GPO For Disable Network Discovery

    Question

  • Hi,

    I have a DC running Windows Server 2008 R2 and clients with Windows 7, 8 and 8.1.

    I want to disable users' access to computers from Network Discovery.

    I applied a GPO to remove the Network icon from the Navigation Pane and it works perfectly, but when users access a computer on the network from RUN they see Network in the address bar. For example, when a user accesses the server from RUN with \\Server\ and clicks Network in the address bar, they see all computers on the network.

    My question is: how can I prevent users from seeing computers on the network, and how do I disable network discovery completely?

    Thanks.

    Saturday, March 21, 2015 1:52 AM

Answers

  • Hi,

    >>How to prevent users see computers on network, how disable network discovery completely?

    We can try the following solution to see if it helps. 

    In a new or existing GPO:

    1. On Computer configuration, choose Policies, choose Security Settings, choose Windows Firewall with Advanced Security.

    2. On Windows Firewall with Advance Settings, choose Inbound Rules, right click and choose New Rule

    3. On Rule Type, select Predefined and choose Network Discovery, choose Next

    4. Choose only the following rules:

    a. Network Discovery (LLMNR-UDP-In)

    b. Network Discovery (NB-Name-In)

    c. Network Discovery (Pub-WSD-In)

    d. Network Discovery (SSDP-In)

    5. On Action choose Block the connection

    6. Press Finish

    7. On Inbound Rules, right click and choose New Rule, select Next

    8. Choose only the following Rule:

    a. Network Discovery (NB-Datagram-In)

    9. On Action choose Allow the connection

    10. Press Finish

    11. On Windows Firewall with Advance Settings, choose Outbound Rules, right click and choose New Rule

    12. On Rule Type, select Predefined and choose Network Discovery, choose Next

    13. Choose only the following rules:

    a. Network Discovery (LLMNR-UDP Out)

    b. Network Discovery (NB-Name Out)

    c. Network Discovery (Pub-WSD Out)

    d. Network Discovery (SSDP Out)

    14. On Action choose Block the connection

    15. Press Finish

    16. On Outbound Rules, right click and choose New Rule, select Next

    17. Choose only the following Rule:

    a. Network Discovery (NB-Datagram Out)

    18. On Action choose Allow the connection

    19. Press Finish

    20. On Computer configuration, choose Policies, choose Security Settings, choose System Services

    21. Choose Computer Browser Service

    22. Select Define this policy setting

    23. Choose Disabled, choose Apply and Ok.

    24. Repeat steps (21-23) for the following services:

    a. SSDP Discovery

    b. UPnP Device Host

    c. Function Discovery Resource Publication

    d. Function Discovery Provider host

    e. Link-Layer Topology Discovery Mapper

    After configuring the GPO, link this GPO to our target OU, and we can run gpupdate /force to immediately update group policy.

    Best regards,

    Frank Shen

                                                                                                                       






    Tuesday, March 24, 2015 2:46 AM
    Moderator
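
Once the GPO from the answer above has been applied, a client can be audited against it with a short PowerShell script. This is an added example, not part of the original reply; it assumes the standard Windows service short names for the listed services, and it reads firewall rules with `Get-NetFirewallRule`, which exists only on Windows 8 / Server 2012 and later, so on Windows 7 only the service checks run.

```powershell
# Added example: audit one client against the settings listed in the answer.
# Service short names are the standard Windows names for the display names
# the answer gives (assumption: default Windows installation).
$services = @{
    'Browser'  = 'Computer Browser'
    'SSDPSRV'  = 'SSDP Discovery'
    'upnphost' = 'UPnP Device Host'
    'FDResPub' = 'Function Discovery Resource Publication'
    'fdPHost'  = 'Function Discovery Provider Host'
    'lltdsvc'  = 'Link-Layer Topology Discovery Mapper'
}
$results = @()

foreach ($name in $services.Keys) {
    # Win32_Service.StartMode is also available to PowerShell 2.0 on Windows 7.
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    $results += New-Object PSObject -Property @{
        Check    = "Service: $($services[$name])"
        Expected = 'Disabled'
        Actual   = $mode
        Pass     = ($mode -eq 'Disabled' -or $mode -eq 'NotInstalled')
    }
}

# Firewall rules: NetSecurity cmdlets exist on Windows 8 / Server 2012 and later.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    # ActiveStore is the effective policy: local rules merged with GPO rules.
    $active = @(Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
        $_.Enabled -eq 'True' -and $_.DisplayName -like 'Network Discovery (*' })
    foreach ($proto in 'LLMNR-UDP', 'NB-Name', 'Pub-WSD', 'SSDP', 'NB-Datagram') {
        foreach ($dir in 'In', 'Out') {
            # Accept both "NB-Name-Out" and "NB-Name Out" spellings of the rule name.
            $rx   = '^Network Discovery \({0}[- ]{1}\)$' -f $proto, $dir
            $hits = @($active | Where-Object { $_.DisplayName -match $rx })
            # An enabled block rule overrides allow rules for the same traffic.
            $blocked  = @($hits | Where-Object { $_.Action -eq 'Block' }).Count -gt 0
            $actual   = if (-not $hits) { 'NotEnabled' } elseif ($blocked) { 'Block' } else { 'Allow' }
            # The answer allows only NB-Datagram and blocks the other four rules.
            $expected = if ($proto -eq 'NB-Datagram') { 'Allow' } else { 'Block' }
            $results += New-Object PSObject -Property @{
                Check = "Firewall: $proto $dir"; Expected = $expected
                Actual = $actual; Pass = ($actual -eq $expected)
            }
        }
    }
}

$results | Sort-Object Check | Format-Table Check, Expected, Actual, Pass -AutoSize
```

Rows with `Pass` set to `False` show where the client's effective state differs from the GPO, for example because the computer is outside the linked OU or has not refreshed policy yet.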

All replies

  • Thanks Frank, It is working properly!!
    Monday, May 4, 2015 3:23 PM