1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Restricting Internet Access

Discussion in 'Networks' started by datarunner, May 19, 2007.

  1. datarunner

    datarunner Byte Poster

    245
    1
    24
    Hi All

    I posted a while ago on here regarding my college project. So far all is ok but here is the question.

    The office has 12 PCs and only 6 should have internet access and the other 6 email only.

    Which is the best way to go about this? I have setup server 2003 standard edition with RRAS and 2 NICs. 1 public and 1 private.

    A possible solution I was thinking of was assigning 6 static private IP (DHCP reservations?) and 6 via DHCP and then 1 lot of 6 can have access. Am I going about this the right way? Bit clueless here.

    All info appreciated
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    I take the PCs log onto a domain?

    If so you can configure Group Policy to assign proxy server settings in IE. You configure the settings for a proxy server that doesnt exist and therefore the users cant access the internet through IE. Also you can hide the settings tab from the user in IE (through group policy) therefore the user cant change the proxy server config.

    If you block by IP that wont stop a blocked user moving onto another PC that has internet access.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    I shall have to try this at some stage!

    I will have two or three OU's - such as CAN US, CANNOT US, and SIN Binned :biggrin :twisted:

    What we do to restrict internet access, but not block if totally is the following:

    1. Have a decent HR document in place that spells out how the rules and consequences.
    2. Use a combination web and spam filter - we use CA's eSCM product...it is quite common in small gov agencies and colleges etc....though there are others out there to consider.

    - a decent web filter is so valuable to an IT dept, the first things to block is adult content, gambling, violence and web mail. {For various sound technical and business reasons}

    supa
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  4. datarunner

    datarunner Byte Poster

    245
    1
    24
    Thanks buddy

    Can you advance on that? I have opened a group policy editor mmc on my server. Am i in the right place? And if so what next?

    Much appreciated
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    To set proxy settings you need to go to:

    User Configuration\Windows Settings\Internet Explorer Maintenance\Connection and set the proxy URL/IP & port in the 'Proxy Settings' entry

    To remove a user's ability to alter (or even look at) their proxy settings, the easiest method is to disable access to the 'Connections' tab in IE:

    User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\ and set 'Disable the Connections Page' to 'Enabled'

    Of course, this won't work without a proxy server to point the settings at, and it won't prevent users accessin the net through a different browser...
     
    Certifications: A few
    WIP: None - f*** 'em
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Ok, in Active Directory create organisational unit (OU) and the place the users in the OU that you want to restrict internet access to.

    Open up group policy management and create a new group policy object (GPO) (right click on group policy objects and select ‘new’), call it ‘internet lockdown’ or something like that.

    In the new policy right click on the GPO and select ‘edit’. Then select user configuration\windows settings\connection\proxy server settings. Check ‘enable proxy settings’ and the put in a random IP and a random port number. Also in the connection settings uncheck ‘automatically detect connection settings’.
    After that go to ‘Administrative Templates’ then Internet Explorer\Internet Control Panel. In there enable ‘disable the connections page’

    To finish right click on the OU you created (in the group policy management console) and select ‘link an existing GPO here’ Select the GPO you have just created.

    Log on as a locked down user and test. 8)

    Edit: Zeb beat me to it! :)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. datarunner

    datarunner Byte Poster

    245
    1
    24
    Brilliant but just one thing. The users i want to restrict are already in different OUs. Can I add them to a new one.

    Also could i do a policy that restricts them installing other browsers? Probably an apps install restriction eh?

    Cheers
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    The users can only be in one OU but there is probably some way that you can arrange OUs to get this to work.

    You can configure a software restriction policy to lock down software installs. Happy days! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. datarunner

    datarunner Byte Poster

    245
    1
    24
    Cheers for that. But i cannot get the previous advice to work. Everytime i logon to a client with a user from the restricted ie ou the connections tab is still there. Am testing this is virtual pc if that helps.
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  10. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Have you tried a "gpupdate /force"?

    Microsoft recommend logging on and logging off for a user policy and restarting the machine for a computer policy. Sometimes, you have to do both!

    Boyce
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  11. nicolinux

    nicolinux Byte Poster

    149
    1
    20
    Have you never think about squid and squidguard.
    You just need a old pc with one or two nic.
    I use that in the schools.
    The user has to prompt username and password for surf internet
    and you can filter by site or by content or by user.
    I can give you the ".conf" file if uou need.
     
    Certifications: mcse win2k3, mcts x4. mcitp enterprise admin
    WIP: 70-680
  12. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Try what Boyce has suggested, failing that gpresult at the command line and you should get a list of the GPOs applied to the PC\user.

    If nothing happens then I would guess that DNS is playing up, make sure the DNS of your virtual PC is pointing at the domain controller.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  13. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    The missing piece with a spam/web filter is to use a linux gateway/firewall that only accepts port 80 [http] requests from the spam/web filter.

    Also there was an interesting thread, of all places at Novell, relating to this issue...

    http://www.novell.com/coolsolutions/trench/14544.html
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  14. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Tru dat, although there's no reason it has to be Linux-based. There's a lot of BSD-based O/Ses that are designed specifically for this, and, contrary to popular belief, you CAN lock windows down so that it has a tiny attack surface. Anyone who doesn't believe me should know that I've had an unfirewalled windows box sitting outside my LAN hanging off of a hub sniffing traffic for about six months...

    Besides, so long as your Firewall admin knows what they're doing its not too hard to make sure that all outbound access is routed through a single point. Just stick a proxy behind the firewall (Squid would do fine for a small environment - though it can be a pain to manage until you get used to it) and configure the proxy only to be permitted access outbound on port 80, 443 and 8080 (the usual WWW suite)

    I've got Squid running on a Windows box at home - don't do anything fancy with it like authentication because its just me and the wife, but its simple to set up and can integrate with AD through Samba if you want to provide integrated proxy authentication
     
    Certifications: A few
    WIP: None - f*** 'em
  15. datarunner

    datarunner Byte Poster

    245
    1
    24
    OK I get the following GPOs were not applied because they were filtered out. Applied GPOs N/A

    Any ideas?
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  16. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Just as a test link the GPO to the root of the domain (this is a lab envronment right?) and reboot the PC and log on, any joy?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  17. datarunner

    datarunner Byte Poster

    245
    1
    24
    Not really sure i know wot u mean there. Sorry im not really up on GPOs.

    Cheers
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  18. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Right click on the domain in Group Policy Management (it should be domain.local or something like that) and then select 'Link existing GPO'. Select your GPO for internet lockdown and then reboot your client PC and logon.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  19. datarunner

    datarunner Byte Poster

    245
    1
    24
    Aye buddy that worked. Thanks. Is that it? Or is that applied domain wide?
     
    Certifications: A+, N+, MCP 210, 270, HNC Networking
    WIP: MCSA
  20. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Yeah, that is now applied to whole domain unless you block the GPO in certian OUs.

    If you unlink the GPO from the domain and apply to it a OU which has the users in it then it *should* work ok.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...