Active Directory domain in DMZ. Firewall rules.

Deploying an Active Directory domain in a perimeter network (or DMZ) usually requires some changes in firewalls. But the question is: which ports must be opened, and from which computers?

The answer is not obvious. To simplify the firewall rules deployment and (very important!) to simplify communication with the Network Support team, I designed an Excel spreadsheet. The spreadsheet has only one page that includes all groups and rules that must be configured on a firewall. You can easily customize it and then share it with the network administrators.

Active Directory domain security hardening with Microsoft Security Compliance Manager (SCM). Twelve easy steps.

A step-by-step guide on how to create, export and import Group Policy Objects with recommended security baselines for your domain.

The article provides a complete guide on how to deploy the required GPOs. The guide assumes that you deploy security baselines for Windows Server 2008 R2 SP1. You can easily adapt the guide for other versions of Windows.

Step 1. Prerequisites
Step 2. Domain Security Hardening GPO – Baseline design
Step 3. Domain Security Hardening GPO – Baseline export
Step 4. Domain Controllers Security Hardening GPO – Baseline customization
Step 5. Domain Controllers Security Hardening GPO – Baselines merge
Step 6. Domain Controllers Security Hardening GPO – Baselines export
Step 7. Member Servers Security Hardening GPO – Baseline design
Step 8. Member Servers Security Hardening GPO – Baseline export
Step 9. Target domain – GPO folders copying
Step 10. Target domain – The first GPO creation and settings import
Step 11. Target domain – Creation and import of two more GPOs
Step 12. Target domain – GPO assignments

User Account Control issue

After applying the CIS security hardening baselines to Windows Server, you may notice an annoying window asking you to press Alt-Ctrl-End every time you try to perform an administrative task:


To fix this behaviour you must change either the Group Policy Object that contains the security baseline settings or the Local GPO (if the baseline was applied locally).

After the change, all elevations will proceed without the additional window.