Windows 7 Firewall Outbound Rules in Active Directory environment
Hi! I have been going nuts configuring Windows Firewall so that all outbound traffic is blocked except the traffic allowed by outbound rules. I haven't been able to configure the firewall so that the computer works in an Active Directory environment. I have checked all the dropped packets in the firewall log, but the problem is that it doesn't tell which program tried to create the connection. The set of outbound rules that I have created (I have also used all the predefined Core Networking rules), as program - protocol - remote port:

lsass.exe - TCP - 389
lsass.exe - UDP - 389
lsass.exe - TCP - 1025-65535
lsass.exe - TCP - 636
lsass.exe - TCP - 3269
svchost.exe - TCP - 135
svchost.exe - UDP - 123
system - UDP - 138
system - TCP - 445
system - UDP - 445
lsass.exe - TCP - 88
lsass.exe - UDP - 88

So basically I checked which ports are configured in the domain controllers' inbound rules and made the same set of outbound rules on the workstation (I haven't found a good article about how to configure outbound rules in an Active Directory environment). This set of rules almost works, but not quite. If I create an additional outbound rule, all programs - TCP - 389, it works (the Domain profile is enabled on Windows Firewall and no packets are dropped). So my question is: what would be a correct outbound rule set in this scenario (if I want to control outbound access at the program, protocol and port level)? What programs am I missing?
January 25th, 2011 4:10am

You have to apply rules at the service level for Netlogon and the Workstation service, as these services use dynamic ports. Here is the list I used:

- Allow outbound traffic to UDP/TCP port 53 to DNS servers
- Allow outbound traffic from UDP 137 to UDP 137 to WINS servers
- Allow outbound traffic to UDP/TCP 389 to any system
- Allow outbound UDP and TCP traffic from the Netlogon service to any system
- Allow outbound UDP and TCP traffic from the Workstation service to any system

If you use Secure LDAP, you have to add those ports. Also allow DHCP traffic if your systems rely on DHCP.

Ray - Author of Windows 7 for XP Professionals
January 25th, 2011 5:29am

Thanks! I made these changes (program or service - protocol - remote port):

lsass.exe - TCP - 389
lsass.exe - UDP - 389
lsass.exe - TCP - 1025-65535
lsass.exe - TCP - 636
lsass.exe - TCP - 3269
svchost.exe - TCP - 135
svchost.exe - UDP - 123
system - UDP - 138
system - TCP - 445
system - UDP - 445
lsass.exe - TCP - 88
lsass.exe - UDP - 88
Netlogon service - TCP - any
Netlogon service - UDP - any
Workstation service - TCP - any
Workstation service - UDP - any
any - UDP - 137

Now that I have rebooted the computer a few times, the Domain profile has been enabled on the firewall all the time and no packets have been dropped. Does UDP 137 for WINS have any program or service attached to it?

There is also one behaviour that I have been wondering about: if you distribute the firewall rules with Group Policy, the default rules don't disappear from the workstation. If you enable predefined rules in Group Policy, and those rules are already on the workstation by default, you will see duplicate rules in the Windows Firewall with Advanced Security MMC console when you open it after the GPO settings have been distributed to the workstation. I wonder if this is the way it should be? Why do the settings configured locally on the workstation not disappear, even if you set "Apply local firewall rules" to No?
January 25th, 2011 6:44am

> Does UDP 137 for WINS have any program or service attached to it?

Only if you have configured WINS servers in the TCP/IP settings. AFAIK local firewall settings are always visible. Whether they are in effect depends on the GPO configuration.

Ray - Author of Windows 7 for XP Professionals
January 25th, 2011 6:50am
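Putting the rule set the thread converges on into a script, as an added example that is not from any poster: the original poster's final program-level rules, the service-level Netlogon and Workstation rules, plus the DNS, WINS and DHCP rules Ray recommends, created with netsh advfirewall (available on Windows 7) for the Domain profile only. Rule names, the $DnsServers/$WinsServers placeholders and the assumption that Netlogon runs in lsass.exe and the Workstation service (short name LanmanWorkstation) in svchost.exe on Windows 7 are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# workstation (or adapt the argument lists for a GPO). Assumptions: Windows 7
# hosts Netlogon in lsass.exe and LanmanWorkstation in svchost.exe; scope
# variables below are placeholders to replace with your own server addresses.
$DnsServers  = 'any'   # e.g. '10.0.0.10,10.0.0.11' to limit DNS to your servers
$WinsServers = 'any'   # e.g. '10.0.0.12' to limit NetBIOS name service to WINS
$S32   = "$env:SystemRoot\System32"
$Lsass = "$S32\lsass.exe"; $Svc = "$S32\svchost.exe"

# n = rule name, prog/svc = program path or service short name,
# pr = protocol, rp = remote port, ri = remote address, lp = local port
$rules = @(
  @{n='AD-lsass-LDAP-TCP';     prog=$Lsass;   pr='tcp'; rp='389';        ri='any'},
  @{n='AD-lsass-LDAP-UDP';     prog=$Lsass;   pr='udp'; rp='389';        ri='any'},
  @{n='AD-lsass-LDAPS-TCP';    prog=$Lsass;   pr='tcp'; rp='636';        ri='any'},
  @{n='AD-lsass-GC-SSL-TCP';   prog=$Lsass;   pr='tcp'; rp='3269';       ri='any'},
  @{n='AD-lsass-Kerberos-TCP'; prog=$Lsass;   pr='tcp'; rp='88';         ri='any'},
  @{n='AD-lsass-Kerberos-UDP'; prog=$Lsass;   pr='udp'; rp='88';         ri='any'},
  @{n='AD-lsass-RPC-dyn-TCP';  prog=$Lsass;   pr='tcp'; rp='1025-65535'; ri='any'},
  @{n='AD-svchost-RPC-EPM';    prog=$Svc;     pr='tcp'; rp='135';        ri='any'},
  @{n='AD-svchost-NTP';        prog=$Svc;     pr='udp'; rp='123';        ri='any'},
  @{n='AD-System-SMB-TCP';     prog='System'; pr='tcp'; rp='445';        ri='any'},
  @{n='AD-System-SMB-UDP';     prog='System'; pr='udp'; rp='445';        ri='any'},
  @{n='AD-System-NetBIOS-DGM'; prog='System'; pr='udp'; rp='138';        ri='any'},
  @{n='AD-Netlogon-TCP';    svc='Netlogon';          pr='tcp'; rp='any'; ri='any'},
  @{n='AD-Netlogon-UDP';    svc='Netlogon';          pr='udp'; rp='any'; ri='any'},
  @{n='AD-Workstation-TCP'; svc='LanmanWorkstation'; pr='tcp'; rp='any'; ri='any'},
  @{n='AD-Workstation-UDP'; svc='LanmanWorkstation'; pr='udp'; rp='any'; ri='any'},
  @{n='AD-DNS-TCP';         pr='tcp'; rp='53';  ri=$DnsServers},
  @{n='AD-DNS-UDP';         pr='udp'; rp='53';  ri=$DnsServers},
  @{n='AD-WINS-NetBIOS-NS'; pr='udp'; rp='137'; ri=$WinsServers; lp='137'},
  @{n='AD-DHCP-client';     svc='Dhcp'; pr='udp'; rp='67'; ri='any'; lp='68'}
)

foreach ($r in $rules) {
  $argList = @('advfirewall','firewall','add','rule',"name=$($r.n)",'dir=out',
               'action=allow','profile=domain',"protocol=$($r.pr)",
               "remoteport=$($r.rp)","remoteip=$($r.ri)")
  if ($r.prog) { $argList += "program=$($r.prog)" }   # program-scoped rule
  if ($r.svc)  { $argList += "service=$($r.svc)" }    # service-scoped rule
  if ($r.lp)   { $argList += "localport=$($r.lp)" }
  $out = & netsh.exe @argList
  if ($LASTEXITCODE -ne 0) { Write-Warning "Rule '$($r.n)' failed: $out" }
}
# Only after the allow rules exist, switch the Domain profile to block outbound
# by default; dropped traffic is then visible in the firewall log as the OP did.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
```

To reduce noise while testing, set the default outbound action last and watch the firewall log after a reboot and a logon, since the Netlogon and Workstation rules are the ones that cover the dynamic ports a static port list misses.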

