
ITS/AS/ACS Windows Systems Template Rules

Attention Application Owners & Rule Delegates

The following set of firewall policies, referred to as "Template Rules", is provided for administrators of Windows-based servers that need a specific set of source hosts/nets and services allowed for administration.

When applying these Template Rules, also consider any additional "custom" policies needed to provide the inbound or outbound connectivity your servers require; the template covers only the administrative services listed below. Custom policy requests can be made via the Firewall Rule Request form.

Please contact the Firewall Team (firewall-team@lists.stanford.edu) with any questions.

Firewall Template Rules

Traffic Inbound to the Firewall
From                    To                 Ports                  Description
tw_monitoring_servers   tw_windows_hosts   tw_monitoring_ports    Monitoring services
tw_rdp_servers          tw_windows_hosts   tw_rdp_ports           RDP services
tw_ipmi_servers         tw_windows_hosts   tw_ipmi_ports          IPMI services
g_su_admin_nets         tw_windows_hosts   tw_ipsec_ports         IPSEC services
tw_ips_servers          tw_windows_hosts   tw_ips_ports           IPS Services
tw_pbst_servers         tw_windows_hosts   tw_pbst_ports          Bastion Services
Group Object Definitions

tw_monitoring_servers
  Members: blackbeard, itadmin, msadmin, ntadmin, vmm-mgmt, winadmin, wst-om12,
           wst-ops1, wst-ops3, wst-ops1dev, wst-sccm2012, itadm
  Ports (tw_monitoring_ports): microsoft-rpc (tcp:135), netbios-ssn (tcp:139),
           microsoft-ds (tcp:445), wst-rpcserver (tcp:4900-5000), http (tcp:80),
           winrm (tcp:5985-5986)

tw_rdp_servers
  Members: blackbeard, itadmin, msadmin, ntadmin, winadmin, itadm
  Ports (tw_rdp_ports): microsoft-rdp-vm (tcp:2179), microsoft-rdp (tcp:3389)

tw_ipmi_servers
  Members: blackbeard, itadmin, winadmin, wst-commandcenter-01, itadm
  Ports (tw_ipmi_ports): IPMI RMCP (udp:623), https (tcp:443), DRAC-vmedia (tcp:3668),
           DRAC-console (tcp:5900-5901)

tw_ips_servers
  Members: wstsopohos, wst-tripwire, Bigfix-prod 171.67.0.240/28,
           Bigfix-relay 171.66.255.64/26, Bigfix-relay 171.67.29.0/25
  Ports (tw_ips_ports): tripwire (tcp:18889), sophosRMS (tcp:8192-8194)

g_su_admin_nets
  Members: SU Admin Networks
  Ports (tw_ipsec_ports): NAT-T (udp:4500), IKE (udp:500), ESP (IP protocol 50),
           AH (IP protocol 51)

tw_pbst_servers
  Members: crc-reserved01, crc-reserved02, crc-reserved03, e-pc-1, e-pc-2, e-pc-3,
           e-pc-4, e-pc-5, e-pc-6, e-pc-7, e-pc-8
  Ports (tw_pbst_ports): WIN SVCS (tcp/udp:135,139,445), IPMI RMCP (udp:623),
           https (tcp:443), DRAC-vmedia (tcp:3668), DRAC-console (tcp:5900-5901),
           wst-rpcserver (tcp:4900-5000)
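The tables above answer two questions an administrator has before submitting a rule request: is a given flow already covered by the template, and what can a given source host reach on tw_windows_hosts? The script below is an added example, not the Firewall Team's tooling. It transcribes the rule and group tables into data and evaluates a (source, protocol, port) triple against them. Source members are kept as the hostnames the page lists, since the page gives no addresses for them; the three BigFix CIDR blocks are matched by IP address; "SU Admin Networks" is kept as a label because the page lists no prefixes for it. The BigFix agent port used as a sample (TCP 52311, its default) is not on this page and is only there to show a flow the template does not cover.

```python
"""Check a connection against the Windows template rules on this page.

Added example (not the Firewall Team's tooling).  Rule data is transcribed
from the tables above.  Every rule's destination is tw_windows_hosts, so
only the source and the service are evaluated.
"""
import ipaddress


def _tcp(*ports):
    return [("tcp", p, p) for p in ports]


# Port objects as (protocol, low, high).  "ip" entries are whole IP
# protocols (ESP=50, AH=51), which carry no port number.
PORT_GROUPS = {
    "tw_monitoring_ports": _tcp(135, 139, 445, 80) + [("tcp", 4900, 5000), ("tcp", 5985, 5986)],
    "tw_rdp_ports": _tcp(2179, 3389),
    "tw_ipmi_ports": [("udp", 623, 623), ("tcp", 443, 443), ("tcp", 3668, 3668), ("tcp", 5900, 5901)],
    "tw_ipsec_ports": [("udp", 4500, 4500), ("udp", 500, 500), ("ip", 50, 50), ("ip", 51, 51)],
    "tw_ips_ports": [("tcp", 18889, 18889), ("tcp", 8192, 8194)],
    "tw_pbst_ports": (
        [(proto, p, p) for p in (135, 139, 445) for proto in ("tcp", "udp")]  # WIN SVCS
        + [("udp", 623, 623), ("tcp", 443, 443), ("tcp", 3668, 3668),
           ("tcp", 5900, 5901), ("tcp", 4900, 5000)]
    ),
}

SOURCE_GROUPS = {
    "tw_monitoring_servers": {"blackbeard", "itadmin", "msadmin", "ntadmin", "vmm-mgmt",
                              "winadmin", "wst-om12", "wst-ops1", "wst-ops3", "wst-ops1dev",
                              "wst-sccm2012", "itadm"},
    "tw_rdp_servers": {"blackbeard", "itadmin", "msadmin", "ntadmin", "winadmin", "itadm"},
    "tw_ipmi_servers": {"blackbeard", "itadmin", "winadmin", "wst-commandcenter-01", "itadm"},
    "tw_ips_servers": {"wstsopohos", "wst-tripwire",
                       "171.67.0.240/28", "171.66.255.64/26", "171.67.29.0/25"},
    # The page names this group "SU Admin Networks" without listing prefixes.
    "g_su_admin_nets": {"SU Admin Networks"},
    "tw_pbst_servers": {"crc-reserved01", "crc-reserved02", "crc-reserved03", "e-pc-1",
                        "e-pc-2", "e-pc-3", "e-pc-4", "e-pc-5", "e-pc-6", "e-pc-7", "e-pc-8"},
}

# (source group, port group, description); destination is always tw_windows_hosts.
RULES = [
    ("tw_monitoring_servers", "tw_monitoring_ports", "Monitoring services"),
    ("tw_rdp_servers", "tw_rdp_ports", "RDP services"),
    ("tw_ipmi_servers", "tw_ipmi_ports", "IPMI services"),
    ("g_su_admin_nets", "tw_ipsec_ports", "IPSEC services"),
    ("tw_ips_servers", "tw_ips_ports", "IPS Services"),
    ("tw_pbst_servers", "tw_pbst_ports", "Bastion Services"),
]


def source_matches(member, source):
    """True when `source` (a hostname or an IP literal) is covered by `member`.
    Members written in CIDR form match by address; everything else by exact name."""
    if "/" not in member:
        return member == source
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(member, strict=False)
    except ValueError:  # source is a hostname, so it cannot sit inside a prefix
        return False


def matching_rules(source, proto, number):
    """Descriptions of the template rules that let `source` reach tw_windows_hosts
    on proto/number, where proto is "tcp", "udp" or "ip" (number = IP protocol)."""
    hits = []
    for src_group, port_group, desc in RULES:
        if not any(source_matches(m, source) for m in SOURCE_GROUPS[src_group]):
            continue
        if any(p == proto and lo <= number <= hi for p, lo, hi in PORT_GROUPS[port_group]):
            hits.append(desc)
    return hits


def needs_custom_rule(source, proto, number):
    """True when no template rule covers the flow, i.e. a custom policy request is needed."""
    return not matching_rules(source, proto, number)


def exposed_services(source):
    """Every (proto, low, high) a source may reach on tw_windows_hosts across all
    template rules; handy when reviewing how much a single admin host can touch."""
    reach = set()
    for src_group, port_group, _ in RULES:
        if any(source_matches(m, source) for m in SOURCE_GROUPS[src_group]):
            reach.update(PORT_GROUPS[port_group])
    return sorted(reach)


if __name__ == "__main__":
    # Sample flows (constructed): 52311 is BigFix's default agent port, not on this page.
    for src, proto, num in [("blackbeard", "tcp", 3389), ("wst-ops1", "tcp", 3389),
                            ("171.67.0.245", "tcp", 18889), ("171.67.0.245", "tcp", 52311)]:
        print(src, proto, num, matching_rules(src, proto, num) or "not covered: request a custom rule")
```

Note that protocol matters: the monitoring group opens 135/139/445 over TCP only, while the bastion group opens them over TCP and UDP, so `matching_rules("blackbeard", "udp", 135)` is empty even though `("blackbeard", "tcp", 135)` is allowed.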

Roles

Template Owner

The Template Owner is responsible for determining, maintaining and modifying the template rules and membership of the different server groups. The application owner is notified regarding any changes to the template. The template owner controls the following groups:

  • template server groups
    (tw_monitoring_servers, tw_rdp_servers, tw_ipmi_servers, tw_ipsec_servers, tw_ips_servers, tw_pbst_servers)
  • template ports
    (tw_monitoring_ports, tw_rdp_ports, tw_ipmi_ports, tw_ipsec_ports, tw_ips_ports, tw_pbst_ports)

Current Template Owners

  • Laurie Miller

Application Owner

The Application Owner is responsible for approving the template rules initially and for requesting the addition of hosts behind the firewall to the "tw_windows_hosts" group.

System Administrators

System Administrators request rule approval from the Application Owner to put the template rules in place or to apply them to hosts (by adding those hosts to the template "tw_windows_hosts" group).

ISO Security

The ISO group will audit the rules and make recommendations as needed or upon request from either the System Administrators or the Application Owners. In addition, any changes to this template must be reviewed by ISO prior to implementation.

Last modified March 20, 2024