Public draft (#1)

Author: MichaelGrafnetter

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+# Text files
+[*.md,*.yml,*.json,*.ps1,*.sh,*.lua]
+  indent_style = space
+  indent_size = 2
+  insert_final_newline = true
+  trim_trailing_whitespace = true

.github/README.md

@@ -0,0 +1,31 @@
+# Active Directory Firewall
+
+## Introduction
+
+This project aims to provide production-ready and well-tested guidelines on configuring the Windows Firewall for Active Directory-related server roles.
+
+![Windows Firewall with Advanced Security Screenshot](../Images/Screenshots/dc-firewall.png)
+
+## Domain Controller Firewall
+
+The following materials are currently available:
+
+- 🛠️[Domain Controller Firewall Tool (DCFWTool)](https://github.com/MichaelGrafnetter/active-directory-firewall/releases/latest) (zipped distribution of the [source code](../ADDS/DCFWTool/))
+- 📄[Whitepaper](https://github.com/MichaelGrafnetter/active-directory-firewall/releases/latest) (PDF [generated](workflows/generate-whitepaper.yml) from the [ADDS/README.md](../ADDS/README.md) file)
+- 📜[Sample Firewall GPO HTML Report](../ADDS/GPOReport.html)
+- 📋[List of Built-In Firewall Rules](../ADDS/inbound-builtin-firewall-rules.csv)
+
+## References
+
+### Active Directory Domain Services
+
+- 🌐[How to configure a firewall for Active Directory domains and trusts](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts)
+- 🌐[Service overview and network port requirements for Windows](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements)
+
+### Active Directory Certificate Services
+
+- 🌐[Firewall Rules for Active Directory Certificate Services](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/firewall-rules-for-active-directory-certificate-services/ba-p/1128612)
+
+### Active Directory Federation Services
+
+- 🌐[AD FS Required Ports and Protocols](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#ports-required)

.github/workflows/generate-whitepaper.yml

@@ -0,0 +1,57 @@
+name: Generate Whitepaper
+
+on:
+  push:
+    paths:
+      - 'ADDS/README.md'
+      - '.github/workflows/generate-whitepaper.yml'
+
+jobs:
+  generate:
+    name: Generate
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v4
+
+      - name: Get the current date
+        id: get_date
+        run: echo "date=$(date '+%B %e, %Y')" > $GITHUB_OUTPUT
+
+      - name: Generate the whitepaper using Pandoc
+        uses: docker://pandoc/extra
+        with:
+          args: >-
+            --output=Domain_Controller_Firewall.pdf
+            --from=markdown
+            --to=pdf
+            --pdf-engine=xelatex
+            --shift-heading-level-by=-1
+            --top-level-division=section
+            --table-of-contents
+            --toc-depth=2
+            --number-sections
+            --template=eisvogel
+            --lua-filter=pandoc.lua
+            --variable=lof:true
+            --variable=classoption:oneside
+            --variable=geometry:a4paper,margin=2cm
+            --variable=colorlinks:true
+            --variable=linkcolor:"[HTML]{4077C0}"
+            --variable=titlepage:true
+            --variable=titlepage-rule-color:de0000
+            --variable=titlepage-rule-height:40
+            --variable=header-includes:"\usepackage{sectsty} \sectionfont{\clearpage}"
+            --variable=caption-justification:centering
+            --variable=listings-disable-line-numbers:true
+            --metadata date="${{ steps.get_date.outputs.date }}"
+            --resource-path="ADDS:/.pandoc/templates"
+            ADDS/README.md
+
+      - name: Publish the whitepaper as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: Whitepaper
+          path: Domain_Controller_Firewall.pdf
+          if-no-files-found: error

