Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cajuntank
Contributor II

IPS to protect AD servers

Playing around with doing some prep work on security profiles I will be implementing once I micro-segment my datacenter traffic some. It's pretty straight forward based on the IPS filtering options, to create a sensor to protect a DHCP or DNS server for example. It's not so "clear cut" to protect a Microsoft AD server. My AD servers are also DNS servers (so got the DNS portion of it locked down), so just wondering if anyone has correctly created a sensor to protect AD servers that could share?

My initial guess (and this is just taking a logical shot in the dark) was to filter signatures based on Server, varied degrees of severity, DNS and LDAP and RPC protocols, and Windows OS as my first signature list. Then add another signature list based on the keyword of Kerberos and add those as the second list. Doing the same again with the keyword SMB for my third list. Just feel like I am missing something or gone overboard with it..i.e..maybe something dealing with those AD servers also being global catalog servers, and/or overboard with the RPC, SMB, etc...  

2 REPLIES 2
abarushka
Staff
Staff

Hello,

 

There is no universal profile for AD servers, since different services/protocols can be running.

FortiGate
Cajuntank

I understand. I implement mine as core installations so the attack surface is much smaller compared to that of a GUI install. Would the next step then be to treat it like tuning internal DoS policies...see how it operates in a monitoring situation under normal conditions and go from there in regards to implementing blocks and such?

Labels
Top Kudoed Authors