[Dshield] Active Directory Firewall rules

Roger A. Grimes roger at banneretcs.com
Mon Aug 29 23:34:00 GMT 2005


This seems like a perfect case for IPSec. Enable IPSec for the needed
ports between the DCs using Kerberos for machine authentication.

Roger

************************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
*email: roger at banneretcs.com
*cell: 757-615-3355
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
************************************************************************
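[Editor's note: the following is an added example, not code from Roger or anyone else in the thread. It shows one way to put the IPsec suggestion above into practice on a modern domain controller (Windows Server 2012 or later, NetSecurity module) and, at the same time, to replace the "ROOT_DC ANY to MY_DC ANY" rule discussed further down with the finite DC-to-DC port set from KB 179442. The addresses, rule names and the pinned RPC port 50000 are assumptions chosen for illustration.]

```powershell
# Added example (not from the thread): restrict DC-to-DC traffic to the documented
# AD port set and require IPsec with Kerberos machine authentication between the DCs.
# Run elevated on MY_DC. Addresses and the pinned port are assumptions for illustration.
$RootDC = "10.0.0.10"     # hypothetical ROOT_DC
$MyDC   = "10.0.1.10"     # hypothetical MY_DC (the host this script runs on)

# Well-known DC-to-DC port set (KB 179442). RPC replication normally lands in the
# dynamic range (TCP 49152-65535 on 2008+), so it is pinned to one port in step 1.
$AdPorts = @(
    @{ Proto = "TCP"; Port = 53    ; Note = "DNS" },
    @{ Proto = "UDP"; Port = 53    ; Note = "DNS" },
    @{ Proto = "TCP"; Port = 88    ; Note = "Kerberos" },
    @{ Proto = "UDP"; Port = 88    ; Note = "Kerberos" },
    @{ Proto = "UDP"; Port = 123   ; Note = "NTP" },
    @{ Proto = "TCP"; Port = 135   ; Note = "RPC endpoint mapper" },
    @{ Proto = "TCP"; Port = 389   ; Note = "LDAP" },
    @{ Proto = "UDP"; Port = 389   ; Note = "LDAP (CLDAP ping)" },
    @{ Proto = "TCP"; Port = 445   ; Note = "SMB (SYSVOL/NETLOGON)" },
    @{ Proto = "TCP"; Port = 464   ; Note = "Kerberos password change" },
    @{ Proto = "UDP"; Port = 464   ; Note = "Kerberos password change" },
    @{ Proto = "TCP"; Port = 636   ; Note = "LDAPS" },
    @{ Proto = "TCP"; Port = 3268  ; Note = "Global Catalog" },
    @{ Proto = "TCP"; Port = 3269  ; Note = "Global Catalog SSL" },
    @{ Proto = "TCP"; Port = 50000 ; Note = "NTDS RPC (pinned; assumed value)" }
)

# 1. Pin the replication RPC port (KB 224196) so the whole dynamic range need not be opened.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "TCP/IP Port" -PropertyType DWord -Value 50000 -Force | Out-Null

# 2. Phase-1 authentication proposal: Kerberos, machine identity only (no user auth).
$kerbAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "DC-DC Machine Kerberos" -Proposal $kerbAuth

# 3. Require IPsec in transport mode for all traffic between the two DCs.
New-NetIPsecRule -DisplayName "DC-DC require IPsec" `
    -LocalAddress $MyDC -RemoteAddress $RootDC `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Mode Transport | Out-Null

# 4. Allow only the enumerated ports inbound from ROOT_DC, and only on connections
#    that IPsec has already authenticated (-Authentication Required).
foreach ($p in $AdPorts) {
    New-NetFirewallRule -DisplayName ("DC-DC {0}/{1} {2}" -f $p.Proto, $p.Port, $p.Note) `
        -Direction Inbound -Protocol $p.Proto -LocalPort $p.Port `
        -RemoteAddress $RootDC -Authentication Required -Action Allow | Out-Null
}

# 5. Check what was created.
Get-NetIPsecRule -DisplayName "DC-DC require IPsec" |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
Get-NetFirewallRule -DisplayName "DC-DC *" | Measure-Object | Select-Object Count
```

Two practical notes. First, once the DC pair is inside IPsec transport mode, the firewall between them no longer sees LDAP, SMB or RPC at all; it sees ESP (IP protocol 50) plus IKE/AuthIP on UDP 500 (and UDP 4500 if NAT is in the path), so the rule the firewall admins are asked for shrinks from ANY/ANY to those two or three entries, with the per-port filtering enforced on the DCs themselves. Second, Kerberos machine authentication between two DCs has a bootstrap dependency: each side must obtain a ticket for the peer from its own KDC before the security association comes up, so mirror the same rules on ROOT_DC and test the pair in a lab before applying it to the only replication path; if the Kerberos exchange cannot complete, certificate-based phase-1 authentication (New-NetIPsecAuthProposal -Machine -Cert) avoids the dependency.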


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Mrcorp
Sent: Monday, August 29, 2005 6:34 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Active Directory Firewall rules

I know this is going to sound like no help at all, but the firewall
admins are trying to save time.  Not everything is documented when it
comes to MS, so they are trying to avoid "testing" things and just
requesting to open it up.  I agree with you, let's tighten it up.
Unfortunately, there is a large series of ports that it uses.

http://support.microsoft.com/kb/q179442/  

Is a good point to start.  I have had to do this in the past, and it is
not easy.

Good luck my friend.

Mrc.

--- dave brookshire <dsb at parapet.net> wrote:

> If the AD servers are configured to be in different "sites" you can
> choose "SMTP" as the Inter-site transport and permit only SMTP traffic
> between the two servers.  That's the theory, at least.
> 
> My $0.02.
> 
> -db
> 
> warwick ackfin wrote:
> 
> >Greetings all -
> >
> >    I'm being told by someone higher than I in the AD food chain here
> >at Ivory Towers Inc that I have to add a rule in my firewall that
> >says ROOT_DC ANY to MY_DC ANY.  Now, color me ignorant, but I thought
> >AD traffic used a FINITE group of ports (actually I'm being kind... I
> >thought it was only tcp445).  Why should I open everything to these
> >people?


_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