.gitignore

@@ -0,0 +1,2 @@
+*.pdf
+*.docx

.vscode/extensions.json

@@ -0,0 +1,14 @@
+{
+    "recommendations": [
+      "ms-vscode.PowerShell",
+      "GitHub.vscode-pull-request-github",
+      "GitHub.vscode-github-actions",
+      "EditorConfig.EditorConfig",
+      "DavidAnson.vscode-markdownlint",
+      "bierner.markdown-preview-github-styles",
+      "mechatroner.rainbow-csv",
+      "GrapeCity.gc-excelviewer",
+      "GitHub.copilot",
+      "GitHub.copilot-chat"
+    ]
+  }

ADCS/builtin-firewall-rules.csv

@@ -0,0 +1 @@
+Direction,Name,Group,Protocol,Port,Program,Service,Remote Address,Notes

ADDS/ADMXSchema/BaseTypes.xsd

@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema id="ADMX" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:pd="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+
+  <xs:simpleType name="GUID">
+    <xs:annotation>
+      <xs:documentation>A standard {12345678-1234-1234-1234-123456789abcd} style guid string.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="versionString">
+    <xs:restriction base="xs:token">
+      <xs:pattern value="[0-9]{1,4}\.[0-9]{1,5}"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="stringReference">
+    <xs:annotation>
+      <xs:documentation>A reference to a localized string in the localized string section/table.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="\$\(string\.(\p{L}|\p{N}|_)+\)"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="presentationReference">
+    <xs:annotation>
+      <xs:documentation>A reference to a policy presentation in the localized presentation section/table.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="\$\(presentation\.(\p{L}|\p{N}|_)+\)"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="resourceID">
+    <xs:annotation>
+      <xs:documentation>A localized string id (used in the localized string section/table).</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="(\p{L}|\p{N}|_)+"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="Annotation" mixed="true">
+    <xs:sequence>
+      <xs:any processContents="skip"/>
+    </xs:sequence>
+    <xs:attribute name="application" type="xs:string" use="required"/>
+  </xs:complexType>
+
+  <xs:simpleType name="itemName">
+    <xs:annotation>
+      <xs:documentation>The base type for all defined type names, e.g. categories.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="(\p{L}|\p{N}|_)+"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="itemReference">
+    <xs:annotation>
+      <xs:documentation>The base type for all references to defined types, e.g. categories.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:pattern value="((\p{L}|\p{N}|_)+)|((\p{L}|\p{N}|_)+:(\p{L}|\p{N}|_)+)"/>
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="LocalizedString">
+    <xs:annotation>
+      <xs:documentation>A localized string</xs:documentation>
+    </xs:annotation>
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="id" type="pd:resourceID" use="required"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:simpleType name="registryKey">
+    <xs:annotation>
+      <xs:documentation>A valid registry key path (without reference to local system or user hive).</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string"/>
+  </xs:simpleType>
+
+  <xs:simpleType name="registryValueName">
+    <xs:annotation>
+      <xs:documentation>A valid registry value name.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string"/>
+  </xs:simpleType>
+
+  <xs:simpleType name="fileName">
+    <xs:annotation>
+      <xs:documentation>A valid file name (without a file path).</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string"/>
+  </xs:simpleType>
+
+
+</xs:schema>

