Allow/Deny Internet access

By chuckETN
I support/maintain an NT4 Domain for 1800 Students/Teachers/staff in a high school. Network also has Novell servers. Need an easy way to deny internet access on a user basis via logon script, reg setting, policy. I want to be able to deny internet access to students who abuse it by downloading junk, spreading viruses, unauthorized email, etc. All lab and classroom computers are connected to the School System network.
I have just set up an NT4 server and can use scripting tools to create individual student accounts based on registration database.
How can I control internet access? If logon is canceled, only network resources are disabled. The internet connection is still available.

by dmiles In reply to Allow/Deny Internet acces ...

There is some ref to using a proxy server to deny access. I would suggest using the box in the upper right corner of this page and reading some of the previous posts on this subject.
Type "restrict internet access" in the box and click GO.


by TimTheToolMan In reply to Allow/Deny Internet acces ...

Hi,

Although it is possible to set up the clients to deny internet access through the use of specific group policies and IE settings, there are many, many problems trying to do this.

For instance, forcing the use of a bogus proxy server through forced, unchangeable IE configuration scripts won't necessarily stop someone using Netscape...or using the Windows Explorer as a browser?

In fact you CAN'T guarantee internet disabling at the client as the students can always hack in to the PC at admin level. There are plenty of ways to do this documented on the net.

...unless no PCs have floppy drives or CD drives, their cases are locked and the security on the OS is perfectly tied down...

...and even then, someone can always plug their own laptop into the port...

Schools are very hostile environments for PCs. If it CAN be done by a student, then it WILL be done...

The only way to guarantee no-one gets to the internet (unless authorised) is to do it at the gateway to the internet.

This usually means using a proxy server with access policies based on domain usernames.

Also, you should probably install a virus checker on all the PCs - get a site license. For education purposes, they can be quite cheap.

There is lots of documentation available on proxy servers, around the net and as soulrider pointed out, on this site.

Cheers,
Tim.


by eBob In reply to Allow/Deny Internet acces ...

Rather than trying to do it through user policies in NT, you will be much further ahead to use a Proxy Server inside your Firewall.

The basics are this:
1 - Install an NT Server with MS Proxy on the LAN just inside your Firewall.
1b - It is preferable to have 2 NICs, one "inbound", one "outbound". Many people have these NICs on 2 different subnets, and actually "route" through the Proxy. In this way all of your users are "inside" the Proxy, and your Firewall is "outside". I have always done it by putting the 2 NICs on the same segment/subnet. It allows me to create "administrative exceptions".
1c - You will also need to set up IIS on this server. Go into the config of IIS, and look for "authentication method". You have 3 choices: anonymous authentication (i.e., anybody can use the service), clear text authentication, Microsoft secure authentication. In general, by default, the first and third are checked. I prefer to clear them and check "clear text". This way, each user is FORCED to enter their domain\userID and password, which reminds them "the Proxy is watching". It also is needed for the odd user not using that darn IE as their browser.

2 - Set up your Proxy server to allow/deny specific users, or groups of users, based on their NT Domain credentials.

3 - Set up your Firewall to accept connections only from your Proxy server.
3b - You can set up "administrative exceptions" by allowing specific systems other than your Proxy to make connections through your Firewall. E.g., your email server, yourself, the big suits, etc.

4 - Configure all the browsers (except those "administrative exceptions") to "use the proxy server at address: xxx.xxx.xxx.xxx".


by eBob In reply to Allow/Deny Internet acces ...

(continued...)

Now when a user needs to connect, if their browser is configured correctly, they connect to the Proxy. The Proxy checks their credentials and allows (or denies), and logs their activity to the system logs. If they try to get around the Proxy by unchecking "use the proxy", the Firewall denies them (unless they're at a system which is one of the "administrative exceptions"). Also, since it's user ID based, they can be at any system, and get logged properly.

5 - (Optional) Get a reporting tool, like WebTrends, and run it on your Proxy Server. It will show who is doing what, where, when. I always set it up to create web reports for the suits and admins to review.

======================

Yes, it "sounds" like a lot of work, but really it's only a day to get the basics running (the first time), and a couple of days of tweaking and fine-tuning. Add another couple of days to get WebTrends running nicely (less if you're familiar with this tool) and you'll be set.


by Joseph Moore In reply to Allow/Deny Internet acces ...

I have to agree with the consensus here, and set up a Proxy server. This is just the kind of thing they are really good at. You can set up the ACL on the Proxy based on NT login name. This way, wherever user BOB logs in, he is able to get outside to the Internet; plus when user KEN tries to hit his favorite porn site, he will be denied any access.
You can filter out individual ports per user name also. Maybe you don't want KEN to get to web sites (typically on port 80) but you want KEN to be able to get his POP3 e-mail from his home account (port 110). The filtering is up to you.
Plus, it will be easier to maintain a single table of access on the Proxy than it would be trying to manage login scripts for all of your users.
Now, my own personal proxy server software preference is WinProxy.

My 2 cents worth.
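
The two enforcement layers described in eBob's steps 2 to 3b and in Joseph Moore's per-user port filtering, modelled as an added Python example (not posted by anyone in the thread, and not MS Proxy or WinProxy configuration). All addresses, accounts and group names are constructed for illustration.

```python
# Constructed sample data: every address, account and group below is made up.
PROXY_IP = "10.1.0.10"
# Steps 3 / 3b: the firewall accepts outbound connections only from the proxy
# and from named "administrative exceptions" (here, a mail server).
FIREWALL_ALLOWED_SOURCES = {PROXY_IP, "10.1.0.25"}

# Step 2: proxy ACL keyed on NT domain credentials, with per-port filtering.
GROUP_PORTS = {"Staff": {80, 443, 110}, "Students": {80, 443}, "MailOnly": {110}}
USER_GROUPS = {
    "SCHOOL\\bob": {"Staff"},
    "SCHOOL\\ken": {"MailOnly"},      # POP3 only, no web
    "SCHOOL\\student1": {"Students"},
    "SCHOOL\\student2": set(),        # access revoked: member of no allow group
}

audit_log = []  # (user, client_ip, port, verdict, reason)

def proxy_permits(user, authenticated, port):
    """Allow only authenticated users whose groups grant the destination port."""
    if not authenticated:
        return False
    allowed = set()
    for group in USER_GROUPS.get(user, ()):
        allowed |= GROUP_PORTS[group]
    return port in allowed

def decide(client_ip, user, authenticated, port, via_proxy):
    """Return (verdict, reason) for one outbound request and log it."""
    if via_proxy:
        if not proxy_permits(user, authenticated, port):
            result = ("deny", "proxy-acl")
        elif PROXY_IP in FIREWALL_ALLOWED_SOURCES:
            # The firewall sees the proxy's address, not the workstation's.
            result = ("allow", "proxy-acl")
        else:
            result = ("deny", "firewall")
    elif client_ip in FIREWALL_ALLOWED_SOURCES:
        result = ("allow", "firewall-exception")
    else:
        # Browser set to bypass the proxy: stopped at the gateway.
        result = ("deny", "firewall")
    audit_log.append((user, client_ip, port) + result)
    return result

def denied_users():
    """Users with at least one denied request, for the review report."""
    return sorted({entry[0] for entry in audit_log if entry[3] == "deny"})
```

Because the verdict depends on the user name at the proxy and on the source address at the firewall, a revoked account is denied from any workstation, and a workstation that skips the proxy is denied for any account.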


by Uch In reply to Allow/Deny Internet acces ...

I suggest you install a Proxy Server & configure the various connections based on IP addressing & NT4 User Manager preferences.

Good luck!
