Block access to specific IPs and ports based on AD group.

Valeri Milev 26 Reputation points

Hello All,

I have a small domain which consists of 1 DC and 2 more domain-joined servers.
I need to block the access to certain IP addresses and / or ports based on AD group membership.
How can I achieve this?
DC is Windows Server 2012 R2.
If it is now possible, please advise me what I need in order to achieve this?

Accepted answer
  1. Pierre Audonnet - MSFT 10,161 Reputation points Microsoft Employee

    There are several steps to make it work.

    Let's assume you have SERVER1 on which you want to restrict the access to port 80 to users who are members of a specific AD group called CONTOSO\Access80.

    On SERVER1, you need to do two things. All is happening in the Firewall console (that you can launch with the shortcut wf.msc):

    1. Set the Inbound rule of the firewall to Allow connection if it is secure
      Then click to Customize and click Allow the connection to use null encapsulation.
      This option will essentially not encrypt the data. The reason why I suggest this option is that you don't say you need encryption, you say you need to authenticate and restrict. With this option, the traffic will still show up as usual hence facilitating the network troubleshooting if you have issues (which might be the case if you are new to IPSec - because yes, all we do here is configure IPSec).
      Then on the Remote Users tab, check Only allow connections from these users and pick your group from the picker.
    2. Now, still on SERVER1 you need a Connection Security Rule. Still on your Firewall console, right click on Connection Security Rules and click New.
      In the first screen, select Custom (the wizard is hiding a complexity which I don't believe exists... So we go custom right away as it often makes it simpler at the end).
      In the next screen, you can leave everything by default.
      Then pick the second option Require authentication for inbound connections and request authentication for outbound connections.
      Then leave the default option in the Authentication Method.
      In the Protocol and Ports, pick TCP, on Endpoint 1 port select Specified Ports and 80. Don't change anything on Endpoint 2 port.
      Leave all Profile enabled, click Next and give it a name before saving.

    Then on the clients used by your users (and you can do that directly through the Firewall console or you can deploy that through group policy), you need to do only one thing:

    1. Create a Connection Security Rule. The equivalent of the opposite rule we created on the SERVER1.
      You pick Custom again.
      In Endpoints you can specify the IP address of SERVER1 in the Which computers in Endpoint 2 section.
      In Requirements you can pick the first option Request authentication for inbound and outbound connections.
      Leave the Default option in the Authentication Method.
      In Protocol and Ports use the reverse config such as:
      Leave all profile on and give it a name before saving.

    Now your server will require IPSec authentication for the inbound port 80 and your clients will try to do IPSec authentication when they connect to the port 80 of the SERVER1 (because of its IP address). And for the connection to work, SERVER1 will enforce the group membership you have set in the inbound rule.

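An added example, not part of the accepted answer, that scripts the same configuration with the NetSecurity PowerShell cmdlets instead of the wf.msc wizards. It assumes the group CONTOSO\Access80 from the answer, a constructed placeholder address 192.0.2.10 for SERVER1, and that the rule display names are free to choose.

```powershell
# Added example: scripted equivalent of the accepted answer's wf.msc steps.
# Assumptions: group CONTOSO\Access80 exists; SERVER1 answers on 192.0.2.10
# (constructed placeholder); run from an elevated PowerShell on each machine.

# --- On SERVER1 ---

# The firewall stores "Remote Users" as an SDDL string carrying the group's
# SID, so resolve the group name to its SID first (pure .NET, works on any
# domain-joined host without the AD module).
$account   = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Access80')
$groupSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$remoteUsr = "O:LSD:(A;;CC;;;$groupSid)"

# Step 1: inbound rule "Allow the connection if it is secure" with
# "Allow the connection to use null encapsulation" (-Authentication NoEncap:
# the peer is authenticated by IPsec but the payload is not encrypted, so a
# capture still shows plain HTTP), restricted to the group on Remote Users.
New-NetFirewallRule -DisplayName 'Allow TCP 80 to CONTOSO\Access80 only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 `
    -Authentication NoEncap -RemoteUser $remoteUsr -Profile Any

# Step 2: connection security rule requiring authentication inbound and
# requesting it outbound for TCP 80. Leaving out -Phase1AuthSet/-Phase2AuthSet
# keeps the wizard's "Default" method (computer Kerberos, then user Kerberos);
# the user phase is what carries the identity that step 1 checks.
New-NetIPsecRule -DisplayName 'Require auth for inbound TCP 80' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 80 -RemotePort Any -Profile Any

# --- On each client (or add -PolicyStore 'contoso.com\<GPO name>' to write
#     the rule into a GPO instead of the local store) ---

# Mirror-image rule: request (not require) authentication, scoped to
# SERVER1's address and remote port 80 so traffic to other hosts is untouched.
New-NetIPsecRule -DisplayName 'Request auth to SERVER1 TCP 80' `
    -RemoteAddress 192.0.2.10 -InboundSecurity Request -OutboundSecurity Request `
    -Protocol TCP -LocalPort Any -RemotePort 80 -Profile Any

# Check: after a group member connects, an IPsec main-mode SA with SERVER1
# should exist; a non-member's TCP 80 connection is dropped by the firewall
# because the user identity fails the Remote Users check.
Get-NetIPsecMainModeSA
```

Removing either rule from a test host (Remove-NetFirewallRule / Remove-NetIPsecRule by display name) restores the previous behaviour, which makes it easy to confirm the group check is what blocks a non-member.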

3 additional answers

  1. Gary Nebbett 5,721 Reputation points

    Hello @Valeri Milev ,

    You can make the connections "secure" by defining appropriate security rules:


    There is no other way. The higher level protocols that use ports (e.g. HTTP, LDAP) might "authenticate" their principals, but this is protocol specific and might occur some time after the connection is established. Using IPsec to "authenticate" is the only way to convey identities in a form that can be checked by Windows Defender Firewall.



  2. Valeri Milev 26 Reputation points

    Thanks for the reply!

    This way I am unable to set allowed security group.

    Is there another way?