I have a bunch of Windows servers belonging to various customers, each with isolated public facing IP addresses.

The servers also have a second network connection to our backup network, which is an internal private network for backup traffic.

If we go into 'Network' on any of these machines, we have noted that they can see each other.

I'm assuming that they are doing network discovery on the backup network and, as such, can detect each other there. Other than disabling Network Discovery, is there anything I can do to prevent this?

I don't want to disable network discovery as users could just turn that back on and I need the clients to be permanently isolated.

Thanks in advance.

John

3 Answers


What is your goal?

If it is to disable network discovery, then disable the service.

If it's to harden security so that if one server is compromised, it cannot be used to access other servers, then you want to look at a few things:

  • Segregating or isolating each server using software (host-based) firewalls

  • Segregating or isolating each server using hardware, such as VLANs and firewall rules.

  • Introduce micro-segmentation into your environment, which is basically a combination of all-of-the-above in a software-defined approach.

MDMarra
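Added example, not part of MDMarra's answer: the host-based firewall option from the first bullet written out as a PowerShell script. The NIC alias "Backup", the 10.200.0.0/16 backup range, the backup server address 10.200.0.10 and the rule group name are constructed assumptions; adjust them to your network.

```powershell
# Added example (not from the original post or answers): interface-scoped
# Windows Firewall rules that let a customer server talk only to the backup
# server on the backup NIC. Constructed assumptions, adjust to your network:
#   - backup NIC alias:      "Backup"
#   - backup network:        10.200.0.0/16
#   - backup server address: 10.200.0.10
# Run in an elevated PowerShell on each customer server, or write the same
# rules into a domain GPO with -PolicyStore "<domain>\<GPO name>".

$BackupNic    = 'Backup'
$BackupServer = '10.200.0.10'
$RuleGroup    = 'Backup network isolation'

# Windows Firewall evaluates Block rules before Allow rules, so an Allow rule
# for the backup server cannot punch through a Block for the whole subnet.
# Instead, block everything in the backup range *except* the backup server,
# expressed as the two address ranges on either side of it.
$BlockedRanges = @(
    '10.200.0.0-10.200.0.9',
    '10.200.0.11-10.200.255.255'
)

# Remove any previous copy of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound: other hosts on the backup network cannot reach this server at all.
New-NetFirewallRule -DisplayName 'Block inbound from other backup-net hosts' `
    -Group $RuleGroup -Direction Inbound -Action Block `
    -InterfaceAlias $BackupNic -RemoteAddress $BlockedRanges -Profile Any | Out-Null

# Outbound: this server cannot initiate connections to other customers either
# (outbound defaults to Allow, so this needs an explicit Block rule).
New-NetFirewallRule -DisplayName 'Block outbound to other backup-net hosts' `
    -Group $RuleGroup -Direction Outbound -Action Block `
    -InterfaceAlias $BackupNic -RemoteAddress $BlockedRanges -Profile Any | Out-Null

# Verify: list the rules, then confirm the backup server itself is still reachable.
Get-NetFirewallRule -Group $RuleGroup |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize

Test-NetConnection -ComputerName $BackupServer -Port 445 -InformationLevel Quiet
```

The rules are bound to the backup interface only, so the public-facing NIC is untouched. Because a local administrator can still delete or disable these rules, they cover the "one server is compromised" case only as far as that server's admin rights go; the VLAN option in the second bullet is the stronger control, and the two combine well.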

Edit - based on comment that I should do better to explain.

If you want to isolate the servers' communication on the cable, regardless of any services you may use, VLANs are one of the options. A VLAN (virtual LAN) is a way of isolating computers at the data link layer, also known as OSI layer 2. You will have to change your firewall and routing to accommodate the changes.

On the Windows level you need to enable tagging on the NIC (go to the NIC properties and select the option named VLAN). On the switch you need to add multiple VLANs to the port the NIC is connected to, and the tagging will determine which VLAN the traffic goes to.

If you have Cisco you can add it (I prefer this one as it is non-destructive), e.g. for VLAN 10: switchport trunk allowed vlan add 10

or you can overwrite your current VLAN config with: switchport trunk allowed vlan 10,20,30,90

Recommended reading: VLAN vs. subnets (VLANs work on OSI layer 2, data link, and subnets on OSI layer 3, network): VLAN or Subnet.

Edit for the comment:

@Cory Knutson - Are you saying to create vlans with /29 subnets, and have the backup server have an IP in each?

It depends on how many servers can be in one VLAN. If only one, he could have a /30 with 2 hosts (that would be only the backup server and the server itself, not that practical). If he wants more, which is unknown, he may want to have a /29 for 6 hosts, a /28 for 14 hosts, etc. You know how to do the subnet calculation.

tukan
  • For someone who understands VLANs, this is a bit unclear. This should be more descriptive for a user trying to learn how to do something. Are you saying to create VLANs with /29 subnets, and have the backup server have an IP in each? – Cory Knutson Oct 09 '17 at 15:18
  • @CoryKnutson: you are right, I should have provided more information, which I'll do right now. On the other hand, the question was rather generic, so I picked the "best" solution in my eyes. MDMarra has answered in a more complete way. – tukan Oct 10 '17 at 08:09
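Added example, not from tukan's answer or the comments: a PowerShell helper that does the subnet calculation the comment thread asks about, assigning one VLAN and one subnet per customer server and giving the backup server the first usable address in every subnet. The base network 10.200.0.0, VLAN IDs starting at 100 and the customer names are constructed assumptions.

```powershell
# Added example (not part of the answer): plan one VLAN plus one subnet per
# customer server on the backup network, with the backup server present in
# every subnet. All numbers are constructed assumptions.

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)          # GetAddressBytes returns network (big-endian) order
    [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $b = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($b)
    ([System.Net.IPAddress]::new($b)).ToString()
}

function New-BackupSubnetPlan {
    param(
        [string]$BaseNetwork    = '10.200.0.0',
        [int]   $CustomerCount  = 3,
        [int]   $HostsPerSubnet = 2,     # 2 -> /30: backup server + one customer server
        [int]   $FirstVlanId    = 100
    )
    # Longest prefix that still leaves room for the hosts plus network and broadcast
    # addresses: /30 for 2 hosts, /29 for 6, /28 for 14, and so on.
    $prefix = 32
    while ((1 -shl (32 - $prefix)) - 2 -lt $HostsPerSubnet) { $prefix-- }
    $blockSize = [uint32](1 -shl (32 - $prefix))

    $base = ConvertTo-UInt32 $BaseNetwork
    for ($i = 0; $i -lt $CustomerCount; $i++) {
        $net = $base + ($blockSize * [uint32]$i)
        [pscustomobject]@{
            Customer     = "customer$($i + 1)"
            VlanId       = $FirstVlanId + $i
            Subnet       = "$(ConvertFrom-UInt32 $net)/$prefix"
            BackupServer = ConvertFrom-UInt32 ($net + 1)              # first usable host
            CustomerHost = ConvertFrom-UInt32 ($net + 2)              # second usable host
            Broadcast    = ConvertFrom-UInt32 ($net + $blockSize - 1)
        }
    }
}

# /29 per customer, as discussed in the comments: 4 customers, 6 usable hosts each.
New-BackupSubnetPlan -CustomerCount 4 -HostsPerSubnet 6 | Format-Table -AutoSize
```

Running it with -HostsPerSubnet 2 reproduces the /30 case from the answer (backup server plus one customer server), 6 gives /29 and 14 gives /28. The backup server then needs a tagged (trunk) port carrying all of those VLANs with one address per VLAN, while each customer server's backup NIC only needs to be in its own VLAN; since there is deliberately no gateway in any of these subnets, the customers cannot route to each other even if they guess the addressing.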

Disable network discovery:

  1. Disable it via GPO or local GPO; then the option will be grayed out for the users.
  2. Disable the service (can be done via GPO).
  3. Or block it via the Windows Firewall (can be done via GPO).

If your users are admins then blocking via Windows might not be the best option. But at least a domain GPO will keep disabling it.

SpiderIce
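Added example, not part of SpiderIce's answer: the three enforcement points from the list (the services, the firewall rule group the option is tied to, and the network profile of the backup NIC) as PowerShell, plus a check function that reports when a local admin has turned any of them back on. The NIC alias "Backup" is a constructed assumption.

```powershell
# Added example (not from the answer above): enforce "network discovery off"
# on a server and audit the result. Constructed assumption: the backup NIC is
# called "Backup". Run elevated. To push the same settings by GPO, use the
# System Services and Windows Firewall nodes under Computer Configuration >
# Windows Settings > Security Settings so they are re-applied on every refresh.

$BackupNic = 'Backup'

# Services behind Network Discovery: Function Discovery (publication and
# provider host), SSDP/UPnP, and Link-Layer Topology Discovery.
$DiscoveryServices = 'FDResPub', 'fdPHost', 'SSDPSRV', 'upnphost', 'lltdsvc'

# The built-in firewall rule group that opens the discovery ports; toggling
# this group is what the "Turn off network discovery" radio button does.
$DiscoveryRuleGroup = 'Network Discovery'

function Disable-NetworkDiscovery {
    foreach ($svc in $DiscoveryServices) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc -StartupType Disabled
        }
    }
    Set-NetFirewallRule -DisplayGroup $DiscoveryRuleGroup -Enabled False
    # Treat the backup NIC as a Public network: discovery is off there by default.
    Set-NetConnectionProfile -InterfaceAlias $BackupNic -NetworkCategory Public
}

function Test-NetworkDiscoveryDisabled {
    # Returns $true when every control is still in place, otherwise warns per
    # drifted setting and returns $false.
    $bad = @()
    foreach ($svc in $DiscoveryServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.StartType -ne 'Disabled') {
            $bad += "service $svc startup type is $($s.StartType)"
        }
    }
    $enabledRules = Get-NetFirewallRule -DisplayGroup $DiscoveryRuleGroup |
        Where-Object { $_.Enabled -eq 'True' }
    if ($enabledRules) {
        $bad += "$(@($enabledRules).Count) Network Discovery firewall rules are enabled"
    }
    $ncp = Get-NetConnectionProfile -InterfaceAlias $BackupNic -ErrorAction SilentlyContinue
    if ($ncp -and $ncp.NetworkCategory -ne 'Public') {
        $bad += "$BackupNic network profile is $($ncp.NetworkCategory)"
    }
    if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; return $false }
    return $true
}

Disable-NetworkDiscovery
Test-NetworkDiscoveryDisabled
```

Test-NetworkDiscoveryDisabled is the part worth keeping around: run it from a scheduled task or your monitoring agent and alert on $false, which catches exactly the case the answer warns about, an admin user re-enabling discovery between GPO refreshes.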