[Dshield] Active Directory Firewall rules

Mrcorp mrcorp at yahoo.com
Mon Aug 29 22:34:21 GMT 2005


I know this is going to sound like no help at all, but the firewall admins are trying to save
time.  Not everything is documented when it comes to MS, so they are trying to avoid "testing"
things and just requesting to open it up.  I agree with you, let's tighten it up.  Unfortunately,
there is a large series of ports that it uses.

http://support.microsoft.com/kb/q179442/ is a good point to start.  I have had to do this in the past, and it is not easy.

Good luck my friend.

Mrc.

--- dave brookshire <dsb at parapet.net> wrote:

> If the AD servers are configured to be in different "sites" you can 
> choose "SMTP" as the Inter-site transport and permit only SMTP traffic 
> between the two servers.  That's the theory, at least.  
> 
> My $0.02.
> 
> -db
> 
> warwick ackfin wrote:
> 
> >Greetings all -
> >
> >    I'm being told by someone higher than I in the AD food chain here
> >at Ivory Towers Inc that I have to add a rule in my firewall that says
> >ROOT_DC ANY to MY_DC ANY.  Now, color me ignorant, but I thought AD
> >traffic used a FINITE group of ports (actually I'm being kind... I
> >thought it was only tcp445).  Why should I open everything to these
> >people?
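As an added example (not part of this thread, and not the KB article's own tooling), the script below is one way to check a tightened DC-to-DC rule set instead of opening ROOT_DC ANY to MY_DC ANY: it probes the remote domain controller on the well-known AD TCP ports that the KB article referenced above documents, and reports which ones the firewall still blocks. The port list is reproduced from my own knowledge of that article, not from the thread; `$RemoteDc` is an assumed parameter name, and `Test-NetConnection` requires Windows 8/Server 2012 or later.

```powershell
# Added example, not from the original thread: verify that a tightened
# DC-to-DC firewall rule set still permits the AD ports documented in
# KB 179442, rather than allowing ANY/ANY between the two DCs.
# $RemoteDc is an assumed parameter name for the other domain controller.
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteDc
)

# Well-known TCP ports used between domain controllers (KB 179442).
# The RPC endpoint mapper (135) hands out a dynamic high port for
# replication and Netlogon, which is the reason a fixed list alone is not
# enough and why firewall admins are tempted to open everything.
$AdPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL / Netlogon)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

# Probe each port; -InformationLevel Quiet makes Test-NetConnection
# return a plain $true/$false instead of a detailed object.
$results = foreach ($entry in $AdPorts) {
    $open = Test-NetConnection -ComputerName $RemoteDc -Port $entry.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $entry.Port
        Service = $entry.Service
        Open    = $open
    }
}

$results | Format-Table -AutoSize

# Ports reported as blocked are the ones the rule set must still permit;
# anything not on this list (apart from the dynamic RPC range) is a
# candidate to stay closed.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning "Blocked AD ports on ${RemoteDc}: $($blocked.Port -join ', ')"
}
```

Run it from one DC against the other (`.\Check-AdPorts.ps1 -RemoteDc MY_DC`, with whatever file name you save it under). It only exercises TCP; DNS, Kerberos and NTP also use UDP, and the dynamic RPC range above 1024 is not covered, so treat a clean result as "the documented fixed ports are reachable", not as proof that replication will work end to end.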