AD Fixed RPC
Information regarding firewall configuration
Index
Preface
The registry hack
Ports needed to be opened
Traffic flow
Conclusion
Preface
The environment consists of two network segments, as follows:
Segment 1: IP 192.168.1.0, Mask 255.255.255.0, Router 192.168.1.254
Segment 2: IP 192.168.2.0, Mask 255.255.255.0, Router 192.168.2.254
The registry hack
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
This hack sets the AD port to TCP 49152 (0xc000) and the FRS port to TCP 49153 (0xc001). Apply it on
all your Active Directory servers. You must restart them for the change to take effect.
Ports needed to be opened
Service Port/protocol
LDAP 389/tcp
You still need the endpoint mapper, because clients do not know that the ports have been
fixed: they still ask the endpoint mapper for the port numbers associated with the AD and
FRS RPC UUIDs, and it now always answers with your fixed ports.
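The following script is an added example, not part of the original document: it parses a .reg fragment of the kind shown above, converts the dword values to decimal port numbers (the document's 0000c000 is 49152), checks that each fixed port is usable, and prints the minimal allow-list between the two segments. The NTDS key and its "TCP/IP Port" value are taken from the page; the NTFRS value name "RPC TCP/IP Port Assignment" and the 0000c001 value are assumptions for this example, and 135/tcp for the endpoint mapper is a standard value not listed on the page.

```python
import re
import ipaddress

# Constructed sample .reg fragment. The NTDS key and "TCP/IP Port" value come from
# the document; the NTFRS value name and its dword are assumptions for this example.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
"RPC TCP/IP Port Assignment"=dword:0000c001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Dynamic RPC range on Windows Vista / Server 2008 and later (49152-65535).
DYNAMIC_RANGE = (49152, 65535)


def parse_reg_ports(text):
    """Return {registry_key: {value_name: port}} for dword values in a .reg fragment."""
    ports, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            ports[key] = {}
            continue
        m = VALUE_RE.match(line)
        if m and key:
            ports[key][m.group("name")] = int(m.group("hex"), 16)  # dword hex -> decimal port
    return ports


def check_port(port):
    """Return None if the port is a sensible fixed RPC port, else a description of the problem."""
    if not 1 <= port <= 65535:
        return f"{port}: not a valid TCP port"
    if port < 1024:
        return f"{port}: well-known port, would collide with another service"
    if not DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
        return f"{port}: outside the RPC dynamic range, verify nothing else listens there"
    return None


def firewall_rules(src_net, dst_net, fixed_ports):
    """Minimal allow-list between two DC segments: endpoint mapper, LDAP and the fixed ports."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return [f"allow tcp from {src} to {dst} port {p}" for p in [135, 389] + sorted(fixed_ports)]


if __name__ == "__main__":
    found = [p for values in parse_reg_ports(SAMPLE_REG).values() for p in values.values()]
    for p in found:
        print(check_port(p) or f"{p}: ok")
    print("\n".join(firewall_rules("192.168.1.0/24", "192.168.2.0/24", found)))
```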
Traffic flow
The log below shows what happens when a regular Windows XP (SP2) client joins
the AD domain:
The log below shows what happens when a regular Windows XP (SP2) client logs on to the
AD domain:
Conclusion
This works very well and, as far as I've investigated this, there are no drawbacks
except using ye old NBT traffic and the flaws that come with that, but if you can live
with that, this is far more secure than allowing ANY between your servers on different
segments or through VPNs.