Firewall on a Windows Server 2008 virtual machine domain

  • Question

  • Hi,

    We are currently running an Active Directory environment containing 2008 Domain Controllers and 2008/2003 Member servers.

    The Windows firewall is currently turned off but security have requested that we turn it on. I looked for a document which explains the standard settings which should be implemented on the Windows Firewall so that Active Directory will continue to function properly.

    It is just the settings for the domain controller for now as we are doing member servers at a later date.

    Does anybody know which ports/program exceptions are required on the Windows Firewall on a 2008 domain controller?

    Thanks!

Answers

  • You need to exclude these ports, listed in the table below

    | Possible rule name | Description | Port | Path |
    |---|---|---|---|
    | Active Directory Domain Controller - LDAP [TCP-In] | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. [TCP 389] | 389 | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller - LDAP [UDP-In] | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. [UDP 389] | 389 | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller - LDAP for Global Catalog [TCP-In] | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. [TCP 3268] | 3268 | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller - NetBIOS name resolution [UDP-In] | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. [UDP 138] | 138 | System |
    | Active Directory Domain Controller - SAM/LSA [NP-TCP-In] | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. [TCP 445] | 445 | System |
    | Active Directory Domain Controller - SAM/LSA [NP-UDP-In] | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. [UDP 445] | 445 | System |
    | Active Directory Domain Controller - Secure LDAP [TCP-In] | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. [TCP 636] | 636 | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller - Secure LDAP for Global Catalog [TCP-In] | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. [TCP 3269] | 3269 | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller - W32Time [NTP-UDP-In] | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. [UDP 123] | 123 | %systemroot%\System32\svchost.exe |
    | Active Directory Domain Controller [RPC] | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service. | Dynamic RPC | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller [RPC-EPMAP] | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service. | 135 | %systemroot%\System32\svchost.exe |
    | Active Directory Domain Controller [TCP-Out] | Outbound rule for the Active Directory Domain Controller service. [TCP] | Any | %systemroot%\System32\lsass.exe |
    | Active Directory Domain Controller [UDP-Out] | Outbound rule for the Active Directory Domain Controller service. [UDP] | Any | %systemroot%\System32\lsass.exe |
    | DNS [TCP, Incoming] | DNS inbound | 53 | %systemroot%\System32\dns.exe |
    | DNS [UDP, Incoming] | DNS inbound | 53 | %systemroot%\System32\dns.exe |
    | DNS [TCP, Outbound] | DNS outbound | 53 | %systemroot%\System32\dns.exe |
    | DNS [UDP, Outbound] | DNS outbound | 53 | %systemroot%\System32\dns.exe |
    | DNS RPC, incoming | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS Service | 135 | %systemroot%\System32\dns.exe |
    | DNS RPC, incoming | Inbound rule to allow remote RPC/TCP access to the DNS service | Dynamic RPC | %systemroot%\System32\dns.exe |

    If you need to deploy this on a large number of servers or clients, you can configure this in Group Policy. You can access all of these group policy settings from the Server 2008 Group Policy Management MMC snap-in under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security. Right-clicking any of the listed options will allow you to create new rules for the firewall.

    Does this help you?

    Certifications: MCSA 2003 MCSE 2003

    • Edited by Monday, August 10, 2009 5:02 PM
    • Proposed as answer by Guido van Brakel Monday, August 10, 2009 5:03 PM
    • Marked as answer by Virtualmanc Thursday, August 13, 2009 11:00 PM
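The rules in the table above, applied with netsh advfirewall and then checked from a member server, as an added example that is not part of the original answer. netsh is used rather than PowerShell firewall cmdlets because the NetSecurity module does not exist on Windows Server 2008; the script is written for PowerShell 2.0. The rule-name prefix "DC-Baseline", the host name dc01.corp.example, and the choice to treat the table's port as the local port for inbound rows and the remote port for outbound rows are this script's own assumptions, not something the answer states.

```powershell
# Added example (not from the original post): create the DC firewall rules from
# the table with netsh advfirewall, enable the domain profile, and probe the
# DC's TCP listeners from another host. Run Install-DcFirewallRules in an
# elevated prompt ON the domain controller; run Test-DcTcpPorts FROM a member.

$prefix = "DC-Baseline"   # assumed name prefix so the whole set can be listed/removed together

# One entry per table row. "RPC" and "RPC-EPMap" are netsh keywords for the
# dynamic RPC range and the endpoint mapper (TCP 135); both are TCP-only.
$dcRules = @(
  @{ Name="LDAP [TCP-In]";              Dir="in";  Proto="TCP"; Port="389";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="LDAP [UDP-In]";              Dir="in";  Proto="UDP"; Port="389";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="LDAP GC [TCP-In]";           Dir="in";  Proto="TCP"; Port="3268";      Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="NetBIOS datagram [UDP-In]";  Dir="in";  Proto="UDP"; Port="138";       Prog="System" },
  @{ Name="SAM/LSA [NP-TCP-In]";        Dir="in";  Proto="TCP"; Port="445";       Prog="System" },
  @{ Name="SAM/LSA [NP-UDP-In]";        Dir="in";  Proto="UDP"; Port="445";       Prog="System" },
  @{ Name="Secure LDAP [TCP-In]";       Dir="in";  Proto="TCP"; Port="636";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="Secure LDAP GC [TCP-In]";    Dir="in";  Proto="TCP"; Port="3269";      Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="W32Time [NTP-UDP-In]";       Dir="in";  Proto="UDP"; Port="123";       Prog="%systemroot%\System32\svchost.exe" },
  @{ Name="AD DS [RPC-In]";             Dir="in";  Proto="TCP"; Port="RPC";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="AD DS [RPC-EPMAP-In]";       Dir="in";  Proto="TCP"; Port="RPC-EPMap"; Prog="%systemroot%\System32\svchost.exe" },
  @{ Name="AD DS [TCP-Out]";            Dir="out"; Proto="TCP"; Port="any";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="AD DS [UDP-Out]";            Dir="out"; Proto="UDP"; Port="any";       Prog="%systemroot%\System32\lsass.exe" },
  @{ Name="DNS [TCP-In]";               Dir="in";  Proto="TCP"; Port="53";        Prog="%systemroot%\System32\dns.exe" },
  @{ Name="DNS [UDP-In]";               Dir="in";  Proto="UDP"; Port="53";        Prog="%systemroot%\System32\dns.exe" },
  @{ Name="DNS [TCP-Out]";              Dir="out"; Proto="TCP"; Port="53";        Prog="%systemroot%\System32\dns.exe" },
  @{ Name="DNS [UDP-Out]";              Dir="out"; Proto="UDP"; Port="53";        Prog="%systemroot%\System32\dns.exe" },
  @{ Name="DNS [RPC-EPMAP-In]";         Dir="in";  Proto="TCP"; Port="RPC-EPMap"; Prog="%systemroot%\System32\dns.exe" },
  @{ Name="DNS [RPC-In]";               Dir="in";  Proto="TCP"; Port="RPC";       Prog="%systemroot%\System32\dns.exe" }
)

function Add-DcRule($r) {
  # Build the netsh argument list; PowerShell quotes the values that contain spaces.
  $cmdArgs = @("advfirewall", "firewall", "add", "rule",
               "name=$prefix - $($r.Name)", "dir=$($r.Dir)", "action=allow",
               "enable=yes", "profile=domain", "protocol=$($r.Proto)", "program=$($r.Prog)")
  if ($r.Port -ne "any") {
    # Assumption: inbound rows name the port the DC listens on, outbound rows the peer's port.
    if ($r.Dir -eq "in") { $cmdArgs += "localport=$($r.Port)" } else { $cmdArgs += "remoteport=$($r.Port)" }
  }
  & netsh.exe $cmdArgs | Out-Null
  if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule '$($r.Name)'" }
}

function Install-DcFirewallRules {
  foreach ($r in $dcRules) { Add-DcRule $r }
  # Only now switch the domain profile on, and log drops so a missed port shows up
  # in %systemroot%\system32\LogFiles\Firewall\pfirewall.log instead of as a silent outage.
  netsh advfirewall set domainprofile logging droppedconnections enable | Out-Null
  netsh advfirewall set domainprofile state on | Out-Null
  netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name:\s+$prefix"
}

function Test-DcTcpPort([string]$Dc, [int]$Port, [int]$TimeoutMs = 2000) {
  # TCP connect probe using .NET sockets, which is all PowerShell 2.0 offers.
  $client = New-Object System.Net.Sockets.TcpClient
  try {
    $async = $client.BeginConnect($Dc, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out: dropped
    $client.EndConnect($async)   # throws if the DC actively refused
    return $true
  } catch { return $false }
  finally { $client.Close() }
}

function Test-DcTcpPorts([string]$Dc) {
  # TCP ports from the table. The UDP rows (53, 123, 138, 389, 445) and the dynamic
  # RPC range cannot be verified with a plain connect probe.
  foreach ($p in 53, 135, 389, 445, 636, 3268, 3269) {
    $state = if (Test-DcTcpPort $Dc $p) { "open" } else { "blocked" }
    "{0,5}/tcp  {1}" -f $p, $state
  }
}

# Usage (assumed host name):
#   On the DC:        Install-DcFirewallRules
#   On a member:      Test-DcTcpPorts "dc01.corp.example"
```

Run the probe before and after turning the profile on so the diff shows exactly what the rule set changed. Note that the table carries no rule for Kerberos (port 88) or Kerberos password change (port 464); the built-in "Active Directory Domain Services" rule group on Windows Server 2008 does include those, so compare this list against that group (netsh advfirewall firewall show rule name=all) before relying on it alone.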