Block all connections between domain PCs.

We want to block all connections between client computers on our Active Directory domain except for those in an administrative group and of course between servers and clients.  I want to use IP ranges as the basis for the blocking or allowing, i.e. the ranges handed out by DHCP for clients would be blocked from connecting to each other but IPs outside of those ranges and on our subnets would be allowed to connect.  What rule could be implemented to either block a range completely and/or allow only connections from within a range?  Also, is this a good way to approach this?  We have multiple AD sites and subnets.  I would like to implement this through group policy.
habs1994 Asked:
Justin Owens, ITIL Problem Manager, Commented:
I would suggest that instead of using GP, you use VLANs and lock them down that way... Servers in 1 VLAN.  Clients in others... Traffic to and from Server VLAN is open, traffic in client VLANs is locked down.  That is, by far, the simplest solution.

DrUltima
McKnife Commented:
By default, there is no way for clients to communicate.
-> the firewall is on
-> network discovery is off
-> file and printer sharing is off

Did you change these? Then undo those changes.
habs1994 (Author) Commented:
These were undone at one time and I can probably fix that with Group Policy.  Is this as effective as blocking all traffic for internal (excepting admin and server) IP ranges?
habs1994 (Author) Commented:
fix with Group Policy...I mean
McKnife Commented:
Yes it is. If you enable the firewalls, just make sure that no unwanted exceptions are active (or disallow exceptions altogether). Exceptions could have been set by administrators or by program installations (performed by admins, again). I would only block the incoming traffic, not the outgoing.
habs1994 (Author) Commented:
Thanks.  What we are trying to prevent is access of a desktop by another desktop that has been compromised and possibly remote controlled.
McKnife Commented:
Sure, that's what the local firewall is good for with default settings.
habs1994 (Author) Commented:
I first created an inbound allow all rule for all programs and all ports for admin and server subnets.  I then created an inbound deny all rule for other internal subnets where clients live and the same for outbound.  This prevents all connections...rdp, ping, etc. between domain clients while allowing our admins to be able to assist remotely.  This seems to work well but tweaking will be required.
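The rule set the author describes, written out in PowerShell as an added example (not code from the thread): Windows Firewall evaluates explicit Block rules before Allow rules, so the allowed admin/server ranges must lie outside the blocked client ranges, and the script refuses to create anything if they overlap. The subnets, the rule group name and the policy store are assumptions; `-PolicyStore` can name a GPO (`domain\GPO name`) so the rules deploy through Group Policy, and because the default inbound policy already blocks, the inbound block rule mainly defends against allow exceptions added by admins or installers.

```powershell
# Added example; subnets, group name and policy store are constructed placeholders.

function ConvertTo-UInt64 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> little-endian
    return [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Get-CidrBounds ([string]$Cidr) {
    # First and last address of an IPv4 CIDR block (or single host) as integers.
    $net, $len = $Cidr -split '/'
    if (-not $len) { $len = 32 }
    $hostCount = [uint64][math]::Pow(2, 32 - [int]$len)
    $start = (ConvertTo-UInt64 $net) - ((ConvertTo-UInt64 $net) % $hostCount)
    return $start, ($start + $hostCount - 1)
}

function Test-RangeOverlap ([string[]]$A, [string[]]$B) {
    # Emits one line for every pair of blocks from $A and $B that share addresses.
    foreach ($x in $A) {
        $xs, $xe = Get-CidrBounds $x
        foreach ($y in $B) {
            $ys, $ye = Get-CidrBounds $y
            if ($xs -le $ye -and $ys -le $xe) { "$x overlaps $y" }
        }
    }
}

function New-ClientIsolationRules {
    param([string[]]$AllowFrom, [string[]]$BlockFrom,
          [string]$PolicyStore = 'PersistentStore')  # e.g. 'corp.example\Client Isolation' for a GPO
    $clash = @(Test-RangeOverlap $AllowFrom $BlockFrom)
    if ($clash.Count) { throw "Block rules would override allow rules: $($clash -join '; ')" }
    $common = @{ Profile = 'Domain'; Enabled = 'True'; Group = 'Client isolation'; PolicyStore = $PolicyStore }
    # Inbound: admin and server subnets may reach clients; other clients may not.
    New-NetFirewallRule -DisplayName 'Allow inbound from admin and server subnets' `
        -Direction Inbound -Action Allow -RemoteAddress $AllowFrom @common
    New-NetFirewallRule -DisplayName 'Block inbound from client subnets' `
        -Direction Inbound -Action Block -RemoteAddress $BlockFrom @common
    # Outbound: mirrored block so a compromised client cannot reach its peers.
    New-NetFirewallRule -DisplayName 'Block outbound to client subnets' `
        -Direction Outbound -Action Block -RemoteAddress $BlockFrom @common
}

# Constructed sample ranges: admin/server networks first, DHCP client scopes second.
New-ClientIsolationRules -AllowFrom '10.10.0.0/24', '10.10.1.0/24' -BlockFrom '10.20.0.0/22', '10.30.0.0/22'
```

Run `Get-NetFirewallRule -Group 'Client isolation' | Get-NetFirewallAddressFilter` afterwards to confirm the remote address scopes landed as intended.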
Question has a verified solution.