Security Basics mailing list archives

Re: Windows firewall on active directory servers


From: jfvanmeter () comcast net
Date: Wed, 06 Feb 2008 17:04:02 +0000

I've done it; the real issue is restricting dynamic RPC ports to a range.

Hope these links help. I have to say that was one project that was a real pain.

http://support.microsoft.com/kb/154596 How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/224196 restricting AD Repl traffic
http://support.microsoft.com/kb/555381 how to config Win2k3 firewall on a DC

Good Luck --John
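The KB 154596 approach John points to, as an added example that is not from the thread or from Microsoft's own scripts: pin the RPC dynamic range in the registry, then open only the endpoint mapper and that range in Windows Firewall. It assumes an elevated PowerShell on Windows Server 2012 or later (for the NetSecurity cmdlets); the port range and the internal subnet are constructed placeholders, and a reboot is needed before the RPC runtime honours the new range.

```powershell
# Added example (not from the thread): restrict RPC dynamic ports to a fixed
# range per KB 154596 and open that range in Windows Firewall on a DC.
# Assumptions: run as Administrator on Windows Server 2012+; reboot afterwards.
# The range size is constructed; the thread notes 100 ports was not enough.
$RpcStart = 5000
$RpcEnd   = 5500

$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }

# KB 154596: Ports is REG_MULTI_SZ ("start-end"), the other two are REG_SZ "Y".
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RpcStart-$RpcEnd") -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Firewall: RPC endpoint mapper (TCP 135) plus the now-bounded dynamic range.
# Scope the rules to the internal subnets instead of Any; placeholder value below.
$Internal = @('10.0.0.0/8')   # constructed placeholder, use the site's real subnets
New-NetFirewallRule -DisplayName 'RPC Endpoint Mapper (DC)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $Internal -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'RPC Dynamic Range (DC)' -Direction Inbound `
    -Protocol TCP -LocalPort "$RpcStart-$RpcEnd" -RemoteAddress $Internal -Action Allow | Out-Null

# Verification (after the reboot): confirm the stored range and list listeners
# that fall inside it; RPC services outside the range mean the key was not applied.
$cfg = Get-ItemProperty -Path $RpcKey
"Configured RPC range: $($cfg.Ports)"
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $RpcStart -and $_.LocalPort -le $RpcEnd } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Replication, LDAP, Kerberos and SMB still need their own fixed-port rules; this block only covers the dynamic RPC piece the thread is about.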

 -------------- Original message ----------------------
From: "Paul J. Brickett" <swarzkopf () legolas sinnerz us>
By policy, they don't have firewalls between their
internal network and their external network, but rather only have
firewalls implemented on each server.  The reason for this is that they are
more concerned with their internal users (the students) than any host
out on the Internet.

Mother of god.

My suggestion: Strongly suggest that they reconsider their policies. 
You're going to run into all sorts of issues here!

Good luck.

PJB

On Wed, 6 Feb 2008, Dani Houpt wrote:

All, I'm working for a large school and we are deploying a new
AD Forest.  By policy, they don't have firewalls between their
internal network and their external network, but rather only have
firewalls implemented on each server.  The reason for this is that they are
more concerned with their internal users (the students) than any host
out on the Internet.

When deploying AD, we came up with an issue with using the Windows
firewall on the AD servers. After more research, we found out that
Microsoft does not recommend using the Windows firewall on AD servers.
The issue has to do with limiting the RPC ports.  The MS KB articles
that we found specify to open 100 RPC ports but this does not seem to
be enough.

Has anyone had to deploy a FW on an AD DC in a large domain/forest?
If so, how did you manage the RPC settings and which FW did you use?

Thanks so much for your help!

-Dani Houpt
Dhoupt613 (at) gmail dot com



On 2/5/08, Yousef Syed <yousef.syed () gmail com> wrote:
I need some advice.
I'm currently staying in an apartment complex that provides free
wireless Internet access.
The access has zero crypto - not even WEP.

What can I do on my own Laptops (Mac OS X and Windows XP Pro) to make
my browsing/internet usage more secure? I also want to ensure that no
one else on the network is entering my systems.

The Windows Laptop already has Kaspersky Internet Security and various
spyware/adware checkers etc

Thanks,
ys

--
Yousef Syed
CISSP

http://www.linkedin.com/in/musashi


-- 
Sent from Gmail for mobile | mobile.google.com


