If your Active Directory is accessible over the internet, you need to configure Windows Firewall to prevent exposure of certain services.
If you set up Active Directory on a server that has Internet access, you’ll need to modify the Windows Firewall so you don’t expose certain services. This guide is intended for those who use Active Directory solely to run a terminal server where multiple users can be logged into the server at the same time.
Backup of existing firewall rules
Before you begin, back up the existing firewall rules by opening a command prompt and running the following command: netsh advfirewall export "c:\advfirewallpolicy.wfw"
Open ports, risks, and how to protect yourself
Below is a list of the ports that become active after installing Active Directory. These should not be exposed externally, as they could be exploited for denial‑of‑service attacks against both your server and other servers on the internet.
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
123/udp open ntp
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
9389/tcp open ADWS
To disable the ports, open a PowerShell window and paste the following lines:
If you run into trouble
If something stops working after the change, you can easily restore the rules from the backup you created at the beginning of this how-to. Simply run the following command:
If this results in you locking yourself out of the server, you can connect to the server via the console. Read more about accessing the console here.
Questions? If you have any questions or concerns about the firewall or Active Directory, please do not hesitate to contact our support team.
