Block user access to the domain based on specific IP

Edwald Neo 51 Reputation points
2022-09-10T06:39:19.153+00:00

Dear All,
I have a domain with several users. How do I prevent user login if they are outside my office's allowable network?


5 answers

Sort by: Most helpful
  1. Gary Reynolds 9,416 Reputation points
    2022-09-10T09:37:15.52+00:00

    Hi @Edwald Neo

    Your question raises a few concerns to start with, as you would expect that you already have controls on who can physically and virtually (VPN) connect to your network.

    There are a few options to block access at different levels, the easiest to implement rules at the Windows firewall level of the servers and workstations that will reject connection from uncontrolled networks. You should also implement rules to block unknown\unauthorized traffic at the network firewall level as well.

    You can also block specified IP addresses from performing ldap queries against the DCs - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/47e2d581-66c9-430b-bca1-c0a73485fd10

    Gary.

    0 comments No comments

  2. Nguyen Thanh Hai 1 Reputation point
    2022-09-10T10:07:49.557+00:00

    The IP Deny list specifies a set of IP addresses from which the DC will reject incoming LDAP connection requests. The IP Deny list is stored in the lDAPIPDenyList attribute on the queryPolicy object. The DC retrieves the lDAPIPDenyList attribute from the same queryPolicy object that it retrieves the lDAPAdminLimits attribute from in section 3.1.1.3.4.6.

    The lDAPIPDenyList attribute is a multivalued attribute. Each value of the attribute is a string in the following form:

    X.X.X.X M.M.M.M

    where X.X.X.X is an IP address and M.M.M.M is a network mask. A connection from an IP address Y.Y.Y.Y will be rejected if the bitwise AND of Y.Y.Y.Y and M.M.M.M equals X.X.X.X.

    For example, the value "157.59.132.0 255.255.255.0" would cause requests from IP addresses 157.59.132.0 through 157.59.132.255 to be rejected. The value "157.59.132.245 255.255.255.255" would reject only IP address 157.59.132.245.

    The IP Deny list is only supported on IPv4 connections. Active Directory does not support this mechanism on IPv6 connections.

    Website: https://dogforms.com/

    0 comments No comments
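    As an added example (not from the answer above, and not Microsoft's code), the following Python applies the matching rule the answer quotes to a constructed deny list, and also flags entries that can never match because the address has bits set outside the mask; the list values and client addresses are made up.

    ```python
    import ipaddress

    # Constructed sample of lDAPIPDenyList values ("X.X.X.X M.M.M.M" per value),
    # in the format quoted above. Not read from a real DC.
    SAMPLE_DENY_LIST = [
        "157.59.132.0 255.255.255.0",      # whole /24 from the answer's example
        "157.59.132.245 255.255.255.255",  # single host from the answer's example
    ]


    def parse_deny_entry(value: str):
        """Split one 'X.X.X.X M.M.M.M' value into (address, mask) as 32-bit ints."""
        addr, mask = value.split()
        return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


    def entry_can_match(value: str) -> bool:
        """An entry can only ever match if X has no bits set outside M:
        (Y AND M) can never equal an X that has host bits set."""
        x, m = parse_deny_entry(value)
        return x & m == x


    def is_denied(client_ip: str, deny_list=SAMPLE_DENY_LIST) -> bool:
        """Apply the DC's rule: reject if (Y AND M) == X for any entry.
        IPv6 clients are never matched, because the IP Deny list is IPv4-only."""
        ip = ipaddress.ip_address(client_ip)
        if ip.version != 4:
            return False
        y = int(ip)
        return any(y & m == x for x, m in map(parse_deny_entry, deny_list))


    if __name__ == "__main__":
        for bad in (v for v in SAMPLE_DENY_LIST if not entry_can_match(v)):
            print(f"warning: entry {bad!r} can never match")
        for client in ("157.59.132.17", "157.59.133.1", "2001:db8::1"):
            print(client, "rejected" if is_denied(client) else "accepted")
    ```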

  3. Edwald Neo 51 Reputation points
    2022-09-11T22:11:40.063+00:00

    Dear All,
    Noted on the comments. How do I go about the settings? Please advise.

    Thanks

    0 comments No comments

  4. Gary Reynolds 9,416 Reputation points
    2022-09-12T08:21:22.047+00:00

    Hi,

    If you want to implement Windows firewall rules using GPOs, here is a post on how to implement new rules via GPOs - http://woshub.com/windows-firewall-settings-group-policy/

    If you want to set an LDAPIPDenyList option, this snippet provides the details on how to set - https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch14s05.html

    Gary.

    0 comments No comments

  5. Limitless Technology 39,586 Reputation points
    2022-09-12T20:13:09.1+00:00

    Hello there,

    Is your organization using Microsoft 365?

    If you want to restrict your users from accessing Microsoft 365 resources outside your office network, based on my research, here are different suggestions you can try:

    1. Deploy a Microsoft 365 Azure AD conditional access policy for your online users. With this feature, including trusted IPs (locations, etc.), you would be able to block user sign-in from untrusted IPs. For more details, please refer to https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview. However, this feature may require an Azure AD P1 license (at least); please check if it is available to your tenant, thanks.
    2. Deploy Active Directory Federation Services (ADFS) and integrate it with Microsoft 365, but without deploying the ADFS proxy service (***). With this deployed, federated users will only be able to access Microsoft 365 from the intranet; they cannot access it outside your office network, thanks. For more details, please refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview and https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs.

    -----------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments
