Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows Firewall Exceptions

Posted on 2016-09-06
5
Medium Priority
?
85 Views
Last Modified: 2016-09-16
Trying to find a list of recommended firewall exceptions that permit communications appropriate in a Windows domain environment. Examples:

  • Could not access event logs remotely
  • Potentially legitimate multicast traffic dropped
0
Comment
Question by:Bobby Stewart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1500 total points
ID: 41787096
The ports you want to have open depend on the server OS, but everything is available here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

In particular, the Dynamic RPC ports are not configured automatically when enabling ADDS rules in the Windows Firewall, so you have to put those in manually. These ports are more important for DC to DC communications, but can occasionally be used by client machines. Port 49152 to 65535 are the dynamic ports. It's possible to reduce the number of ports used by RPC, but depending on network size there exists the potential to seriously reduce network performance if there are not enough ports available for RPC in AD. The Windows Event Log remote access is done with RPC, so you need to have those ports open between any computers that need remote Event Log access.

Additional ports are SMB on port 445 for file sharing, port 135 for the event viewer application, and if you want to use WMI to access the event log, you pretty much have to have all the ports open for the Winmgmt application (There are pre-built rules in the windows firewall console for these, as shown here: https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx )

There are a load of pre-built firewall exception rules in Windows firewall that will simplify things for you as well. I recommend going through those rules and enabling all the services that you plan on using. If you don't know what any of the services does, google the rule and it should give you some information.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41787516
I recommend to use ipsec. Ipsec let's you define administrative workstations that may do anything. Those will not be identified by ip but instead by certificates for security reasons. You could even define user based rules, then (for example "let admin x access all machines from anywhere without restrictions).
0
 

Author Closing Comment

by:Bobby Stewart
ID: 41800647
This was helpful but really not what I was requesting. My hope was that someone had already created a standard list that they routinely used for configuring the Windows firewall.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41801065
There is no set of rules that fit all. Normally, clients: all closed, servers: open to those workstations in need of the services offered. It has a reason that no real help can be given since you only gave 2 examples (one of them was addressed by me, while the other, the multicast one was much too generally spoken).
0
 

Author Comment

by:Bobby Stewart
ID: 41801548
McKnife, I understand that. However, the thought was that there would be someone in this vast group of experienced professionals that had worked out their own standardized (for their environment) firewall policies that they thought could benefit the community. Maybe eve a few that tried to implement the firewall that had experiences that caused them to make adjustments which, again, might benefit the community.

In my case, I've got a functional policy except that I have one web application that isn't working. The "standardized" policies might not have affected this, but it might have helped with remote monitoring in my domain which even Adam's response didn't address.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question