Tuesday 17 March 2015

Active Directory Ports - Firewall Considerations

For a domain controller to work correctly through a firewall, make sure the following ports are available:

Port 135 / TCP: RPC Endpoint Mapper - allows remote RPC clients to connect to an RPC service.
Port 137 / TCP: Provides NetBIOS reception for NetBIOS clients (for older clients, e.g. Windows 2K)
Port 138 / UDP: Provides NetBIOS datagram service.
Port 139 / TCP: NetBIOS session service
Ports 49152-65535 / TCP: RPC Dynamic Assignment
Port 445 / TCP, UDP: Provides UDP service
Port 389 / TCP: Provides LDAP service
Port 3268 / TCP: Provides Global Catalog service
Port 3269 / TCP: Provides Global Catalog service over SSL
Port 88 / TCP, UDP: Provides Kerberos service
Port 53 / TCP, UDP: Provides DNS service

Condensing RPC Ports to lessen the attack surface:
We can configure the RPC services to use a smaller pool of ports. First we will configure AD replication:

Browse to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Add a new DWORD "TCP/IP Port" and specify a decimal value e.g. 49152.

For FRS (File Replication Service) browse to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\
Add a new DWORD "RPC TCP/IP Port Assignment" and set the decimal value e.g. 49153.

For DFSR we can change the RPC port assignment using the dfsrdiag command:
dfsrdiag StaticRPC /port:49154 /Member:file-server.mydomain.com

Finally we restart the necessary services:
Active Directory Domain Services
DFS Replication
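
The steps above as a single PowerShell script (an added example, not part of the original post). It uses the post's example ports and member name, and assumes Windows Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example: apply the static RPC ports from the post. Run elevated on the DC.
$settings = @(
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'TCP/IP Port';                Port = 49152 },   # AD replication
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Name = 'RPC TCP/IP Port Assignment'; Port = 49153 }    # FRS
)
$dfsrPort   = 49154
$dfsrMember = 'file-server.mydomain.com'   # member name used in the post

foreach ($s in $settings) {
    # The service key may be absent on a DC without that role service; skip it.
    if (-not (Test-Path $s.Key)) {
        Write-Warning "Key not present, skipping: $($s.Key)"
        continue
    }
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Port) {
        Write-Output "'$($s.Name)' already set to $($s.Port)"
    } else {
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Port -Force | Out-Null
        Write-Output "'$($s.Name)' set to $($s.Port) (previous value: '$current')"
    }
}

# DFSR's port is set with dfsrdiag, as in the post.
& dfsrdiag StaticRPC "/port:$dfsrPort" "/Member:$dfsrMember"
if ($LASTEXITCODE -ne 0) { throw "dfsrdiag failed with exit code $LASTEXITCODE" }

# Restart the services named in the post so the new ports take effect.
# -Force is needed for a service that has dependent services.
Restart-Service -DisplayName 'Active Directory Domain Services' -Force
Restart-Service -DisplayName 'DFS Replication' -Force

# Confirm each static port is listening before narrowing the firewall rules.
$ports = @($settings | ForEach-Object { $_.Port }) + $dfsrPort
foreach ($port in $ports) {
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($listening) { Write-Output "TCP $port is listening" }
    else            { Write-Warning "Nothing is listening on TCP $port" }
}
```

A port that reports as not listening after the restart should stay covered by the existing dynamic-range rule until the cause is found.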
