I'm currently trying to tighten outbound traffic on user workstations when they're connected to Public and Private network profiles. My goal is to only allow HTTP (port 80) and HTTPS (port 443). Here's what I've set up:
- For Private networks: Block all outbound traffic by default.
- For Public networks: Block all outbound traffic by default.
- For Domain networks: Keep outbound traffic allowed as there's a corporate firewall.
I've even created a permissive Allow rule for all ports and programs going out to any IP, while still keeping Public and Private networks blocked. However, I'm running into a big issue. When a client connects to the corporate network, it can't get an IP via DHCP, and essential services like DHCP, DNS, and LDAP are being dropped, leading to the client receiving a 169.254.x.x APIPA address.
In Wireshark, there's no DHCP traffic, and Windows Defender's firewall log shows UDP packets being dropped. I suspect that Windows applies the Public profile first until it verifies it's on a Domain. Since Public outbound is fully blocked, it fails to communicate for DHCP and DNS, preventing it from detecting the domain.
So my question is: How can I configure this to ensure essential services work on corporate networks while still blocking most outbound traffic on Public and Private networks?
3 Answers
Remember that DHCP works over UDP, not TCP, and requires certain inbound communication to establish a connection. Make sure your firewall settings allow that incoming DHCP traffic, otherwise your computer will struggle to get an IP and connect to the necessary domain services.
To lease an IP from a DHCP server, your computer needs to be able to communicate on a network, but you're limiting it to just 80 and 443. Think about it—how will your machine determine its network type if it can only talk via those ports? Most communications necessary to establish a Domain connection can't happen under such strict rules.
Connecting to a Domain isn't instantaneous; your device needs to reach a domain controller first to switch profiles. Before it knows it's on a domain, it operates under the Public profile. You can't rely solely on HTTP or HTTPS to get an IP address or DNS information, so you'll need to open up other ports temporarily for DHCP and DNS to solve this problem.

Got it! I'll need to make that adjustment to ensure the DHCP traffic can get through. Thanks!
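As an added example (not code from the question or any of the answers above), here is a PowerShell script that keeps the default-deny outbound on Public and Private but carves out the DHCP, DNS and LDAP exceptions the answers describe, pinned to the Windows services that legitimately send that traffic; the rule group name and the DC subnet are assumptions.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell on Windows 10/11
# with the built-in NetSecurity module. The group name and DC subnet below are assumptions.
$group    = 'Workstation egress allow-list'
$dcSubnet = '10.0.0.0/24'                        # assumed: replace with your DC network(s)
$svchost  = '%SystemRoot%\System32\svchost.exe'

# Re-runnable: drop any rules this script created earlier.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default-deny outbound on Public/Private only; Domain keeps allow (corporate firewall).
Set-NetFirewallProfile -Profile Public, Private -DefaultOutboundAction Block
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Allow

# Settings shared by every exception below.
$common = @{ Direction = 'Outbound'; Action = 'Allow'; Profile = 'Public, Private'; Group = $group }

# Web traffic the question wants to keep.
New-NetFirewallRule @common -DisplayName 'Allow HTTP/HTTPS out' -Protocol TCP -RemotePort 80, 443

# DHCPv4 (68 -> 67) and DHCPv6 (546 -> 547), limited to the DHCP Client service in svchost.
New-NetFirewallRule @common -DisplayName 'Allow DHCPv4 client out' -Protocol UDP `
    -LocalPort 68 -RemotePort 67 -Program $svchost -Service Dhcp
New-NetFirewallRule @common -DisplayName 'Allow DHCPv6 client out' -Protocol UDP `
    -LocalPort 546 -RemotePort 547 -Program $svchost -Service Dhcp

# DNS (UDP and TCP 53) from the DNS Client service; needed to find the domain's SRV records.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule @common -DisplayName "Allow DNS out ($proto)" -Protocol $proto `
        -RemotePort 53 -Program $svchost -Service Dnscache
}

# LDAP (UDP and TCP 389) to the DCs only, so the domain can be located and the profile switch happens.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule @common -DisplayName "Allow LDAP to DCs ($proto)" -Protocol $proto `
        -RemotePort 389 -RemoteAddress $dcSubnet
}

# The DHCP OFFER/ACK arrives inbound on UDP 68; confirm the built-in Core Networking rule is still on.
Get-NetFirewallRule -DisplayName '*DHCP-In*' | Select-Object DisplayName, Enabled, Profile

# Review what was created, with its port filters, before testing on a real network.
Get-NetFirewallRule -Group $group |
    ForEach-Object {
        $p = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $p.Protocol; Local = $p.LocalPort; Remote = $p.RemotePort }
    } | Format-Table -AutoSize
```

Once the profile switches to Domain, the remaining corporate traffic (Kerberos, SMB, and so on) flows under the Domain profile's allow default, which is why only the discovery-phase ports need exceptions on Public and Private.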