Block IP Addresses Using Group Policy (GPO) in Active Directory

Blocking specific IP addresses using Group Policy can be helpful when you want to restrict internet access or control network traffic on certain devices in an Active Directory environment. This guide walks through blocking IP addresses by creating a Group Policy Object (GPO) that uses the Windows Firewall and a proxy configuration to prevent access to external IP addresses.
This method ensures security across Windows-based devices and minimizes potential gaps in network restrictions.
Why Block IP Addresses?
Blocking IP addresses is useful for several reasons:
- Restricting Internet Access: Sometimes, you may want to block internet access on specific devices or for particular users.
- Enhanced Security: Prevent unauthorized traffic from reaching external networks by restricting IP ranges.
- Traffic Control: Simplify network management by controlling traffic flow to and from your internal network.
This setup has been tested on Windows 7 and Windows 10, but it should work well across various Windows versions.
Setting Up IP Blocking with Windows Firewall
To create a policy that effectively blocks external IP addresses, we’ll use the Windows Firewall with Advanced Security settings through Group Policy to demonstrate how the GPO can be configured.
Step 1: Create a New Group Policy Object (GPO)
Launch the Group Policy Management Console (GPMC) on your domain controller.

Right-click the Organizational Unit (OU) where you want the policy applied and select Create a GPO in this domain, and Link it here.

Give it a meaningful name, such as “Block External IPs” for easy identification.

Step 2: Set Up the Windows Firewall Block Rules
Right-click on your new GPO and select Edit.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

Right-click on Outbound Rules and select New Rule.

Choose Custom as the rule type and click Next.

Leave the default All Programs selected and click Next.

Leave the protocol setting at Any and click Next.

On the Which remote IP addresses does this rule apply to? screen, select These IP addresses.

Click Add, then choose This IP address range.

Enter the IP ranges you want to block, one at a time. For example, these ranges cover external, non-private IPs:
- 0.0.0.1 – 9.255.255.255
- 11.0.0.0 – 126.255.255.255
- 128.0.0.0 – 169.253.255.255
- 169.255.0.0 – 172.15.255.255
- 172.32.0.0 – 192.167.255.255
Repeat this for each range until all are added and click Next.

Set the rule to Block the connection and click Next.

On the profile screen, you can leave all profiles checked (Domain, Private, and Public) and click Next.

Give this rule a descriptive name, like “Block External IPs” or “Internet Block Rule,” and click Finish.
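
A coverage check for the range list entered in Step 2, added here as an example and not part of the original article: it computes which IPv4 addresses the entered ranges leave unblocked, then subtracts the address space assumed to be intentionally reachable. The `ALLOWED` list and the function names are assumptions made for this example.

```python
import ipaddress

# The five example ranges from Step 2 of the article.
BLOCKED = [
    ("0.0.0.1", "9.255.255.255"),
    ("11.0.0.0", "126.255.255.255"),
    ("128.0.0.0", "169.253.255.255"),
    ("169.255.0.0", "172.15.255.255"),
    ("172.32.0.0", "192.167.255.255"),
]
# Assumption: space meant to stay reachable (this-host, RFC 1918, loopback,
# link-local, and multicast/reserved/broadcast from 224.0.0.0 upward).
ALLOWED = ["0.0.0.0/32", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
LAST = 0xFFFFFFFF  # 255.255.255.255

def unblocked_gaps(blocked):
    """Integer (first, last) spans of IPv4 space that no blocked range covers."""
    spans = sorted((int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
                   for a, b in blocked)
    gaps, cursor = [], 0
    for first, last in spans:
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= LAST:
        gaps.append((cursor, LAST))
    return gaps

def unintended_gaps(blocked, allowed):
    """Unblocked spans left after removing the intentionally allowed networks."""
    nets = sorted((int(n.network_address), int(n.broadcast_address))
                  for n in map(ipaddress.IPv4Network, allowed))
    out = []
    for lo, hi in unblocked_gaps(blocked):
        cursor = lo
        for a_lo, a_hi in nets:
            if a_hi < cursor or a_lo > hi:
                continue  # this allowed network does not touch the gap
            if a_lo > cursor:
                out.append((cursor, a_lo - 1))
            cursor = max(cursor, a_hi + 1)
        if cursor <= hi:
            out.append((cursor, hi))
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in out]

if __name__ == "__main__":
    for span in unintended_gaps(BLOCKED, ALLOWED):
        print("not blocked and not in the allowed list:", span)
```

Any span it prints stays reachable after the rule applies, so it belongs either in the rule or in the allowed list.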

Verifying the Configuration
After implementing the GPO to block IP addresses, test it to confirm that it’s working as expected. Restart a client machine in the target OU, then try to access an external IP. It should be blocked.
You can verify that the firewall is actively blocking traffic to external IP ranges by viewing the logs. Enable firewall logging if necessary through Windows Firewall with Advanced Security settings.
Conclusion
By following these steps, you can effectively restrict internet access and control network traffic through a well-structured Group Policy Object in Active Directory.
This setup uses the Windows Firewall for enhanced security, ensuring that users cannot easily bypass the blocks you’ve put in place.
I hope you find this post helpful on how to block IP addresses using Group Policy (GPO) in Active Directory. If you have any questions, feel free to leave them in the comment section below.