Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers

Purpose

This document explains how to use ISA Server 2004 as an application-layer firewall between a Windows 2000 domain controller and a Windows 2000 member server.

This configuration allows:

- integrating a stand-alone server into a Windows 2000 Active Directory domain
- opening user sessions
- applying Group Policies

Network diagram

(diagram image not reproduced in this text)

Network rules Matrix

| Source IP | Source Port | Transport | Protocol | Destination IP | Destination port | Commentaries |
|---|---|---|---|---|---|---|
| Member servers in DMZ | * | UDP, TCP (1) | DNS | DNS Server used for AD resolution | 53 | Name resolution |
| Member servers in DMZ | * | UDP, TCP (2) | Kerberos-Sec | AD - Domain Controllers | 88 | Authentication mechanism |
| Member servers in DMZ | * | UDP | NTP | AD - Domain Controllers | 123 | Time synchronization |
| Member servers in DMZ | * | TCP | RPC End Point Mapper | AD - Domain Controllers | 135 | Must be queried first to retrieve the port used by the RPC service. |
| Member servers in DMZ | * | UDP, TCP | LDAP | AD - Domain Controllers | 389 | Used to query Active Directory |
| Member servers in DMZ | * | TCP | Microsoft CIFS | AD - Domain Controllers | 445 | Microsoft file share. Necessary for applying Group Policies |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS root servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS replica servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | RPC (all interfaces) | AD - Domain Controllers | >1024 | Can be an IP range on a traditional firewall. Not necessary to define if you use the ISA 2004 RPC filter. |
| Member servers in DMZ | N/A | ICMP | Ping | AD - Domain Controllers | N/A | |
| AD - Domain Controllers | N/A | ICMP | Ping | Member servers in DMZ | N/A | |

*: all
N/A: Not applicable

(1) TCP is used for DNS zone transfers and when the answer exceeds 512 bytes.
(2) By default, Windows 2000 and Windows XP use UDP when the data fits in packets smaller than 2,000 bytes. Any data above this value is carried over TCP. The 2,000-byte threshold is configurable by modifying a registry key and value.

Additional information:

  How to Force Kerberos to Use TCP Instead of UDP
  https://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

  HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall
  https://support.microsoft.com/default.aspx?scid=kb;en-us;154596

Firewall Rules to define on ISA Server 2004 between a DC and a member server

In this example:
- LAN3 contains the member servers
- Internal (192.168.102.x/24) contains the Domain Controller (192.68.102.10)

Two protocols are inspected in depth: DNS and RPC.

The DNS AD firewall access rule detects and blocks:
- DNS length overflow
- DNS zone transfer
- DNS name overflow

The RPC AD firewall access rule limits RPC traffic to the interface UUIDs that are mandatory to open a user session and to apply Group Policies.

| UUID | RPC Service |
|---|---|
| {12345778-1234-ABCD-EF00-0123456789AB} | LSA |
| {12345778-1234-ABCD-EF00-0123456789AC} | SAM |
| {12345778-1234-ABCD-EF00-01234567CFFB} | Net Logon |
| {6BFFD098-A112-3610-9833-012892020162} | Computer Browser |
| {E3514235-4B06-11D1-AB04-00C04FC2DCD2} | MS NT Directory DRS Interface |
| {F5CC59B4-4264-101A-8C59-08002B2F8426} | Directory DRS |
| {F5CC5A18-4264-101A-8C59-08002B2F8426} | Directory NSP |
| {F5CC5A7C-4264-101A-8C59-08002B2F8426} | Directory XDS |

Before you can define the AD RPC firewall publishing rule, you must first create a protocol definition (RPC for AD Logon):

ISA Server 2004 includes an RPC filter that dynamically opens the high ports used by RPC applications (the RPC End Point Mapper returns these port numbers to the RPC client). With this filter, it is unnecessary to open a static range of high ports for RPC.

The RPC filter can also restrict RPC requests to specific interfaces (UUIDs).
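As an added example (not code from the original document or from ISA Server), the script below models both the network rules matrix and the UUID-restricted RPC filter described above: a flow from a DMZ member server to a DC is allowed only if it matches the static matrix, and a TCP high port is allowed only after an endpoint-mapper reply has bound it to one of the listed interfaces. The events, including the endpoint-mapper replies, are constructed sample data; the reply is represented as a (uuid, port) pair rather than a parsed DCE/RPC message.

```python
# Added example (not the document's own code): the rules matrix above as an
# allow list, plus a model of the RPC filter's dynamic high-port behaviour.
# Static allow list, DMZ member servers -> DCs: (transport, destination port).
STATIC_ALLOW = {
    ("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88),      # DNS, Kerberos
    ("udp", 123), ("tcp", 135), ("udp", 389), ("tcp", 389),  # NTP, EPM, LDAP
    ("tcp", 445), ("icmp", None),                            # CIFS, Ping
}
# RPC interfaces mandatory for logon and Group Policy, from the UUID table.
ALLOWED_UUIDS = {
    "12345778-1234-abcd-ef00-0123456789ab",  # LSA
    "12345778-1234-abcd-ef00-0123456789ac",  # SAM
    "12345778-1234-abcd-ef00-01234567cffb",  # Net Logon
    "6bffd098-a112-3610-9833-012892020162",  # Computer Browser
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2",  # MS NT Directory DRS Interface
    "f5cc59b4-4264-101a-8c59-08002b2f8426",  # Directory DRS
    "f5cc5a18-4264-101a-8c59-08002b2f8426",  # Directory NSP
    "f5cc5a7c-4264-101a-8c59-08002b2f8426",  # Directory XDS
}

def evaluate(events):
    """One "allow"/"deny" per event, in order. Events are either
    ("flow", transport, dst_port) for a DMZ member server -> DC connection, or
    ("epm", uuid, port) for an endpoint-mapper reply seen on TCP 135 binding an
    RPC interface to a dynamic high port (modelled abstractly, not parsed from
    the wire); that port is opened only if the interface is on the allow list."""
    opened, decisions = set(), []
    for event in events:
        if event[0] == "epm":
            uuid, port = event[1].strip("{}").lower(), event[2]
            ok = uuid in ALLOWED_UUIDS and port > 1024
            if ok:
                opened.add(port)     # no static ">1024" rule needed
            decisions.append("allow" if ok else "deny")
            continue
        _, transport, port = event
        key = (transport, None if transport == "icmp" else port)
        ok = key in STATIC_ALLOW or (transport == "tcp" and port in opened)
        decisions.append("allow" if ok else "deny")
    return decisions

# Constructed sample: logon-style traffic plus two things the rules must stop.
SAMPLE_EVENTS = [
    ("flow", "udp", 53), ("flow", "tcp", 135),
    ("epm", "{12345778-1234-ABCD-EF00-01234567CFFB}", 1029),  # Net Logon
    ("flow", "tcp", 1029),                                    # opened dynamically
    ("epm", "{00000000-0000-0000-0000-000000000000}", 1030),  # placeholder, not allowed
    ("flow", "tcp", 1030), ("flow", "tcp", 3389),             # both denied
    ("flow", "icmp", None),
]
```

Calling evaluate(SAMPLE_EVENTS) yields allow for the first four events and for the ping, and deny for the unknown interface, its port 1030, and port 3389.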