
I want to make sure that administrative access to Windows domain controllers is allowed only from specific IP addresses.

Note: I mean not only RDP access but ANY port/protocol that allows administrative access: SMB, WMI, LDAP, ADSI, etc.

Most of these ports on DCs are exposed to client computers by default. Thus I cannot put IP filters to block them.

I need a user/group based solution that allows admin logon only from some specific IP range.

What is the best way to do it?

The only idea I have is to make a script checking for some login events in real-time and killing unwanted connections. This is not very elegant and does not guarantee instant blocking.

This should be a very common issue in big networks and multi-tenant environments.

Is there any better idea?

aruna
coder56
    That's what firewalls are for. – Gerald Schneider Sep 15 '18 at 06:12
  • Firewalls can't be used as regular clients need these ports too. – coder56 Sep 15 '18 at 06:21
  • They don't need RDP, they don't need remote management, everything in that category can and should be shut off with a firewall. The protocols that are needed for client authentication are already handled by permissions. – Gerald Schneider Sep 15 '18 at 06:28
  • Restricting RDP is easy and it is not exposed to users by default. I need to restrict other ports/services that are exposed to any AD user: SMB, LDAP, ADSI. It does not matter how strong my RDP controls are if the same admin password can be used to take control of the forest via any of these ports. – coder56 Sep 15 '18 at 06:34
  • To the best of my knowledge, what you're trying to do isn't possible, Windows simply doesn't support it. Good idea though, and I could be wrong. +1. – Harry Johnston Sep 17 '18 at 02:05
  • How would a network connection know the difference between a user and administrator? You're trying to solve a layer 8 problem – spacenomyous Sep 17 '18 at 14:07
  • @spacenomyous, if the OS supported this functionality it would probably do it the other way around, i.e., when authenticating a user, require the component requesting authentication to indicate the source address of the attempted connection. – Harry Johnston Sep 17 '18 at 18:51
  • I suppose setting the "deny network logon" right for the Administrators group would block *all* network access. That would include RDP, so you'd need some other way to get to the console to administrate the machine, e.g., VNC, and then you could firewall that access as desired. Unfortunately, I have a strong suspicion this would break Active Directory, because the accounts used for replication would also be blocked. I suppose you could instead create a group of blocked accounts and put all your admin accounts in it. Messy, though, and kind of risky. – Harry Johnston Sep 17 '18 at 18:56
  • @HarryJohnston Yes he can restrict application access based on security groups using GPOs, but that's not what he asked for; he asked to restrict admin access to only certain IPs, while simultaneously allowing non-admin access, which is not possible. Role based access would be handled by the application permissions, IP based access would be handled by a firewall. BTW, RDP is not inherently administrative, just by default only admins are allowed to RDP. You can allow non-admins to RDP. – spacenomyous Sep 17 '18 at 19:04
  • @spacenomyous, I'm not quite sure which of my comments you're responding to, but I wasn't talking about application access. *Theoretically,* if he configured Windows to not allow any of the administrators to log in from the network at all, they could then do all the admin work on the physical console, or via a third-party product like VNC that behaves the same as the physical console. I'm not saying it's a good idea (better to just make sure you have strong passwords) and it might have unexpected side-effects, but it should work. – Harry Johnston Sep 17 '18 at 21:18

0 Answers
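The comments above split the problem in two: the listeners only administrators use (RDP, WinRM) can be scoped to a management subnet with the host firewall, while the listeners every domain member needs (Kerberos, LDAP, SMB, RPC) cannot, and Windows has no per-user source-address check for them. The following PowerShell is an added example of the first half, written for this page and not posted by the asker or any commenter. It assumes a hypothetical management subnet of 10.0.100.0/24, that it is run elevated on the DC, and that the built-in "Remote Desktop" and "Windows Remote Management" rule groups carry their default names. It does nothing for the SMB/LDAP concern the asker raises, which the thread concludes is not supported.

```powershell
# Added example, not from the original question or comments.
# Scope the admin-only management listeners on a DC to a management subnet with
# Windows Defender Firewall, leaving Kerberos/LDAP/SMB/RPC rules untouched.
# Assumption: 10.0.100.0/24 is the hypothetical jump-host / admin VLAN.

$MgmtSubnet = '10.0.100.0/24'
$AdminPorts = [ordered]@{ 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986 }

# 1. Drop unsolicited inbound traffic unless an allow rule matches.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the built-in, unscoped allow rules for RDP and WinRM. A scoped allow rule
#    achieves nothing while an unscoped allow rule for the same port stays enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop','Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object Direction -eq 'Inbound' |
    Disable-NetFirewallRule

# 3. Re-create allow rules for the same ports, reachable only from the management subnet.
#    (TCP only; RDP also uses UDP 3389 for transport optimisation but works without it.)
foreach ($entry in $AdminPorts.GetEnumerator()) {
    $name = "DC Admin - $($entry.Key) from mgmt subnet"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $entry.Value -RemoteAddress $MgmtSubnet -Profile Any | Out-Null
    }
}

# 4. Audit: return every enabled inbound TCP allow rule that exposes one of the admin
#    ports (or all ports) to any remote address. An empty result is the desired state;
#    re-run it after GPO refreshes, since a GPO-delivered rule can silently reopen a port.
function Get-UnscopedAdminPortRule {
    param([int[]]$Ports = @($AdminPorts.Values))
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP') { return }
        $addr = $rule | Get-NetFirewallAddressFilter
        $localPorts = @($port.LocalPort)
        $hits = @($Ports | Where-Object { $localPorts -contains "$_" })
        $exposed = ($localPorts -contains 'Any') -or ($hits.Count -gt 0)
        if ($exposed -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = ($localPorts -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

Get-UnscopedAdminPortRule | Format-Table -AutoSize
```

The audit function is the part worth keeping: block rules and scoped allow rules are easy to get right once, but any later rule with RemoteAddress "Any" on the same port (for example from a new GPO) reopens the listener, and Windows gives no warning. On a DC the equivalent "Deny access to this computer from the network" user right from the comments would have to be set through the Default Domain Controllers Policy rather than locally, and, as noted in the thread, applying it to the built-in Administrators group risks breaking replication; it is deliberately not scripted here.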