> For the complete documentation index, see [llms.txt](https://docs.glesys.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.glesys.com/products/compute/guides-for-server-management/secure-active-directory-with-windows-firewall.md). # Secure Active Directory with Windows Firewall *** If you set up Active Directory on a server that has Internet access, you’ll need to modify the Windows Firewall so you don’t expose certain services. This guide is intended for those who use Active Directory solely to run a terminal server where multiple users can be logged into the server at the same time. ## Backup of existing firewall rules Before you begin, back up the existing firewall rules by opening a command prompt and running the following command: `netsh advfirewall export "c:\advfirewallpolicy.wfw"` ## Open ports, risks, and how to protect yourself Below is a list of the ports that become active after installing Active Directory. These should not be exposed externally, as they could be exploited for denial‑of‑service attacks against both your server and other servers on the internet. ``` PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 123/udp open ntp 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 9389/tcp open ADWS ``` To disable the ports, open a PowerShell window and paste the following lines: {% code title="Multiple commands" %} ```powershell Get-NetFirewallPortFilter | where LocalPort -eq 53 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 88 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 123 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 135 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 136 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 137 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 138 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 139 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 389 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 445 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 464 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 593 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 636 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 3268 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 3269 | Get-NetFirewallRule | Disable-NetFirewallRule Get-NetFirewallPortFilter | where LocalPort -eq 9389 | Get-NetFirewallRule | Disable-NetFirewallRule ``` {% endcode %} ## If you run into trouble If something stops working after the change, you can easily restore the rules from the backup you created at the beginning of this how-to. Simply run the following command: {% code title="Command" %} ``` netsh advfirewall import "c:\advfirewallpolicy.wfw" ``` {% endcode %} If this results in you locking yourself out of the server, you can connect to the server via the console. Read more about accessing the console [here](/products/compute/kvm-virtual-machines/how-tos/connect-to-the-vm-console.md). **Questions?** If you have any questions or concerns about the firewall or Active Directory, please do not hesitate to contact our support team. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.glesys.com/products/compute/guides-for-server-management/secure-active-directory-with-windows-firewall.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.