Resolved #6 and #8

MichaelGrafnetter · MichaelGrafnetter · commit dd1ef8ac11b8 · 2025-05-09T08:43:02.000+02:00
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -8,5 +8,9 @@
         "$comment": "Allow long lines for code blocks.",
         "line_length": 120,
         "tables": false
+    },
+    "MD033": {
+        "$comment": "Allow inline HTML for MkDocs compatibility.",
+        "allowed_elements": [ "br", "sup" ]
     }
 }
diff --git a/ADDS/README.md b/ADDS/README.md
@@ -32,6 +32,7 @@ keywords:
 | 2025-01-11   | 1.3     | M. Grafnetter                 | Improved [helper scripts](#dcfwtool-distribution-contents).<br>Added the [Port Scanning](#port-scanning) and expanded the [System Reboots](#system-reboots) sections. |
 | 2025-02-24   | 1.3.1   | P. Formanek                   | Expanded the [Firewall Rule Merging](#firewall-rule-merging) section. |
 | 2025-03-19   | 1.3.2   | P. Formanek,<br>M. Grafnetter | Tested on Windows 2025 Server and expanded the [IPSec](#ipsec-rules) and [System Reboots](#system-reboots) sections. |
+| 2025-05-09   | 1.3.3   | M. Grafnetter | Expanded the [RPC Dynamic Port Allocation](#rpc-dynamic-port-allocation) and [Firewall Profiles](#firewall-profiles) sections. |
 
 Script files referenced by this document are versioned independently:
 
@@ -473,6 +474,14 @@ to avoid potential loss of network connectivity.
 
 ![Windows Firewall profiles](../Images/Screenshots/firewall-profiles.png){ width=400px }
 
+Additionally, some experts suggest [applying the following undocumented NLA setting](https://glennopedia.com/2024/06/01/network-location-awareness-service-revisited/),
+although this may be redundant with the aforementioned recommendation:
+
+> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NlaSvc\\Parameters  
+> Value name: AlwaysExpectDomainController  
+> Value type: REG_DWORD  
+> Value data: 1
+
 ### Infeasibility of Outbound Traffic Filtering
 
 #### Reasons for Blocking Outbound Traffic
@@ -679,6 +688,17 @@ References:
 - [Setting Up a Fixed Port for WMI](https://learn.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi)
 - [RPC Load Balancing Best Practices](https://learn.microsoft.com/en-us/windows/win32/rpc/load-balancing-best-practices)
 
+### RPC Dynamic Port Allocation
+
+For most Windows services, it is not possible to specify a dedicated RPC server port.
+Some network administrators prefer to at least [change the system-wide RPC dynamic port range](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls)
+from the default 49152-65535 interval to a narrower one, such as 5000-6000.
+
+However, this approach does not seem to provide any security benefits.
+Restricting the RPC port range does not prevent any hacking techniques or mitigate any security vulnerabilities,
+nor does it simplify the configuration of network firewalls.
+We have therefore decided against including this setting in the `DCFWTool`.
+
 ### RPC Filters
 
 #### RPC over Named Pipes
@@ -2881,7 +2901,6 @@ To simplify this process, the `Update-ADDSFirewallPolicy.bat` script contains al
 > at least one reboot is still necessary for the firewall to start logging dropped packets,
 > even if the `Update-ADDSFirewallPolicy.bat` script is executed.
 
-
 ### Multi-Domain Forests
 
 The firewall policy can be deployed to multiple AD domains at once.

Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,9 @@`
`8`	`8`	`"$comment": "Allow long lines for code blocks.",`
`9`	`9`	`"line_length": 120,`
`10`	`10`	`"tables": false`
	`11`	`+ },`
	`12`	`+ "MD033": {`
	`13`	`+ "$comment": "Allow inline HTML for MkDocs compatibility.",`
	`14`	`+ "allowed_elements": [ "br", "sup" ]`
`11`	`15`	`}`
`12`	`16`	`}`