encoad
asked on
Any negative side effects to removing the gateway IP on active directory domain computers?
I have some computers in an engineering department and I'd like to minimize data loss. If I remove the gateway IP address from those computers, will the only side effect be their ability to access outside of the subnet (internet, other local subnets etc...)?
All computers are part of a Windows 2012 R2 active directory domain and I do not want them to have any internet access at all.
Anything I need to worry about?
All computers are part of a Windows 2012 R2 active directory domain and I do not want them to have any internet access at all.
Anything I need to worry about?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Better to just set up a proxy service through dhcp and deny them internet service that way.
AD ,DNC,DHCP role servers (most probably all in your Active directory Domain controller) are in the same Subnet or in same network then you can simply remove the Gateway.What about your users? Techies or non techies? If non techies then leave it the other ways to access internet like adding static routes etc. But If techies then you might need some proxy or firewall.If you are providing internet with a router or router with modem then may it has the ability to filter (MAC /IP access filter). check it .The other way is if the logged in users are not with admin privilege then you can prevent to deny adding static route via GPO (just a thought)
The default gateway for a host is used to send packets to a routing device that can handle and "forward" packets to any destination outside the host's subnet.
If you want to keep all the nodes of your subnet unable to reach any other subnet (including teh Internet), you can remove the default gateway from each host's IP configuration.
This means no access to Internet, and certainly no access to email (unless you have a local email server that can connect to the Internet).
Now, techies could change that configuration and add a working default gateway again. Ti avoid that, you could set rules on the default gateway...
Check this links for more details:
http://en.wikipedia.org/wiki/Default_gateway
http://en.wikipedia.org/wiki/Default_route
http://en.wikipedia.org/wiki/IP_forwarding_algorithm
If you want to keep all the nodes of your subnet unable to reach any other subnet (including teh Internet), you can remove the default gateway from each host's IP configuration.
This means no access to Internet, and certainly no access to email (unless you have a local email server that can connect to the Internet).
Now, techies could change that configuration and add a working default gateway again. Ti avoid that, you could set rules on the default gateway...
Check this links for more details:
http://en.wikipedia.org/wiki/Default_gateway
http://en.wikipedia.org/wiki/Default_route
http://en.wikipedia.org/wiki/IP_forwarding_algorithm
ASKER
pgm554, I suspect a proxy is my best bet. Can someone point me towards a decent windows based proxy since Microsoft appears to have discontinued all proxy products.
I've requested that this question be closed as follows:
Accepted answer: 168 points for cgaliher's comment #a40799632
Assisted answer: 166 points for pgm554's comment #a40799637
Assisted answer: 166 points for sransom_au's comment #a40799635
for the following reason:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Accepted answer: 168 points for cgaliher's comment #a40799632
Assisted answer: 166 points for pgm554's comment #a40799637
Assisted answer: 166 points for sransom_au's comment #a40799635
for the following reason:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Depending on your network confinguration you need to make sure that the gateway server does not also provide DHCP or DNS services that the PCs may require.