There is a technote out there but this may help


How to enable communication from a Windows OS Active Directory Client to the Active Directory Server across a firewall
 
The following ports will be used for outbound communication from the client to the server. This assumes that a stateful firewall is being used to allow inbound communication from the server.
 
  • DNS will be using TCP and UDP port 53
  • Network Time Protocol (NTP), if required, uses TCP port 123
  • Microsoft’s implementation of Kerberos will be using TCP and UDP port 88 (Note this may be non-standard compared to the MIT Kerberos implementation)
  • The EndpointMapper for RPC services will use TCP port 135
  • LDAP will use TCP port 389 and Microsoft uses an LDAP “ping” on UDP port 389
  • Server Message Block services (SMB, SAMBA) will use TCP port 445
  • Global Catalog services use TCP port 3268 – this should be necessary when logging into forests with more than one domain
  • The last port is used for Active Directory logon and replication. Normally this is a dynamic port. For security reasons this should be configured to use a static port, so that the firewall rules can be specific. To configure this, open the registry on each domain controller that needs to be contacted through the firewall. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. Add a new value with the following properties:
    • Value Name: “TCP/IP Port”
    • Data Type: “REG_DWORD”
    • Radix: “Decimal”
    • Value: some number between 1025 and 65534; we will standardize on “1025”
     
    Additional configuration will be needed for specific application access and use, such as Exchange.
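The two procedures in the reply above, as an added PowerShell example that is not part of the thread: pinning the NTDS RPC endpoint to the static port on a domain controller, and then checking from a client that the listed TCP ports are actually reachable through the firewall. It assumes Windows 8 / Server 2012 or later (the `Test-NetConnection` cmdlet did not exist when this 2003 message was written), an elevated session on the DC, a hypothetical domain controller name `dc01.example.com`, and the port value 1025 chosen in the reply.

```powershell
# Added example, not from the mailing-list thread.
# Assumptions: Windows 8 / Server 2012 or later, elevated session for the
# registry change, hypothetical DC name dc01.example.com, static port 1025.

# ---- Part 1: run on EACH domain controller reached through the firewall ----
function Set-NtdsStaticPort {
    param([int]$Port = 1025)   # 1025..65534, per the reply

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Idempotent: create the REG_DWORD "TCP/IP Port" if missing, else overwrite it.
    $existing = Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $Port | Out-Null
    } else {
        Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $Port
    }

    # The value is read when NTDS starts: restart the DC (or Restart-Service NTDS
    # on versions with restartable AD DS) before expecting the endpoint to move.
    (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
}

# ---- Part 2: run on the client side of the firewall ----
function Test-DcPorts {
    param(
        [string]$DomainController = 'dc01.example.com',   # hypothetical name
        [int]$NtdsStaticPort = 1025
    )

    # TCP ports named in the reply; the NTDS port is the one pinned in Part 1.
    $tcpPorts = @(
        @{ Port = 53;              Service = 'DNS' },
        @{ Port = 88;              Service = 'Kerberos' },
        @{ Port = 135;             Service = 'RPC endpoint mapper' },
        @{ Port = 389;             Service = 'LDAP' },
        @{ Port = 445;             Service = 'SMB' },
        @{ Port = 3268;            Service = 'Global Catalog' },
        @{ Port = $NtdsStaticPort; Service = 'NTDS RPC (static)' }
    )

    # Test-NetConnection only exercises TCP. The UDP ports the reply also lists
    # (53, 88, 389) cannot be probed this way; check them from the firewall log
    # or with a real name lookup / Kerberos logon from the client.
    $results = foreach ($entry in $tcpPorts) {
        $probe = Test-NetConnection -ComputerName $DomainController -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service   = $entry.Service
            Port      = $entry.Port
            Reachable = [bool]$probe.TcpTestSucceeded
        }
    }

    $results | Format-Table -AutoSize

    # Report the listed ports the firewall is still blocking.
    $blocked = $results | Where-Object { -not $_.Reachable }
    if ($blocked) {
        $list = ($blocked | ForEach-Object { "$($_.Service)/$($_.Port)" }) -join ', '
        Write-Warning "Blocked through the firewall: $list"
    }
    return $results
}

# Usage:
#   On each DC:    Set-NtdsStaticPort -Port 1025
#   On the client: Test-DcPorts -DomainController 'dc01.example.com' -NtdsStaticPort 1025
```

Once every DC behind the firewall has the same static value, the firewall rule for logon and replication can name a single TCP port instead of the whole dynamic RPC range, which is the point of the registry change in the reply; TCP 135 still has to stay open so the endpoint mapper can hand clients that port.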



    "Brad Martin" <[EMAIL PROTECTED]>
    Sent by: [EMAIL PROTECTED]

    02/13/2003 04:37 PM
    Please respond to ActiveDir

           
            To:        "Active Directory Mailing List" <[EMAIL PROTECTED]>
            cc:        
            Subject:        [ActiveDir] Locking down network access



    Does anyone have a list of what ports need to be open on a firewall to access things like Active Directory, WINS, DNS, mapping drives, etc.?  We need to lock down a section of our network and we only want to let the bare minimum through our firewall.  Thanks.
     
    Brad Martin
    Go Daddy Software, Inc.
    480.505.8800 ext. 250
    [EMAIL PROTECTED]
    http://www.godaddy.com
     