Securing a DC with firewall?

Posted by Gaspar on January 26, 2006, 9:36 am
Is it a good practice to secure each AD controller with the Windows 2003's
built-in firewall? Or Windows 2003 already secures ports by opening those
necessary to run Active Directory (and closing all others)?

Thanks



Posted by Ondrej Sevecek on January 26, 2006, 10:57 am
It would probably be a problem because you will have to open a lot of ports
manually. Almost every port that is opened by the system itself is required
to be accessible remotely on a DC. But with the firewall you get at least
spoofing protection and also, anything you unintentionally install on the DC
will be protected by the firewall unless explicitly opened.

But in my opinion, it is unnecessary.

O.


> Is it a good practice to secure each AD controller with the Windows 2003's
> built-in firewall? Or Windows 2003 already secures ports by opening those
> necessary to run Active Directory (and closing all others)?
>
> Thanks
>



Posted by S. Pidgorny on January 27, 2006, 5:12 am
No, it is not a good practice. Keep your authentication domains and your
firewall zones the same.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> Is it a good practice to secure each AD controller with the Windows 2003's
> built-in firewall? Or Windows 2003 already secures ports by opening those
> necessary to run Active Directory (and closing all others)?
>
> Thanks
>



Posted by Steven L Umbach on January 28, 2006, 2:58 am
Windows 2003 does a pretty decent job of enabling necessary services for the
domain controller, unlike Windows 2000, which would also have IIS 5.0 running
whether you knew it or not. In most cases there is not much to gain by
having the Windows Firewall enabled on a domain controller, assuming the
admins are pretty competent and responsible and, of course, assuming that a
firewall is protecting the network from untrusted networks. For those who
want to try to enable the Windows Firewall on a Windows 2003 DC: if you have
SP1 installed, the Security Configuration Wizard [see link below] can help in
configuring the Windows Firewall and more, especially in regards to
services. Microsoft did a good job with it, and the rollback ability is
especially appreciated so that you can get back to where you were without
any worry, though backups of the System State are always still best
practice. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

> Is it a good practice to secure each AD controller with the Windows 2003's
> built-in firewall? Or Windows 2003 already secures ports by opening those
> necessary to run Active Directory (and closing all others)?
>
> Thanks
>


