\nPersonally, I wouldn’t firewall AD but that’s just me.<\/p>\n<\/blockquote>\n<\/aside>\n
I wouldn’t either, but if you’re writing the profiles from a security point of view, the common methodology is to deny all then poke the required holes as needed, yes?<\/p>\n<\/blockquote>\n<\/aside>\n
No.<\/p>\n
There is a difference between securing something for practical reasons versus security potentially causing more problems.<\/p>\n
Because of the way AD works, I wouldn’t block any of it’s ports. If there are genuine security concerns then there are better ways to lock down your AD servers.<\/p>","upvoteCount":0,"datePublished":"2015-05-05T09:57:28.000Z","url":"https://community.spiceworks.com/t/firewall-rule-cheat-sheet/401296/6","author":{"@type":"Person","name":"Gary-D-Williams","url":"https://community.spiceworks.com/u/Gary-D-Williams"}},{"@type":"Answer","text":"\n\n
<\/div>\n
Optimaximal:<\/div>\n
\n\n\n
<\/div>\n
Gary D Williams:<\/div>\n
\nPersonally, I wouldn’t firewall AD but that’s just me.<\/p>\n<\/blockquote>\n<\/aside>\n
Also, Spiceworks requires inbound TCP 139 & 445 and UDP 137 & 138 for the scans, according to the documentation.<\/p>\n<\/blockquote>\n<\/aside>\n
Correct as well as TCP 22 and more but that’s outbound, not inbound.<\/p>","upvoteCount":0,"datePublished":"2015-05-05T09:58:07.000Z","url":"https://community.spiceworks.com/t/firewall-rule-cheat-sheet/401296/7","author":{"@type":"Person","name":"Gary-D-Williams","url":"https://community.spiceworks.com/u/Gary-D-Williams"}},{"@type":"Answer","text":"\n\n
<\/div>\n
Gary D Williams:<\/div>\n
\nNo.<\/p>\n
There is a difference between securing something for practical reasons versus security potentially causing more problems.<\/p>\n
Because of the way AD works, I wouldn’t block any of it’s ports. If there are genuine security concerns then there are better ways to lock down your AD servers.<\/p>\n<\/blockquote>\n<\/aside>\n
Then maybe I’m being stupid, but how do you work around the Windows Firewall concept of ‘Inbound connections that do not match a rule are blocked’ if you are not defining the rules?<\/p>\n
I see now that a number of Core Networking rules are already defined in the local WFwAS Rules. I wasn’t intending to override them, just making sure all the boxes are ticked and ensuring I can turn the Windows Firewall Domain Profile from ‘Allow All’ to ‘Block (Default)’ in GP and not<\/strong><\/em> have the entire company come crashing down.<\/p>","upvoteCount":0,"datePublished":"2015-05-05T10:07:56.000Z","url":"https://community.spiceworks.com/t/firewall-rule-cheat-sheet/401296/8","author":{"@type":"Person","name":"optimaximal","url":"https://community.spiceworks.com/u/optimaximal"}},{"@type":"Answer","text":"\n\n
<\/div>\n
Gary D Williams:<\/div>\n
\nI don’t use the windows firewall on anything other than laptops. On the servers, I’m using vlans so that, if required, other tools such as IDS systems can examine the traffic as it passes between networks.<\/p>\n<\/blockquote>\n<\/aside>\n
Good point. Maybe I’m approaching this problem the wrong way around - IDS via Snort on pfSense is on the todo list. I guess I just wanted to stop Windows Action Centre from moaning about the Firewall status without simply just ‘disabling the message’…<\/p>","upvoteCount":0,"datePublished":"2015-05-05T10:15:14.000Z","url":"https://community.spiceworks.com/t/firewall-rule-cheat-sheet/401296/10","author":{"@type":"Person","name":"optimaximal","url":"https://community.spiceworks.com/u/optimaximal"}}]}}
Does anyone have an at-a-glance list of common, required Firewall rules?
