall console for these, as shown here: https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx ).

There are a load of pre-built firewall exception rules in Windows Firewall that will simplify things for you as well. I recommend going through those rules and enabling all the services that you plan on using. If you don't know what any of the services does, Google the rule and it should give you some information.
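The answer above names three things the asker needs for remote event log access: the predefined rule groups (Remote Event Log Management, WMI, File and Printer Sharing), RPC endpoint mapper on 135, and the dynamic RPC range. The script below is an added example (not part of Adam Brown's answer) that enables those groups on a server, scopes them to a management subnet rather than leaving them open to the whole domain, adds an explicit dynamic-RPC rule, and then verifies the result. It uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later. The subnet 10.0.10.0/24 and the host name fs01 are assumptions; substitute your own.

```powershell
# Added example: enable the predefined Windows Firewall rule groups needed for remote
# event log and WMI access, restricted to a management subnet. Run elevated on the server.
# 10.0.10.0/24 is an assumed management/monitoring subnet, not a value from the thread.
$MgmtSubnet = '10.0.10.0/24'

# Display-group names exactly as they appear in wf.msc (Windows Firewall with Advanced Security).
$Groups = @(
    'Remote Event Log Management',               # EventLog service over RPC (135 + dynamic range) and named pipes
    'Windows Management Instrumentation (WMI)',  # winmgmt DCOM-in / WMI-in / async-in rules
    'File and Printer Sharing'                   # SMB on TCP 445, NetBIOS, etc.
)

foreach ($g in $Groups) {
    # Turn the group on in the domain profile only.
    Enable-NetFirewallRule -DisplayGroup $g -ErrorAction Stop

    # The predefined rules default to RemoteAddress = Any; narrow the inbound ones
    # so only the management subnet can reach these services.
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
        Set-NetFirewallRule -Profile Domain -RemoteAddress $MgmtSubnet
}

# Explicit rule for the dynamic RPC range, for services that have no predefined rule.
# -LocalPort 'RPC' is a keyword that matches whatever the RPC runtime has reserved
# as its dynamic range (49152-65535 on Vista / Server 2008 and later), so the rule
# stays correct even if the range is later narrowed with netsh int ipv4 set dynamicport.
New-NetFirewallRule -DisplayName 'Allow dynamic RPC ports from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 'RPC' `
    -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow

# Verify on the server: list the ports the enabled inbound allow rules now expose.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object DisplayGroup -in $Groups |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort | Sort-Object Protocol, LocalPort -Unique

# Verify from an admin workstation on $MgmtSubnet (fs01 is an assumed server name):
#   Test-NetConnection -ComputerName fs01 -Port 135     # endpoint mapper reachable?
#   Get-WinEvent -ComputerName fs01 -LogName System -MaxEvents 3   # full RPC path works?
# If the port test passes but Get-WinEvent times out, the dynamic RPC range is what is blocked.
```

Scoping the predefined groups to a subnet is the step most often skipped: enabling "Remote Event Log Management" as shipped opens the EventLog RPC interface to every host in the domain profile, which is far more exposure than remote monitoring needs.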
 
LVL 55

Expert Comment

by:McKnife
ID: 41787516
I recommend using IPsec. IPsec lets you define administrative workstations that may do anything. Those will not be identified by IP but instead by certificates, for security reasons. You could even define user-based rules then (for example, "let admin x access all machines from anywhere without restrictions").
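The comment above describes identifying admin workstations by certificate and writing user-based rules instead of IP-based ones. The following is an added example (not McKnife's code) of that pattern on a server: a connection security rule that requires a machine certificate from the corporate CA in phase 1 and Kerberos user authentication in phase 2, plus a firewall rule that allows members of an admin group full access over that authenticated channel with no IP address in the rule at all. The CA subject 'CN=Corp Issuing CA', the domain CORP and the group 'Server Admins' are assumptions; the same rules would normally be distributed by Group Policy rather than run per host.

```powershell
# Added example: IPsec-based admin access where the peer is identified by certificate and
# the user by Kerberos identity, not by IP. Run elevated on the server (or deploy via GPO).
# 'CN=Corp Issuing CA', 'CORP' and 'Server Admins' are assumed names; replace with your own.

# Phase 1 (main mode): the peer must present a machine certificate that chains to our CA.
$p1Proposal = New-NetIPsecPhase1AuthProposal -Machine -Cert `
    -Authority 'CN=Corp Issuing CA' -AuthorityType Root
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName 'Machine certificate from Corp CA' `
    -Proposal $p1Proposal

# Phase 2 (extended mode): the logged-on user authenticates with Kerberos, which is what
# lets a firewall rule match on a user or group SID.
$p2Proposal = New-NetIPsecAuthProposal -User -Kerberos
$p2Set = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos' -Proposal $p2Proposal

# Connection security rule: inbound traffic must be authenticated, outbound requests it
# (so the server can still talk to hosts that have no IPsec policy yet).
New-NetIPsecRule -DisplayName 'Require machine cert + user auth (domain profile)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1Set.Name -Phase2AuthSet $p2Set.Name -Profile Domain

# Resolve the admin group to its SID and build the SDDL string that -RemoteUser expects
# ("allow this SID"; no IP address anywhere in the rule).
$account = New-Object System.Security.Principal.NTAccount('CORP', 'Server Admins')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:LSD:(A;;CC;;;$sid)"

# Firewall rule: any inbound traffic is allowed only if it arrived over an IPsec SA that was
# authenticated with a Corp CA machine cert AND the user is in CORP\Server Admins.
New-NetFirewallRule -DisplayName 'Server Admins: full access over authenticated IPsec' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Authentication Required -RemoteUser $sddl

# Check: once an admin connects, a main-mode SA with the peer's certificate identity should exist.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Two practical caveats: every host must already have a machine certificate from that CA (auto-enrolment via Group Policy is the usual route), and -InboundSecurity Require should be rolled out as Request first, so that a missing certificate shows up as an unprotected SA in Get-NetIPsecMainModeSA rather than as a locked-out server.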
 

Author Closing Comment

by:Bobby Stewart
ID: 41800647
This was helpful but really not what I was requesting. My hope was that someone had already created a standard list that they routinely used for configuring the Windows firewall.
 
LVL 55

Expert Comment

by:McKnife
ID: 41801065
There is no set of rules that fits all. Normally, clients: all closed; servers: open to those workstations in need of the services offered. There is a reason that no real help can be given: you only gave two examples (one of them was addressed by me, while the other, the multicast one, was much too general).
 

Author Comment

by:Bobby Stewart
ID: 41801548
McKnife, I understand that. However, the thought was that there would be someone in this vast group of experienced professionals who had worked out their own standardized (for their environment) firewall policies that they thought could benefit the community. Maybe even a few who tried to implement the firewall and had experiences that caused them to make adjustments which, again, might benefit the community.

In my case, I've got a functional policy except that I have one web application that isn't working. The "standardized" policies might not have affected this, but it might have helped with remote monitoring in my domain which even Adam's response didn't address.