ADDS/ADMXSchema/PolicyDefinitionFiles.xsd

@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema id="ADMX" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:pd="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+  <xs:include schemaLocation="BaseTypes.xsd"/>
+  <xs:include schemaLocation="PolicyDefinitions.xsd"/>
+
+
+  <!--
+        Localization tables
+     -->
+  <xs:complexType name="Localization">
+    <xs:annotation>
+      <xs:documentation>A table of referenced localized strings and policy presentations.</xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="stringTable" minOccurs="0">
+        <xs:complexType>
+          <xs:sequence minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="string" type="pd:LocalizedString"/>
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+      <xs:element name="presentationTable" minOccurs="0">
+        <xs:complexType>
+          <xs:sequence minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="presentation" type="pd:PolicyPresentation"/>
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="LocalizationTable">
+    <xs:annotation>
+      <xs:documentation>A table of localization tables, one per language</xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="localization" type="pd:Localization" minOccurs="1" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="fallbackCulture" type="xs:language" default="en-US"/>
+  </xs:complexType>
+
+
+  <!--
+        Special types and groups
+     -->
+  <xs:complexType name="FileReference">
+    <xs:attribute name="fileName" type="pd:fileName" use="required"/>
+  </xs:complexType>
+  
+  <xs:complexType name="PolicyList">
+    <xs:sequence minOccurs="1" maxOccurs="unbounded">
+      <xs:element name="policy" type="pd:PolicyDefinition"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="SupportedOnTable">
+    <xs:sequence>
+      <xs:element name="products" type="pd:SupportedProducts" minOccurs="0" maxOccurs="1"/>
+      <xs:element name="definitions" type="pd:SupportedOnDefinitions" minOccurs="0" maxOccurs="1"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="CategoryList">
+    <xs:sequence minOccurs="1" maxOccurs="unbounded">
+      <xs:element name="category" type="pd:Category"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="PolicyNamespaceAssociation">
+    <xs:attribute name="prefix" type="pd:itemName" use="required"/>
+    <xs:attribute name="namespace" type="xs:anyURI" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PolicyNamespaces">
+    <xs:sequence>
+      <xs:element name="target" type="pd:PolicyNamespaceAssociation"/>
+      <xs:element name="using" type="pd:PolicyNamespaceAssociation" minOccurs="0" maxOccurs="unbounded"/>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="LocalizationResourceReference">
+    <xs:attribute name="minRequiredRevision" type="pd:versionString" use="required"/>
+    <xs:attribute name="fallbackCulture" type="xs:language" default="en-US"/>
+  </xs:complexType>
+
+  <!--
+        Policy Definition file types and base element
+    -->
+  <xs:complexType name="PolicyDefinitions">
+    <xs:annotation>
+      <xs:documentation>The base type for general ADMX files with satellite resource files, etc.</xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="policyNamespaces" type="pd:PolicyNamespaces"/>
+      <xs:element name="supersededAdm" type="pd:FileReference" minOccurs="0" maxOccurs="unbounded"/>
+      <xs:element name="annotation" type="pd:Annotation" minOccurs="0" maxOccurs="unbounded"/>
+      <xs:element name="resources" type="pd:LocalizationResourceReference"/>
+      <xs:element name="supportedOn" type="pd:SupportedOnTable" minOccurs="0" maxOccurs="1"/>
+      <xs:element name="categories" type="pd:CategoryList" minOccurs="0" maxOccurs="1"/>
+      <xs:element name="policies" type="pd:PolicyList" minOccurs="0" maxOccurs="1"/>
+    </xs:sequence>
+    <xs:attribute name="revision" type="pd:versionString" use="required"/>
+    <xs:attribute name="schemaVersion" type="pd:versionString" use="required"/>
+  </xs:complexType>
+
+  <xs:complexType name="PolicyDefinitionResources">
+    <xs:annotation>
+      <xs:documentation>
+        The base type for localized RES.ADMX files with a single language/culture per file.
+        Localization files are always in the namespace of the associated PDX file and
+        never reference definitions from other namespaces.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="displayName" type="xs:string"/>
+      <xs:element name="description" type="xs:string"/>
+      <xs:element name="annotation" type="pd:Annotation" minOccurs="0" maxOccurs="unbounded"/>
+      <xs:element name="resources" type="pd:Localization"/>
+    </xs:sequence>
+    <xs:attribute name="revision" type="pd:versionString" use="required"/>
+    <xs:attribute name="schemaVersion" type="pd:versionString" use="required"/>
+  </xs:complexType>
+
+  <!--
+        Used in conjuction: one ADMX file for policy definitions and an ADML file per language.
+    -->
+  <xs:element name="policyDefinitions" type="pd:PolicyDefinitions"/>
+  <xs:element name="policyDefinitionResources" type="pd:PolicyDefinitionResources"/>
+
+</xs:schema>