mikeely
Expert
Posts: 226
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

PLEASE please stop requiring so many port ranges!

Post by mikeely » 2 people like this post

I think I first asked about this in 2017 and three years later, here I am yet again stymied by the fact that somebody didn't bother considering the needs of sysadmins when they decided to assign 800 ports here, 30 ports there, 28000 ports yet elsewhere... which is all the more frustrating when many of these port ranges are just simple control data. There's no justification for it other than lazy implementation and it's maddening to have to bother three different departments to get firewall rules added. Just set up SOAP and send all your control data over 443 instead of the current madness. Enough already!
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: PLEASE please stop requiring so many port ranges!

Post by Andreas Neufert » 2 people like this post

Hi Mike, thanks for the feedback. Yes, this is something we all feel when interacting with security departments in the field.
You will see some changes in v11 that go in the needed direction.

Based on my tests, we got nearly completely rid of the internal requirement for the dynamic RPC port range.
The main point here is that if you want to log in to a blank Windows system, then you have to use what is already there, and that is RemoteRPC with all the port madness.
Our guest processing in v11 has the option to use a helper client that reduces the port range to 2 ports for the guest interaction (3 if you want to use log shipping).
This was the most critical part reported by the security admins (getting rid of the RPC/CIFS port range requirements).

I think v10 already reduced our transport port range so that it no longer includes the RDP port. That was the most critical one, as more than a third of ransomware is spread over RDP.

You will see changes in other places as well in v11 and over time.
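The thread's point is about attack surface: a guest-interaction path that needs the whole Windows dynamic RPC range plus SMB exposes thousands of ports, while a fixed-port helper client needs two. The script below is an added example (not Veeam's code, and not from either poster) that audits a simple firewall rule list, counts the exposed port surface, and flags broad ranges, overlap with the Windows dynamic RPC range (49152-65535 by default), and well-known risky services (SMB 445, RDP 3389, RPC endpoint mapper 135). The rule format and the two rule sets are constructed for the example; the "after" port numbers are placeholders, not the product's real ports.

```python
"""Firewall rule-set audit: quantify exposed port surface and flag broad ranges.

Added example, not Veeam's code. The rule file format is invented for this
script; the 'after' port numbers are placeholders. Only the Windows dynamic
RPC range (49152-65535), SMB (445), RDP (3389) and the RPC endpoint mapper
(135) are real, well-known values.
"""
from __future__ import annotations

from dataclasses import dataclass

RPC_DYNAMIC = (49152, 65535)          # default Windows dynamic RPC port range
WELL_KNOWN_RISKY = {445: "SMB/CIFS", 3389: "RDP", 135: "RPC endpoint mapper"}
BROAD_RANGE_THRESHOLD = 100           # flag a rule that opens more ports than this

# Constructed 'before' rule set: guest interaction over native Windows RPC/CIFS.
BEFORE_RULES = """
# name              proto ports
guest-rpc-epm       tcp   135
guest-smb           tcp   445
guest-rpc-dynamic   tcp   49152-65535
"""

# Constructed 'after' rule set: a helper client on two fixed ports (placeholder numbers).
AFTER_RULES = """
guest-helper-ctl    tcp   10001
guest-helper-data   tcp   10002
"""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    first: int
    last: int

    @property
    def width(self) -> int:
        """Number of ports this single rule opens."""
        return self.last - self.first + 1


def parse_rule(line: str) -> Rule:
    """Parse 'name proto port' or 'name proto first-last' (constructed format)."""
    name, proto, ports = line.split()
    if "-" in ports:
        first, last = (int(p) for p in ports.split("-", 1))
    else:
        first = last = int(ports)
    if not (0 < first <= last <= 65535):
        raise ValueError(f"bad port spec in rule {name!r}: {ports}")
    return Rule(name, proto.lower(), first, last)


def parse_ruleset(text: str) -> list[Rule]:
    """Parse all non-empty, non-comment lines of a rule set."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def exposed_ports(rules: list[Rule]) -> set[tuple[str, int]]:
    """Distinct (proto, port) pairs the rule set opens; overlaps count once."""
    return {(r.proto, p) for r in rules for p in range(r.first, r.last + 1)}


def findings(rules: list[Rule]) -> list[str]:
    """Human-readable findings: broad ranges, RPC dynamic-range overlap, risky services."""
    out: list[str] = []
    for r in rules:
        if r.width > BROAD_RANGE_THRESHOLD:
            out.append(f"{r.name}: opens {r.width} {r.proto} ports ({r.first}-{r.last})")
        if r.proto == "tcp" and r.first <= RPC_DYNAMIC[1] and r.last >= RPC_DYNAMIC[0]:
            out.append(f"{r.name}: overlaps the Windows dynamic RPC range")
        for port, label in WELL_KNOWN_RISKY.items():
            if r.proto == "tcp" and r.first <= port <= r.last:
                out.append(f"{r.name}: exposes {label} ({port})")
    return out


def audit(text: str) -> dict:
    """Summarise a rule set: rule count, exposed port count, and findings."""
    rules = parse_ruleset(text)
    return {"rules": len(rules),
            "exposed_ports": len(exposed_ports(rules)),
            "findings": findings(rules)}


if __name__ == "__main__":
    for label, text in (("before", BEFORE_RULES), ("after", AFTER_RULES)):
        report = audit(text)
        print(f"[{label}] {report['rules']} rules, {report['exposed_ports']} exposed ports")
        for f in report["findings"]:
            print("   -", f)
```

Run as-is it reports 16386 exposed TCP ports and four findings for the RPC/CIFS rule set versus two ports and no findings for the fixed-port one, which is the number a firewall team can put in a change request. The threshold and the risky-service table are the knobs to adjust for a given environment.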