When a client is non-compliant there's still an infrastructure tunnel running making it possible to access the management servers and domain controllers. But there's one thing that got me worried, i can still RDP to a domain controller, can view the SYSVOL folder and other folders. I know the DA creates an exception for the management servers and domain controllers so that they can access resources for validation but i don't like the fact that the client can still RDP to one of the domain controllers.
Is it possible to block certain protocols with limited access such as RDP and SMB? One of the solutions is to create a firewall rule that blocks almost all traffic. But perhaps there's a different method?