Block access to specific IPs and ports based on AD group.

Valeri Milev 21 Reputation points
2021-11-29T15:08:55.083+00:00

Hello All,

I have small domain which consists of 1 DC and 2 more domain joined servers.
I need to block the access to certain IP address and / or Ports based on AD group membership.
How can I achieve this .
DC is Windows server 2012R2 .
If it is now possible please advice me what I need in order to achieve this?

BR!
Valeri

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,643 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,128 questions
No comments
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2021-11-30T14:30:54.837+00:00

    There are several steps to make it work.

    Let's assume you have SERVER1 on which you want to restrict the access to port 80 to users member of a specific AD group called CONTOSO\Access80.

    On SERVER1, you need to do two things. All is happening in the Firewall console (that you can launch with the shortcut wf.msc):

    1. Set the Inbound rule of the firewall to Allow connection if it is secure
      153715-image.png
      Then click to Customize and click Allow the connection to use null encapsulation.
      153755-image.png
      This option will essentially not encrypt the data. The reason why I suggest this option is that you don't say you need encryption, you say you need to authenticate and restrict. With this option, the traffic will still show up as usual hence facilitating the network troubleshooting if you have issues (which might be the case if you are new to IPSec - because yes, all we do here is configure IPSec).
      Then on the Remote Users tab, check Only allow connections from these users and pick your group from the picker.
      153680-image.png
    2. Now, still on SERVER1 you need a Connection Security Rule. Still on your Firewall console, right click on Connection Security Rules and click New.
      In the first screen, select Custom (the wizard is hiding a complexity which I don't believe exist... So we go custom right away as it often makes it simplier at the end).
      153698-image.png
      In the next screen, you can leave everything by default.
      153716-image.png
      Then pick the second option Require authentication for inbound connections and request authentication for outbound connections.
      153763-image.png
      Then leave the default option in the Authentication Method.
      153717-image.png
      In the Protocol and Ports, pick TCP, on Enpoint 1 port select Specified Ports and 80. Don't change anything on Endpoint 2 port.
      153772-image.png
      Leave all Profile enabled, click Next and give it a name before saving.
      153756-image.png

    Then on the clients used by your users (and you can do that directly through the Firewall console or your can deploy that through group policy), you need to do only one thing:

    1. Create a Connection Security Rule. The equivalent of the opposite rule we created on the SERVER1.
      You pick Custom again.
      In Endpoints you can specify the IP address of SERVER1 in the Which computers in Endpoint 2 section.
      153757-image.png
      In Requirements you can pick the first option Request authenication for inbound and outbound connections.
      Leave the Default option in the Authentication Method.
      In Protocol and Ports use the reverse config such as:
      153764-image.png
      Leave all profile on and give it a name before saving.

    Now you server will require IPSec authentication for the inbound port 80 and your clients will try to do IPSec authentication when they connect to the port 80 of the SERVER1 (because of its IP address). And for the connection to work, SERVER1 will enforce the group membership you have set in the inbound rule.

    No comments

3 additional answers

Sort by: Most helpful
  1. Valeri Milev 21 Reputation points
    2021-11-30T08:06:39.96+00:00

    Thanks for the reply!

    This way I am unable to set allowed security group.

    153550-screenshot-3.jpg
    Is there another way?

    BR!


  2. Gary Nebbett 3,831 Reputation points
    2021-11-30T12:28:10.45+00:00

    Hello @Valeri Milev ,

    You can make the connections "secure" by defining appropriate security rules:

    153658-image.png

    There is no other way. The higher level protocols that use ports (e.g. HTTP, LDAP) might "authenticate" their principals, but this is protocol specific and might occur some time after the connection is established. Using IPsec to "authenticate" is the only way to convey identities in a form that can be checked by Windows Defender Firewall.

    Gary

    No comments