On Fri, 13 Dec 2024 10:14:27 +0100 Ilias Chasapakis forumZFD via samba <samba at lists.samba.org> wrote:

> Dear all,
>
> We (me and colleagues) were considering setting an RODC in our DMZ
> for some authentication related questions.
>
> We were curious about any suggested best practices for those cases.
>
> We also notice that there are quite a lot of ports to open vs. the
> ADs.
>
> * TCP 88 (Kerberos Key Distribution Center)
> * TCP 135 (Remote Procedure Call)
> * TCP 139 (NetBIOS Session Service)
> * TCP 389 (LDAP)
> * TCP 445 (SMB, Net Logon)
> * UDP 53 (DNS)
> * UDP 389 (LDAP, DC Locator, Net Logon)
> * TCP 49152-65535 (Randomly allocated high TCP ports)
>
> Are there other suggestions from your side to approach the RODC in a
> DMZ, keeping the security at a decent level?
>
> Many thanks in advance for your suggestions
>
> Best
> Ilias

Well, personally, I wouldn't put anything to do with AD into a DMZ, but that is probably just me. Any AD client in a DMZ (and that includes an RODC) must 'talk' to an internal DC.

If you must do this, Microsoft has documentation here:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN

Rowland
Dear Rowland,

We share those concerns actually, and of course if there is a way to avoid it, it is always better. Another fellow suggested an LDAP proxy to us instead (personally I have never set one up). What we actually need in our case scenario is only that service and not the rest of the bells and whistles of an RODC.

I was just wondering if someone had experience with what happens if one does actually close some of these ports which in the end are unused (of course join and replication should also be able to go on). The implications of opening anything on a DMZ to an internal network are for sure not nice (even with very restricted accesses) unless compromises are needed for practical reasons.

Thanks for sharing your thoughts on this.

Best
Ilias

On 13.12.24 at 11:53, Rowland Penny via samba wrote:

> Well, personally, I wouldn't put anything to do with AD into a DMZ, but
> that is probably just me. Any AD client in a DMZ (and that includes an
> RODC) must 'talk' to an internal DC.
>
> If you must do this, Microsoft has documentation here:
>
> https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN
>
> Rowland

--
forumZFD Entschieden für Frieden | Committed to Peace
Ilias Chasapakis, Referent IT | IT Referent
Forum Ziviler Friedensdienst e.V. | Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273243 | Fax 0221 91273299 | http://www.forumZFD.de
Executive Board (§ 26 BGB, each authorised to represent alone): Alexander Mauz, Sonja Wiekenberg-Mlalandle
VR 17651 Amtsgericht Köln
Donations: IBAN DE90 4306 0967 4103 7264 00 BIC GENODEM1GLS
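For readers who do end up with an RODC in the DMZ, the following nftables ruleset is an added example (not from the thread or from Samba) that pins the DMZ-to-internal path down to exactly the ports listed in the original question, from the RODC only, to the DCs only, with everything else logged and dropped. Interface names (dmz0, lan0) and addresses (RODC 192.0.2.10, DCs 198.51.100.11 and .12) are constructed placeholders; the high-port range matches Samba's default `rpc server dynamic port range` in smb.conf, and if that option is narrowed on the DCs the same range should be narrowed here.

```nft
# Added example: restrict a DMZ RODC to the DC ports from the thread.
# Addresses and interface names are constructed placeholders.
table inet dmz_rodc {
    set internal_dcs {
        type ipv4_addr
        elements = { 198.51.100.11, 198.51.100.12 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only the DMZ -> internal direction is handled here; other
        # directions are assumed to be filtered by separate chains.
        iifname "dmz0" oifname "lan0" jump dmz_to_internal
    }

    chain dmz_to_internal {
        ct state established,related accept
        ct state invalid drop

        # Kerberos, RPC endpoint mapper, NetBIOS session, LDAP, SMB/Net Logon.
        ip saddr 192.0.2.10 ip daddr @internal_dcs \
            tcp dport { 88, 135, 139, 389, 445 } ct state new accept

        # DNS and connectionless LDAP (DC locator, Net Logon).
        ip saddr 192.0.2.10 ip daddr @internal_dcs \
            udp dport { 53, 389 } accept

        # Dynamic RPC ports negotiated via the endpoint mapper on 135
        # (replication). Narrow this range together with smb.conf's
        # "rpc server dynamic port range" on the DCs.
        ip saddr 192.0.2.10 ip daddr @internal_dcs \
            tcp dport 49152-65535 ct state new accept

        # Everything else from the DMZ toward the internal network:
        # rate-limited log line for the SIEM, then drop.
        limit rate 5/second log prefix "dmz_rodc drop: "
        counter drop
    }
}
```

The `counter drop` line doubles as a cheap check of the "which of these ports are actually unused" question: after loading the ruleset with `nft -f`, `nft list chain inet dmz_rodc dmz_to_internal` shows how many packets fell through, and the logged prefix shows which destination ports they were aiming at.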