We are currently segmenting our network. We will move the servers into a different subnet from the clients. Of course the clients still need access to the domain controller to authenticate against it.
I found various articles about the ports that need to be accessible between the domain controllers to allow replication, but none about the ports that are important for the clients. I'm pretty sure the client won't directly access the LDAP database, for example, and I want to reduce the attack surface as much as possible.
So which ports are needed for a client to be able to work with a domain controller?
Best Answer
You can minimize the high-port range by configuring a static RPC port for Active Directory.
Restricting Active Directory RPC traffic to a specific port
https://support.microsoft.com/en-us/kb/224196
It's usually a good idea to force Kerberos to use only TCP/IP, particularly if you have a large, complex network, or accounts are members of a large number of groups (large token size).
How to force Kerberos to use TCP instead of UDP in Windows
https://support.microsoft.com/en-us/kb/244474
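As an added example (not part of the original answer), the two registry changes referenced above can be applied and read back with a short PowerShell script. The registry paths and value names are the ones documented in the two KB articles linked in the answer; the port number 50000 is an assumed choice for this example, and the `Set-*`/`Get-*` function names are mine, not Windows cmdlets.

```powershell
# Added example, not from the original answer: pin the AD RPC endpoint to a
# static port (KB224196) and force the Kerberos client to use TCP (KB244474),
# then read the settings back so the change can be verified.
# The port 50000 is an assumed example value; pick any free port above 1024
# that is outside the dynamic range your firewall already blocks.

#Requires -RunAsAdministrator

$StaticRpcPort = 50000   # assumed example value

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$KerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-AdStaticRpcPort {
    # KB224196: NTDS "TCP/IP Port" pins the directory service RPC endpoint and
    # Netlogon "DCTcpipPort" pins the Netlogon RPC endpoint. Run on each DC.
    param([Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Port)
    New-ItemProperty -Path $NtdsKey     -Name 'TCP/IP Port' -PropertyType DWord -Value $Port -Force | Out-Null
    New-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -PropertyType DWord -Value $Port -Force | Out-Null
}

function Set-KerberosTcpOnly {
    # KB244474: MaxPacketSize = 1 makes the Kerberos client send every request
    # over TCP instead of trying UDP first. Apply on clients (and on DCs).
    if (-not (Test-Path $KerberosKey)) { New-Item -Path $KerberosKey -Force | Out-Null }
    New-ItemProperty -Path $KerberosKey -Name 'MaxPacketSize' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-DcPortHardeningState {
    # Read the values back so the result can be recorded in change control.
    [pscustomobject]@{
        NtdsRpcPort       = (Get-ItemProperty -Path $NtdsKey     -Name 'TCP/IP Port'   -ErrorAction SilentlyContinue).'TCP/IP Port'
        NetlogonRpcPort   = (Get-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort'   -ErrorAction SilentlyContinue).DCTcpipPort
        KerberosMaxPacket = (Get-ItemProperty -Path $KerberosKey -Name 'MaxPacketSize' -ErrorAction SilentlyContinue).MaxPacketSize
    }
}

Set-AdStaticRpcPort -Port $StaticRpcPort
Set-KerberosTcpOnly
Get-DcPortHardeningState | Format-List
```

The static RPC port only takes effect after the domain controller (or at least the NTDS service) is restarted, so run the script on every DC and check `Get-DcPortHardeningState` afterwards. Once the port is pinned, the firewall between the client and server subnets only needs to allow the RPC endpoint mapper (TCP 135) plus the chosen static port for RPC, instead of the whole dynamic high-port range.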