Any negative side effects to removing the gateway IP on active directory domain computers?

I have some computers in an engineering department and I'd like to minimize data loss.  If I remove the gateway IP address from those computers, will the only side effect be their ability to access outside of the subnet (internet, other local subnets etc...)?

All computers are part of a Windows 2012 R2 active directory domain and I do not want them to have any internet access at all.

Anything I need to worry about?
encoad Asked:
Cliff Galiher Commented:
If there are DCs in other subnets, you can end up with odd performance issues. Removing the default gateway also does not stop someone from creating static routes, which in a data loss scenario they are likely to do. A more effective strategy is to block traffic at the network edge with firewalls, and for sensitive data, employ rights management technologies with encryption at rest and in transit.

sransom_au Commented:
The default gateway tells the computer where to send the IP packets if no other route is defined (say in the Hosts file). Usually this then is a router/gateway that either passes things upstream to a box that knows, or it IS the box that knows.

Depending on your network configuration you need to make sure that the gateway server does not also provide DHCP or DNS services that the PCs may require.
pgm554 Commented:
Better to just set up a proxy service through DHCP and deny them internet service that way.
sumeshbnr Commented:
If the AD, DNS and DHCP role servers (most probably all on your Active Directory domain controller) are in the same subnet or in the same network, then you can simply remove the gateway. What about your users? Techies or non-techies? If non-techies, then leave it the other ways to access internet like adding static routes etc. But if techies, then you might need some proxy or firewall. If you are providing internet with a router or a router with modem, then it may have the ability to filter (MAC/IP access filter). Check it. The other way is, if the logged-in users are not with admin privilege, then you can deny adding static routes via GPO (just a thought).
vivigatt Commented:
The default gateway for a host is used to send packets to a routing device that can handle and "forward" packets to any destination outside the host's subnet.
If you want to keep all the nodes of your subnet unable to reach any other subnet (including the Internet), you can remove the default gateway from each host's IP configuration.
This means no access to Internet, and certainly no access to email (unless you have a local email server that can connect to the Internet).

Now, techies could change that configuration and add a working default gateway again. To avoid that, you could set rules on the default gateway...

Check these links for more details:
http://en.wikipedia.org/wiki/Default_gateway
http://en.wikipedia.org/wiki/Default_route
http://en.wikipedia.org/wiki/IP_forwarding_algorithm
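
Added example (not part of any comment in this thread): several comments above point out that a user can add a static route or a default gateway back after it has been removed. This PowerShell sketch reports every route whose next hop is a router, in both the active and the persistent store, so such changes can be spotted; the function name `Get-OffSubnetRoute` and the `-ComputerName` list are assumptions, and remote checks assume PowerShell remoting is enabled.

```powershell
# Added example: report routes that can carry traffic off the local subnet.
# On-link routes have a NextHop of 0.0.0.0 (IPv4) or :: (IPv6);
# any other next hop means the traffic is handed to a router.
function Get-OffSubnetRoute {
    param(
        # Assumed list of hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        # ActiveStore = routes in effect now; PersistentStore = survive a reboot.
        foreach ($store in 'ActiveStore', 'PersistentStore') {
            Get-NetRoute -PolicyStore $store -ErrorAction SilentlyContinue |
                Where-Object { $_.NextHop -notin '0.0.0.0', '::' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer    = $env:COMPUTERNAME
                        Store       = $store
                        Destination = $_.DestinationPrefix
                        NextHop     = $_.NextHop
                        Interface   = $_.InterfaceAlias
                        # A default route means "everything else goes here".
                        IsDefault   = ($_.DestinationPrefix -in '0.0.0.0/0', '::/0')
                    }
                }
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $check                                        # local check
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $check
        }
    }
}

# Any row returned is a path off the subnet that a gateway-less host should not have.
Get-OffSubnetRoute |
    Select-Object Computer, Store, Destination, NextHop, Interface, IsDefault |
    Sort-Object Computer, Store |
    Format-Table -AutoSize
```

An empty result means the host has only on-link routes. This only detects changes on the host; blocking at the network edge, as suggested above, is what actually enforces the restriction.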
encoad Author Commented:
pgm554, I suspect a proxy is my best bet. Can someone point me towards a decent Windows-based proxy, since Microsoft appears to have discontinued all proxy products?
younghv Commented:
I've requested that this question be closed as follows:

Accepted answer: 168 points for cgaliher's comment #a40799632
Assisted answer: 166 points for pgm554's comment #a40799637
Assisted answer: 166 points for sransom_au's comment #a40799635

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.