Firewall ports for Active Directory

Hi guys

I'm trying to lock down our VPN tunnels and firewall rules between sites. The one thing I am seeing in some places are that there are 'any' ports set up which is not explicit.

So one place that always creates problems is the Active Directory systems. We have PC's in remote locations that talk to remote AD servers.

In order for the systems to not get affected, I need to be absolute in every single port I set up as I will be killing the 'any' port.

This MS article covers ports domains and trusts: https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

But then for RPC, it has ports 1024-65535/TCP!!

Do you have a setup on your firewalls in the same way as MS has described? And what about the RPC port? Not over-exposed?!
LVL 1
YashyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
While I am a fan of defense in-depth, a VPN is exactly that. It extends a network virtually over encrypted tunnels.

In your LAN, do you have a firewall blocking ports between clients and DCs? If not, why do you want to do this on a VPN?? Doing one and not the other doesn't make much sense to me.
0
YashyAuthor Commented:
It's for PCI DSS. I have to prove why there are 'any' to 'any' rules set up and not explicit ones.

I completely understand where you are coming from here. I'm being asked to do this via our new I.T director.
0
Cliff GaliherCommented:
If you are having to do that for PCI compliance, there is *almost certainly* something wrong.  Either with the network design, where credit card info is processed and/or stored, or a misinterpretation of PCI requirements.  At any rate, even if you do find you have to account for that for some strange reason, PCI doesn't disallow them. You just have to justify them. And in a domain environment, that and the traffic being secured via VPN, (and showing that the tunnel is indeed secured) is often enough justification for the rules.

Or you can remove the any rules. And open the large swathe of ports required. It's effectively still almost any port. But maybrle that "almost" is enough to appease the director.

Regardless, the point is you can keep the any, or open those ports (which is not "over exposed" when a VPN is in consideration), or edit the registry to have some RPC stuff happen over single ports per service. Which is actually the least secure option.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MaheshArchitectCommented:
The rpc port range is dynamic, means server has liberty to choose few ports for communications from entire range and its not listening on all port range
This is done purposely to distribute traffic on multiple ports and bit difficult for intruders attack
This is actually better than freezing all traffic to specific port and by any means no rpc port is exposed to the internet
Vpn tunnel is secured with ssl
Still if you want to restrict rpc port range, i would recommend to brought down entire rpc range on ad server instead of freezing traffic on single port
For example - 49152-49500
The ports range should not be less than 255 which is i believe limit
Netsh commands are available for same

https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista

Note that changes need to done on all AD servers
0
YashyAuthor Commented:
I appreciate the feedback guys.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.