FRS and firewalls

Recently we began a lot of work tightening down our network at work. This included tightening the internal firewall settings so that inter-site connections only allowed traffic going over identified ports.

This is a good thing and a bad thing to have. It is good in that you can severely restrict what is able to pass across the links and therefore prevent a lot of unneeded traffic from consuming your WAN links. It can be bad in a way too: it breaks things.

One such thing is the File Replication Service. By locking down the firewalls between sites, some components stop functioning because they rely on dynamic ports, and FRS is one of them. FRS begins a conversation by communicating on port 135 (the RPC endpoint mapper), but once the source has contacted the target they switch to a dynamically assigned port, which a firewall that only permits identified ports will block.

FRS in a 2003 domain is what is used to replicate the login scripts and GPOs via the SYSVOL share. No FRS replication means no SYSVOL replication, which creates security holes in and of itself (policy changes never reach the remote DCs), in addition to messing up your day when login scripts aren't updated on remote DCs.

The solution is to restrict the FRS service to a specified port.

First, identify a port not being used within your network. Avoid using anything below 1024. For the purpose of this discussion I’m going to use 12345.

Next, program your intermediate network devices to allow this port to and from specific hosts. In this case the domain controllers are the hosts and the port is going to be 12345. Port 135 still needs to be open between the DCs, since the RPC endpoint mapper is still used to start the conversation.

Third, on each DC open regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters. Add the DWORD value named RPC TCP/IP Port Assignment. For the value data enter your port, 12345 in our example, IN DECIMAL FORMAT, not hexadecimal (regedit defaults to hexadecimal, so 12345 typed as hex would become 74565).

Finally, restart the FRS service on each DC. Within a few minutes you should start seeing your SYSVOL contents being replicated amongst the DCs again.
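The three DC-side steps above (pick a free port, write the DWORD in decimal, restart FRS) as an added PowerShell example; this is not part of the original post. It assumes it is run as an administrator on the DC itself, that PowerShell is installed there, and uses the post's example port 12345; netstat is used for the in-use check rather than Get-NetTCPConnection so it also works on Server 2003.

```powershell
# Added example (not from the original post): pin FRS to a fixed RPC port on a
# domain controller. Assumes an elevated PowerShell session on the DC itself.
param([int]$Port = 12345)   # 12345 is the post's example value

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
$name = 'RPC TCP/IP Port Assignment'

# Stay out of the well-known range, as the post advises.
if ($Port -lt 1024 -or $Port -gt 65535) {
    throw "Port $Port is outside the usable range (1024-65535)."
}

# Make sure nothing on this host already listens on the chosen port.
# netstat is used instead of Get-NetTCPConnection so this also works on
# Windows Server 2003, which has no NetTCPIP module.
$inUse = netstat -ano | Select-String -Pattern ":$Port\s" | Select-String -Pattern 'LISTENING'
if ($inUse) {
    throw "Port $Port is already in use on this host:`n$($inUse -join "`n")"
}

# Write the value as a DWORD. Set-ItemProperty stores the integer as given, so
# there is no chance of entering the port in hex as can happen in regedit.
Set-ItemProperty -Path $key -Name $name -Value $Port -Type DWord

# Read it back and confirm it matches before touching the service.
$actual = (Get-ItemProperty -Path $key -Name $name).$name
if ($actual -ne $Port) {
    throw "Registry readback returned $actual, expected $Port."
}

# Restart FRS (service name NtFrs) so it picks up the new port, then confirm
# it came back up.
Restart-Service -Name NtFrs -Force
$svc = Get-Service -Name NtFrs
if ($svc.Status -ne 'Running') {
    throw "NtFrs is not running after restart (status: $($svc.Status))."
}
Write-Output "FRS on $env:COMPUTERNAME now bound to TCP port $Port; check SYSVOL replication in a few minutes."
```

After running it on every DC, a second `netstat -ano | findstr :12345` should show FRS listening on the fixed port, which is the same check the firewall rule from step two depends on.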

The Instagram/Facebook deal could be worrisome for Facebook’s IPO

According to the WSJ the recent Facebook/Instagram deal was done very quickly. Now there is nothing wrong with that. Deals can be done quickly. The details of how it was done are the problem.

Apparently the deal was done without any lawyers. Or financial experts. Or even the board beyond Zuckerberg.

This presents an interesting problem: normally Wall Street types like to see certain things taking place to vet such a deal. Lawyers and accountants are normally brought in to look at the financials of the potential acquisition to verify there isn't a problem such as an imminent bankruptcy or cooked books. Not saying that is an issue here, but that is what is normally done.

Going back to Facebook's upcoming IPO: this could scare off investors who want all the 'i's dotted and 't's crossed. The normal procedures are in place to protect the investors and their money. Any company that doesn't follow them runs the risk of buying not only something worthless, but something that can drag down an otherwise sound company.
