Posted by babak via WinServerKB.com on July 12, 2006, 7:15 am
Hi, friends,
I want to install a firewall on my DC to close unwanted open ports. Which
ports must be open on my firewall for it (my DC) to work properly?
The roles of my DC are:
domain controller
DNS server
DHCP server
IIS server (HTTP and FTP)
application server
and mail server
Thanks for your time.
--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200607/1
Posted by karl levinson, mvp on July 12, 2006, 7:58 am
> Hi, friends,
> I want to install a firewall on my DC to close unwanted open ports. Which
> ports must be open on my firewall for it (my DC) to work properly?
> The roles of my DC are:
>
> domain controller
> dns server
> dhcp server
> iis server (http and ftp)
> application server
> and mail server
* domain controller: see below
* DNS: TCP/UDP 53
* DHCP: UDP 67 and 68
* HTTP: TCP 80
* FTP: TCP 21 and either TCP 20 or a randomly negotiated port, depending on
whether active or passive FTP is used by the FTP client software
* mail server: what protocols are you using? SMTP uses TCP 25, IDENT /
AUTH uses TCP 113, POP3 uses TCP 110, IMAP uses TCP 143.
* application server: need more information
All of this information is listed in the file on your computer called
%windir%\system32\drivers\etc\services or at the links given below.
A good way to see what ports are being used is to run the server for a few
days with a sniffer like www.ethereal.com [yes, I know future releases are
at www.wireshark.org], or run your firewall for a week with no blocking
rules, but one rule that permits and logs basic information on all traffic.
You can then predict what traffic will be blocked by various rules.
Note that domain controllers sometimes use RPC, where by default random
ports are used. The third link below helps you address this.
from http://securityadmin.info/faq.asp?firewallproblem :
How to configure a firewall to allow Windows domain networking [or consider
using PPTP or VPN instead]:
http://support.microsoft.com/?kbid=179442
http://support.microsoft.com/?kbid=154596
You can find other common port numbers used by certain software services by
searching an Internet search engine such as www.google.com or by following
one of the links below:
http://www.chebucto.ns.ca/~rakerman/port-table.html
http://support.microsoft.com/?kbid=289241 [common ports on Windows 2000]
http://www.iana.org/assignments/port-numbers
http://www.iisfaq.com/default.asp?View=P106
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
Posted by Steven L Umbach on July 12, 2006, 9:36 pm
It sounds like your domain controller is a jack of all trades. Karl already
gave you good advice. I just wanted to add if your domain controller is
Windows 2003 and has SP1 installed you can use the Security Configuration
Wizard to help you configure the Windows Firewall to your needs and further
lock down the server. The Windows 2003 Server Security Guide from Microsoft
also has guidance on how to configure ipsec filter policy to manage network
traffic based on computer role or roles as in your case. It should also
apply to Windows 2000. --- Steve
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
--- Security Configuration Wizard
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
--- Windows 2003 Server Security Guide
> Hi, friends,
> I want to install a firewall on my DC to close unwanted open ports. Which
> ports must be open on my firewall for it (my DC) to work properly?
> The roles of my DC are:
>
> domain controller
> dns server
> dhcp server
> iis server (http and ftp)
> application server
> and mail server
>
> Thanks for your time.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200607/1
Posted by karl levinson, mvp on July 13, 2006, 8:52 am
> It sounds like your domain controller is a jack of all trades. Karl
> already
Good point... I probably should have mentioned that it is not great security
to be running all those services, particularly Web and FTP, on your domain
controller. One problem is that a vulnerability in any one of those
services [or in your web page application code] allows access to all of
those servers and data. In other words, you're adding Web vulns to your DC
and DC vulns to your Web server.
Another problem with running a web server on a DC is that the accounts used
by your web server, such as the accounts for anonymous web access, are now
domain accounts and could potentially be used to access other servers on
your domain.
It's totally your decision if you want or need to run all of these on one
server, for example due to financial limitations. If you have the money and
the need for security, you can choose to "upgrade" to separate servers.
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
Posted by S. Pidgorny on July 13, 2006, 6:15 am
The domain controller role includes Kerberos, LDAP/LDAP to GC, RPC (and an
RPC port for AD functionality), CIFS and ping. You'll find the port
information in the whitepaper on AD replication across firewalls.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> Hi, friends,
> I want to install a firewall on my DC to close unwanted open ports. Which
> ports must be open on my firewall for it (my DC) to work properly?
> The roles of my DC are:
>
> domain controller
> dns server
> dhcp server
> iis server (http and ftp)
> application server
> and mail server
>
> Thanks for your time.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200607/1
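Karl's reply suggests running the firewall for a week with a single permit-and-log rule and then predicting what the eventual blocking rules would drop, and also points at the services file for port numbers; Svyatoslav's reply adds the fixed-port protocols the DC role itself needs. The script below is an added example, not code from either poster or from Microsoft. It parses a constructed excerpt in the layout of `%windir%\system32\drivers\etc\services` (the entries are standard well-known assignments, but the excerpt is my own reduced sample), builds an inbound allow-list from the roles named in the thread, and runs constructed log lines (modelled on the Windows Firewall `pfirewall.log` field order, which is an assumption on my part; addresses and times are invented) through it to show which flows the proposed rules would block. The dynamically negotiated RPC port in the sample is reported as blocked, which is exactly the gap Karl's "random ports" remark points at.

```python
"""Added example, not from the thread: derive a per-role inbound allow-list from a
services-file excerpt and predict which logged flows those rules would block."""
from collections import Counter

# Constructed excerpt in the layout of %windir%\system32\drivers\etc\services
# (name  port/protocol  [aliases]  [# comment]).  Real well-known assignments,
# but a reduced sample written for this example, not the full file.
SERVICES_TEXT = """\
# Constructed sample, not a full services file
ftp-data        20/tcp
ftp             21/tcp
smtp            25/tcp    mail
domain          53/tcp
domain          53/udp
bootps          67/udp    dhcps      # DHCP server
bootpc          68/udp    dhcpc      # DHCP client
http            80/tcp    www www-http
kerberos        88/tcp    krb5
kerberos        88/udp    krb5
pop3            110/tcp
auth            113/tcp   ident tap
epmap           135/tcp   loc-srv    # RPC endpoint mapper
imap            143/tcp
ldap            389/tcp
microsoft-ds    445/tcp              # CIFS / SMB over TCP
"""

# Role -> service names, following the roles listed in the thread.  The "dc"
# entry covers only fixed ports; RPC's dynamically negotiated ports are
# deliberately absent, so flows to them show up as "would be blocked".
ROLE_SERVICES = {
    "dc":   ["kerberos", "ldap", "epmap", "microsoft-ds"],
    "dns":  ["domain"],
    "dhcp": ["bootps", "bootpc"],
    "http": ["http"],
    "ftp":  ["ftp", "ftp-data"],
    "mail": ["smtp", "auth", "pop3", "imap"],
}

def parse_services(text):
    """Parse services-file lines into {(port, proto): service-name}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # tolerate malformed lines
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = fields[0]
    return table

def allow_list(services, roles):
    """Return the set of (port, proto) the firewall should permit inbound."""
    wanted = {name for role in roles for name in ROLE_SERVICES[role]}
    return {key for key, name in services.items() if name in wanted}

# Constructed log lines modelled on the pfirewall.log field order (assumed);
# every address, port and timestamp here is invented for the example.
LOG_TEXT = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-07-12 07:15:01 ALLOW UDP 192.0.2.10 192.0.2.1 49152 53 - - - - - - - - RECEIVE
2006-07-12 07:15:02 ALLOW TCP 192.0.2.11 192.0.2.1 1034 389 - - - - - - - - RECEIVE
2006-07-12 07:15:03 ALLOW TCP 192.0.2.11 192.0.2.1 1035 1026 - - - - - - - - RECEIVE
2006-07-12 07:15:04 ALLOW TCP 192.0.2.12 192.0.2.1 2210 80 - - - - - - - - RECEIVE
2006-07-12 07:15:05 ALLOW TCP 192.0.2.13 192.0.2.1 2211 3389 - - - - - - - - RECEIVE
2006-07-12 07:15:06 ALLOW ICMP 192.0.2.14 192.0.2.1 - - - - - - - 8 0 - RECEIVE
2006-07-12 07:15:07 ALLOW TCP 192.0.2.1 198.51.100.5 1040 25 - - - - - - - - SEND
"""

def parse_log(text):
    """Yield (proto, dst-port or None, path) for each data line of the log."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        f = raw.split()
        proto, dport, path = f[3].lower(), f[7], f[-1]
        yield proto, (int(dport) if dport.isdigit() else None), path

def predict_blocked(log_text, allowed, permit_icmp_echo=True):
    """Count inbound flows (path RECEIVE) the allow-list would not permit.
    Returns a Counter keyed by (proto, dst-port)."""
    blocked = Counter()
    for proto, dport, path in parse_log(log_text):
        if path != "RECEIVE":
            continue                 # outbound traffic is not governed by inbound rules
        if proto == "icmp":
            if not permit_icmp_echo:
                blocked[("icmp", None)] += 1
            continue
        if (dport, proto) not in allowed:
            blocked[(proto, dport)] += 1
    return blocked

if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    allowed = allow_list(services, ["dc", "dns", "dhcp", "http", "ftp", "mail"])
    for (proto, port), n in sorted(predict_blocked(LOG_TEXT, allowed).items(), key=str):
        print(f"would block {n} inbound {proto.upper()} flow(s) to port {port}")
```

Run against a real week of permit-and-log output, the list this prints is the set of things that will break (or that you will be glad to see go, such as the sample's RDP-port flow) once the blocking rules are turned on; the RPC hit is the cue to apply the fixed-port configuration from the KB articles Karl linked rather than to open the whole dynamic range.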