Windows Firewall Exceptions

Trying to find a list of recommended firewall exceptions that permit communications appropriate in a Windows domain environment. Examples:

  • Could not access event logs remotely
  • Potentially legitimate multicast traffic dropped
Asked by: Bobby Stewart
1 Solution
 
Adam Brown (Sr Solutions Architect) commented:
The ports you want to have open depend on the server OS, but everything is available here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

In particular, the dynamic RPC ports are not configured automatically when enabling the ADDS rules in the Windows Firewall, so you have to put those in manually. These ports are more important for DC-to-DC communications, but can occasionally be used by client machines. Ports 49152 to 65535 are the dynamic ports. It's possible to reduce the number of ports used by RPC, but depending on network size there exists the potential to seriously reduce network performance if there are not enough ports available for RPC in AD. Windows Event Log remote access is done with RPC, so you need to have those ports open between any computers that need remote Event Log access.

Additional ports are SMB on port 445 for file sharing, port 135 for the Event Viewer application, and if you want to use WMI to access the event log, you pretty much have to have all the ports open for the Winmgmt application (there are pre-built rules in the Windows Firewall console for these, as shown here: https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx ).

There are a load of pre-built firewall exception rules in Windows Firewall that will simplify things for you as well. I recommend going through those rules and enabling all the services that you plan on using. If you don't know what any of the services do, google the rule and it should give you some information.
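As an added example (not Adam's or the thread's own code), the rule set described above expressed in PowerShell: the built-in "Remote Event Log Management" and "Windows Management Instrumentation (WMI)" rule groups are enabled for the Domain profile and scoped to a management subnet, and the dynamic RPC range 49152-65535 is added as an explicit rule tied to the Event Log service rather than left open to every program. The subnet in $AdminHosts is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Constructed placeholder: replace with the admin workstations/subnet allowed to pull event logs.
$AdminHosts = @('10.0.10.0/24')
$Groups = @('Remote Event Log Management', 'Windows Management Instrumentation (WMI)')

foreach ($g in $Groups) {
    # The built-in groups carry the TCP 135 (RPC-EPMAP), SMB 445 (NP-In) and RPC listener rules.
    # Enable them for the Domain profile only and restrict the allowed remote endpoints.
    Enable-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction Stop
    Set-NetFirewallRule -DisplayGroup $g -Direction Inbound -Profile Domain -RemoteAddress $AdminHosts
}

# Explicit rule for the dynamic RPC range, limited to the Event Log service host (svchost -k eventlog)
# and to the admin hosts, so the whole ephemeral range is not reachable from anywhere for any program.
$RuleName = 'Remote Event Log (Dynamic RPC, admin hosts only)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 49152-65535 -RemoteAddress $AdminHosts `
        -Program '%SystemRoot%\System32\svchost.exe' -Service 'eventlog' -Profile Domain
}

# Verification: every enabled inbound rule in these groups should list only the admin hosts.
Get-NetFirewallRule -DisplayGroup $Groups -Enabled True -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize
```

Rules whose RemoteAddress still shows "Any" after this run were not part of the two groups and need the same scoping before the host is exposed.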
 
McKnife commented:
I recommend using IPsec. IPsec lets you define administrative workstations that may do anything. Those will not be identified by IP but instead by certificates, for security reasons. You could even define user-based rules then (for example "let admin x access all machines from anywhere without restrictions").
 
Bobby Stewart (Senior Systems Engineer, Author) commented:
This was helpful but really not what I was requesting. My hope was that someone had already created a standard list that they routinely used for configuring the Windows firewall.
 
McKnife commented:
There is no set of rules that fits all. Normally, clients: all closed; servers: open to those workstations in need of the services offered. There is a reason that no real help can be given, since you only gave 2 examples (one of them was addressed by me, while the other, the multicast one, was stated much too generally).
 
Bobby Stewart (Senior Systems Engineer, Author) commented:
McKnife, I understand that. However, the thought was that there would be someone in this vast group of experienced professionals that had worked out their own standardized (for their environment) firewall policies that they thought could benefit the community. Maybe even a few that tried to implement the firewall and had experiences that caused them to make adjustments which, again, might benefit the community.

In my case, I've got a functional policy except that I have one web application that isn't working. The "standardized" policies might not have affected this, but it might have helped with remote monitoring in my domain which even Adam's response didn't address.