Host firewall on DC

Discussion in 'Server Security' started by SA, Sep 3, 2004.

  1. SA Guest

    I was looking for an article on implementing the host firewall on a DC. Any
    links?

    SA.
     
    SA, Sep 3, 2004
    #1

  2. Miha Pihler Guest

    Hi,

    There is really not much point in putting a firewall on a DC to protect it from
    clients. With everything that you would need to open, there is not much you
    could protect it from.

    You would need to open these:

    RPC endpoint mapper 135/tcp, 135/udp
    NetBIOS name service 137/tcp, 137/udp
    NetBIOS datagram service 138/udp
    NetBIOS session service 139/tcp
    RPC dynamic assignment 1024-65535/tcp
    SMB over IP (Microsoft-DS) 445/tcp, 445/udp
    LDAP 389/tcp
    LDAP over SSL 636/tcp
    Global catalog LDAP 3268/tcp
    Global catalog LDAP over SSL 3269/tcp
    Kerberos 88/tcp, 88/udp
    DNS 53/tcp, 53/udp
    WINS resolution (if required) 1512/tcp, 1512/udp
    WINS replication (if required) 42/tcp, 42/udp
    Network time protocol (NTP) 123/udp
    ICMP

    and inbound traffic on any port above 1023.

    Also it would need to be quite a good host based firewall to reliably
    configure all these...

    Mike
     
    Miha Pihler, Sep 3, 2004
    #2

  3. Miha,

    A firewall can be good for a number of reasons, such as:

    - preventing malicious/badly formatted packets arriving at
    vulnerable services/applications (both known and unknown
    vulnerabilities)
    - limiting protocols/ports being accessed
    - limiting clients/servers accessing the server
    - preventing unwanted applications/services accessing external
    resources

    Yes, I know that some of these features can be enabled by Windows
    itself, but even Windows code is not always secure.


    Regards,
    Lars Olaussen
     
    Lars Olaussen, Sep 3, 2004
    #3
  4. It's really no different from implementing a firewall anywhere else. If
    you're confused about what ports to use, you can try to enable it, only
    configure the rules you think you should use to permit but log packets, then
    check back after a week or so to see which ports are being used that you
    don't know about that would have been blocked by your rules.
     
    Karl Levinson [x y] mvp, Sep 4, 2004
    #4
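An added example, not from the thread: Karl's log-then-review approach in Windows Firewall terms, using PowerShell (NetSecurity module, Windows Server 2012 or later). Dropped inbound packets are logged for a while, then the log is tallied for destination ports that the allow rules do not cover. The log lines and 10.0.x.x addresses below are constructed, and the expected-port list is the one from post #2 with WINS left out.

```powershell
# Added example (not the thread's own text). Assumes Windows Firewall with Advanced
# Security and the NetSecurity module; sample log lines are constructed.

# Step 1: log dropped packets on the domain profile (path shown is the Windows default).
# Set-NetFirewallProfile -Profile Domain -LogBlocked True `
#     -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Step 2 (a week later): compare what was dropped against what the rules intend to allow.
# Ports from post #2 that the DC is expected to serve, as "proto/port" (WINS omitted).
$Expected = @(
    'TCP/135','UDP/135','TCP/137','UDP/137','UDP/138','TCP/139','TCP/445','UDP/445',
    'TCP/389','TCP/636','TCP/3268','TCP/3269','TCP/88','UDP/88','TCP/53','UDP/53','UDP/123'
)

function Get-UnexpectedDrops {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$ExpectedPorts
    )
    # pfirewall.log field order, from its "#Fields:" header:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -lt 17) { return }          # skip truncated or partial lines
            [pscustomobject]@{
                Action = $f[2]; Proto = $f[3]; Src = $f[4]; DstPort = $f[7]; Path = $f[16]
            }
        } |
        # Only inbound drops matter here; outbound (SEND) and ALLOW lines are noise for this question.
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |
        Where-Object { $ExpectedPorts -notcontains ('{0}/{1}' -f $_.Proto, $_.DstPort) } |
        Group-Object Proto, DstPort |
        ForEach-Object {
            [pscustomobject]@{
                Service = $_.Name -replace ', ', '/'
                Hits    = $_.Count
                Sources = ($_.Group.Src | Sort-Object -Unique) -join ' '
            }
        } |
        Sort-Object Hits -Descending
}

# Constructed sample log (not real traffic). For a real review, replace with:
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$Sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-10 09:01:12 DROP TCP 10.0.5.23 10.0.1.10 51234 3389 52 S 1123581321 0 8192 - - - RECEIVE
2004-09-10 09:01:15 DROP TCP 10.0.5.23 10.0.1.10 51235 3389 52 S 1123581399 0 8192 - - - RECEIVE
2004-09-10 09:02:40 DROP UDP 10.0.7.8 10.0.1.10 49222 464 78 - - - - - - - RECEIVE
2004-09-10 09:03:05 DROP TCP 10.0.1.10 10.0.9.9 50111 445 52 S 2234567890 0 8192 - - - SEND
2004-09-10 09:04:17 ALLOW TCP 10.0.5.40 10.0.1.10 50001 389 52 S 3345678901 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-UnexpectedDrops -LogLines $Sample -ExpectedPorts $Expected | Format-Table -AutoSize
```

The constructed sample is built to show the two kinds of result the review produces: drops to TCP/3389 from one workstation, which is a management protocol the thread's list never mentions and that you would decide about deliberately, and a drop to UDP/464 (Kerberos password change), a port that clients legitimately need and that the list in post #2 misses. The SEND and ALLOW lines are ignored on purpose.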
  5. The links below should help. Note that dynamic RPC presents a special challenge for
    firewall configuration, and see the article on how to use a registry setting to limit
    the range of ports that it assigns. What happens is that dynamic RPC uses a random
    port above 1024, but the firewall does not know this and will block the port. ---
    Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
     
    Steven L Umbach, Sep 4, 2004
    #5
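An added example, not from the thread: the port list from post #2 and the KB 179442 registry setting from post #5 applied to a DC with PowerShell (NetSecurity module, Windows Server 2012 or later). The 10.0.0.0/16 client subnet and the 5000-5100 RPC range are assumptions for illustration; the registry path, value names and types are the ones KB 179442 documents, and the new range only takes effect after a reboot.

```powershell
# Added example (not the thread's own text). Assumed values: client subnet 10.0.0.0/16,
# narrowed RPC range 5000-5100 (KB 179442 asks for at least 100 ports).
$ClientNet = '10.0.0.0/16'
$RpcRange  = '5000-5100'
$Group     = 'DC host firewall (thread example)'

# 1. Pin the dynamic RPC port range (KB 179442). Without this, RPC picks any port above
#    1024 and a port-based firewall has to leave that whole range open. Reboot required.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpcKey -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'Ports'                  -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y'          -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y'          -Force | Out-Null

# 2. Inbound allow rules for the services listed in post #2, restricted to the client
#    subnet. WINS (42, 1512) is only needed if this DC also runs WINS, so it is left out.
$Services = @(
    @{ Name = 'RPC endpoint mapper'; Proto = 'TCP'; Port = 135 },
    @{ Name = 'RPC endpoint mapper'; Proto = 'UDP'; Port = 135 },
    @{ Name = 'RPC dynamic range';   Proto = 'TCP'; Port = $RpcRange },   # replaces "1024-65535"
    @{ Name = 'NetBIOS name';        Proto = 'TCP'; Port = 137 },
    @{ Name = 'NetBIOS name';        Proto = 'UDP'; Port = 137 },
    @{ Name = 'NetBIOS datagram';    Proto = 'UDP'; Port = 138 },
    @{ Name = 'NetBIOS session';     Proto = 'TCP'; Port = 139 },
    @{ Name = 'SMB';                 Proto = 'TCP'; Port = 445 },
    @{ Name = 'SMB';                 Proto = 'UDP'; Port = 445 },
    @{ Name = 'LDAP';                Proto = 'TCP'; Port = 389 },
    @{ Name = 'LDAP over SSL';       Proto = 'TCP'; Port = 636 },
    @{ Name = 'GC LDAP';             Proto = 'TCP'; Port = 3268 },
    @{ Name = 'GC LDAP over SSL';    Proto = 'TCP'; Port = 3269 },
    @{ Name = 'Kerberos';            Proto = 'TCP'; Port = 88 },
    @{ Name = 'Kerberos';            Proto = 'UDP'; Port = 88 },
    @{ Name = 'DNS';                 Proto = 'TCP'; Port = 53 },
    @{ Name = 'DNS';                 Proto = 'UDP'; Port = 53 },
    @{ Name = 'NTP';                 Proto = 'UDP'; Port = 123 }
)

foreach ($s in $Services) {
    New-NetFirewallRule -DisplayName ('DC: {0} {1}/{2}' -f $s.Name, $s.Port, $s.Proto) `
        -Group $Group -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $s.Proto -LocalPort $s.Port -RemoteAddress $ClientNet | Out-Null
}

# ICMP echo request (ping) from the client subnet only, rather than all of ICMP.
New-NetFirewallRule -DisplayName 'DC: ICMPv4 echo' -Group $Group -Direction Inbound `
    -Action Allow -Profile Domain -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $ClientNet | Out-Null

# 3. Drop everything else inbound and log the drops, so they can be reviewed later.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767

# Review what was created.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Direction, Action
```

Two caveats before running this on a real DC. The registry setting changes the dynamic range for every RPC server on the host, not only the DC services, so anything else on the box that uses RPC lands in the same narrowed range. And the thread's list contains no remote-administration ports at all (RDP on 3389, WinRM), so add those for your management network before step 3 sets the default inbound action to Block from a remote session. On Windows Server 2008 and later the default dynamic range is already 49152-65535 rather than everything above 1023, which is smaller but still far wider than a DC needs.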
  6. Maciej Guest

    IMHO it's nearly a host IDS or IPS solution, not just simple packet filter
    :)

    best regards

    Maciej, Poland
     
    Maciej, Sep 6, 2004
    #6