Network Segmentation in Domain Environment

I just acquired a new healthcare client running on a flat network. I want to get their network segmented to help prevent lateral movement, and my thoughts are to segment and isolate the network based on department and to segment their servers. The question I have is: how do I allow the workstations to authenticate to the DC while still keeping the server segment secure and isolated?

There are many ways to achieve this depending on your environment (router, switches and servers). The short answer is yes, this is very possible, but you will have to design, build and test this yourself. A good start would be pfSense.


You can put the domain servers on their own VLAN and create a firewall rule to only allow connections FROM wanted VLANs to the Domain VLAN to authenticate. Then put each dept on their own VLAN and create a firewall rule preventing access to/from each of those Dept VLANs. This way all VLANs can authenticate to the Domain VLAN where the DC is, but the individual VLANs cannot communicate between each other. Do the same thing for the printer network; they should be on their own VLAN with no Internet access.

As Arron and Michael have already stated, managed switches (VLANs) and routers are your friends for this.

Thanks for the info Arron. Would it be best to only allow the specific protocols and/or ports needed for workstations and users to authenticate to the DC and prevent everything else? I am still researching this to find the best way, or should I say the most secure way, of getting this set up. (I could be overthinking this.)

Thanks for your input Michael and TDCLGrant

Yes, only allow the bare necessities to your domain servers.
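The rule base the thread converges on (AD-only traffic into the DC VLAN, no dept-to-dept traffic, printers with no Internet), as an added policy model for checking flows before committing them to the firewall; this is not code from the forum, the VLAN subnets are constructed, and the port list is the standard Microsoft-documented client-to-domain-controller set, which is the "bare necessities" referred to above.

```python
"""Model of the segmented-VLAN firewall policy discussed in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example subnets; replace with the site's own VLAN ranges.
VLANS = {
    "dc": ipaddress.ip_network("10.0.10.0/24"),
    "hr": ipaddress.ip_network("10.0.20.0/24"),
    "billing": ipaddress.ip_network("10.0.30.0/24"),
    "printers": ipaddress.ip_network("10.0.40.0/24"),
}

# Client-to-DC ports a domain-joined workstation needs (DNS, Kerberos, NTP,
# RPC endpoint mapper + dynamic range, LDAP/LDAPS, SMB, kpasswd, Global Catalog).
AD_PORTS = {
    "tcp": {53, 88, 135, 389, 445, 464, 636, 3268, 3269} | set(range(49152, 65536)),
    "udp": {53, 88, 123, 389, 464},
}

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src: str                # VLAN name or "any"
    dst: str                # VLAN name, "internet" or "any"
    ports: Optional[dict]   # {"tcp": {...}, "udp": {...}}; None means all ports

# First-match rule base; anything that matches nothing is denied (assumes a
# stateful firewall, so DC replies ride on the client-initiated state).
POLICY = [
    Rule("allow", "any", "dc", AD_PORTS),
    Rule("deny", "any", "dc", None),
    Rule("deny", "printers", "internet", None),
    *[Rule("deny", a, b, None) for a in VLANS for b in VLANS if a != b and "dc" not in (a, b)],
    Rule("allow", "any", "internet", None),
]

def vlan_of(ip: str) -> str:
    """Map an address to its VLAN name, or 'internet' if it is outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "internet")

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for the first matching rule; default is deny."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for rule in POLICY:
        if rule.src not in ("any", src) or rule.dst not in ("any", dst):
            continue
        if rule.ports is not None and port not in rule.ports.get(proto, set()):
            continue
        return rule.action
    return "deny"
```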