Try these sites:

Cass M. Gowins / Network consultant
Stark/Portage Area Computer Consortium
2100 38th St. N.W. Canton, Ohio 44709
cell (330) 705-9162 office (330) 492-8136 x-391
[EMAIL PROTECTED]
----- Original Message -----
Sent: Thursday, February 13, 2003 4:43 PM
Subject: Re: [ActiveDir] Locking down network access
There is a technote out there, but this may help.

How to enable communication from a Windows OS Active Directory Client to the Active Directory Server across a firewall

The following ports will be used for outbound communication from the client to the server. This assumes that a stateful firewall is being used to allow inbound communication from the server.

- DNS will be using TCP and UDP port 53
- Network Time Protocol (NTP), if required, uses TCP port 123
- Microsoft’s implementation of Kerberos will be using TCP and UDP port 88 (Note this may be non-standard compared to the MIT Kerberos implementation)
- The EndpointMapper for RPC services will use TCP port 135
- LDAP will use TCP port 389 and Microsoft uses an LDAP “ping” on UDP port 389
- Server Messaging Block services (SMB, SAMBA) will use TCP port 445
- Global Catalog services use TCP port 3268 – this should be necessary when logging into forests with more than one domain
- The last port is used for Active Directory Logon and replication. Normally this is a dynamic port. For security reasons this should be configured to use a static port, so that the firewall rules can be specific. To configure this, open the registry on each Domain Controller that needs to be contacted through the firewall. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters and add a new value with the following properties:
  - Value Name: “TCP/IP Port”
  - Data Type: “REG_DWORD”
  - Radix: “Decimal”
  - Value: some number between 1025 and 65534; we will standardize on “1025”

Additional configuration will be needed for specific application access and use, such as Exchange.
"Brad Martin" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/13/2003 04:37 PM
Please respond to ActiveDir

To: "Active Directory Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] Locking down network access
Does anyone have a list of what ports need to be open on a firewall to access things like Active Directory, WINS, DNS, mapping drives, etc.? We need to lock down a section of our network and we only want to let the bare minimum through our firewall. Thanks.

Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
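The forwarded reply above gives the port list and the NTDS registry change by hand; the script below is an added example (not from anyone in this thread) that applies both on a domain controller with PowerShell. It assumes Windows Server 2012 or later (for the NetSecurity cmdlets), local administrator rights, and the `AD-*` rule names, which are made up here; the DC must be restarted for the NTDS port change to take effect.

```powershell
# Added example: pin the AD logon/replication RPC port and create matching host
# firewall rules on a domain controller, following the port list in the thread.
# Assumes Windows Server 2012+ and an elevated session; rule names are assumed.
param(
    # Must fall in the 1025-65534 range given in the thread; 1025 is its standard.
    [ValidateRange(1025, 65534)]
    [int] $StaticRpcPort = 1025
)

# 1. Static port for AD logon and replication: REG_DWORD "TCP/IP Port" under NTDS\Parameters.
$ntds = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'TCP/IP Port' -Type DWord -Value $StaticRpcPort

# 2. Inbound allow rules for the client -> DC ports listed in the reply.
#    NTP is listed there as TCP 123; verify the protocol your time source actually uses.
$rules = @(
    @{ Name = 'AD-DNS-TCP';      Protocol = 'TCP'; Port = 53 },
    @{ Name = 'AD-DNS-UDP';      Protocol = 'UDP'; Port = 53 },
    @{ Name = 'AD-NTP-TCP';      Protocol = 'TCP'; Port = 123 },
    @{ Name = 'AD-Kerberos-TCP'; Protocol = 'TCP'; Port = 88 },
    @{ Name = 'AD-Kerberos-UDP'; Protocol = 'UDP'; Port = 88 },
    @{ Name = 'AD-RPC-EPM';      Protocol = 'TCP'; Port = 135 },
    @{ Name = 'AD-LDAP-TCP';     Protocol = 'TCP'; Port = 389 },
    @{ Name = 'AD-LDAP-Ping';    Protocol = 'UDP'; Port = 389 },
    @{ Name = 'AD-SMB';          Protocol = 'TCP'; Port = 445 },
    @{ Name = 'AD-GC';           Protocol = 'TCP'; Port = 3268 },
    @{ Name = 'AD-RPC-Static';   Protocol = 'TCP'; Port = $StaticRpcPort }
)

foreach ($r in $rules) {
    # Idempotent: drop any rule of the same name so re-running does not duplicate rules.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -Profile Domain | Out-Null
}

# 3. Print what is now configured so it can be compared line by line with the
#    perimeter firewall rule set (the static port must appear in both).
Get-ItemProperty -Path $ntds -Name 'TCP/IP Port' | Select-Object 'TCP/IP Port'
Get-NetFirewallRule -DisplayName 'AD-*' | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

The host rules only cover the DC side; the perimeter firewall still needs the same TCP/UDP port set plus the static RPC port, and anything the dynamic RPC range would otherwise have needed can then stay closed.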