
Active Directory Fixed RPC when using firewalls

AD Fixed RPC: information regarding firewall configuration
Index
Preface
The registry hack
Ports needed to be opened
Traffic flow
Conclusion

Johan Engdahl 2007 page 1



Preface
The lab environment consists of two network segments, separated by a firewall:

Network A (AD_2003 Server)

IP: 192.168.1.0
Mask: 255.255.255.0
Router: 192.168.1.254

Network B (XP_LABB Workstation)

IP: 192.168.2.0
Mask: 255.255.255.0
Router: 192.168.2.254

The registry hack


This document is only intended to show what kind of traffic flows through a firewall
when you follow Microsoft's best-practice guide "Active Directory Replication over
Firewalls" and lock down the RPC ports with the registry change below. The change, in
.reg format:
Windows Registry Editor Version 5.00

; NTDS: pins the RPC port used for Active Directory replication (0xC000 = 49152)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000

; NTFRS: pins the RPC port used by the File Replication Service (0xC001 = 49153)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
"RPC TCP/IP Port Assignment"=dword:0000c001

This change pins the Active Directory replication port to TCP 49152 (dword 0xC000) and
the FRS port to TCP 49153 (dword 0xC001). Apply it on all your domain controllers and
restart them for the change to take effect. Note that these two values pin only the
NTDS and FRS RPC interfaces; other RPC interfaces on the domain controller are not
affected by them and keep their dynamic ports.

Ports needed to be opened


A complete list of the ports that need to be opened in the firewall is shown below:

Service                              Port/protocol
RPC endpoint mapper                  135/tcp, 135/udp
NetBIOS name service                 137/tcp, 137/udp
NetBIOS datagram service             138/udp
NetBIOS session service              139/tcp
RPC static port for AD replication   <AD-fixed-port>/tcp (49152/tcp with the registry change above)
RPC static port for FRS              <FRS-fixed-port>/tcp (49153/tcp with the registry change above)
SMB over IP (Microsoft-DS)           445/tcp, 445/udp
LDAP                                 389/tcp
LDAP ping                            389/udp
LDAP over SSL                        636/tcp
Global catalog LDAP                  3268/tcp
Global catalog LDAP over SSL         3269/tcp
Kerberos                             88/tcp, 88/udp
DNS                                  53/tcp, 53/udp

You still need the endpoint mapper (135/tcp) because clients do not know that you fixed
the ports: a client first asks the endpoint mapper which port is bound to the AD or FRS
RPC interface UUID, and the endpoint mapper always answers with your fixed port. The
traffic logs below show exactly this pattern: each nb_135_tcp connection is followed by
an rpc_49152 connection to the fixed AD port.

Traffic flow
The firewall log below shows what happens when a regular Windows XP (SP2) client joins
the AD domain:

Service           Source    Destination  Protocol  Rule  Source Port
domain-udp        XP_LABB   AD_2003      udp       2     1067
ldap_ping         XP_LABB   AD_2003      udp       2     1068
domain-udp        XP_LABB   AD_2003      udp       2     1047
domain-udp        XP_LABB   AD_2003      udp       2     1069
ldap_ping         XP_LABB   AD_2003      udp       2     1070
ldap_ping         XP_LABB   AD_2003      udp       2     1071
ldap_ping         XP_LABB   AD_2003      udp       2     1072
domain-udp        XP_LABB   AD_2003      udp       2     1073
microsoft-ds      XP_LABB   AD_2003      tcp       2     DaCryptic
ldap_ping         XP_LABB   AD_2003      udp       2     1077
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1078
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1079
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     socks
domain-udp        XP_LABB   AD_2003      udp       2     1081
ldap_ping         XP_LABB   AD_2003      udp       2     1082
ldap_ping         XP_LABB   AD_2003      udp       2     1083
ldap_ping         XP_LABB   AD_2003      udp       2     1084
microsoft-ds      XP_LABB   AD_2003      tcp       2     1085
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1087
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1088
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1089
ldap              XP_LABB   AD_2003      tcp       2     1090
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1091
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1092
nb_135_tcp        XP_LABB   AD_2003      tcp       2     1093
rpc_49152         XP_LABB   AD_2003      tcp       2     1094
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1095
ldap_ping         XP_LABB   AD_2003      udp       2     1098
domain-udp        XP_LABB   AD_2003      udp       2     1099
ldap_ping         XP_LABB   AD_2003      udp       2     1100
nb_135_tcp        XP_LABB   AD_2003      tcp       2     1101
rpc_49152         XP_LABB   AD_2003      tcp       2     1102
rpc_49152         XP_LABB   AD_2003      tcp       2     1103

Where the Source Port column shows a name instead of a number (DaCryptic, socks,
nbname, nbdatagram), the firewall has substituted the name from its own service table
for that port number: socks is 1080 (the row sits between source ports 1079 and 1081),
and nbname and nbdatagram are NetBIOS name and datagram traffic sent from source ports
137 and 138. The Rule column is the number of the firewall rule that allowed the
connection.

The firewall log below shows what happens when a regular Windows XP (SP2) client logs
on to the AD domain:

Service           Source    Destination  Protocol  Rule  Source Port
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1074
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1075
nb_135_tcp        XP_LABB   AD_2003      tcp       2     1078
rpc_49152         XP_LABB   AD_2003      tcp       2     1079
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     socks
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1081
microsoft-ds      XP_LABB   AD_2003      tcp       2     1076
Kerberos_v5_UDP   XP_LABB   AD_2003      udp       2     1082
domain-udp        XP_LABB   AD_2003      udp       2     1083
ldap_ping         XP_LABB   AD_2003      udp       2     1084
nb_135_tcp        XP_LABB   AD_2003      tcp       2     1085
nbname            XP_LABB   AD_2003      udp       2     nbname
nbdatagram        XP_LABB   AD_2003      udp       2     nbdatagram
nbsession         XP_LABB   AD_2003      tcp       2     1090
nbsession         XP_LABB   AD_2003      tcp       2     1091
microsoft-ds      XP_LABB   AD_2003      tcp       2     1092
nbsession         XP_LABB   AD_2003      tcp       2     1093

Conclusion
This works very well, and as far as I have investigated it there are no drawbacks
except the use of the old NBT traffic (NetBIOS over TCP/IP on ports 137, 138 and 139)
and the flaws that come with it. If you can live with that, this is far more secure
than allowing ANY between your servers on different segments or through VPNs.

