Endpoint Protection

  • 1.  Firewall Rules for Domain Traffic

    Posted Jun 22, 2009 11:00 AM
    Hi,

    I decided to relook at our firewall rules and start from scratch, (for a number of reasons).

    So I logged on to a client as admin, wiped all the existing rules, then initially created 1 rule for 'Block, All traffic, on all network adaptors'. I then started to create specific rules for specific traffic/ports and add them above the block rule. I think I have most domain required traffic allowed, but I've noticed that computer startup & logon is a lot slower.

    Looking at the logs I have noticed that there is a lot of incoming UDP traffic on ports 137 & 138 targeting ntoskrnl.exe. A lot is coming from random IPs on our network, which is probably fine to leave blocked, but quite a bit is coming from our 2 domain controllers around the time the clients tried to log on. Do I need to allow incoming UDP 137/138 traffic from domain controllers?

    I've also noticed that outbound TCP traffic on port 1025 from lsass.exe to the domain controllers is also being blocked. Does anyone know what this would be for, and if I need to allow it?

    Rules I have so far are:

    Ping - ICMP type 0,8,11 - incoming/outgoing - ping.exe
    Internet - TCP 80, 443, 53 - outgoing - all applications
    SMB TCP - (TCP) 135, 139, 445 - outgoing - NT Kernel & System (ntoskrnl.exe), Windows Explorer (explorer.exe), LSA Shell (lsass.exe), Generic Host Process (svchost.exe)
    SMB UDP - (UDP) 137-138 - outgoing - NT Kernel & System (ntoskrnl.exe), Windows Explorer (explorer.exe), LSA Shell (lsass.exe)
    Directory Access (TCP) - 53, 88, 389, 636, 1026, 3268, 3269 - outgoing - LSA Shell (lsass.exe), Generic Host Process (svchost.exe), Windows NT Logon (winlogon.exe), Userinit Logon Application (userinit.exe)
    Directory Access (UDP) - 53, 88, 389 - outgoing - LSA Shell (lsass.exe)
    NTP - 123 - outgoing - all applications
    Block Everything Else - All IP Types - incoming/outgoing - all applications

    Is there anything on the list above that shouldn't be there, or anything that should?

    Thanks

    Ben
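To trace the blocked log entries Ben describes back to the rule that produced them, here is an added example (not from the thread) that evaluates his posted rule list top to bottom, first match wins, against a few constructed flows. Process names and ports are taken from the post; the NTP rule names no protocol, so it is modelled as a wildcard, and the flows are constructed sample data, not real log lines.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for protocol, ports, direction or application

@dataclass
class Rule:
    name: str
    action: str     # "allow" or "block"
    proto: str      # "TCP", "UDP", "ICMP" or ANY
    ports: object   # set of remote ports (ICMP types for ICMP), or ANY
    direction: str  # "in", "out" or ANY
    apps: object    # set of process names, or ANY

# Ben's ordered list as posted; evaluated top to bottom, first hit wins.
BEN_RULES = [
    Rule("Ping", "allow", "ICMP", {0, 8, 11}, ANY, {"ping.exe"}),
    Rule("Internet", "allow", "TCP", {80, 443, 53}, "out", ANY),
    Rule("SMB TCP", "allow", "TCP", {135, 139, 445}, "out",
         {"ntoskrnl.exe", "explorer.exe", "lsass.exe", "svchost.exe"}),
    Rule("SMB UDP", "allow", "UDP", {137, 138}, "out",
         {"ntoskrnl.exe", "explorer.exe", "lsass.exe"}),
    Rule("Directory Access (TCP)", "allow", "TCP", {53, 88, 389, 636, 1026, 3268, 3269},
         "out", {"lsass.exe", "svchost.exe", "winlogon.exe", "userinit.exe"}),
    Rule("Directory Access (UDP)", "allow", "UDP", {53, 88, 389}, "out", {"lsass.exe"}),
    Rule("NTP", "allow", ANY, {123}, "out", ANY),  # post names no protocol, so ANY (assumption)
    Rule("Block Everything Else", "block", ANY, ANY, ANY, ANY),
]

def first_match(rules, direction, proto, port, app):
    """Return the first rule whose fields all match the flow, or None if nothing matches."""
    for r in rules:
        if (r.proto in (ANY, proto) and r.direction in (ANY, direction)
                and (r.ports == ANY or port in r.ports)
                and (r.apps == ANY or app in r.apps)):
            return r
    return None

# Constructed sample flows: the blocked entries Ben describes plus one known-good LDAP flow.
LOGGED_FLOWS = [
    ("in", "UDP", 137, "ntoskrnl.exe"),   # inbound NetBIOS name service from a DC
    ("in", "UDP", 138, "ntoskrnl.exe"),   # inbound NetBIOS datagram from a DC
    ("out", "TCP", 1025, "lsass.exe"),    # outbound to a DC on 1025
    ("out", "TCP", 389, "lsass.exe"),     # outbound LDAP, expected to be allowed
]

def classify(flows, rules=BEN_RULES):
    """Map each flow to (rule name, action) so log noise can be traced to the rule behind it."""
    return {f: (m.name, m.action) if m else ("<no match>", "none")
            for f in flows for m in [first_match(rules, *f)]}
```

Running `classify(LOGGED_FLOWS)` shows the inbound 137/138 flows fall through to the block rule because the SMB UDP rule is outgoing only, and TCP 1025 falls through because 1026 is listed but 1025 is not.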


  • 2.  RE: Firewall Rules for Domain Traffic

    Posted Jun 22, 2009 11:17 AM
     LSASS picks a random port above 1024 on which to listen, mostly 1025.

    TCP ports 139 and 445, and UDP ports 137 and 138 are used for File and print sharing.
    So if you keep this blocked you won't be able to access any files on the client from the server or any computer.
    Mostly it becomes a problem when you try to deploy any software remotely on these computers.



  • 3.  RE: Firewall Rules for Domain Traffic

    Posted Jun 22, 2009 11:20 AM
    If you see more than these ports in use more often, you can create a new network service in SEPM->Policies->Policy Components.
    You can specify all the required ports in that service and make a rule to allow the traffic for that service.

    Cheers,
    Aniket


  • 4.  RE: Firewall Rules for Domain Traffic

    Posted Jun 22, 2009 11:50 AM
    I did not see any rules created there for incoming or outgoing traffic for Mail.

    Ports 25, 110, 143 -> SMTP, POP, IMAP
    Port 389 -> LDAP queries (if applicable)
    Port 161 -> SNMP
    Port 162 -> SNMP traps
    Port 23 -> Telnet
    TCP port 20 for FTP printing
    TCP port 515 for LPD (unix) & 721 ~ 731
    TCP port 631 for Internet Printing Protocol
    Port 22 -> SSH
    Port 5800 and 5801 OR 5900 and 5901 -> VNC (if applicable)
    TCP port 3389 -> Remote desktop

    * * * * * * * *
    You can go one further depending on your requirements....  Here is an example....

    HP JetDirect print servers
    Port 9100 is used for printing. Port numbers 9101 and 9102 are for parallel ports 2 and 3 on the three-port HP JetDirect external print servers

    **Edit Again**

    Forgot a few...

    Do you use WSUS for updates or Windows Update directly?
    Windows Update uses ports 80 and 443...
    WSUS will use the port you defined on the server or in the GPO.

    SEPM and SEP:
    Client-Server Communication:
    For IIS, SEP uses HTTP or HTTPS between the clients or Enforcers and the server. For the client-server communication it uses port 80 (or 8014) and 443 by default. In addition, the Enforcers use RADIUS to communicate in real time with the manager console for client authentication. This is done on UDP port 1812.