AD Web Services security

fuscob posted this 16 November 2015

I’m looking for some information on best practices for firewalling of AD Web Services (9389/tcp on domain controllers). Currently, we only expose it to restricted VPN networks as just a few admins have cause to use it. Are others on the list doing similar things, or are you just exposing it to all internal clients along with the rest of the ports required for AD DS?

Thanks,

Brendan A. Fusco
DePaul University, Information Services

bdesmond posted this 16 November 2015

I don’t see any reason not to expose it to all your clients. It’s another abstraction over the data stored in AD…

Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132


ZJORZ posted this 16 November 2015

Why are you closing that down?

Kind regards,

Jorge de Almeida Pinto

E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx

Tel.: +31-(0)6-

(+++Sent from my mobile device +++)

(Apologies for any typos)


fuscob posted this 16 November 2015

The original decision wasn’t my call; I inherited the environment the way it currently is. I couldn’t think of any good reason to close it either, so I thought I’d ask to see if there was something I wasn’t thinking of before I open it up.



darren posted this 16 November 2015

I think it’s important to note that, if the original intent for this is about controlling access to AD, then ADWS is not the only way to access AD. You of course have LDAP ports that remain available, even if ADWS is blocked. And ultimately, the underlying AD security model is your best place to control access.


fuscob posted this 16 November 2015

That was my thinking as well; I don’t see the logic in locking down ADWS when other vectors exist and are already open to every client. Thanks Darren, Jorge, and Brian for your input.
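Darren's point (filtering 9389 does not restrict directory reads while the LDAP listeners stay open) can be checked from any domain-joined workstation. The script below is an added example, not code from the thread or from any of the posters: it enumerates the domain controllers over LDAP rather than ADWS, reports which listeners each one exposes to this client, and then performs the same user lookup once through ADWS (Get-ADUser) and once through plain LDAP (DirectorySearcher). It assumes RSAT with the ActiveDirectory module is installed and that `$SamAccountName` is a constructed placeholder for an account you are permitted to read.

```powershell
# Added example: compare a client's network paths into AD. Not from the original thread.
Import-Module ActiveDirectory
$SamAccountName = 'jdoe'   # constructed placeholder; replace with a real account

# Ports a client can use to read directory data. 9389 is ADWS (used by the Get-AD* cmdlets);
# the others are the LDAP / Global Catalog listeners that stay reachable even if ADWS is filtered.
$Ports = [ordered]@{ ADWS = 9389; LDAP = 389; LDAPS = 636; GC = 3268; 'GC-SSL' = 3269 }

# Discover DCs via the System.DirectoryServices API (LDAP/RPC), so discovery itself
# does not depend on ADWS being reachable.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

foreach ($dc in $dcs) {
    $state = foreach ($name in $Ports.Keys) {
        $open = Test-NetConnection -ComputerName $dc.Name -Port $Ports[$name] `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0}/{1}={2}' -f $name, $Ports[$name], $open
    }
    Write-Output ('{0}: {1}' -f $dc.Name, ($state -join ' '))
}

# Same read, two paths, against the first DC found.
$target = $dcs[0].Name

# Path 1: ADWS. Get-ADUser talks to 9389/tcp on the chosen DC; fails if that port is filtered.
try {
    $viaAdws = Get-ADUser -Identity $SamAccountName -Server $target -Properties mail |
               Select-Object Name, mail
    Write-Output ('ADWS  : {0} <{1}>' -f $viaAdws.Name, $viaAdws.mail)
} catch {
    Write-Output ('ADWS  : query failed ({0})' -f $_.Exception.Message)
}

# Path 2: LDAP. DirectorySearcher talks to 389/tcp on the same DC; ADWS is not involved at all.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$target"
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'mail'))
$viaLdap = $searcher.FindOne()
if ($viaLdap) {
    Write-Output ('LDAP  : {0} <{1}>' -f $viaLdap.Properties['name'][0], $viaLdap.Properties['mail'][0])
} else {
    Write-Output 'LDAP  : no result (check the account name or your read permissions)'
}
```

If the ADWS query fails but the LDAP query returns the same object, the firewall rule on 9389 is only restricting which tool admins use, not what the account can read; the ACLs on the objects themselves are what bound the data either way.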