Active Directory: Firewall Ports For Client-to-Domain Controller (DC) Communication

By |2023-02-10T13:22:45-08:00Sep 2, 2022 - Friday|Security, Technology|
Read: 3 mins.

Firewall Ports

It has been over three years since I had transitioned my career from a Senior IT Systems Engineer to one in Cybersecurity, and my day-to-day knowledge of Active Directory has slowly become a bit fuzzy. Recently, there was a need to look into what firewall ports were required for an Active Directory client machine and Domain Controller (DC) to communicate, and I was surprised that there was no clear, definite list available directly from Microsoft. I did find two articles:

There are many reasons why a firewall should restrict communication between two endpoints to just what is necessary, including security, compliance, and good housekeeping.

Active Directory

Microsoft’s Active Directory (AD) is a service that governs how resources can be utilized by a collection of users, groups, and computers. Enterprises use AD to authenticate, authorize, secure, and audit access within a security boundary — a Domain — to file servers, computers, emails, and more. You are given a user account (often referred to as your “network login”) to access what has been made available to you. A Domain Controller (DC) is the server that contains a copy of the AD database and is responsible for the replication of said data between all other DCs within the Domain.

To secure the company network, Active Directory uses Group Policy Objects (GPOs) to define various user- and computer-related settings, including firewall rules.

Tips: See my Active Directory Account Lockouts and Modifications article to learn how to analyze account events with Windows Event IDs and Logon Types. You can also visualize account lockout events with AD Lockout Splunk Dashboards to identify patterns. For investigating Group-related events, see my Group and Membership Changes post.

Ports: Client-DC Communication

To help with locating what ports are required for an AD client to communicate with its domain controller, we began by running a Nmap scan against the DC holding the PDC Emulator FSMO role. The PDC Emulator processes AD account lockouts.

Here is an example of a Nmap scan of a DC:

Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-02 12:05 PDT
Nmap scan report for YuenX-DC1 (192.168.123.10)
Host is up (0.00047s latency).
rDNS record for 192.168.123.10: YuenX-DC1.yuenx.com
Not shown: 892 closed ports
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Microsoft DNS
88/tcp    open  kerberos-sec      Windows 2003 Kerberos
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  netbios-ssn
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap
| ssl-cert: Subject: commonName=ldaps.yuenx.com
| Not valid before: 2022-01-01T12:14:44+00:00
|_Not valid after:  2024-02-04T14:31:28+00:00
3268/tcp  open  ldap
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server?

Cross-referencing the scan and the two Microsoft articles I had found, the required firewall ports are listed below:

Server PortServiceProtocolComment
53DNSTCP, UDP
88KerberosTCP, UDP
123W32Time (NTP or SNTP)UDP*Optional: Windows Server 2008 and later
135RPC Endpoint MapperTCP
139NetBIOSTCP
389LDAPTCP, UDP
445SMBTCP
464Kerberos Password ChangeTCP, UDPWindows Server 2008 and later
636LDAP SSLTCP
3268GC LDAPTCPGlobal Catalog
3269GC LDAP SSLTCPGlobal Catalog Secure
49152 - 65535RPC Dynamic (Ephemeral)TCP, UDPWindows Server 2000, Vista, and later
1025 - 5000RPC Dynamic (Ephemeral)TCP, UDPWindows Server 2000-2008 only
137-138NetBIOS Netlogon*UDP*Optional: Only when NetBIOS is required
PingICMPWindows Server 2003, XP only
Required Firewall Ports for AD Client-Domain Controller Communication

Notes

  • Microsoft cautioned: “Not all the ports that are listed … are required in all scenarios. For example, if… you know that no clients use LDAP with SSL/TLS, you don’t have to open ports 636 and 3269”
  • TCP/593 (RPC over HTTP) has been deprecated for Exchange Online/Microsoft 365
  • TCP/3389 (RDP) is not needed by clients unless there is a need to perform a Remote Desktop connection to the DC. This is NOT advised for non-Active Directory administrators

RPC Dynamic (Ephemeral)

AD Users, Groups: SIDs with no Display Name

AD Users, Groups: SIDs with no Display Name

  • Are the ephemeral ports required? Short answer: Yes
    • RPC communication is done over those ports (range can be narrowed) and is utilized by “server applications and remote administration applications, such as [DHCP and WINS] Manager”
  • A firewall administrator once refused to open the dynamic ports because he did not see any blocks in the logs at the time. For 5+ months, end users and AD administrators ran into intermittent, odd issues, including the inability to resolve SIDs when looking at resources’ Security permissions. Once another admin finally allowed those ports to go through, the AD issues went away

Credits:
– Featured Image by Israel Palacio via Unsplash

References

Related Posts

About the Author:

Michael is an outdoor enthusiast and a Cybersecurity Engineer with a 17-year background in IT Systems Engineering. He aims to live a life that is good and inspired. He enjoys being a parent, hiking, photography, food, technology, DIY projects, travel, mentoring, and building relationships. See his family's story.
Subscribe
Notify on
guest

0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Go to Top