Configured VPN access, what incoming traffic do I need to block to be safe?

by dadde   Last Updated October 17, 2019 01:00 AM

I am not a server guy at all so forgive me if my questions seem somewhat odd.

So I've set up a few Windows Server 2016 machines with internet access and I've created a VPN solution to be able to RDP to them. One of the servers is an Active Directory Domain Controller.

The servers only need to be accessible via RDP using the VPN, so I have no need to expose them in any way to the internet, i.e. no web servers or such things. The servers are not super sensitive, I just want to follow common sense and secure things on an appropriate level following best practice.

My question is basically whether there's anything else I should consider blocking?

I have blocked the following ports/protocols on ALL SERVERS for all incoming traffic except for the IP range used by the VPN connection.

  • 3389/tcp & udp Remote desktop

And the following ONLY on the server running the AD domain controller (for all incoming traffic):

  • 53/tcp domain
  • 88/tcp kerberos-sec
  • 123/udp ntp
  • 135/tcp msrpc
  • 139/tcp netbios-ssn
  • 389/tcp ldap
  • 445/tcp microsoft-ds
  • 464/tcp kpasswd5
  • 593/tcp http-rpc-epmap
  • 636/tcp ldapssl
  • 3268/tcp globalcatLDAP
  • 3269/tcp globalcatLDAPssl
  • 9389/tcp ADWS

Outgoing traffic has been blocked (I'll open up the things I need when I realize I'll need them).

I'm using the built-in Windows firewall.
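The policy the question describes, expressed with the Windows firewall's NetSecurity cmdlets, as an added example that is not the asker's configuration. Rather than blocking a list of ports and implicitly allowing the rest, it sets the profiles to default-deny inbound and then adds narrow Allow rules, so anything that never made it onto the block list (WinRM, SMB on a non-DC, a future service) is covered too. The VPN client pool (`$VpnClients`), the internal server subnet (`$ServerLan`) and the `-IsDomainController` switch are placeholders and assumptions; the question blocks the domain controller ports from every source, so to match that exactly, remove `$ServerLan` and `$VpnClients` from the AD DS rules below, but note that domain-joined servers and VPN clients then lose DNS, Kerberos and LDAP against that DC.

```powershell
# Added example (not from the question's author): builds a VPN-only inbound policy with the
# NetSecurity module on Windows Server 2016. Run in an elevated PowerShell session.
# ASSUMPTIONS (placeholders, adjust to your environment):
#   $VpnClients - address pool handed out to VPN clients, the only source allowed to RDP
#   $ServerLan  - subnet of the domain-joined servers that must reach the DC's services
$VpnClients = '10.8.0.0/24'        # placeholder VPN client pool
$ServerLan  = '192.168.10.0/24'    # placeholder internal server subnet

function Set-VpnOnlyInboundPolicy {
    param([switch]$IsDomainController)   # pass -IsDomainController on the DC only

    # 1. Default-deny both directions on every profile. Inbound traffic that no Allow rule
    #    below matches is dropped, which covers ports that never made it onto a block list.
    #    Outbound default-deny mirrors the question; open outbound rules as services need them.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 2. RDP only from the VPN client pool. The stock 'Remote Desktop' rule group allows 3389
    #    from any address, so disable it and replace it with rules scoped to $VpnClients.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "RDP from VPN ($proto)" -Direction Inbound -Action Allow `
            -Protocol $proto -LocalPort 3389 -RemoteAddress $VpnClients -Profile Any | Out-Null
    }

    if ($IsDomainController) {
        # 3. The DNS/Kerberos/RPC/SMB/LDAP/ADWS ports from the question, reachable only from the
        #    internal server subnet and the VPN pool; the default-deny in step 1 drops them from
        #    every other source. DNS, Kerberos, LDAP, kpasswd and NTP also use UDP.
        $dcTcpPorts = 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 9389
        $dcUdpPorts = 53, 88, 123, 389, 464
        New-NetFirewallRule -DisplayName 'AD DS services (TCP) from internal' -Direction Inbound `
            -Action Allow -Protocol TCP -LocalPort $dcTcpPorts `
            -RemoteAddress $ServerLan, $VpnClients -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName 'AD DS services (UDP) from internal' -Direction Inbound `
            -Action Allow -Protocol UDP -LocalPort $dcUdpPorts `
            -RemoteAddress $ServerLan, $VpnClients -Profile Any | Out-Null

        # The RPC endpoint mapper on 135 hands clients dynamic high ports that the built-in
        # 'Active Directory Domain Services' rule group allows from Any. Rescope that group to
        # the same sources instead of leaving it open (assumed group name as on a 2016 DC).
        Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress $ServerLan, $VpnClients
    }
}

# Verification: list every enabled inbound Allow rule whose remote scope is still 'Any'.
# After applying the policy, anything this returns is a port you are consciously leaving open.
function Get-OpenInboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
}

# Usage:
#   Set-VpnOnlyInboundPolicy                         # on a member server
#   Set-VpnOnlyInboundPolicy -IsDomainController     # on the DC
#   Get-OpenInboundAllowRules | Format-Table -AutoSize
```

Apply this from a console session or an existing VPN connection rather than over a bare RDP session, since the default-deny in step 1 takes effect before the scoped RDP rule is created. The verification function is the check to repeat whenever a role or feature is added: Windows installs its own rule groups with `Any` as the remote scope, and each one that appears in the output needs the same `-RemoteAddress` narrowing.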
