Thursday, December 11, 2008 10:55 AM
Tom Decaluwé
Windows firewall Advanced security, Part 2
In a previous post I showed you the different profiles and the basic setup you can do when starting to use the Advanced Security firewall in Vista for the first time. However, when you use that configuration you will notice that your system loses domain connectivity.
For the system to detect your domain and shift from the public / private profile to the domain profile, you need to open a number of protocols; otherwise your client will be unable to detect your domain controllers and thus be unable to shift to this security profile.
What do you need for the network detection?
Network Location Awareness (NLA) requires the default protocols of a DC to be available:
- TCP 135 => RPC connectivity
- TCP 445/139 | UDP 138/137 => file share connectivity
- UDP 53 => DNS
- TCP 389 | UDP 389 => LDAP
When configuring the protocols, don't forget that we are looking at destination ports, not source ports.
In my setup I limited the connectivity down to only the Domain Controller as destination, to lock down the environment as much as possible.
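As an added example (not from the original post), the rules above expressed as outbound `netsh advfirewall` rules scoped to the public and private profiles, where the client sits before NLA has detected the domain. The domain controller addresses `10.0.0.10` and `10.0.0.11` are placeholders, and the script assumes outbound traffic is blocked by default in those profiles as set up in Part 1.

```powershell
# Added example, not the original post's configuration. Run from an elevated prompt.
# Placeholder DC addresses: replace with your own domain controllers.
$DomainControllers = "10.0.0.10,10.0.0.11"
# Profiles the client is in before NLA recognises the domain; the rules are not
# needed in the domain profile itself.
$Profiles = "public,private"

# One entry per protocol/port set from the post (rule names kept free of spaces
# so they pass cleanly from PowerShell to netsh).
$NlaRules = @(
    @{ Name = "NLA-RPC-EndpointMapper"; Protocol = "TCP"; Ports = "135"     },
    @{ Name = "NLA-SMB-NetBIOS-TCP";    Protocol = "TCP"; Ports = "445,139" },
    @{ Name = "NLA-NetBIOS-UDP";        Protocol = "UDP"; Ports = "137,138" },
    @{ Name = "NLA-DNS";                Protocol = "UDP"; Ports = "53"      },
    @{ Name = "NLA-LDAP-TCP";           Protocol = "TCP"; Ports = "389"     },
    @{ Name = "NLA-LDAP-UDP";           Protocol = "UDP"; Ports = "389"     }
)

foreach ($r in $NlaRules) {
    # dir=out: the client initiates these connections, so the port to match is
    # remoteport (the destination on the DC), never localport (the client's
    # ephemeral source port). remoteip restricts the rule to the DCs only.
    $netshArgs = @(
        "advfirewall", "firewall", "add", "rule",
        "name=$($r.Name)",
        "dir=out",
        "action=allow",
        "protocol=$($r.Protocol)",
        "remoteport=$($r.Ports)",
        "remoteip=$DomainControllers",
        "profile=$Profiles"
    )
    netsh @netshArgs
}

# Checks: which profile is currently active, and that the six rules exist.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all | Select-String "Rule Name:.*NLA-"
```

After reconnecting to the domain network, `show currentprofile` should report the domain profile instead of public or private; if it still shows public/private, one of the destination ports is being dropped and the firewall log from Part 1 will show which.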
