
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215

Block all connections between domain PCs.

We want to block all connections between client computers on our Active Directory domain except for those in an administrative group and of course between servers and clients.  I want to use IP ranges as the basis for the blocking or allowing, i.e. the ranges handed out by DHCP for clients would be blocked from connecting to each other but IPs outside of those ranges and on our subnets would be allowed to connect.  What rule could be implemented to either block a range completely and/or allow only connections from within a range?  Also, is this a good way to approach this?  We have multiple AD sites and subnets.  I would like to implement this through group policy.
Asked by habs1994
1 Solution
 
Justin Owens (ITIL Problem Manager) commented:
I would suggest that instead of using GP, you use VLANs and lock them down that way... Servers in 1 VLAN.  Clients in others... Traffic to and from Server VLAN is open, traffic in client VLANs is locked down.  That is, by far, the simplest solution.

DrUltima
0
 
McKnife commented:
By default, there is no way for clients to communicate.
->the firewall is on
->network discovery is off
->file and printer sharing is off

Did you change these? Then undo those changes.
0
 
habs1994 (Author) commented:
These were undone at one time and I can probably fix that with Group Policy.  Is this as effective as blocking all traffic for internal (excepting admin and server) IP ranges?
0

 
habs1994 (Author) commented:
fix with Group Policy...I mean
0
 
McKnife commented:
Yes it is. If you enable the firewalls, just make sure that no unwanted exceptions are active (or disallow exceptions altogether). Exceptions could have been set by administrators or by program installations (performed by admins, again). I would only block the incoming traffic, not the outgoing.
0
 
habs1994 (Author) commented:
Thanks.  What we are trying to prevent is access of a desktop by another desktop that has been compromised and possibly remote controlled.
0
 
McKnife commented:
Sure, that's what the local firewall is good for with default settings.
0
 
habs1994 (Author) commented:
I first created an inbound allow all rule for all programs and all ports for admin and server subnets.  I then created an inbound deny all rule for other internal subnets where clients live and the same for outbound.  This prevents all connections...rdp, ping, etc. between domain clients while allowing our admins to be able to assist remotely.  This seems to work well but tweaking will be required.
0
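As an added example (not code posted in this thread), the rule set habs1994 describes in the last comment, together with McKnife's earlier advice to confirm the firewall is on and that no unwanted exceptions are enabled, expressed with the built-in NetSecurity PowerShell cmdlets. The subnets, rule names, and the GPO name are placeholder assumptions; replace them with your own DHCP client ranges and admin/server subnets.

```powershell
# Added example, not from the thread. All subnets and names below are placeholders.
# Run from an elevated PowerShell session. With $PolicyStore = 'PersistentStore' the
# rules land in the local firewall (handy for testing on one PC); to publish them via
# Group Policy instead, set it to "yourdomain.example\Client Lockdown" (the
# Domain\GPOName form the NetSecurity cmdlets accept) and link that GPO to the client OUs.

$PolicyStore   = 'PersistentStore'
$AdminSubnets  = @('10.10.0.0/24')                     # admin workstations (placeholder)
$ServerSubnets = @('10.20.0.0/24', '10.21.0.0/24')     # server subnets (placeholder)
$ClientSubnets = @('10.100.0.0/22', '10.104.0.0/22')   # DHCP client ranges (placeholder)

# 1. Firewall on, unsolicited inbound blocked by default (McKnife's "default settings").
#    -AllowLocalFirewallRules False is the "disallow exceptions altogether" option; it only
#    has an effect when the profile settings are written to a GPO.
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -AllowLocalFirewallRules False

$common = @{ PolicyStore = $PolicyStore; Profile = 'Domain'; Enabled = 'True' }

# 2. Allow all programs and all ports inbound from the admin and server subnets.
New-NetFirewallRule @common -DisplayName 'Lockdown - Allow inbound from admin/server subnets' `
    -Direction Inbound -Action Allow -RemoteAddress ($AdminSubnets + $ServerSubnets)

# 3. Block peer traffic with the other client subnets, in both directions.
New-NetFirewallRule @common -DisplayName 'Lockdown - Block inbound from client subnets' `
    -Direction Inbound -Action Block -RemoteAddress $ClientSubnets
New-NetFirewallRule @common -DisplayName 'Lockdown - Block outbound to client subnets' `
    -Direction Outbound -Action Block -RemoteAddress $ClientSubnets

# 4. Audit: enabled inbound allow rules that accept traffic from any remote address or
#    the local subnet. These are the exceptions (File and Printer Sharing, Network
#    Discovery, rules added by installers) that would still let a peer connect.
function Get-OpenInboundExceptions {
    param([string]$Store = 'PersistentStore')
    Get-NetFirewallRule -PolicyStore $Store -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -contains 'Any' -or $addr.RemoteAddress -contains 'LocalSubnet') {
                [pscustomobject]@{
                    Name          = $_.DisplayName
                    Group         = $_.DisplayGroup
                    Profile       = $_.Profile
                    Protocol      = $port.Protocol
                    LocalPort     = ($port.LocalPort -join ',')
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

Get-OpenInboundExceptions -Store $PolicyStore | Sort-Object Group, Name | Format-Table -AutoSize
```

Two things to check before rolling this out. Windows Firewall evaluates explicit block rules before explicit allow rules, so the admin and server subnets must not overlap the client ranges given to the block rules, or admin sessions will be blocked too. And the audit in step 4 is the practical test of McKnife's point: with the default profile already blocking unsolicited inbound traffic, the only way a peer gets in is through an enabled allow rule that is open to Any or LocalSubnet, so anything that list reports beyond what you intend should be disabled in the same GPO.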
