How to secure your Active Directory from attackers in the outside world

The open ports you are looking at are those a standard Nmap scan of a Windows Domain Controller will show. Blocking them will severely break or completely disable your Active Directory domain and related services: clients will be unable to log in, access files, or use domain resources.

Warning: Do not block these ports on a Domain Controller without a deep understanding of the consequences. These are not "default ports to be blocked"; they are core service ports required for the server to function.

A more secure approach is to control access to these ports rather than blocking them entirely.

Here is a breakdown of what each service does and the correct way to secure it.


---

Understanding the Ports & The Secure Alternative to Blocking

Instead of blocking, you should implement Windows Firewall with Advanced Security to restrict which source IPs are allowed to connect to these services.


| Port | Service | Purpose | Consequence of Blocking | Recommended Security Action |
| :--- | :--- | :--- | :--- | :--- |
| 53 | DNS | Name resolution for the entire domain. | Clients and servers cannot find each other. Domain breaks. | Restrict DNS queries to only your internal network subnets. |
| 88 | Kerberos | Authentication for the entire domain. | No one can log in. | Restrict to your domain-joined clients and servers. |
| 135 | MSRPC | Remote Procedure Call. Used by many management tools. | Breaks management tools and inter-service communication. | Hard to restrict, but can be limited to specific server IPs. |
| 139/445 | NetBIOS/SMB | File and printer sharing, network logon. | Clients cannot access shared drives or group policy. | Ensure SMB signing is enforced. Restrict to domain networks. |
| 389/636 | LDAP/LDAPS | Directory services queries (e.g., user/group lookups). | Applications and users cannot query AD. Logins fail. | Enforce LDAP signing/channel binding. Restrict client IP ranges. |
| 3268/3269 | Global Catalog | LDAP for forest-wide searches (e.g., Universal Groups). | Multi-domain logins and searches fail. | Same as LDAP. Restrict access. |
| 464 | kpasswd | Kerberos password change. | Users cannot change their passwords. | Restrict to domain networks. |
| 593 | RPC over HTTP | Remote procedure calls over HTTP. | May break specific distributed applications. | Usually required by specific apps. Restrict if not needed. |
| 3389 | RDP | Remote Desktop. | You cannot administer the server remotely. | This is a critical one to secure. Use a VPN or restrict RDP to a dedicated "jump box" or specific admin IPs. |
| 5985 | WinRM | Windows Remote Management (PowerShell remoting). | Breaks PowerShell-based management and automation. | Use it over HTTPS (5986) instead, and restrict source IPs. |

 

---

How to Implement the Secure Approach: Restricting Access with Windows Firewall

The correct method is to create Inbound Firewall Rules that allow traffic only from authorized subnets.

Step-by-Step Guide:


1.  Open Windows Firewall with Advanced Security (`wf.msc`).

2.  For each port, you will create a custom rule. Let's use LDAP (Port 389) as an example.


    *   Click on Inbound Rules -> New Rule...

    *   Rule Type: Select Port -> Click Next.

    *   Protocol and Ports: Select TCP and enter Specific local ports: `389` -> Click Next.

    *   Action: Select Allow the connection -> Click Next.

    *   Profile: Select all that apply (Domain, Private, Public) or just "Domain" for maximum security -> Click Next.

    *   Name: Give it a clear name, e.g., "LDAP (389) - Restricted to Internal Network".

 

3.  The Most Important Step - Scope the Rule:

    *   After creating the rule, find it in the Inbound Rules list and double-click to open its properties.

    *   Go to the Scope tab.

    *   Under Remote IP address, select These IP addresses:.

    *   Click Add... and enter the IP ranges of your internal corporate network (e.g., `192.168.1.0/24`).

    *   Click OK.


    [![Example of setting the scope for a firewall rule to specific IP addresses](https://i.imgur.com/2XpB3ehl.png)](https://i.imgur.com/2XpB3eh.png)

 

4.  Repeat this process for other critical services like RDP (3389), Kerberos (88), and WinRM (5985). For services like RDP, it is highly recommended to restrict the scope to a very small set of administrative workstations or a VPN subnet.
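Steps 1 to 4, applied to the ports in the table above, as a PowerShell script (an added example, not part of the original post). The subnet values in `$InternalNets` and the admin addresses in `$AdminHosts` are placeholders to replace with your own ranges; the script also adds the UDP variants of DNS and Kerberos, which those services use alongside TCP.

```powershell
# Added example (not from the original post): scoped inbound allow rules for
# Domain Controller services, created from an elevated PowerShell session on the DC.
$InternalNets = @('192.168.1.0/24', '10.0.0.0/16')   # placeholder corporate subnets
$AdminHosts   = @('192.168.1.50', '192.168.1.51')     # placeholder jump box / admin IPs

# Service name, protocol, port and the remote addresses allowed to reach it.
$Rules = @(
    @{ Name = 'DNS (53)';           Proto = 'UDP'; Port = 53;   Scope = $InternalNets },
    @{ Name = 'DNS (53)';           Proto = 'TCP'; Port = 53;   Scope = $InternalNets },
    @{ Name = 'Kerberos (88)';      Proto = 'UDP'; Port = 88;   Scope = $InternalNets },
    @{ Name = 'Kerberos (88)';      Proto = 'TCP'; Port = 88;   Scope = $InternalNets },
    @{ Name = 'kpasswd (464)';      Proto = 'TCP'; Port = 464;  Scope = $InternalNets },
    @{ Name = 'LDAP (389)';         Proto = 'TCP'; Port = 389;  Scope = $InternalNets },
    @{ Name = 'LDAPS (636)';        Proto = 'TCP'; Port = 636;  Scope = $InternalNets },
    @{ Name = 'GC (3268)';          Proto = 'TCP'; Port = 3268; Scope = $InternalNets },
    @{ Name = 'GC SSL (3269)';      Proto = 'TCP'; Port = 3269; Scope = $InternalNets },
    @{ Name = 'SMB (445)';          Proto = 'TCP'; Port = 445;  Scope = $InternalNets },
    @{ Name = 'RDP (3389)';         Proto = 'TCP'; Port = 3389; Scope = $AdminHosts },
    @{ Name = 'WinRM HTTPS (5986)'; Proto = 'TCP'; Port = 5986; Scope = $AdminHosts }
)

foreach ($r in $Rules) {
    $display = "$($r.Name) $($r.Proto) - Restricted to Internal Network"
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }
    # Equivalent of the GUI wizard (Port, Allow, Domain profile) plus the Scope tab
    # (-RemoteAddress) in one call.
    New-NetFirewallRule -DisplayName $display `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Proto -LocalPort $r.Port `
        -RemoteAddress $r.Scope | Out-Null
}

# Check: list every enabled inbound allow rule whose remote scope is still "Any".
# Any such rule for the same port makes the scoped rule above ineffective.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any'
    } |
    Select-Object DisplayName, Profile
```

Windows Firewall permits an inbound connection if any enabled allow rule matches it, so the built-in Domain Controller rules (which are scoped to "Any") must also be scoped or disabled; the final listing shows which ones still need attention.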

Summary: What You Should Do

1.  DO NOT BLOCK these ports outright. Your domain will stop working.

2.  DO SECURE them by creating firewall allow rules that are scoped to your specific internal IP ranges.

3.  PRIORITIZE securing RDP (3389) and WinRM (5985) first, as these are common attack vectors for remote access.

4.  Consider placing critical servers like Domain Controllers on a protected "server VLAN" with its own firewall rules, isolating them from general user traffic.

By following this method, you maintain the functionality of your essential services while significantly reducing your attack surface.

 

