0

Hi, I'm setting up a little 2012R2 network.

Right now I want to set up a DC and connect a few Windows machines to it. It's running virtualised on my root server and unfortunately I can't put it behind a firewall since its internet is routed through a subnet with a router VM (thanks Hetzner).

To have at least a bit of security I want to block all kinds of access (ping, RDP, etc...) unless it's coming from the IPs of my subnet.

So basically I want to whitelist my subnet and deny whatever is coming from the internet.

Is there a way, or at least a best practice, to accomplish this?

Soundz
  • *I can't put it behind a firewall since its internet is routed through a subnet with a router VM* - what does this mean? Do you mean you can't put a hardware firewall in because the routing includes a virtual machine? Do you mean you don't want double-NAT and Hetzner is already converting public IPs to private addresses? Do you mean you don't want or can't have a virtual machine firewall (e.g. pfSense)? – TessellatingHeckler Nov 26 '15 at 18:57

1 Answer

0

Create the appropriate rules in Windows Firewall - you can do this domain-wide via GPO. Another option would be to configure IPsec isolation, so that all communication has to occur from trusted sources via IPsec.

MDMarra
  • Thanks for the fast reply, does this affect the connected machines? I want to set up an Exchange server in the (near) future which pulls the users from the DC. So the Exchange should be able to "do whatever" – Soundz Nov 26 '15 at 11:41
  • 1
    Why don't you read about the suggested options, learn about the technology, *then* ask follow up questions. – MDMarra Nov 26 '15 at 11:42
  • 1
    Frankly said, because I don't want to screw around more than I already do. Is there a need to learn about something that doesn't suit the needs? I have no problem learning about the technology if it is the right tool to work with. In the past I had more than enough of those "Well, I spent X hours learning about Y just to find out it wasn't what I'm looking for" situations. If you tell me "Yep, that's what you want" I'll gladly figure out the rest. All I want is the right direction. I'm sorry if I offended you – Soundz Nov 26 '15 at 11:48
  • *Is there a need to learn about something that doesn't suit the needs?* - maybe literally "no", but that leaves the tradeoffs to someone who doesn't know your situation and has no responsibility to maintain it. *"How do I set up x so it works"* is a factual question and answer. *"How can I set up Windows Firewall to do x"* is fact based. *"Choose how I will secure my servers, I don't want to learn about any ways except the one you pick for me"* isn't factual. You should research at least a bit, to make an informed decision about the pros and cons. Internet advice can be bad (or wrong for *you*). – TessellatingHeckler Nov 26 '15 at 19:13
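The Windows Firewall half of the accepted answer, as an added example that is not part of the answer or the question: a PowerShell script using the NetSecurity cmdlets that ship with Server 2012 R2. It sets the default inbound action to Block, narrows the DC's built-in allow rules (AD, DNS, Kerberos, LDAP, RPC and so on, which ship with RemoteAddress = Any) to one trusted subnet, adds the RDP and ping rules the question mentions, and finishes with a check for any allow rule still open to the whole internet. The subnet `10.10.10.0/24` and the GPO store name are constructed placeholders; with `$GpoStore` left at `$null` the script edits the local policy of the machine it runs on, which is the quickest way to try it before moving the same rules into a GPO.

```powershell
# Added example (not from the original answer): restrict inbound access on a
# Windows Server 2012 R2 DC to one management subnet with Windows Firewall.
# Constructed placeholder values:
#   $TrustedSubnet - the Hetzner subnet the admin and member machines sit in
#   $GpoStore      - "<domain FQDN>\<GPO name>" to write into a GPO, or $null
#                    to write into the local firewall policy of this machine
$TrustedSubnet = '10.10.10.0/24'            # constructed placeholder
$GpoStore      = $null                      # e.g. 'corp.example.test\DC Firewall'

# Splat -PolicyStore only when a GPO store was requested.
$store = if ($GpoStore) { @{ PolicyStore = $GpoStore } } else { @{} }

# 1. Default inbound action Block on all three profiles: anything not allowed
#    explicitly below is dropped, which covers "deny whatever comes from the
#    internet" without needing a separate block rule.
Set-NetFirewallProfile @store -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. A new allow rule does not narrow the predefined DC rules, and those are
#    scoped to Any. Re-scope every enabled inbound allow rule to the subnet
#    first, otherwise AD/DNS/RPC stay reachable from the internet.
Get-NetFirewallRule @store -Direction Inbound -Action Allow -Enabled True |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnet

# 3. Explicit rules for the two things the question names, scoped the same way.
New-NetFirewallRule @store -DisplayName 'Mgmt: RDP from trusted subnet' `
    -Direction Inbound -Action Allow -Profile Any `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSubnet

New-NetFirewallRule @store -DisplayName 'Mgmt: ICMPv4 echo from trusted subnet' `
    -Direction Inbound -Action Allow -Profile Any `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $TrustedSubnet

# 4. Check: every enabled inbound allow rule whose remote address is still Any.
#    After steps 2 and 3 this list should be empty; anything printed here is a
#    port the internet can still reach.
Get-NetFirewallRule @store -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, Profile
```

Two points worth knowing before running it against a GPO. First, a fresh GPO store contains no rules, so step 2 finds nothing there; the predefined rules live in the local store of each DC, and by default a GPO merges with them. To make the GPO authoritative, also set `-AllowLocalFirewallRules False` on the profiles in the GPO (a GPO-only setting) and re-create the DC rules you need in the GPO with the subnet scope. Second, because the rules are keyed on remote address, a member server added later inside the same subnet (the Exchange box mentioned in the comments) reaches the DC without further changes, while anything arriving from a public address is dropped by the default inbound action.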