Ports for Domain Controller

Guest

Hi,
As per our requirement, our domain controller will have a public ip and all
the clients will be on the internet. The domain controller will have to
implement group policies on the clients. Please enlighten me the required
ports that have to be opened on the server side and their direction.
(Incoming, outgoing, bidirectional).

Regards
Ram
 
From: "Ram" <[email protected]>

| Hi,
| As per our requirement, our domain controller will have a public ip and all
| the clients will be on the internet. The domain controller will have to
| implement group policies on the clients. Please enlighten me the required
| ports that have to be opened on the server side and their direction.
| (Incoming, outgoing, bidirectional).
|
| Regards
| Ram

NetBIOS over IP. It is a BAD idea to have these ports exposed to the Internet!
It will leave you vulnerable to hackers and Internet worms.

TCP and UDP ports 135 ~ 139 and 445.
 
Ram said:
Hi,
As per our requirement, our domain controller will have a public ip
and all the clients will be on the internet. The domain controller
will have to implement group policies on the clients. Please
enlighten me the required ports that have to be opened on the server
side and their direction. (Incoming, outgoing, bidirectional).

Regards
Ram

I don't think you will be able to secure this setup. You will be vulnerable
to many Internet attacks. What are you trying to accomplish with this? The
proper way to set this up would be with VPNs.
 
I don't think you will be able to secure this setup. You will be
vulnerable to many Internet attacks. What are you trying to accomplish
with this? The proper way to set this up would be with VPNs.

I agree. However, the ports that will be used are here:

http://securityadmin.info/faq.asp?firewallproblem

specifically:

How to configure a firewall to allow Windows domain networking [or consider
using PPTP or VPN instead]:
http://support.microsoft.com/?kbid=179442
http://support.microsoft.com/?kbid=154596
 
Exactly what are your requirements and what access level do users need to
the domain controller? Do you have any other servers? What you describe is
very insecure and would be highly unusual if I understand you correctly. I
understand that many ISPs block file and print sharing ports over their
network since Blaster. Also understand that domain users can log on to their
computer with cached domain credentials once they have authenticated with
the domain controller. Cached domain logons also retain Group Policy
settings. As others have mentioned, a VPN may be what you really want.

Steve
 
Hi,

The sole purpose of this domain controller would be to implement group
policies. We are not providing any services like internet, email etc. through
this domain. The servers providing these services will not be part of this
domain. The clients will be on the internet. We are planning to implement
internet kiosks all over our state.

Please let me know the exact ports and their direction and also the
procedure involved in joining clients on the internet to this domain
controller.

Regards
Ram
 
Hi
Also please let me know how to secure this setup, as I learnt from you,
that this scenario is very vulnerable.

Regards
Ram
 
Please let me know the exact ports and their direction and also the
procedure involved in joining clients on the internet to this domain
controller.

See the links in my post. The first Microsoft.com link also mentions using
PPTP to create an authenticated VPN, so that you don't have to open all
those ports on your firewall and aren't letting just anyone in to your DC.
Clicking Start, Help in Windows, or searching Google or Microsoft.com, will
give you more information on setting up a PPTP, L2TP or IPSec VPN.
 
Ram said:
Hi
Also please let me know how to secure this setup, as I learnt from
you, that this scenario is very vulnerable.

Regards
Ram

It sounds like you may need to hire someone who knows how to do this. This
is a complex setup that needs to be done right. Internet kiosks are common
enough that there are off-the-shelf solutions that in the end may be cheaper
and easier than trying to come up with your own. If you are stuck at this
very early point, how will you support these sites when things go wrong?

http://www.google.com/search?hl=en&q=internet+kiosk&btnG=Google+Search
 
I think you are going to find that it will not work as expected for that
purpose, with one big reason being the slowness of an internet connection,
which will cause complications with applying Group Policy, and using secure
solutions such as a VPN endpoint would cause even more overhead for the
connection. I would not even consider it without using IPsec endpoint
devices in every location and testing locations of various connection speeds
before considering rolling out. Like I said, a lot of ISPs will filter out the ports
for direct traffic needed to make this work in the first place. But to
answer your question, the link below shows the port requirements; be sure
to read the information about dynamic RPC.

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

I agree with Kerry in that there are other solutions that may include images
of hardened operating systems to install. The free Microsoft Shared Computer
Toolkit may be helpful in your case to do that.

Steve

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx --- Shared
Computer Toolkit
 