Hi,
I decided to relook at our firewall rules and start from scratch (for a number of reasons).
So I logged on to a client as admin, wiped all the existing rules, then initially created 1 rule for 'Block, All traffic, on all network adaptors'. I then started to create specific rules for specific traffic/ports and add them above the block rule. I think I have most domain required traffic allowed, but I've noticed that computer startup & logon is a lot slower.
Looking at the logs I have noticed that there is a lot of incoming UDP traffic on ports 137 & 138 targeting ntoskrnl.exe. A lot is coming from random IPs on our network, which is probably fine to leave blocked, but quite a bit is coming from our 2 domain controllers around the time the clients tried to log on. Do I need to allow incoming UDP 137/138 traffic from domain controllers?
I've also noticed that outbound TCP traffic on port 1025 from lsass.exe to the domain controllers is also being blocked. Does anyone know what this would be for, and if I need to allow it?
Rules I have so far are:
Ping - ICMP type 0,8,11 - incoming/outgoing - ping.exe
Internet - TCP 80, 443, 53 - outgoing - all applications
SMB TCP - (TCP) 135, 139, 445 - outgoing - NT Kernel & System (ntoskrnl.exe), Windows Explorer (explorer.exe), LSA Shell (lsass.exe), Generic Host Process (svchost.exe)
SMB UDP - (UDP) 137-138 - outgoing - NT Kernel & System (ntoskrnl.exe), Windows Explorer (explorer.exe), LSA Shell (lsass.exe)
Directory Access (TCP) - 53, 88, 389, 636, 1026, 3268, 3269 - outgoing - LSA Shell (lsass.exe), Generic Host Process (svchost.exe), Windows NT Logon (winlogon.exe), Userinit Logon Application (userinit.exe)
Directory Access (UDP) - 53, 88, 389 - outgoing - LSA Shell (lsass.exe)
NTP - 123 - outgoing - all applications
Block Everything Else - All IP Types - incoming/outgoing - all applications
Is there anything on the list above that shouldn't be there, or anything that should?
Thanks
Ben
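The rule table above is an ordered, first-match list with a catch-all block at the bottom, and the two log entries Ben asks about (inbound UDP 137/138 from the domain controllers, outbound TCP 1025 from lsass.exe) are exactly the flows that fall through every allow rule and hit the block. The Python model below is an added example, not code from the post or from any firewall product: it encodes the posted rules as data, evaluates sample flows against them top-down, and then shows the effect of inserting allow rules scoped by remote address, so that traffic from the DCs is permitted while the same traffic from random LAN peers still drops to the block rule. The DC addresses, the sample flows and the names of the two scoped rules are constructed for the example; the NTP rule is treated as "any protocol" because the post does not state one; and the example does not decide whether either flow is actually required for logon, only how the rule order and scoping determine the outcome.

```python
"""Ordered host-firewall rule evaluator (added example; not from the post).

The rule table mirrors the one listed in the post: specific allow rules
first, a catch-all block last, first match wins.  Domain-controller
addresses and the flows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ANY = "any"
IN, OUT = "in", "out"


@dataclass(frozen=True)
class Flow:
    direction: str   # IN or OUT
    proto: str       # "tcp", "udp" or "icmp"
    port: int        # remote port for OUT, local port for IN; ICMP type for icmp
    program: str     # image name of the local process
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "block"
    directions: FrozenSet[str]
    proto: str = ANY
    ports: FrozenSet[int] = frozenset()        # empty = any port / ICMP type
    programs: FrozenSet[str] = frozenset()     # empty = all applications
    remote_ips: FrozenSet[str] = frozenset()   # empty = any remote address

    def matches(self, f: Flow) -> bool:
        return (f.direction in self.directions
                and self.proto in (ANY, f.proto)
                and (not self.ports or f.port in self.ports)
                and (not self.programs or f.program in self.programs)
                and (not self.remote_ips or f.remote_ip in self.remote_ips))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the table top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "block", "implicit-deny"   # nothing matched: treat as blocked


BOTH = frozenset({IN, OUT})
SMB_PROGS = frozenset({"ntoskrnl.exe", "explorer.exe", "lsass.exe", "svchost.exe"})
DIR_PROGS = frozenset({"lsass.exe", "svchost.exe", "winlogon.exe", "userinit.exe"})

# The post's rule list, in the order the post gives it.
POST_RULES = [
    Rule("Ping", "allow", BOTH, "icmp", frozenset({0, 8, 11}), frozenset({"ping.exe"})),
    Rule("Internet", "allow", frozenset({OUT}), "tcp", frozenset({80, 443, 53})),
    Rule("SMB TCP", "allow", frozenset({OUT}), "tcp", frozenset({135, 139, 445}), SMB_PROGS),
    Rule("SMB UDP", "allow", frozenset({OUT}), "udp", frozenset({137, 138}),
         SMB_PROGS - {"svchost.exe"}),
    Rule("Directory Access (TCP)", "allow", frozenset({OUT}), "tcp",
         frozenset({53, 88, 389, 636, 1026, 3268, 3269}), DIR_PROGS),
    Rule("Directory Access (UDP)", "allow", frozenset({OUT}), "udp",
         frozenset({53, 88, 389}), frozenset({"lsass.exe"})),
    Rule("NTP", "allow", frozenset({OUT}), ANY, frozenset({123})),  # post gives no protocol
    Rule("Block Everything Else", "block", BOTH),
]

# Constructed addresses (RFC 5737 TEST-NET); the post names no real IPs.
DC_IPS = frozenset({"192.0.2.10", "192.0.2.11"})

# Constructed flows standing in for the log entries the post describes.
LOGGED = {
    "dc_netbios_in":   Flow(IN,  "udp", 137,  "ntoskrnl.exe", "192.0.2.10"),
    "peer_netbios_in": Flow(IN,  "udp", 138,  "ntoskrnl.exe", "192.0.2.77"),
    "lsass_rpc_out":   Flow(OUT, "tcp", 1025, "lsass.exe",    "192.0.2.11"),
    "kerberos_out":    Flow(OUT, "tcp", 88,   "lsass.exe",    "192.0.2.10"),
}


def audit(rules: List[Rule], flows: Dict[str, Flow] = LOGGED) -> Dict[str, Tuple[str, str]]:
    """Map each sample flow to the (action, rule) that decided it."""
    return {name: evaluate(rules, f) for name, f in flows.items()}


def with_dc_scoped_allows(rules: List[Rule]) -> List[Rule]:
    """Return a copy of the table with two hypothetical allows inserted just
    above the catch-all block, each restricted to the DC addresses, so the same
    traffic from any other host on the LAN still falls through to the block."""
    assert rules[-1].action == "block", "catch-all block must be last"
    extra = [
        Rule("NetBIOS from DCs", "allow", frozenset({IN}), "udp",
             frozenset({137, 138}), frozenset({"ntoskrnl.exe"}), DC_IPS),
        Rule("lsass RPC to DCs", "allow", frozenset({OUT}), "tcp",
             frozenset({1025}), frozenset({"lsass.exe"}), DC_IPS),
    ]
    return rules[:-1] + extra + rules[-1:]


if __name__ == "__main__":
    for label, table in (("post's rules", POST_RULES),
                         ("DC-scoped allows added", with_dc_scoped_allows(POST_RULES))):
        print(f"== {label}")
        for name, (action, rule) in audit(table).items():
            print(f"{name:16} {action:5}  <- {rule}")
```

Running it prints, for each table, which rule decided each sample flow: under the posted rules both questioned flows end at "Block Everything Else" while the Kerberos flow is allowed by "Directory Access (TCP)"; after the scoped allows are inserted, the DC-sourced flows are allowed and the flow from the non-DC peer is still blocked. Restricting any new allow by remote address, not just by port and program, is what keeps the "random IPs on our network" traffic blocked while letting the DC traffic through, and it keeps the audit trail readable because each log entry can still be traced to one specific rule.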