I'm trying to lock down our VPN tunnels and firewall rules between sites. The one thing I am seeing in some places is that there are 'any' ports set up, which is not explicit.
So one place that always creates problems is the Active Directory systems. We have PCs in remote locations that talk to remote AD servers.
In order for the systems to not get affected, I need to be absolute in every single port I set up as I will be killing the 'any' port.
This MS article covers ports for domains and trusts: https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
But then for RPC, it has ports 1024-65535/TCP!!
Do you have a setup on your firewalls in the same way as MS has described? And what about the RPC port? Not over-exposed?!
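One way to find the non-explicit rules before removing the 'any' entries is to audit the ruleset mechanically. The script below is an added example, not part of the original post or of any vendor's tooling: it reads a constructed comma-separated rule format (real firewalls export in their own formats, so `parse_rule()` would need adapting), flags every allow rule whose service port is 'any', and flags RPC port ranges that are wider than the dynamic range the domain controllers are assumed to use. The assumed range is 49152-65535, the default on Windows Vista/Server 2008 and later; the 1024-65535 range from the MS article applies to older domain controllers.

```python
"""Audit a site-to-site firewall ruleset for non-explicit ('any') service
ports and for RPC ranges wider than the DCs' configured dynamic range.

Added example, not from the original post. The rule format and the sample
rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RPC dynamic port range the domain controllers are assumed to use
# (Windows Vista/Server 2008+ default). Assumption for this example;
# change it if the DCs have been configured with a narrower range.
DYNAMIC_RANGE = (49152, 65535)


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    ports: str   # "any", a single port such as "389", or a range "1024-65535"
    action: str


def parse_rule(line: str) -> Rule:
    """Parse one comma-separated rule line (constructed format)."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(*fields)


def port_span(ports: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) for a port or port range, or None for 'any'."""
    if ports.lower() == "any":
        return None
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port span: {ports!r}")
    return lo, hi


def audit_rules(lines: List[str]) -> List[str]:
    """Return one finding per allow rule that is not explicit enough."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.action.lower() != "allow":
            continue  # only permissive rules widen exposure
        span = port_span(rule.ports)
        if span is None:
            findings.append(
                f"{rule.name}: port 'any' on {rule.proto} -> replace with explicit ports")
            continue
        lo, hi = span
        # A range that starts below or ends above the DCs' dynamic range
        # admits more than RPC needs (single ports are left alone).
        if hi > lo and (lo < DYNAMIC_RANGE[0] or hi > DYNAMIC_RANGE[1]):
            findings.append(
                f"{rule.name}: range {lo}-{hi} is wider than the DC dynamic "
                f"range {DYNAMIC_RANGE[0]}-{DYNAMIC_RANGE[1]}")
    return findings


# Constructed sample ruleset: name, src, dst, proto, ports, action
SAMPLE_RULES = """
ad-ldap, 10.1.0.0/24, 10.2.0.10, tcp, 389, allow
ad-kerberos, 10.1.0.0/24, 10.2.0.10, tcp, 88, allow
ad-rpc-epm, 10.1.0.0/24, 10.2.0.10, tcp, 135, allow
ad-rpc-dyn-legacy, 10.1.0.0/24, 10.2.0.10, tcp, 1024-65535, allow
ad-rpc-dyn, 10.1.0.0/24, 10.2.0.10, tcp, 49152-65535, allow
site-b-any, 10.1.0.0/24, 10.2.0.0/24, tcp, any, allow
deny-rest, any, any, any, any, deny
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Running it on the sample flags the legacy 1024-65535 rule and the 'any' rule, while the single AD ports and the 49152-65535 rule pass. If the dynamic range on the DCs has been narrowed (on a DC, `netsh int ipv4 show dynamicport tcp` shows the current range), set `DYNAMIC_RANGE` to match so the firewall rule can be tightened to exactly that span.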