Firewall policy help

nuclearsnake

I'm trying to build a firewall policy that will do the following on a Windows 2003 Server

From the 2003 Server, allow it to contact the DC to process logons
Not allowing the same server to browse the network. i.e.: no outbound connections

I'm having issues with the Windows TCP and UDP Ports that need to be setup...

oh, I'm using SEP's Firewall
 
Have you tried google?

The first hit when searching for "Ports for Windows Login" takes you to a MS KB doc that outlines all the ports needed to process AD logins.
 
Yep ;)

The issue is that when I block outbound TCP 139 and 445 and UDP 137 and 138, the server returns a message when I try to logon with a new account

"The system cannot log you on due to the following error:
The RPC server is unavailable
Please try again or consult your system administrator"

but the blocking of the file shares works for any user who's already logged on
 
You might have noticed that share access and authentication access use the same ports (and group policy processing is dependent on being able to access file shares on the DCs).

http://support.microsoft.com/kb/832017/

You can specify the rules to only allow outbound traffic over those ports to DCs (specifying all of your DCs by IP address). That would let logons and group policy processing work, with shares on DCs being the only ones accessible.

You need to make some registry changes on your DCs, as they select some ports randomly on each startup; otherwise you have to open really large port ranges, only to your DCs.

http://support.microsoft.com/kb/224196/
http://support.microsoft.com/kb/154596/
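The policy described in the reply above (allow the logon and group policy ports only to the DC addresses, drop every other outbound connection, and pin the DC's RPC ports so the rule set stays small), written out as an added example that is not from the thread or from SEP. It assumes Windows Firewall with Advanced Security cmdlets (Windows Server 2012 or later) rather than the SEP firewall on Server 2003 the poster is using, so the rule shape carries over but the commands do not. The DC addresses, the RPC range and the non-DC test host are placeholders; the port list follows the standard AD logon list from the KB article linked above.

```powershell
# Added example, not from the thread. Run as Administrator.
# Placeholders (assumptions): replace with your own values.
$DcAddresses = @('10.0.0.10', '10.0.0.11')   # placeholder: your DC IP addresses
$RpcRange    = '5000-5020'                   # placeholder: RPC range pinned on the DCs (KB 154596)
$NtdsPort    = '50000'                       # placeholder: AD RPC port pinned on the DCs (KB 224196)

function Set-MemberServerPolicy {
    # Ports a domain member needs for logon and group policy (KB 832017): DNS, Kerberos,
    # LDAP/GC, RPC endpoint mapper plus the pinned RPC ports, SMB/NetBIOS for SYSVOL, NTP.
    $allowRules = @(
        @{ Name = 'AD-DNS';          Protocol = 'TCP'; Ports = @('53') },
        @{ Name = 'AD-DNS-UDP';      Protocol = 'UDP'; Ports = @('53') },
        @{ Name = 'AD-Kerberos';     Protocol = 'TCP'; Ports = @('88', '464') },
        @{ Name = 'AD-Kerberos-UDP'; Protocol = 'UDP'; Ports = @('88', '464') },
        @{ Name = 'AD-LDAP-GC';      Protocol = 'TCP'; Ports = @('389', '636', '3268', '3269') },
        @{ Name = 'AD-LDAP-UDP';     Protocol = 'UDP'; Ports = @('389') },
        @{ Name = 'AD-RPC';          Protocol = 'TCP'; Ports = @('135', $RpcRange, $NtdsPort) },
        @{ Name = 'AD-SMB';          Protocol = 'TCP'; Ports = @('139', '445') },
        @{ Name = 'AD-NetBIOS';      Protocol = 'UDP'; Ports = @('137', '138') },
        @{ Name = 'AD-NTP';          Protocol = 'UDP'; Ports = @('123') }
    )

    # Every allow rule is scoped to the DC addresses only.
    foreach ($rule in $allowRules) {
        New-NetFirewallRule -DisplayName "Outbound $($rule.Name) to DCs only" `
            -Direction Outbound -Action Allow -Profile Domain `
            -Protocol $rule.Protocol -RemotePort $rule.Ports `
            -RemoteAddress $DcAddresses | Out-Null
    }

    # Everything not matched above is dropped by the profile default; that is what gives
    # "no browsing the network". Do NOT add an explicit Block rule for 139/445 to any
    # address: in Windows Firewall a matching Block rule wins over a matching Allow rule,
    # so it would cut off the DCs too and reproduce the "RPC server is unavailable" logon
    # failure the poster is seeing.
    Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
}

function Test-MemberServerPolicy {
    # Quick check: SMB to a DC should connect, SMB to any other host should not.
    $nonDc = '10.0.0.50'   # placeholder: some non-DC host on the network
    Test-NetConnection -ComputerName $DcAddresses[0] -Port 445 |
        Select-Object ComputerName, TcpTestSucceeded
    Test-NetConnection -ComputerName $nonDc -Port 445 |
        Select-Object ComputerName, TcpTestSucceeded
}

function Set-DcRpcPorts {
    # Run this on each DC, not on the member server. It pins the RPC ports the allow
    # rules reference, so the DC stops picking a random high port at every start
    # (KB 154596 for the RPC range, KB 224196 for the AD/NTDS port). Reboot the DC afterwards.
    $rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    New-Item -Path $rpcKey -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'Ports'                  -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y'         -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y'         -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value ([int]$NtdsPort) -Force | Out-Null
}

# On the member server:
Set-MemberServerPolicy
Test-MemberServerPolicy
# On each DC (after deciding the range and port values above):
# Set-DcRpcPorts
```

The check matters more than the rule list: the symptom in this thread (existing sessions keep working, new logons fail with "The RPC server is unavailable") is exactly what a block on 445 to all addresses produces, because cached credentials need no DC but a fresh logon does. Address-scoped rules separate "talk to a DC" from "talk to anything else"; they cannot separate SYSVOL access from share browsing on the same host, which is the limit the thread runs into when the DC is also the file server.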
 
You might have noticed that share access and authentication access use the same ports (and group policy processing is dependent on being able to access file shares on the DCs).
http://support.microsoft.com/kb/832017/
Yeah, that's the issue I'm having. Is there a separate application/service for each of the events (fileshare vs logon) that I can use to build a policy around on the firewall? If they are both ntoskrnl.exe then I'm hosed, eh?

You can specify the rules to only allow outbound traffic over those ports to DCs only (specifying all of your DCs by IP address
The DC is the file server... sigh
 