Security Basics mailing list archives
RE: Windows firewall on active directory servers
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Wed, 6 Feb 2008 10:45:49 -0800
I'll first agree with Paul and Ansgar. Proper network segmentation is essential in a school environment. That said, see these two docs for details on constructing IPSec tunnels between servers and limiting the range of dynamic RPC ports.

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?familyid=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dani Houpt
Sent: Wednesday, February 06, 2008 7:01 AM
To: security-basics () securityfocus com
Subject: Windows firewall on active directory servers

All,

I'm working for a large school and we are deploying a new AD Forest. By policy, they don't have firewalls between their internal network and their external network, but rather only have firewalls implemented on each server. The reason for this is that they are more concerned with their internal users (the students) than any host out on the Internet.

When deploying AD, we came up with an issue with using the Windows firewall on the AD servers. After more research, we found out that Microsoft does not recommend using the Windows firewall on AD servers. The issue has to do with limiting the RPC ports. The MS KB articles that we found specify to open 100 RPC ports but this does not seem to be enough.

Has anyone had to deploy a FW on an AD DC in a large domain/forest? If so, how did you manage the RPC settings and which FW did you use?

Thanks so much for your help!

-Dani Houpt
Dhoupt613 (at) gmail dot com

On 2/5/08, Yousef Syed <yousef.syed () gmail com> wrote:
> I need some advice. I'm currently staying in an apartment complex that provides free wireless Internet access. The access has zero crypto - not even WEP. What can I do on my own Laptops (Mac OS X and Windows XP Pro) to make my browsing/internet usage more secure? I also want to ensure that no one else on the network is entering my systems. The Windows Laptop already has Kaspersky Internet Security and various spyware/adware checkers etc.
>
> Thanks,
> ys
> --
> Yousef Syed CISSP
> http://www.linkedin.com/in/musashi
> --
> Sent from Gmail for mobile | mobile.google.com
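As an added example (not part of this thread or of Microsoft's documents), the following PowerShell script applies the two registry settings that the "Active Directory Replication over Firewalls" document describes for a domain controller: it limits the RPC dynamic port range under HKLM\SOFTWARE\Microsoft\Rpc\Internet and pins NTDS replication to one fixed port, then reads the configuration back so it can be checked against the host firewall rules. The port numbers and range size are assumptions; the RPC values only take effect after a reboot, and TCP 135 (endpoint mapper) plus the chosen range must still be permitted by the firewall on the DC.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.
# Port values are assumptions; choose ones that match your firewall policy.
param(
    [int]$RpcRangeStart = 57000,
    [int]$RpcRangeEnd   = 57500,   # 500 ports; the poster found 100 too few
    [int]$NtdsPort      = 49152    # fixed port for AD replication (NTDS) RPC
)

$rpcKey  = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

if ($RpcRangeEnd -le $RpcRangeStart) {
    throw 'RPC range end must be greater than its start'
}
if ($NtdsPort -ge $RpcRangeStart -and $NtdsPort -le $RpcRangeEnd) {
    Write-Warning 'NTDS port lies inside the dynamic range; other RPC endpoints may collide with it'
}

# 1. Restrict the dynamic RPC range: "Ports" (REG_MULTI_SZ) plus the two
#    flags that make RPC honour it for all endpoints.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RpcRangeStart-$RpcRangeEnd") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# 2. Pin AD replication to a single port: "TCP/IP Port" (REG_DWORD) on NTDS.
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' `
    -PropertyType DWord -Value $NtdsPort -Force | Out-Null

# 3. Read back the effective configuration for the firewall change request.
$rpc  = Get-ItemProperty -Path $rpcKey
$ntds = Get-ItemProperty -Path $ntdsKey
[pscustomobject]@{
    RpcDynamicPorts     = ($rpc.Ports -join ',')
    UseInternetPorts    = $rpc.UseInternetPorts
    NtdsReplicationPort = $ntds.'TCP/IP Port'
    RebootRequired      = $true
}
```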