One of our auditors has recommended that IT Security teams should block ALL outbound internet traffic on our Windows AD domain controllers.
Is this practical? A best practice? According to IT Security, it is not practical to block everything. There has to be some outbound traffic allowed.
"Block All" is just as naïve as "Allow All". You probably want to allow things like Windows Update, Azure sync, NTP, and DNS forwarding.
This is not a path to follow alone. I would either ask the auditors to provide a reference guide that has been battle-tested by their other customers who have implemented this recommendation, or I would leverage a web-filtering service that allows you to pick and choose categories, such as "system updates", "malware sites", "news", etc. And, from there, be restrictive for all servers, not just DCs.
And while you are at it, you might consider web-filtering for end-user machines too. There really is no reason to allow anyone to access sites tagged "known malicious" or "newly registered domains" and the corporate lawyers probably would recommend blocking a few other categories, such as NSFW.
"Block All" is just as naïve as "Allow All".
There is both wisdom and simplicity in this observation, kind of like the person who burns a book is probably more dangerous than the person who wrote it.
I believe the "block all outbound connections" recommendation comes from Microsoft's own documentation. But they do note there are exceptions. Depending on the auditors, they may not have much more nuanced direction or knowledge. Assuming the auditors made this as part of their comments to management (not part of their final audit document), you/management may want to follow up with the auditors. One of the problems on management's side is that the group working with the auditors (e.g., your audit committee) is focused on the financials. There should be some technology/security representation on that group if you don't have it already.
What type of audit are you going through?
Most compliance frameworks provide the same thing that, for example, PCI DSS requires -- all inbound and outbound traffic be blocked, except for that which is necessary, and has a documented business justification.
Additionally, most frameworks provide that network security device rulesets have a default "deny all" rule, so that if there is not a rule explicitly allowing the communication, it will not be allowed.
For Active Directory domain controllers, there aren't a lot of necessary outbound connections that I can think of, but there are some that apply in the general case, and the definition of "necessary" is up to the organization -- as long as it's justified (and the justification is reasonable 🙂 ), the connection can be allowed.
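Putting the two answers above together (the short allow-list of Windows Update, NTP and DNS forwarding from the "Block All is just as naïve" reply, and the default-deny-with-documented-justification requirement from the last reply), here is an added PowerShell example of what that looks like on a single domain controller using Windows Defender Firewall. It is not code from the thread. The forwarder and NTP addresses, the internal RFC 1918 ranges, the change-ticket references, and the choice of `wuauserv` plus `BITS` as the services that need internet egress for updates are all assumptions to replace with your own values; an Azure AD Connect rule would follow the same pattern with that product's sync binary, but it is left out here rather than guess its path.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread: default-deny outbound on the
# Domain profile of a DC, with a small allow-list whose rule Descriptions carry
# the business justification an auditor will ask for.
# All addresses, ranges and ticket numbers below are assumed placeholders.

$Forwarders   = @('192.0.2.53', '192.0.2.54')                        # assumed upstream DNS forwarders (TEST-NET-1)
$NtpSources   = @('192.0.2.123')                                      # assumed time source for the PDC emulator
$InternalNets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')    # assumed internal address space

# "Outbound internet" is the target; traffic to other DCs and members
# (replication, Kerberos, LDAP, SMB) must stay open or the DC breaks.
$AllowList = @(
    @{ Name = 'DC-Out-Internal'
       Desc = 'AD replication/Kerberos/LDAP/SMB to internal hosts (CHG-0001)'
       Params = @{ RemoteAddress = $InternalNets } }
    @{ Name = 'DC-Out-DNS-Forward-UDP'
       Desc = 'DNS Server service forwarding to upstream resolvers (CHG-0002)'
       Params = @{ Program = "$env:SystemRoot\System32\dns.exe"; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $Forwarders } }
    @{ Name = 'DC-Out-DNS-Forward-TCP'
       Desc = 'DNS forwarding fallback to TCP for truncated responses (CHG-0002)'
       Params = @{ Program = "$env:SystemRoot\System32\dns.exe"; Protocol = 'TCP'; RemotePort = 53; RemoteAddress = $Forwarders } }
    @{ Name = 'DC-Out-NTP'
       Desc = 'Windows Time service sync to approved time source (CHG-0003)'
       Params = @{ Service = 'w32time'; Protocol = 'UDP'; RemotePort = 123; RemoteAddress = $NtpSources } }
    @{ Name = 'DC-Out-WindowsUpdate'
       Desc = 'Windows Update agent to Microsoft update endpoints (CHG-0004)'
       Params = @{ Service = 'wuauserv'; Protocol = 'TCP'; RemotePort = @(80, 443) } }
    @{ Name = 'DC-Out-WindowsUpdate-BITS'
       Desc = 'BITS downloads for Windows Update (CHG-0004)'
       Params = @{ Service = 'BITS'; Protocol = 'TCP'; RemotePort = @(80, 443) } }
)

# Create the allow rules FIRST, then flip the default, so the box never ends
# up in a state where updates, DNS or time are cut off.
foreach ($entry in $AllowList) {
    $common = @{
        DisplayName = $entry.Name
        Description = $entry.Desc
        Direction   = 'Outbound'
        Action      = 'Allow'
        Profile     = 'Domain'
        Enabled     = 'True'
    }
    $specific = $entry.Params
    New-NetFirewallRule @common @specific | Out-Null
}

# Default deny for anything no rule matches, with blocked packets logged so
# the first weeks of operation show what else turns out to be "necessary".
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 32767

# Evidence for the auditor: every enabled outbound allow rule and its justification.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Select-Object DisplayName, Description |
    Format-Table -AutoSize
```

Two things to keep in mind when running this. The Windows Update rules are scoped by service and port but not by remote address, because Microsoft's update endpoints are many and change; the web-filtering proxy suggested earlier in the thread is the better place to pin that traffic down by category. And the built-in "Core Networking" outbound rules remain enabled, so the default-deny only bites traffic that nothing else already allows; review the pfirewall.log drops before rolling the same settings out through Group Policy to every DC.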