[Dshield] Active Directory Firewall rules

Lepich, Jesse A Mr GLWACH Jesse.Austin.Lepich at us.army.mil
Mon Aug 29 22:56:56 GMT 2005


I'd start with the below then watch the firewall's hit counters and log
for rules that are not being used and for legitimate traffic that is
being blocked.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555381&sd=rss&spid=3198
might be useful to you as well.

Good luck!
	Jesse Lepich

access-list ingress remark --- RDP management to the DC (tcp/3389)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 3389
access-list ingress remark --- DNS (tcp/53 and udp/53)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq domain
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq domain
access-list ingress remark --- Kerberos (tcp/88)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 88
access-list ingress remark --- RPC endpoint mapper (tcp/135)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 135
access-list ingress remark --- NetBIOS name service (tcp/137) and session service (tcp/139)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 137
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq netbios-ssn
access-list ingress remark --- LDAP (tcp/389), SMB (tcp/445), LDAPS (tcp/636)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq ldap
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 445
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq ldaps
access-list ingress remark --- other tcp ports in the original list (not standard AD services)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 1056
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 1270
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2650
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2701
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2702
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2703
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2704
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 2967
access-list ingress remark --- Global Catalog LDAP (tcp/3268) and LDAPS (tcp/3269)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 3268
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 3269
access-list ingress remark --- other tcp ports in the original list (not standard AD services)
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 9998
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 9999
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 25010
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 25011
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 38292
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 38293
access-list ingress permit tcp host 1.1.1.1 host 2.2.2.2 eq 38037
access-list ingress remark --- Kerberos (udp/88) and NTP (udp/123)
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 88
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq ntp
access-list ingress remark --- NetBIOS name service (udp/137) and datagram service (udp/138)
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq netbios-ns
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq netbios-dgm
access-list ingress remark --- LDAP over UDP (udp/389) and udp/445
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 389
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 445
access-list ingress remark --- other udp ports in the original list (not standard AD services)
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 1056
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 2701
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 2702
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 2703
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 2704
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 38292
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 38293
access-list ingress permit udp host 1.1.1.1 host 2.2.2.2 eq 38037
 

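The "watch the hit counters and the log" step above is the part people skip. The following is an added example, not code from the post or from any firewall vendor: a small Python script that reads PIX/ASA-style "show access-list" output and syslog ACL-deny messages (message ID 106023) and reports (a) ACEs whose hit counter is still zero and (b) traffic between the two DC addresses that the ACL dropped. The line formats in the regexes are assumptions about the platform's output, and both input samples are constructed; the sample deny lines include tcp/464 (Kerberos password change, a standard AD port that is absent from the list above) and udp/123 (NTP), while a deny from an unrelated source address is deliberately ignored because it is not evidence of a missing DC-to-DC rule.

```python
import re
from collections import Counter

# Constructed sample of PIX/ASA "show access-list" output: one ACE per line
# with its hit counter.  The exact layout is an assumption; real output may
# carry extra fields after the counter.
SHOW_ACL = """\
access-list ingress line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 3389 (hitcnt=4)
access-list ingress line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq domain (hitcnt=0)
access-list ingress line 3 extended permit udp host 1.1.1.1 host 2.2.2.2 eq domain (hitcnt=812)
access-list ingress line 4 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 88 (hitcnt=57)
access-list ingress line 5 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 9999 (hitcnt=0)
"""

# Constructed sample syslog lines.  106023 is the "denied by access-group"
# message; the 302013 line is a normal connection build and must be ignored.
SYSLOG = """\
%ASA-4-106023: Deny tcp src inside:1.1.1.1/49231 dst dmz:2.2.2.2/464 by access-group "ingress" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:1.1.1.1/49240 dst dmz:2.2.2.2/464 by access-group "ingress" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:1.1.1.1/53455 dst dmz:2.2.2.2/123 by access-group "ingress" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/4455 dst dmz:2.2.2.2/445 by access-group "ingress" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for inside:1.1.1.1/49300 (1.1.1.1/49300) to dmz:2.2.2.2/88 (2.2.2.2/88)
"""

# Assumed field layout of an ACE line and of a 106023 deny line.
ACE_RE = re.compile(
    r"permit (tcp|udp) host (\S+) host (\S+) eq (\S+) \(hitcnt=(\d+)\)")
DENY_RE = re.compile(
    r"106023: Deny (tcp|udp) src \S+:([\d.]+)/\d+ dst \S+:([\d.]+)/(\d+)")


def unused_rules(show_acl_text):
    """Return (proto, dst_port) for every ACE whose hit counter is zero.
    These are candidates for removal once enough time has passed to cover
    replication, logons and maintenance windows."""
    return [(m.group(1), m.group(4))
            for m in ACE_RE.finditer(show_acl_text) if int(m.group(5)) == 0]


def denied_flows(syslog_text, src, dst):
    """Count denied (proto, dst_port) pairs from src to dst only.  Denies
    from other addresses are dropped: they say nothing about which
    DC-to-DC port is missing from the ACL."""
    counts = Counter()
    for m in DENY_RE.finditer(syslog_text):
        proto, s, d, port = m.groups()
        if s == src and d == dst:
            counts[(proto, port)] += 1
    return counts


def report(show_acl_text, syslog_text, src, dst):
    """Human-readable summary of both checks."""
    lines = ["unused rules (hitcnt=0):"]
    for proto, port in unused_rules(show_acl_text):
        lines.append(f"  {proto}/{port}")
    lines.append(f"denied {src} -> {dst} (possible missing rules):")
    for (proto, port), n in sorted(denied_flows(syslog_text, src, dst).items()):
        lines.append(f"  {proto}/{port}  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SHOW_ACL, SYSLOG, "1.1.1.1", "2.2.2.2"))
```

Feed it the real "show access-list" text and a day or two of syslog, and it tells you which permits never fired and which DC-to-DC ports the rule set is silently breaking, which is the evidence you need before either tightening the list further or adding a port.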
-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Mrcorp
Sent: Monday, August 29, 2005 5:34 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Active Directory Firewall rules

I know this is going to sound like no help at all, but the firewall
admins are trying to save time.  Not everything is documented when it
comes to MS, so they are trying to avoid "testing"
things and just requesting to open it up.  I agree with you, let's
tighten it up.  Unfortunately, there is a large series of ports that it
uses.

http://support.microsoft.com/kb/q179442/  

Is a good point to start.  I have had to do this in the past, and it is
not easy.

Good luck my friend.

Mrc.

--- dave brookshire <dsb at parapet.net> wrote:

> If the AD servers are configured to be in different "sites" you can
> choose "SMTP" as the Inter-site transport and permit only SMTP traffic
> between the two servers.  That's the theory, at least.
> 
> My $0.02.
> 
> -db
> 
> warwick ackfin wrote:
> 
> >Greetings all -
> >
> >    I'm being told by someone higher than I in the AD food chain here
> >at Ivory Towers Inc that I have to add a rule in my firewall that
> >says ROOT_DC ANY to MY_DC ANY.  Now, color me ignorant, but I thought
> >AD traffic used a FINITE group of ports(actually I'm being kind...i
> >thought it was only tcp445).  Why should I open everything to these
> >people?


_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list