Forum Discussion

joaquimlopes
Copper Contributor
Jun 06, 2025

Block all internet traffic except some sites

Hi,

I have a subset of machines that need access only to some sites, like internal websites, Office 365 and AV updates, but I'm being asked to block all other sites.

Can I use Office 365 Defender (https://security.microsoft.com/securitysettings/endpoints) to do this?

What is the best option?

Thanks

4 Replies

  • Your best option is a ZTNA SWG, such as Entra Internet Access. There, you can do blocks and allows more conveniently across your organisation. This is standard best practice for controlling your Internet access org-wide. You can stick to block or allow rules as required. Defender for Endpoint does half of that; capability-wise there are differences.

  • Yes, you can partially achieve this with Microsoft Defender for Endpoint (through the security.microsoft.com portal), but it’s not designed as a full outbound web filtering solution on its own.

    The recommended approach is to use Microsoft Defender for Endpoint Web Content Filtering, combined with Network Protection:

    Web Content Filtering: Allows you to control which websites can be accessed based on categories. You can block all categories except the ones you specifically allow (for example, categories covering Office 365, security updates, internal sites).

    Network Protection: Blocks outbound connections to known malicious domains and can help restrict traffic that doesn’t match your allow rules.

    Defender for Endpoint web filtering relies on Microsoft Defender SmartScreen and may not offer strict “only allow specific sites” functionality like a firewall.

    For strict “allow only these URLs, block everything else” scenarios, it’s best to implement this at the firewall level or with a proxy solution.

    Let me know if you’d like help with a technical implementation guide for either option.

    Best Regards,

    Ali Koc

    Nathan_McNulty
    Copper Contributor

    Defender for Endpoint is not the right tool for this. Instead, you will want to use Windows Firewall to block outbound by default and allow only what you want to access by FQDN. Be sure to read the article here to understand the limitations, requirements, and how to configure the FW rules (can also be configured using auto-resolve in Intune):

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords

    An alternative is to configure a dedicated DNS server (or DNS policies) for these machines that only responds to the requests you want. You may need to do a FW rule or something to prevent DNS requests to anything except these DNS servers to avoid local DNS changes.
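As an added illustration of the Windows Firewall approach described in the reply above (this is example code, not something posted in the thread and not Microsoft's own sample), the PowerShell below sets the outbound default to Block, allows DNS only to designated resolvers, allows an internal subnet by address, and allows a list of FQDNs through dynamic keyword addresses with auto-resolve. Every hostname, resolver IP and subnet in it is a placeholder assumption; the real Office 365 and AV-update hostnames must come from the vendors' published endpoint lists, and the OS requirements and auto-resolve limitations are in the linked dynamic-keywords article.

```powershell
# Added example (not from the thread): default-deny outbound on Windows Firewall with
# FQDN-based allow rules via dynamic keyword addresses. Hostnames, resolver IPs and the
# internal subnet below are placeholders; substitute your own. Run in an elevated shell.
#Requires -RunAsAdministrator

# --- Assumed values (placeholders, not taken from the original post) ---
$DnsServers     = @('10.10.0.10', '10.10.0.11')   # the only resolvers these machines may use
$InternalSubnet = '10.0.0.0/8'                     # where the internal web servers live
$AllowedFqdns   = @(                               # hypothetical allow list
    'intranet.corp.example',
    '*.office.com',
    '*.office365.com',
    '*.microsoft.com',
    '*.windowsupdate.com'
)

# 1. Default deny outbound on every profile (inbound is already Block by default).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. DNS only to the approved resolvers, on both transports. Auto-resolve keywords are
#    populated from DNS answers the host itself receives, so the host must still be able
#    to resolve names; pinning port 53 to these servers also stops a local DNS change
#    from redirecting lookups to a rogue resolver.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS ($proto) to approved resolvers" `
        -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
        -RemoteAddress $DnsServers | Out-Null
}

# 3. Internal web sites by address; a fixed subnet needs no FQDN rule.
New-NetFirewallRule -DisplayName 'Allow internal web' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 -RemoteAddress $InternalSubnet | Out-Null

# 4. One dynamic keyword address per FQDN. -AutoResolve lets the firewall fill the
#    address set from observed DNS responses instead of a static IP list. The Id must be
#    a braced GUID string, which ToString('B') produces.
$keywordIds = foreach ($fqdn in $AllowedFqdns) {
    $id = [guid]::NewGuid().ToString('B')
    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $fqdn -AutoResolve $true | Out-Null
    $id
}

# 5. A single allow rule for HTTP/HTTPS to every keyword. Anything not matched by a rule
#    above falls through to the profile default, which is now Block.
New-NetFirewallRule -DisplayName 'Allow approved FQDNs' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 -RemoteDynamicKeywordAddresses $keywordIds | Out-Null

# 6. Verification: show each keyword object so you can see when addresses get resolved.
foreach ($id in $keywordIds) {
    Get-NetFirewallDynamicKeywordAddress -Id $id
}
```

Before rolling this out, pilot it on one machine and add the management endpoints the device itself depends on (Intune, Defender, Windows Update, the AV vendor's update hosts) to the FQDN list, otherwise the default-deny will cut the machine off from its own management plane. The same rule set can be pushed through Intune's firewall profile with auto-resolve, as the reply above notes.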

  • I know you can block categories of sites and specific sites, so you would need a combination of blocks and exclusions. But thinking about it, the local Windows firewall sounds like the more feasible option.
