Re: Help Understanding LDAP Variants
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 03 Jan 2007 10:34:37 -0500
The GC ports are used A LOT by normal Windows operations - it is how Windows finds things in the directory. For instance START | SEARCH | PRINTERS, COMPUTERS, OR PEOPLE will hit the GC.
If you don't have certs on the DCs the ports are effectively dead. Apps will connect to the port and send an SSLv2 Hello and then get bounced by the DS service when it realizes it doesn't have a cert. Nothing else on the DC should be able to use those ports as LSASS will grab them right off.
Obviously if you really want to know if you can block a port, the best way is to do a long term trace on the machine for the ports in question and look at what is coming through. Untold numbers of issues have been caused by people just throwing up traffic filters and then having no clue how it will impact them, and then when weird things occur they don't make the connection with the changes they made. From that you can probably see that I am not a proponent of firewalling between DCs and anything.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Will wrote:
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:eA#02eBLHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
They can all be used at different times by different applications/users.
They have different purposes.
The GC port is regular LDAP, only it gives you a view of all objects in
the forest but a partial set of attributes for all of them. It is
generally used when you are looking for a specific object or set of
objects across an entire forest and you aren't sure what domain the
object is in. Say a specific user.
Is the GC port used by any Microsoft-distributed applications that an end
user (non administrator) would run? We are putting some firewall
restrictions on the domain controllers and I don't want to block anything
that might get used by an end user.
The SSL ports (aka LDAPS) versions of the ports cause the data
transferred to be encrypted. It requires some sort of certificate to
enable the encryption.
So by default it cannot be used without special setup on the server, and I
therefore assume if we block the encrypted ports 636 and 3269, no one is
going to notice them missing. I would prefer to not leave open ports that
do not connect to an actual service, since hackers love such situations as a
way to run their own programs on those ports and have it look like approved
network traffic.
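The two checks the thread turns on, put into a script. This is an added example, not code from either poster: first, whether 636 and 3269 on a DC actually complete a TLS handshake or just accept the TCP connection and drop it (the "effectively dead" state when no cert is installed); second, the "long term trace" Joe recommends, approximated by sampling established connections to 389/636/3268/3269 on the DC over a window and aggregating the remote addresses. The DC name, sampling window and output path are placeholders.

```powershell
# Added example (not from the original thread). Run as an administrator; part 1 can run
# from any domain-joined machine against $Dc, part 2 should run on the DC itself.
# $Dc, $Minutes and $IntervalSeconds are placeholder values to adjust.
param(
    [string]$Dc = 'dc01.corp.example',   # hypothetical DC name
    [int]$Minutes = 60,                  # how long to sample connections
    [int]$IntervalSeconds = 30           # gap between samples
)

# Local ports LSASS listens on for the LDAP family of services.
$LdapPorts = @{ 389 = 'LDAP'; 636 = 'LDAPS'; 3268 = 'GC'; 3269 = 'GC-SSL' }

function Test-LdapsHandshake {
    # Distinguish "port filtered", "TCP open but TLS refused" (no usable cert on the DC)
    # and "TLS completes, DC presented a certificate".
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
    } catch {
        return [pscustomobject]@{ Port = $Port; Tcp = 'closed/filtered'; Tls = $null; Subject = $null }
    }
    try {
        # Accept any certificate: this is a liveness probe only, not a trust check.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{ Port = $Port; Tcp = 'open'; Tls = 'ok'; Subject = $ssl.RemoteCertificate.Subject }
    } catch {
        # LSASS owns the port but drops the session when it has no cert to offer.
        [pscustomobject]@{ Port = $Port; Tcp = 'open'; Tls = "failed: $($_.Exception.Message)"; Subject = $null }
    } finally {
        $client.Close()
    }
}

function Get-LdapClientSample {
    # One snapshot of established connections to the LDAP-family ports on this host.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $LdapPorts.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = Get-Date
                Service   = $LdapPorts[[int]$_.LocalPort]
                LocalPort = $_.LocalPort
                Remote    = $_.RemoteAddress
                OwningPid = $_.OwningProcess
            }
        }
}

# 1. Are the SSL ports live or just open?
636, 3269 | ForEach-Object { Test-LdapsHandshake -HostName $Dc -Port $_ } | Format-Table -AutoSize

# 2. Who is actually using the LDAP/GC ports? Sample for $Minutes, then aggregate.
$deadline = (Get-Date).AddMinutes($Minutes)
$samples = New-Object System.Collections.Generic.List[object]
while ((Get-Date) -lt $deadline) {
    Get-LdapClientSample | ForEach-Object { $samples.Add($_) }
    Start-Sleep -Seconds $IntervalSeconds
}

$samples | Group-Object Service, Remote |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw samples so a later "weird thing" can be tied back to a blocked client.
$samples | Export-Csv -NoTypeInformation -Path ".\ldap-clients-$(Get-Date -Format yyyyMMdd-HHmm).csv"
```

Sampling established connections misses short-lived queries that open and close between samples, so treat an empty result for 3268 as "nothing seen", not "nothing uses it"; a packet-level capture on the DC filtered to those four ports is the stronger form of the trace Joe describes. The handshake probe deliberately accepts any certificate: its only question is whether LSASS has a cert to present, which is exactly the difference between a port that is open and a port that does work.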