Configuration of Comodo Firewall 5.3 with Active Directory

Hello to everybody from a new user of Comodo products

I’m a user of Windows 2003 SP2 and Comodo Internet Security 5.3. I’m trying to set a domain controller up with DHCP, DNS and WINS servers.

The server PC has 2 ethernet ports. Port 1 is connected to a simple cable-modem (not a router), port 2 is connected to a gigabit ethernet switch.

2 more client PCs (with Windows XP) are connected to the switch.

A standard ADSL router with wireless capability is connected to the switch through one of its 100 Mbits Ethernet ports to provide access to the Internet and files on the server to users with wireless devices.

What I’d like to achieve is connect all machines to the internet and have them share files with the maximum possible security level.

I’ve read some documents online from Microsoft explaining I need to modify the registry and open some ports used by Active Directory, but I’m obviously confusing stuff since those documents are meant for Windows firewall.

I would greatly appreciate it if somebody could help me configure Comodo firewall for that purpose.

Thank you very much in advance for your much needed help, and kudos for a great product!

Just to make sure I understand completely. You wish to run CIS on the DC, workstations or both?

Is the diagram about right?

[attachment deleted by admin]

Thank you Radaghast for your reply.

I intend to run CIS on every computer in the domain. Domain controller and workstations.

Your diagram is pretty good, I have edited it to show my configuration.

[attachment deleted by admin]

Thanks for correcting the diagram.

As far as I’m aware, CIS is not designed to run on server platforms, however, it will work. I’ll put together a guide for how to approach this. May I assume you’re familiar with creating a DC and setting up the services you wish to use?

I'll put together a guide for how to approach this.

That would be fantastic, I’m sure many users will find it most useful!

May I assume you're familiar with creating a DC and setting up the services you wish to use?

Yes I’m familiar with setting up a DC. Or at least I know how to use the wizard that actually sets up everything for me ;D.

Apologies for the delay, busy day.

There are a few ways you can approach this, it really depends how you feel about creating rules.

Option 1 - Don’t make any changes to the default settings in CIS, and place the firewall in ‘Training’ mode
Option 2 - Remove the default firewall rules, increase the Firewall security Level to custom Policy and Alerts to Very high. Manually create rules from the captured data.
Option 3 - Similar to Option 2 but make life a bit easier for ourselves.

Under the Stealth Port Wizard, Select ‘Alert me to incoming connections and make my ports stealth on a per case basis’

Personally, I’m not a great fan of the ‘Training’ mode option. It’s going to capture a lot of junk you don’t need and you won’t learn a great deal. It also doesn’t do what one might expect. Option 2 is the most difficult, as it requires some knowledge of the underlying system processes and rule creation. Option 3 is principally the same as option 2, but we create a few rules up front, so we’re not inundated with lots of indecipherable information.

As far as requirements go, at least for the purpose of getting the DC established and clients connecting:

Server: Firewall requirements for system processes:

Svchost.exe
System.exe
dns.exe
lsass.exe
tcpsvcs.exe
Wins.exe

You also need to make sure RPC (TCP Port 135), NetBIOS (TCP-UDP Ports 137 to 139) and SMB (TCP Port 445) traffic has full LAN access.

In addition to the above, depending upon your environment, you may also need to allow for LDAP, FRS and AD replication as well as Kerberos authentication.

Client: requirements for system processes:

Svchost.exe
System.exe
Lsass.exe
ping.exe
w32tm.exe

The same consideration must also be made for NetBIOS and SMB traffic.

To allow our DC and clients to talk to one another, we need to allow communication to take place both inbound and outbound. To achieve this in CIS we make use of Application rules for controlling the outbound flow and Global rules for controlling the inbound flow.

We could create separate, unique rules to cater for each service and protocol requirement; however, that’s laborious and unnecessary. Instead we will create a couple of rules for each service that meet our needs.

First we need to make sure we have a correctly defined Network Zone that corresponds to our LAN IP block. For example, if the IP addresses we use on our LAN are from the 192.168 range, we can create a Network Zone called LAN with the IP address of 192.168.1.1 and the Net mask of 255.255.255.0. This will cater for all devices with an IP address between 192.168.1.1 and 192.168.1.255. If you have left CIS in its default state, it should, upon first use, identify and create this Zone for you.

Now we have a LAN Zone, we can create a pair of rules for each of the services we identified above, for example System.exe:

Allow IP OUT From ANY to LAN where protocol is ANY
Allow IP IN From LAN to ANY where protocol is ANY

These two rules will allow all traffic between all stations on the LAN.

If you create this pair of rules for each of the services listed above, with the exception of WINS (see later paragraph), you’re pretty much covered for Application rules. For Global rules, create the same pair of rules and place them at the top of the list. Block rules may then be placed below.

For WINS you need to create a rule that allows:

Allow UDP OUT From ANY to 224.0.1.24 where Destination Port is 42

In addition to the aforementioned rules, you will find, on the DC at least, most services will require a loopback rule for LDAP:

Allow TCP OUT From 0.0.0.0 to 127.0.0.1 where Destination Port is 389

Svchost.exe will also require a loopback rule for RPC:

Allow TCP OUT from 0.0.0.0 to 127.0.0.0 where Destination Port is 135

Create the same pair of rules for each of the services listed under Client, above. It’s less important to have this pair of rules listed under Global, as most of the traffic from the client is outbound and the firewall supports stateful packet inspection. That said, there’s no harm and possibly even benefit by including these.

You will also need to allow ping.exe and w32tm.exe:

PING.exe - Allow ICMP OUT From ANY to [Your DC]
w32tm.exe - Allow TCP OUT From ANY to [Your DC] where Destination Port is 123

As stated above, you could tighten these rules by making them more explicit, for example, in Global rules only allowing inbound traffic for DNS.

I hope this helps. Don’t forget, these are just the basics, enough to get a DC running and clients connecting. If you add additional services, you will require additional rules.

Good luck.
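The rule set the guide above describes, as an added example that is not part of the original post or of Comodo's own code: a small Python model of ordered firewall rules (the LAN Network Zone, the Global allow pair above a block rule, and the System.exe, Wins.exe and lsass.exe Application rules) evaluated first-match-wins against constructed sample flows. It assumes the CIS evaluation order (inbound: Global then Application, outbound: Application then Global) and that an unmatched Global set passes the packet while an unmatched Application set alerts; the sample addresses (DC at 192.168.1.1, a client at 192.168.1.20, an outside host 203.0.113.5) are constructed.

```python
# Constructed model of the CIS rule set in the guide above (not Comodo code).
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
LAN, ANY = net("192.168.1.0/24"), net("0.0.0.0/0")   # the 'LAN' Network Zone and 'ANY'

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: str                   # "IP" matches every protocol
    direction: str               # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None" = None   # None = any destination port

# Global rules in the recommended order: LAN allow pair on top, block rule below it
GLOBAL_RULES = [
    Rule("allow", "IP", "out", ANY, LAN),
    Rule("allow", "IP", "in", LAN, ANY),
    Rule("block", "IP", "in", ANY, ANY),      # everything else inbound is dropped
]
# Application rules for three of the DC services named in the guide; the guide's
# '0.0.0.0' source on loopback rules is modelled here as ANY (assumption).
APP_RULES = {
    "System.exe": [Rule("allow", "IP", "out", ANY, LAN), Rule("allow", "IP", "in", LAN, ANY)],
    "Wins.exe":   [Rule("allow", "UDP", "out", ANY, net("224.0.1.24/32"), 42)],
    "lsass.exe":  [Rule("allow", "TCP", "out", ANY, net("127.0.0.1/32"), 389)],
}

def first_match(rules, proto, direction, src, dst, dport):
    # Ordered evaluation, first matching rule wins; None when nothing matches
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction == direction and r.proto in ("IP", proto)
                and s in r.src and d in r.dst and r.dport in (None, dport)):
            return r.action
    return None

def verdict(app, proto, direction, src, dst, dport=None, global_rules=GLOBAL_RULES):
    """Assumed CIS order: inbound is checked Global then Application, outbound the reverse.
    An unmatched Global set passes the packet on; an unmatched Application set alerts."""
    checks = [(global_rules, "allow"), (APP_RULES.get(app, []), "alert")]
    if direction == "out":
        checks.reverse()
    for rules, default in checks:
        result = first_match(rules, proto, direction, src, dst, dport) or default
        if result != "allow":
            return result
    return "allow"
```

Passing `GLOBAL_RULES[2:] + GLOBAL_RULES[:2]` as `global_rules` shows why the block rule must sit below the allow pair: with it on top, even LAN SMB to the DC is blocked.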

Thank you very much for your time and nice guide, you’ve been very helpful!

I’m still a bit confused about details, and I fear I’m not understanding too well how firewalls work, but at least client computers can browse the web and share files now.

Is there a way I can test the firewalls? Some web that somehow simulates intrusions or hostile behavior?

Thank you very much for your time and nice guide, you've been very helpful!

You’re welcome.

I'm still a bit confused about details, and I fear I'm not understanding too well how firewalls work, but at least client computers can browse the web and share files now.

If you have any specific questions, please feel free to ask.

Is there a way I can test the firewalls? Some web that somehow simulates intrusions or hostile behavior?
There are various sites you can take a look at:

ShieldsUP!
PC Flank
Symantec Security Check

There are others. Remember, if you wish to test the effectiveness of the firewall, you must bypass your router, otherwise you will be testing the router’s ports and not those of the PC/firewall.