Locking down AD ports

Printable View

28-03-2012
Domon

Locking down AD ports

Hi guys,

Our company is currently planning to deploy RODC in our branch offices. So the end result is that we will have two sites, HQ and branch office. The communications between the RODC and Writeable DC will also pass through our firewall.

We are looking to reduce the no of ports needed to open on the firewall level especially the RPC ports used for AD communtications. We read some of Microsoft articles and they recommend us to restrict the following ports to a fixed ports on our DCs.

1) Netlogon
2) NTFRS / DRS
3) NTDS

But a few articles included the mean of reducing the RPC port range as well. Hence, I would like to check with you guys if restricting the ports for the 3 services above is enough or we should reduce the RPC port range as well?

Regards
28-03-2012
EINSTEIN_007

Re: Locking down AD ports

You can checkout the link of the kb article for restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196. This will cause AD replication traffic to use the port you specify. Keep in mind the endpoint mapper still needs to be available (so 135 is a must regardless) but instead of it randomly negotiating a port after 135, it will use the one you configure.
29-03-2012
Domon

Re: Locking down AD ports

Hi EINSTEIN_007,

Thanks for the advise. Will check it out. Probably I will also test out the rules in our developlement servers.

Regards
15-04-2012
Domon

Re: Locking down AD ports

Hi EINSTEIN_007,

I did some testing on our development setup. We setup one writable DC (in site 1) and a RODC (in site 2). We also simulate a firewall between them using ISA server 2006. In ISA server, we also setup access rules to allow the ports required be DC stated in the given article (TCP 135, 445 etc) and also fixed the NTFRS, NTDS and NETLOGON ports to a fixed one. They are also allowed in ISA server. But we didn't allow the dynamic RPC range.

Not sure if we ISA rules is setup wrongly, we have been seeing replication errors between the DCs. Hence, we would like clarify with you if dynamic RPC ranges are required for replication to works even we have fixed the AD ports to specific ports.

Regards