Sekar Chinnakannu
asked on
Disable internet access to 2012 domain controllers
Due to security reasons I don't want internet access on my domain controllers. I need help to know the best practices to disable internet on domain controllers.
Create a root zone on the domain controller; it will stop internet access and internet name resolution from all domain controllers
But is this your intention?
That will stop internet name resolution, not internet access
It depends on how the internet is accessed.
After creating a root zone on the domain controllers, if a proxy is used to access the internet and that proxy is not dependent on the domain controller for name resolution, you can access the internet;
otherwise, if the proxy is dependent on the domain controllers for name resolution, you cannot access the internet no matter whether you have internet access on the proxy or not, and this will then apply to clients as well.
If there is no proxy defined and the domain controller alone is responsible for name resolution, you still cannot access the internet. Note that all clients will not be able to access the internet as well.
"If there is no proxy defined, and domain controller only responsible for name resolution, still you cannot access internet"
Of course you can, just not by name
It's too difficult to access the internet by entering public IP addresses
ASKER
Thanks guys. All I need is to disable internet access only to the DCs. Also, we don't have a proxy.
Then disable it at the network level as suggested by shaun
ASKER
Is there any specific configuration we need to consider?
You need to block outbound 80 & 443 from the domain controllers towards the extranet / internet
ASKER
Thanks
Blocking it at the network layer is best
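
One way to apply the outbound 80/443 block discussed in the thread on the DC's own Windows Firewall, in addition to the network-layer block recommended above. This is an added example, not part of the original thread; the rule name is hypothetical, and it assumes IPv4 only with all internal hosts on RFC 1918 addresses.

```powershell
# Added example: run in an elevated PowerShell session on each domain controller.
$ruleName = 'DC - Block outbound HTTP/HTTPS to internet'   # hypothetical rule name

# Public IPv4 space, written as the gaps around 10/8, 172.16/12, 192.168/16,
# loopback (127/8), link-local (169.254/16) and multicast/reserved (224+).
# Internal HTTP(S) services on private addresses therefore stay reachable.
# Assumption: IPv4 only; IPv6 egress needs its own rule or a network-level block.
$publicV4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Create the block rule once; outbound Block rules win over outbound Allow rules.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort '80','443' -RemoteAddress $publicV4 `
        -Profile Any | Out-Null
}

# The rule only takes effect while the firewall is enabled for the active profile.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Confirm what the rule actually matches.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
```

Unlike the root-zone approach, this blocks connections made directly to a public IP address as well as by name, but only for TCP 80 and 443.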