Disable internet access to 2012 domain controllers

Due to security reasons, I don't want internet access on my domain controllers. I need help to know the best practices to disable internet on domain controllers.
Sekar Chinnakannu (Staff Engineer) asked:
Shaun Vermaak (Technical Specialist) commented:
A network or host-based firewall (like Windows Firewall) will be able to block internet access.

Blocking it at the network layer is best.
0
Mahesh (Architect) commented:
Create a root zone on the domain controller; it will stop internet access and internet name resolution from all domain controllers.

But is this your intention?
0
Shaun Vermaak (Technical Specialist) commented:
That will stop internet name resolution, not internet access.
0
Mahesh (Architect) commented:
It depends on how the internet is accessed.
After creating a root zone on the domain controllers, if a proxy is used to access the internet and that proxy is not dependent on the domain controllers for name resolution, you can access the internet;
otherwise, if the proxy is dependent on the domain controllers for name resolution, you cannot access the internet, no matter whether you have internet access on the proxy or not, and this will then apply to clients as well.

If there is no proxy defined and the domain controller alone is responsible for name resolution, you still cannot access the internet. Note that none of the clients will be able to access the internet either.
0
Shaun Vermaak (Technical Specialist) commented:
"If there is no proxy defined, and domain controller only responsible for name resolution, still you cannot access internet"
Of course you can, just not by name.
0
Mahesh (Architect) commented:
It's too difficult to access the internet by entering public IP addresses.
0
Sekar Chinnakannu (Staff Engineer, author) commented:
Thanks, guys. All I need is to disable internet access only on the DCs. Also, we don't have a proxy.
0
Mahesh (Architect) commented:
Then disable it at the network level, as suggested by Shaun.
0
Sekar Chinnakannu (Staff Engineer, author) commented:
Is there any specific configuration we need to consider?
0
Mahesh (Architect) commented:
You need to block outbound 80 & 443 from the domain controllers towards the extranet / internet.
0
Shaun Vermaak (Technical Specialist) commented:
"Is there any specific configuration we need to consider?"
You need to block all except private ranges; internet is more than just port 80/443.
0
Mahesh (Architect) commented:
The network firewall works on the default rule / principle of blocking everything except ...
You need to add the domain controller IPs to the default internet block rule, which should take care of everything.
0
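The "block all except private ranges" approach from this thread, written as a host-based Windows Firewall rule for cases where the network firewall cannot be changed. This is an added example, not part of the thread; the rule name is hypothetical, and it assumes every service the DCs legitimately reach (replication partners, clients, DNS forwarders, time source, update server) has an RFC 1918 address.

```powershell
# Added example, not from the thread. Run in an elevated session on each DC.
# Assumption: a DNS forwarder, NTP source or update server on a public
# address is not needed; it will stop working once this rule is active.

$ruleName = 'DC - Block outbound to public IPv4'   # hypothetical name

# IPv4 unicast space minus 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
# Loopback (127/8), link-local (169.254/16) and multicast/broadcast
# (224.0.0.0 and above) are deliberately left out of the block list.
# IPv6 is not covered by this rule.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# A block rule wins over any allow rule in Windows Firewall, and with no
# protocol or port given it applies to all of them, not only TCP 80/443.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $params = @{
        DisplayName   = $ruleName
        Direction     = 'Outbound'
        Action        = 'Block'
        RemoteAddress = $publicRanges
        Profile       = 'Any'
    }
    New-NetFirewallRule @params | Out-Null
}

# The rule only has an effect on profiles where the firewall is enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Read the rule back and confirm the address filter that was stored.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The same six ranges can be used as the destination set on the network firewall, with the DC addresses as the source.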
Sekar Chinnakannu (Staff Engineer, author) commented:
Thanks
0
Windows Server 2012