Some might say that security has gone mad these days: gone are the times when we only used firewalls to protect the internal network from external attack. I now see many of our customers deploying internal firewalls between their sites, which is good for segmentation but causes poor old Active Directory some challenges, because a domain controller needs a surprising number of protocols open to its clients and to its replication partners.
With that growing popularity in mind, I figured it would be useful to list the main ports that need to be open in a simple table. The entries below are the predefined Windows Firewall rules that a domain controller (with the DNS Server role) ships with, which is why each one carries the program path of the process that listens on it; an internal network firewall between sites only needs the protocol and port pairs. One customer found the list handy, so I thought I may as well give it to you all. You never know when you will need it.
| Possible rule name | Description | Protocol / port | Path |
|---|---|---|---|
| Active Directory Domain Controller - LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389) | TCP 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - LDAP (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389) | UDP 389 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268) | TCP 3268 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - NetBIOS name resolution (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138) | UDP 138 | System |
| Active Directory Domain Controller - SAM/LSA (NP-TCP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445) | TCP 445 | System |
| Active Directory Domain Controller - SAM/LSA (NP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445) | UDP 445 | System |
| Active Directory Domain Controller - Secure LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636) | TCP 636 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269) | TCP 3269 | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller - W32Time (NTP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123) | UDP 123 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (RPC) | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service. | TCP, dynamic RPC range | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service. | TCP 135 | %systemroot%\System32\svchost.exe |
| Active Directory Domain Controller (TCP-Out) | Outbound rule for the Active Directory Domain Controller service. (TCP) | TCP, any | %systemroot%\System32\lsass.exe |
| Active Directory Domain Controller (UDP-Out) | Outbound rule for the Active Directory Domain Controller service. (UDP) | UDP, any | %systemroot%\System32\lsass.exe |
| DNS (TCP, Incoming) | DNS inbound | TCP 53 | %systemroot%\System32\dns.exe |
| DNS (UDP, Incoming) | DNS inbound | UDP 53 | %systemroot%\System32\dns.exe |
| DNS (TCP, outbound) | DNS outbound | TCP, any | %systemroot%\System32\dns.exe |
| DNS (UDP, outbound) | DNS outbound | UDP, any | %systemroot%\System32\dns.exe |
| DNS RPC, incoming | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS service | TCP 135 | %systemroot%\System32\svchost.exe |
| DNS RPC, incoming | Inbound rule to allow remote RPC/TCP access to the DNS service | TCP, dynamic RPC range | %systemroot%\System32\dns.exe |

A few caveats before you hand this table to the firewall team:

- "Dynamic RPC" is the part that bites. A client first asks the endpoint mapper on TCP 135 which high port the directory service (NTDS) is listening on, then connects to that port. On Windows Server 2008 and later the default dynamic range is TCP 49152-65535 (it was 1025-5000 on Windows Server 2003 and earlier), so a rule for 135 alone is not enough; replication, the AD administration tools and Group Policy processing will all still fail. If opening the whole range is unacceptable, you can pin NTDS to a single static port with the REG_DWORD value "TCP/IP Port" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and open just 135 plus that port.
- The table only covers the "Active Directory Domain Controller" and "DNS Service" rule groups that happened to be in the export. Domain members also need Kerberos on TCP and UDP 88 (and Kerberos password changes on TCP/UDP 464), which are separate predefined rules on the DC and must be open on any internal firewall as well.
- The two "DNS RPC, incoming" rows are distinct rules: the first is the endpoint mapper on 135, the second is the dynamic RPC port that dns.exe itself registers. Both are only needed for remote DNS management (the DNS console, dnscmd), not for name resolution.
- The outbound rows are listed for completeness; for the usual internal-firewall problem (clients in one site, DCs in another) it is the inbound rows towards the DC that matter.
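The quickest way to find out which of these an internal firewall is actually dropping is to probe the DC from a machine in the remote site. The script below is an added example, not code from the original post or from Microsoft. It runs the TCP checks from the table with Test-NetConnection, uses a real SRV lookup and a single NTP sample for the two UDP services (Test-NetConnection only speaks TCP), and uses a DCOM/WMI session as an end-to-end test of 135 plus the dynamic RPC range. It assumes Windows PowerShell 5.1 or later on a domain-joined client, a DC you are permitted to probe, and the hypothetical names dc01.corp.example.com and corp.example.com; the DCOM check needs local administrator rights on the DC.

```powershell
# Added example (not part of the original post): probe a domain controller's ports
# from a client in another site so a blocked internal firewall rule shows up before
# users start complaining about slow logons or missing Group Policy.
# Assumes Windows 8 / Server 2012 or later (Test-NetConnection, Resolve-DnsName, CIM).

function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        # Hypothetical domain name; only used to build the SRV record for the DNS probe.
        [string] $DomainName = 'corp.example.com'
    )

    # TCP ports from the table above. Kerberos is added because every domain member
    # needs it even though the exported rule list did not include it.
    $tcpPorts = [ordered]@{
        'RPC Endpoint Mapper (EPMAP)'  = 135
        'LDAP'                         = 389
        'Secure LDAP'                  = 636
        'Global Catalog'               = 3268
        'Secure Global Catalog'        = 3269
        'SMB / SAM-LSA named pipes'    = 445
        'DNS (TCP)'                    = 53
        'Kerberos (not in the table)'  = 88
    }

    $results = @()
    foreach ($entry in $tcpPorts.GetEnumerator()) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $entry.Value `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Service = $entry.Key; Protocol = 'TCP'; Port = $entry.Value; Open = [bool]$open
        }
    }

    # UDP 53: a real query against the DC's DNS service is the only reliable probe.
    # The DC locator SRV record must exist on every DC, so it is a safe thing to ask for.
    $dnsOk = $false
    try {
        $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                                -Server $DomainController -DnsOnly -ErrorAction Stop
        $dnsOk = $true
    } catch { }
    $results += [pscustomobject]@{ Service = 'DNS (UDP, SRV lookup)'; Protocol = 'UDP'; Port = 53; Open = $dnsOk }

    # UDP 123: ask the DC for one NTP sample. A successful sample line looks like
    # "10:00:00, +00.0004201s"; a failure line contains "error:" instead of an offset.
    $ntp = & w32tm.exe /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1
    $ntpOk = [bool]($ntp | Where-Object { $_ -match ',\s*[+-]\d' })
    $results += [pscustomobject]@{ Service = 'NTP (W32Time)'; Protocol = 'UDP'; Port = 123; Open = $ntpOk }

    # Dynamic RPC: DCOM first talks to the endpoint mapper on 135, then to a port in the
    # dynamic range, so a working WMI query over DCOM proves both halves. If the 135 row
    # above is open but this fails, the dynamic range (49152-65535 by default) is blocked.
    # Needs local administrator rights on the DC.
    $rpcOk = $false
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cim = New-CimSession -ComputerName $DomainController -SessionOption $opt -ErrorAction Stop
        $null = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop
        Remove-CimSession -CimSession $cim
        $rpcOk = $true
    } catch { }
    $results += [pscustomobject]@{ Service = 'Dynamic RPC (via DCOM/WMI)'; Protocol = 'TCP'; Port = 'EPMAP + dynamic'; Open = $rpcOk }

    return $results
}

# Usage from a client in the remote site (hypothetical names):
Test-DcPorts -DomainController 'dc01.corp.example.com' -DomainName 'corp.example.com' |
    Format-Table Service, Protocol, Port, Open -AutoSize
```

Run it from the same subnet as the affected clients, since the rules that matter are the ones on the firewall between that site and the DC, and repeat it against every DC the site might locate. A closed LDAP or Kerberos row explains failed logons outright; the more common picture is every numbered port open and only the DCOM/WMI row closed, which is the dynamic RPC range problem described above.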