
I want to make sure that administrative access to Windows domain controllers is allowed only from specific IP addresses.

Note: I mean not only RDP access but ANY port/protocol that allows administrative access: SMB, WMI, LDAP, ADSI, etc.

Most of these ports on DCs are exposed to client computers by default. Thus I cannot put IP filters to block them.

I need a user/group-based solution that allows admin logon only from some specific IP range.

What is the best way to do it?

The only idea I have is to make a script checking for some login events in real-time and killing unwanted connections. This is not very elegant and does not guarantee instant blocking.

This should be a very common issue in big networks and multi-tenant environments.

Is there any better idea?

aruna
  • 15
coder56
  • 11
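The question above floats the idea of a script that watches logon events in real time. As an added example (not part of the original question or any answer), the PowerShell below shows the audit half of that idea: it takes Security log event 4624 (successful logon) records from a domain controller and reports every logon by a privileged account whose source IP falls outside an approved administrative range. It does not kill connections; it produces a list a defender can alert on or feed to a SIEM. The account list `$AdminAccounts` and the range `10.20.30.0/24` are constructed placeholders, as are the sample events; the `ConvertFrom-LogonEvent` helper at the end shows how to build the same objects from live `Get-WinEvent` output.

```powershell
# Added example, not from the original post. Assumptions (all constructed):
#   - privileged accounts are the ones listed in $AdminAccounts
#   - the only approved source for admin logons is the jump-host range 10.20.30.0/24
#   - event records carry the 4624 EventData fields TargetDomainName, TargetUserName,
#     LogonType and IpAddress (these are the real field names in event 4624)

$ApprovedAdminRanges = @('10.20.30.0/24')                      # constructed example range
$AdminAccounts       = @('CORP\dc-admin', 'CORP\backup-op')    # constructed example accounts

function Test-IPv4InRange {
    # Returns $true when $IPAddress lies inside the IPv4 CIDR block $Cidr.
    # Integer arithmetic is done with [long] and a power-of-two block size so it
    # behaves identically on Windows PowerShell 5.1 and PowerShell 7.
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toLong = {
        param($ip)
        $addr = [System.Net.IPAddress]::Parse($ip)
        if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
        $b = $addr.GetAddressBytes()
        [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
    }
    $ipValue  = & $toLong $IPAddress
    $netValue = & $toLong $network
    if ($null -eq $ipValue -or $null -eq $netValue) { return $false }   # IPv6 source: not in an IPv4 range
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    [math]::Floor($ipValue / $blockSize) -eq [math]::Floor($netValue / $blockSize)
}

function Find-UnapprovedAdminLogon {
    # Emits one object per privileged logon whose source IP is outside every approved range.
    param([object[]]$Events, [string[]]$Admins, [string[]]$Ranges)
    foreach ($e in $Events) {
        $account = "$($e.TargetDomainName)\$($e.TargetUserName)"
        if ($Admins -notcontains $account) { continue }                 # ordinary users are out of scope
        if ($e.IpAddress -in @('-', '127.0.0.1', '::1')) { continue }    # console/local logon, no remote source
        $approved = $false
        foreach ($r in $Ranges) {
            if (Test-IPv4InRange -IPAddress $e.IpAddress -Cidr $r) { $approved = $true; break }
        }
        if (-not $approved) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = $account
                SourceIP  = $e.IpAddress
                LogonType = $e.LogonType      # 3 = network (SMB/WMI/LDAP), 10 = RDP, 2 = console
            }
        }
    }
}

# Constructed sample events in the shape produced by ConvertFrom-LogonEvent below.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01T08:00:00'; TargetDomainName = 'CORP'; TargetUserName = 'dc-admin';  LogonType = 10; IpAddress = '10.20.30.15' }   # RDP from approved jump host
    [pscustomobject]@{ TimeCreated = '2024-01-01T08:05:00'; TargetDomainName = 'CORP'; TargetUserName = 'dc-admin';  LogonType = 3;  IpAddress = '192.168.50.77' } # SMB/WMI from a workstation: reported
    [pscustomobject]@{ TimeCreated = '2024-01-01T08:06:00'; TargetDomainName = 'CORP'; TargetUserName = 'jsmith';    LogonType = 3;  IpAddress = '192.168.50.78' } # non-admin user: ignored
    [pscustomobject]@{ TimeCreated = '2024-01-01T08:07:00'; TargetDomainName = 'CORP'; TargetUserName = 'backup-op'; LogonType = 2;  IpAddress = '-' }             # console logon: ignored
)

Find-UnapprovedAdminLogon -Events $SampleEvents -Admins $AdminAccounts -Ranges $ApprovedAdminRanges | Format-Table -AutoSize
# Expected: a single row for CORP\dc-admin from 192.168.50.77 (LogonType 3).

function ConvertFrom-LogonEvent {
    # Maps a live event 4624 record to the object shape used above.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    $get  = { param($name) ($data | Where-Object { $_.Name -eq $name }).'#text' }
    [pscustomobject]@{
        TimeCreated      = $Record.TimeCreated
        TargetDomainName = & $get 'TargetDomainName'
        TargetUserName   = & $get 'TargetUserName'
        LogonType        = & $get 'LogonType'
        IpAddress        = & $get 'IpAddress'
    }
}

# Live use on a DC (requires rights to read the Security log):
# $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-LogonEvent $_ }
# Find-UnapprovedAdminLogon -Events $recent -Admins $AdminAccounts -Ranges $ApprovedAdminRanges
```

Running this on a schedule, or against events forwarded to a collector, gives an audit trail of which privileged logons reached the DC from outside the approved range over SMB, WMI, LDAP or RDP alike, since all of them produce a 4624 with the originating IP. It is detection only: it tells you the policy was violated after the fact rather than preventing the connection, which is the limitation the question itself points out about a script-based approach.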

0 Answers