Firewall ports for Active Directory

Yashy
Yashy used Ask the Experts™
on
Hi guys

I'm trying to lock down our VPN tunnels and firewall rules between sites. The one thing I am seeing in some places are that there are 'any' ports set up which is not explicit.

So one place that always creates problems is the Active Directory systems. We have PC's in remote locations that talk to remote AD servers.

In order for the systems to not get affected, I need to be absolute in every single port I set up as I will be killing the 'any' port.

This MS article covers ports domains and trusts: https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

But then for RPC, it has ports 1024-65535/TCP!!

Do you have a setup on your firewalls in the same way as MS has described? And what about the RPC port? Not over-exposed?!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

Commented:
While I am a fan of defense in-depth, a VPN is exactly that. It extends a network virtually over encrypted tunnels.

In your LAN, do you have a firewall blocking ports between clients and DCs? If not, why do you want to do this on a VPN?? Doing one and not the other doesn't make much sense to me.

Author

Commented:
It's for PCI DSS. I have to prove why there are 'any' to 'any' rules set up and not explicit ones.

I completely understand where you are coming from here. I'm being asked to do this via our new I.T director.
Distinguished Expert 2018
Commented:
If you are having to do that for PCI compliance, there is *almost certainly* something wrong.  Either with the network design, where credit card info is processed and/or stored, or a misinterpretation of PCI requirements.  At any rate, even if you do find you have to account for that for some strange reason, PCI doesn't disallow them. You just have to justify them. And in a domain environment, that and the traffic being secured via VPN, (and showing that the tunnel is indeed secured) is often enough justification for the rules.

Or you can remove the any rules. And open the large swathe of ports required. It's effectively still almost any port. But maybrle that "almost" is enough to appease the director.

Regardless, the point is you can keep the any, or open those ports (which is not "over exposed" when a VPN is in consideration), or edit the registry to have some RPC stuff happen over single ports per service. Which is actually the least secure option.
MaheshArchitect
Distinguished Expert 2018
Commented:
The rpc port range is dynamic, means server has liberty to choose few ports for communications from entire range and its not listening on all port range
This is done purposely to distribute traffic on multiple ports and bit difficult for intruders attack
This is actually better than freezing all traffic to specific port and by any means no rpc port is exposed to the internet
Vpn tunnel is secured with ssl
Still if you want to restrict rpc port range, i would recommend to brought down entire rpc range on ad server instead of freezing traffic on single port
For example - 49152-49500
The ports range should not be less than 255 which is i believe limit
Netsh commands are available for same

https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista

Note that changes need to done on all AD servers

Author

Commented:
I appreciate the feedback guys.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial