Prohibiting Non-Domain Computers from Accessing the Network Using a Domain IPsec Policy

Source: Internet
Author: User

Implementation Method:
1. The company's computers obtain a fixed IP address from the DHCP server through MAC address reservations. Their DNS setting points to the company's DNS server, and that DNS server forwards external DNS queries.
2. The DNS server and the domain controller run on the same server.
3. The company has an application-level firewall; a policy is added so that only the DNS server may reach UDP port 53 of Internet DNS servers.
4. With IP Security Policies, only computers in the domain can reach UDP port 53 of the DNS server.

Domain ipsec Policy Configuration:
1. Server Configuration:
In this case the DNS server and the domain controller are the same server, so there is no need to create a new server OU or a new GPO: edit the Default Domain Controllers Policy directly.
1) First create an IP filter list, which is the equivalent of an ACL; several filters can be added. For example: UDP port 53 from any IP address to my IP address. Select LAN as the connection type.
2) Create a filter action. This is the important part: the action must be "Negotiate security", with the other settings left at their defaults (integrity and encryption). This filter action ensures that a computer in the domain, once it has received the IPsec policy, can negotiate with the server; a computer that cannot negotiate with the server cannot access it.
Permit and Block filter actions can also be created.
3) From the filter list and filter action above, create a new IP security policy. Several rules can be added to it, such as a rule permitting access from uncontrolled IP addresses and a rule blocking blacklisted IP addresses. Do not activate the default response rule. Then assign the policy.

2. Client Configuration:
1) Create a new client OU and add the domain computers that are allowed access. A computer that is not added to this OU will not be able to access the server. Create a GPO in this OU.
2) Create an IP filter list as on the server. This time the server IP address can be specified, for example from my IP address to the server's fixed IP address, port 53.
3) Select the same filter action as on the server, and assign the policy.
3. Run gpupdate /force.
4. On the server or the client, use gpresult to check which policies the domain computer has applied.
5. troubleshooting:
1) The computer does not apply the domain IPsec policy:
My actual solution: create another OU, move the computer into it, and create a new GPO. The computer can be moved back afterwards.
2) After a computer has been added to the domain, it returns to the domain:
Search with oldcmp.
6. Ways to break the restriction:
Breaking is always easier than building. I have tried several methods. I will not write them here, so that the company does not see them. I can't do that either.
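The server-side and client-side policies above, as an added example (not from the original article) expressed with the NetSecurity cmdlets of Windows Firewall with Advanced Security instead of the legacy IP Security Policies snap-in; the domain name, DNS server address and GPO names are assumed values.

```powershell
# Added example, not the article's own procedure. Assumed: domain corp.example,
# DNS/DC address 10.0.0.10, GPOs "Default Domain Controllers Policy" (linked to the
# Domain Controllers OU) and "Client IPsec" (linked to the client OU). Run from an
# elevated PowerShell session on a domain-joined admin host with RSAT installed.

$Domain    = 'corp.example'
$DnsServer = '10.0.0.10'
$DcStore   = "$Domain\Default Domain Controllers Policy"
$CliStore  = "$Domain\Client IPsec"

# --- Server side: inbound UDP/53 to the DNS server must be IPsec-protected.
# The filter list (any -> me, UDP 53) and the "Negotiate security" filter action
# become a single connection security rule. The default Phase1AuthSet is computer
# Kerberos, so a host without a domain computer account cannot complete main mode
# and therefore never gets a DNS answer.
New-NetIPsecRule -PolicyStore $DcStore `
    -DisplayName 'Require IPsec for inbound DNS' `
    -Protocol UDP -LocalPort 53 -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Mode Transport -Profile Domain -Enabled True

# --- Client side: UDP/53 to the DNS server only over IPsec (mirrors the client
# filter list "from my IP address to the server IP address, port 53").
New-NetIPsecRule -PolicyStore $CliStore `
    -DisplayName 'Require IPsec to DNS server' `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer `
    -InboundSecurity Require -OutboundSecurity Require `
    -Mode Transport -Profile Domain -Enabled True

# --- Check on a client after gpupdate /force: a lookup against the DNS server
# should leave a main-mode security association to it behind. No SA means the
# policy was not applied (see troubleshooting, step 5) or negotiation failed.
function Test-DnsIpsec {
    param([string]$Server = $DnsServer)
    Resolve-DnsName -Name $Domain -Server $Server -Type A -ErrorAction SilentlyContinue | Out-Null
    $sa = Get-NetIPsecMainModeSA | Where-Object RemoteEndpoint -eq $Server
    if ($sa) { "Main-mode SA to $Server established"; return $true }
    "No IPsec SA to $Server: policy not applied or negotiation failed"; return $false
}
Test-DnsIpsec
```

These rules gate only name resolution through the domain DNS server, which is why the firewall policy in step 3 of the implementation method (only the DNS server may reach Internet DNS) is part of the design; a host that already knows destination addresses is not stopped by them.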

Author "dancing"
