We have already opened all these ports in our AD environment towards the 2nd AD domain, but we would also like to identify which ports should be open towards the client workstations.
Apparently, both of our AD environments are in separate locations:
Current Setup of Domain & Client Workstation:
AD Domain 1: (Primary) Located at City 1
AD Domain 2: (Secondary) Located at City 2
Client Workstations: Located at City 3
Connections to the primary domain at the other location go through firewall policies.
| Port Description | Port Details |
|---|---|
| LDAP | TCP 389 |
| LDAP SSL | TCP 636 |
| Kerberos | TCP 88 |
| DNS | TCP 53 |
| LDAP | TCP 389 |
| LDAP (Secure) | TCP 636 |
| RPC / Replication | TCP 135 |
| DFSN, NetBIOS Session Service, Net Logon | TCP 139 |
| Global Catalog | TCP 3268 |
| Global Catalog (Secure) | TCP 3269 |
| Authentication, Trusts and Group Policy | |
| Kerberos Password Change | TCP 464 |
| DFSR, File Replication | TCP 5722 |
| Replication, User / Computer | TCP 49152-65535 |

(Is this last port range required to be open all the way from 49152 up to 65535?)
What are the risks of opening all these ports? We need to justify to the audit team each port that is needed for the AD policies to work properly, together with its risk.
I would appreciate any help with this case.
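As an added example (not part of the original question, and not a Microsoft tool), the PowerShell script below is what a workstation in City 3 can run to confirm that the firewall policy actually lets it reach a domain controller on the fixed TCP ports from the table above, and to produce a dated record for the audit team. `$DomainController` is an assumed placeholder. Port 445 (SMB) is not in the question's table but is included because workstations read SYSVOL over SMB during Group Policy processing; TCP 5722 (DFSR) is replication between DCs, so it is left out of a workstation check.

```powershell
# Added example, not part of the original question. Run it on a client
# workstation (City 3) to confirm the firewall policy lets the workstation reach
# a domain controller on the fixed TCP ports from the table in the question.
# $DomainController is an assumed placeholder; replace it with a real DC FQDN.
$DomainController = 'dc01.corp.example'   # placeholder, not taken from the question

# Fixed ports from the question's table. Port 445 (SMB) is not in that table but
# is added here because workstations read SYSVOL over SMB during Group Policy
# processing. TCP 5722 (DFSR) is DC-to-DC replication, so it is not tested from
# a workstation, and the RPC dynamic range is handled separately below.
$RequiredPorts = @(
    [pscustomobject]@{ Port = 53;   Service = 'DNS' }
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos' }
    [pscustomobject]@{ Port = 135;  Service = 'RPC endpoint mapper' }
    [pscustomobject]@{ Port = 139;  Service = 'NetBIOS session / Net Logon' }
    [pscustomobject]@{ Port = 389;  Service = 'LDAP' }
    [pscustomobject]@{ Port = 445;  Service = 'SMB (SYSVOL, Group Policy) - added, not in the table' }
    [pscustomobject]@{ Port = 464;  Service = 'Kerberos password change' }
    [pscustomobject]@{ Port = 636;  Service = 'LDAP over SSL' }
    [pscustomobject]@{ Port = 3268; Service = 'Global Catalog' }
    [pscustomobject]@{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-DomainControllerPorts {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [object[]] $Ports
    )
    foreach ($entry in $Ports) {
        # Test-NetConnection attempts a TCP connect; TcpTestSucceeded is $true
        # only if the handshake completed. It says nothing about UDP, which DNS
        # and Kerberos also use, so a separate UDP check is still needed.
        $result = Test-NetConnection -ComputerName $ComputerName -Port $entry.Port `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $ComputerName
            Port             = $entry.Port
            Service          = $entry.Service
            Reachable        = $result.TcpTestSucceeded
        }
    }
}

# Run this one ON the domain controller. The endpoint mapper (TCP 135) hands
# clients a port from the DC's dynamic range; this shows the range actually in
# use, so the firewall rule can match it instead of assuming 49152-65535.
function Get-RpcDynamicPortRange {
    netsh int ipv4 show dynamicport tcp
}

$report = Test-DomainControllerPorts -ComputerName $DomainController -Ports $RequiredPorts
$report | Format-Table -AutoSize

# Blocked ports are the ones to raise with the firewall team; the CSV gives the
# audit team a dated record of what the policy actually permits.
$report | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "Blocked: $($_.Service) on TCP $($_.Port)" }
$report | Export-Csv -Path ".\dc-port-check-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two points the script makes visible for the audit discussion: a TCP connect test does not cover the UDP side of DNS (53) and Kerberos (88), so those need their own check; and the 49152-65535 range in the table is simply the default dynamic port range of Windows Server 2008 and later, which `Get-RpcDynamicPortRange` reports from the DC. That range can be narrowed on the DC with `netsh int ipv4 set dynamicport tcp start=<port> num=<count>` so that the firewall rule for RPC traffic exposes fewer ports than the full default range.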