Because we’ll be doing internal pen tests to satisfy PCI regs, obviously now the internal defences need to come up, which ofc means our internal rule lists are tabula rasa.
Microsoft don’t make it easy with their dynamic ranges and multiple conflicting documents on TechNet/MSDN and there’s common services that we all just take for granted without thinking about whether they work or not.
Anyone out there have a de-facto list and or importable policy they repeatedly use, ideally split into Inbound & Outbound and Desktop vs. Server?
3 Spice ups
Optimaximal:
Does anyone have an at-a-glance list of common, required Firewall rules?
Because we’ll be doing internal pen tests to satisfy PCI regs, obviously now the internal defences need to come up, which ofc means our internal rule lists are tabula rasa.
If this is for PCI, don’t they have a list of requirements for firewalls that you can self audit against?
They have a short-list of the obvious unsecured ports that they require to be fudged into their secure alternatives, but I’m after a more functional list of common software…
I.e. What I mean is to make/compile a list of what would be required to make AD, SQL Server, Sharepoint, Spiceworks, RDP, Ninite, Dameware etc. work.
I’ve seen your name crop up in several posts relating to AD ports, which is a good start - care to contribute?
I’ll knock together a crowd-sourced Google Doc, if that will help.
Optimaximal:
I.e. What I mean is to make/compile a list of what would be required to make AD, SQL Server, Sharepoint, Spiceworks, RDP, Ninite, Dameware etc. work.
Personally, I wouldn’t firewall AD but that’s just me.
So you want a list of ports, ok:
Spiceworks - 80 (or 443 if you make it secure)
RDP - 3389 - unless it has been changed
Ninite - Remote Connection Information | Ninite Help
SQL Server - 1433 unless it’s running instances and then it can use random ports, these ports can be hard coded
Dameware - I’d be surprised if this is allowed in a PCI environment as it’s often a tool of choice for hackers.
Shareport - 80 and 443 (if you use SSL)
and the best is last. AD - Active Directory and Active Directory Domain Services Port Requirements
1 Spice up
I wouldn’t either, but if you’re writing the profiles from a security point of view, the common methodology is to deny all then poke the required holes as needed, yes?
Also, Spiceworks requires inbound TCP 139 & 445 and UDP 137 & 138 for the scans, according to the documentation.
Here’s the Google Doc, if you/anyone else want to contribute: Firewall Rule Cheat Sheet - Google Sheets
Optimaximal:
I wouldn’t either, but if you’re writing the profiles from a security point of view, the common methodology is to deny all then poke the required holes as needed, yes?
No.
There is a difference between securing something for practical reasons versus security potentially causing more problems.
Because of the way AD works, I wouldn’t block any of it’s ports. If there are genuine security concerns then there are better ways to lock down your AD servers.
Correct as well as TCP 22 and more but that’s outbound, not inbound.
Gary D Williams:
No.
There is a difference between securing something for practical reasons versus security potentially causing more problems.
Because of the way AD works, I wouldn’t block any of it’s ports. If there are genuine security concerns then there are better ways to lock down your AD servers.
Then maybe I’m being stupid, but how do you work around the Windows Firewall concept of ‘Inbound connections that do not match a rule are blocked’ if you are not defining the rules?
I see now that a number of Core Networking rules are already defined in the local WFwAS Rules. I wasn’t intending to override them, just making sure all the boxes are ticked and ensuring I can turn the Windows Firewall Domain Profile from ‘Allow All’ to ‘Block (Default)’ in GP and not
I don’t use the windows firewall on anything other than laptops. On the servers, I’m using vlans so that, if required, other tools such as IDS systems can examine the traffic as it passes between networks.
1 Spice up
Gary D Williams:
I don’t use the windows firewall on anything other than laptops. On the servers, I’m using vlans so that, if required, other tools such as IDS systems can examine the traffic as it passes between networks.
Good point. Maybe I’m approaching this problem the wrong way around - IDS via Snort on pfSense is on the todo list. I guess I just wanted to stop Windows Action Centre from moaning about the Firewall status without simply just ‘disabling the message’…
