Security Basics mailing list archives

Re: Windows firewall on active directory servers


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 6 Feb 2008 16:56:57 +0100

On 2008-02-06 Dani Houpt wrote:
> All, I'm working for a large school and we are deploying a new
> AD Forest.  By policy, they don't have firewalls between their
> internal network and their external network, but rather only have
> firewalls implemented on each server.

Bad policy. Don't do that.

> The reason for this is that they are more concerned with their internal
> users (the students) than any host out on the Internet.

Bad reason. The users on their internal network need access to their AD.
Everyone outside their internal network does not and thus should not
have access to it.

> When deploying AD, we came up with an issue with using the Windows
> firewall on the AD servers. After more research, we found out that
> Microsoft does not recommend using the Windows firewall on AD servers.
> The issue has to do with limiting the RPC ports.  The MS KB articles
> that we found specify to open 100 RPC ports but this does not seem to
> be enough.

Do proper network segmentation with firewalls on the borders of each
network segment. You definitely don't want to do host-based packet
filtering in such scenarios. If the policy requires something like that:
fix the policy, because it's broken.

Regards
Ansgar
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
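The RPC problem raised in the thread is that a domain controller's RPC services listen on ports drawn from a dynamic range, so a host firewall rule that opens a fixed window of ports is only correct if that window matches the range the host actually hands out. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the dynamic range with `netsh`, expands every enabled inbound Allow rule from the Windows Firewall, and reports which AD listeners (including the full dynamic range) would be blocked. It assumes Windows Server 2012 or later with the NetSecurity module, an elevated shell on the DC itself, and English `netsh` output; the port list is taken from public Microsoft documentation, not from the thread.

```powershell
# Added example (not from the thread): audit a domain controller's inbound
# Windows Firewall rules against the listeners Active Directory needs.
# Assumes Windows Server 2012+ with the NetSecurity module, an elevated
# shell on the DC itself, and English netsh output.

# Well-known DC listener ports. Assumed from public Microsoft documentation.
$AdPorts = @(
    @{ Port = 53;   Proto = 'TCP'; Name = 'DNS' },
    @{ Port = 53;   Proto = 'UDP'; Name = 'DNS' },
    @{ Port = 88;   Proto = 'TCP'; Name = 'Kerberos' },
    @{ Port = 88;   Proto = 'UDP'; Name = 'Kerberos' },
    @{ Port = 135;  Proto = 'TCP'; Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Proto = 'TCP'; Name = 'LDAP' },
    @{ Port = 389;  Proto = 'UDP'; Name = 'CLDAP' },
    @{ Port = 445;  Proto = 'TCP'; Name = 'SMB (SYSVOL/NETLOGON)' },
    @{ Port = 464;  Proto = 'TCP'; Name = 'Kerberos password change' },
    @{ Port = 464;  Proto = 'UDP'; Name = 'Kerberos password change' },
    @{ Port = 636;  Proto = 'TCP'; Name = 'LDAPS' },
    @{ Port = 3268; Proto = 'TCP'; Name = 'Global Catalog' },
    @{ Port = 3269; Proto = 'TCP'; Name = 'Global Catalog over TLS' }
)

# The dynamic RPC range this host hands out to services such as replication,
# SAM and Netlogon. netsh prints "Start Port : N" and "Number of Ports : M".
function Get-DynamicPortRange {
    $out   = (netsh int ipv4 show dynamicport tcp) -join "`n"
    $start = [int]([regex]::Match($out, 'Start Port\s*:\s*(\d+)').Groups[1].Value)
    $count = [int]([regex]::Match($out, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value)
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

# Turn a rule's LocalPort value (a number, "a-b", "Any", or the special
# tokens "RPC" / "RPCEPMap") into numeric ranges. Unknown tokens yield nothing.
function Expand-PortSpec {
    param([string[]]$Spec, $Dynamic)
    foreach ($s in $Spec) {
        switch -Regex ($s) {
            '^Any$'         { [pscustomobject]@{ From = 1; To = 65535 } }
            '^RPC$'         { [pscustomobject]@{ From = $Dynamic.Start; To = $Dynamic.End } }
            '^RPCEPMap$'    { [pscustomobject]@{ From = 135; To = 135 } }
            '^(\d+)-(\d+)$' { [pscustomobject]@{ From = [int]$Matches[1]; To = [int]$Matches[2] } }
            '^\d+$'         { [pscustomobject]@{ From = [int]$s; To = [int]$s } }
        }
    }
}

# Collect the numeric ranges every enabled inbound Allow rule opens, per protocol.
function Get-AllowedInboundRanges {
    param($Dynamic)
    $allowed = @{ TCP = @(); UDP = @() }
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        foreach ($proto in 'TCP', 'UDP') {
            if ($pf.Protocol -eq $proto -or $pf.Protocol -eq 'Any') {
                $allowed[$proto] += @(Expand-PortSpec -Spec @($pf.LocalPort) -Dynamic $Dynamic |
                                      Where-Object { $_ })
            }
        }
    }
    $allowed
}

# True if a single allowed range spans [From, To] entirely.
function Test-RangeCovered {
    param($Ranges, [int]$From, [int]$To)
    foreach ($r in $Ranges) { if ($r.From -le $From -and $r.To -ge $To) { return $true } }
    $false
}

# Report the AD listeners this host's firewall would block.
function Get-AdFirewallGaps {
    $dyn     = Get-DynamicPortRange
    $allowed = Get-AllowedInboundRanges -Dynamic $dyn
    $gaps    = @()
    foreach ($p in $AdPorts) {
        if (-not (Test-RangeCovered $allowed[$p.Proto] $p.Port $p.Port)) {
            $gaps += "$($p.Proto)/$($p.Port) ($($p.Name)) is not allowed inbound"
        }
    }
    # The whole dynamic range must be open. A fixed window of ports that does
    # not line up with it is the failure mode the thread describes.
    if (-not (Test-RangeCovered $allowed.TCP $dyn.Start $dyn.End)) {
        $gaps += "TCP $($dyn.Start)-$($dyn.End) (RPC dynamic range) is not fully allowed inbound"
    }
    $gaps
}

Get-AdFirewallGaps
```

An empty result means every listed AD port and the full dynamic range are reachable through the host firewall; each reported line names a listener that clients or replication partners on the internal network would be unable to reach. Whether the dynamic range itself has been narrowed (the approach behind opening a fixed block of RPC ports) is a separate decision; this script only checks that the firewall and the range actually agree.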