I’m looking for some information on best practices for firewalling of AD Web Services (9389/tcp on domain controllers). Currently, we only expose it to restricted VPN networks as just a few admins have cause to use it. Are others on the list doing similar things, or are you just exposing it to all internal clients along with the rest of the ports required for AD DS? Thanks, Brendan A. Fusco DePaul University, Information Services
AD Web Services security
- 126 Views
- Last Post 16 November 2015
I don’t see any reason not to expose it to all your clients. It’s another abstraction over the data stored in AD…
(w) 312.625.1438 | (c) 312.731.3132
Why are you closing that down?
Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
(+++Sent from my mobile device +++)
(Apologies for any typos)
The original decision wasn’t my call; I inherited the environment the way it currently is. I couldn’t think of any good reason to close it either, so I thought
I’d ask to see if there was something I wasn’t thinking of before I open it up.
I think it’s important to note, that if the original intent for this is about controlling of access to AD, then the ADWS is not the only way to access AD. You
of course have LDAP ports that remain available, even if ADWS is blocked. And ultimately, the underlying AD security model is your best place to control access.
That was my thinking as well; I don’t see the logic in locking down ADWS when other vectors exist and are already open to every client. Thanks Darren, Jorge,
and Brian for your input.