Also note that with the Windows Server 2008 AD infrastructure, there are
going to be some features that might more closely address what you are
looking in a branch office environment.

With the advent of officially supported, native, read-only domain
controllers, depending on your user volume in those remote offices, you now
have a capability where you can use low cost site to site VPN links over
standard internet or WAN connections to allow users to login and update AD
stored data entries while still maintaining your primary credential cache
close to the segment of your user base. The primary item of interest here
is potentially lower administration overhead and an element of risk
mitigation inherent in your infrastructure architecture by limiting the
threat to your potentially more "exposed" branch office servers.

James Eaton-Lee has provided you the principal resources here that really
govern how to work with AD in a segmented infrastructure, use those and at
2008 RTM you may want to examine your environment to see if there are risk
factors that you might be able to re-assess at that time with updated
windows products.

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of James (njan) Eaton-Lee
Sent: Tuesday, July 24, 2007 1:31 PM
To: 'Focus-MS'
Subject: Re: win2k3 active directory - firewall ports

dubaisans dubai wrote:
> i want to put win2k3 active directory server behind the corporate
> firewall. we are using windows xp clients and also group policy

See the following for information on AD in segmented networks, and what
the firewall implications are for Login, Authentication, Fileshare,
Replication traffic, etc:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4
caf-
9767-a9166368434e&DisplayLang=en

This is well worth reading from start to finish and as well as simple
port listings, it provides substantial guidance on segregating AD in
various ways and how you should & shouldn't go about doing it, with
discussion of IPSec.

> what ports need to be allowed on firewall ? is there any fine tuning
> that can be done on AD to make it more firewall friendly?

Yes. See the following: http://support.microsoft.com/kb/224196

> i have some DC is remote locations . what ports need to be allowed
between DCs?

In order to allow replication to happen over a firewall, see the following:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologie
s/ac
tivedirectory/deploy/confeat/adrepfir.mspx

See also the "Active Directory in Networks Segmented by Firewalls" guide
both for this and for more information on IPSec.

It is not to be recommended, however, to do this over the internet. You
almost certainly want to consider IPSec and/or a site-to-site VPN or
private circuit.

Hope that helps,

- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again"

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--

[ reply ]