Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows Firewall Exceptions

Posted on 2016-09-06
5
Medium Priority
?
90 Views
Last Modified: 2016-09-16
Trying to find a list of recommended firewall exceptions that permit communications appropriate in a Windows domain environment. Examples:

  • Could not access event logs remotely
  • Potentially legitimate multicast traffic dropped
0
Comment
Question by:Bobby Stewart
  • 2
  • 2
5 Comments
 
LVL 43

Accepted Solution

by:
Adam Brown earned 1500 total points
ID: 41787096
The ports you want to have open depend on the server OS, but everything is available here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

In particular, the Dynamic RPC ports are not configured automatically when enabling ADDS rules in the Windows Firewall, so you have to put those in manually. These ports are more important for DC to DC communications, but can occasionally be used by client machines. Port 49152 to 65535 are the dynamic ports. It's possible to reduce the number of ports used by RPC, but depending on network size there exists the potential to seriously reduce network performance if there are not enough ports available for RPC in AD. The Windows Event Log remote access is done with RPC, so you need to have those ports open between any computers that need remote Event Log access.

Additional ports are SMB on port 445 for file sharing, port 135 for the event viewer application, and if you want to use WMI to access the event log, you pretty much have to have all the ports open for the Winmgmt application (There are pre-built rules in the windows firewall console for these, as shown here: https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx )

There are a load of pre-built firewall exception rules in Windows firewall that will simplify things for you as well. I recommend going through those rules and enabling all the services that you plan on using. If you don't know what any of the services does, google the rule and it should give you some information.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 41787516
I recommend to use ipsec. Ipsec let's you define administrative workstations that may do anything. Those will not be identified by ip but instead by certificates for security reasons. You could even define user based rules, then (for example "let admin x access all machines from anywhere without restrictions).
0
 

Author Closing Comment

by:Bobby Stewart
ID: 41800647
This was helpful but really not what I was requesting. My hope was that someone had already created a standard list that they routinely used for configuring the Windows firewall.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 41801065
There is no set of rules that fit all. Normally, clients: all closed, servers: open to those workstations in need of the services offered. It has a reason that no real help can be given since you only gave 2 examples (one of them was addressed by me, while the other, the multicast one was much too generally spoken).
0
 

Author Comment

by:Bobby Stewart
ID: 41801548
McKnife, I understand that. However, the thought was that there would be someone in this vast group of experienced professionals that had worked out their own standardized (for their environment) firewall policies that they thought could benefit the community. Maybe eve a few that tried to implement the firewall that had experiences that caused them to make adjustments which, again, might benefit the community.

In my case, I've got a functional policy except that I have one web application that isn't working. The "standardized" policies might not have affected this, but it might have helped with remote monitoring in my domain which even Adam's response didn't address.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question