Question

  • #2219723

    disabling internet except a few sites thru gpo 2008 server

    by cudmasters los ·

    I would like to control a container of users from accessing the internet, except a few sites thru gpo in internet 2008 standard. Is this possible?
    Thanks

All Answers

    • #3034722

      Trusted Sites

      by netwrk_admn ·

      In reply to disabling internet except a few sites thru gpo 2008 server

      I’ve never done this myself, but I imagine if you can set a policy similar to allow internet browsing only trusted sites, and then set up your hard coded whitelist under trusted sites section. Lock it down.

      This can help you get started:
      http://technet.microsoft.com/en-us/library/bb457144.aspx

      This should only work with IE, if someone uses/installs Firefox/Chrome/etc, that may circumvent security.

    • #3033366

      Get MAC’s of the PC’s and modify DHCP Gateway parameters..

      by cmatthews ·

      In reply to disabling internet except a few sites thru gpo 2008 server

      ..so the gateway they get will be an easy-peasy proxy-filter.. (the other post was correct, there are many ways to circumvent)

      To some here, limiting access sounds cruel (but hey, if they won’t get back to work.. what can ya do?)

      Take your pick they’re all free, IPcop, Smoothwall, Endian, Untangle Gateway, etc..

      There’s a list of 20 here (I’m partial to Smoothwall with URLfilter):
      http://distrowatch.com/search.php?category=Firewall

      • #3033362

        A URL filter based on PC/user is correct

        by netwrk_admn ·

        In reply to Get MAC’s of the PC’s and modify DHCP Gateway parameters..

        I was being too narrow, using a sole GPO solution like he requested.

        Limiting access is cruel but during times like March Madness here in the US, it’s sometimes necessary. Wouldn’t be so bad if my department could host web sites, ftp traffic AND streaming video on more than 1.5 mbps…

        • #3033359

          1.5 megs? That’s a squeeze..

          by cmatthews ·

          In reply to A URL filter based on PC/user is correct

          You might like to know URL filter has a cousin called ADVproxy. I haven’t used the feature, but it’s called “content based throttling”

          I guess it recognizes mime types for binary files, cd images and multimedia.

        • #3033264

          thanks

          by cudmasters los ·

          In reply to 1.5 megs? That’s a squeeze..

          Thanks for the replies. I will try all of the suggestions. The CEO doesn’t want some of the people to have access, I tried to use a software called browse control. The only problem is it doesn’t work on a terminal server because the policy is set by the policy of whoever logs in first. It won’t do individual policies. Thank God for my job. Locked by default office, can watch the games 🙂 While I am working on this of course LOL

        • #3033261

          netwrk_admn,cmatthews@…

          by cudmasters los ·

          In reply to thanks

          netwrk_admn. What do you mean by set up a hard coded white list? I am assuming the actual websites? Thanks for the website. Awesome, I have always wanted an explanation on how those worked.

          cmatthews@… Will the software that you referred me to work on a terminal server?

        • #3033255

          hard coded white-list

          by netwrk_admn ·

          In reply to netwrk_admn,cmatthews@…

          Yes, this would be a static list, of all ‘good’ URLs. I would stick to cmatthews solution, and just use a custom white-list.

          Conversely, for this application, a blacklist is a list which bans certain websites.

        • #3033249

          Great info

          by cudmasters los ·

          In reply to hard coded white-list

          Thanks for the help!! quick reply!!!

        • #3033242

          Will the software that you referred me to work on a terminal server?

          by cmatthews ·

          In reply to netwrk_admn,cmatthews@…

          I have to ask some questions first:

          1) Are the users you want to limit browsing from within the TSC sessions? (If so, no proxy required! You are in the driver’s seat, and can policy/zone limit what they can do). If not..

          2) Are you wanting to use TS as a “box” to run the proxy service? If so, you would have to add another IP to the NIC (as the limited gateway) and run the proxy inside a virtual machine running on the server. (really has nothing to do with TS). But before you load down your TS with a CPU hogging VM, there is a better way..

          3) Since the browsing these folks do is somewhat trivial (as opposed to mission critical), dust out an old PC with 256m RAM, a 4.3g HD, stuff in a second NIC, boot from the Smoothwall CD and PRESTO insta-proxy.

          A caveat when installing an internal Proxy:
          This would operate as a 2-interface NAT router which runs correctly when both NIC’s are assigned IP’s on 2 distinct subnets. Obviously, NIC#1 will have to be directly accessible by the clients and NIC#2 will need to be on another subnet. If you get stuck, provide some detail and I’ll try to help..


          If you still want to run something from a win-box, Scott Lemmon wrote Proxomitron, but passed away before perfecting it. Others have made variants listed here at Wikipedia:
          http://en.wikipedia.org/wiki/Proxomitron

        • #2831423

          Sorry

          by cudmasters los ·

          In reply to Will the software that you referred me to work on a terminal server?

          CMatt, sorry dude, I got a message saying “You have reached your maximum message level” on the last thread, so I thought the thread was done, didn’t pay attention to this, glad I did. I have always wanted to know how to set up a proxy, so I will do that with a spare computer. I appreciated the help offer if I get stuck, I’m sure I will, I will keep you updated to where I am at. In the mean time, I’m sure this is a stupid question, but it doesn’t matter what OS I run for the proxy, is XP Pro cool?

        • #2830576

          Internet Browsing

          by cudmasters los ·

          In reply to Will the software that you referred me to work on a terminal server?

          See post 14

    • #2829953

      Sorry (cont’d..) These canned proxies don’t need an OS..

      by cmatthews ·

      In reply to disabling internet except a few sites thru gpo 2008 server

      ..they have one. After you install a second NIC, boot from the CD and follow instructions. (in the case of Smoothwall, there are PDF manuals on the CD – you can read them from Windows).

      Think of this as a router with a bigger case.. After the install, it needs no kbd, no monitor or mouse. The WAN side is one NIC and the LAN side (toward clients) is the other. You manage it from a browser on the LAN side IP on port 81 (eg: http://10.1.1.10:81)

      Since you will later install URL-filter, I would run the clients through the box (with the proxy turned on in transparent mode) for a few days. Then you can watch the access logs to see what to block, whilst getting familiar with some tools that’ll likely help your tech career:

      1) PuTTY installer (Lets you talk with Linux from Windows: like telnet, but ssh compatible)
      http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

      2) WinSCP (FTP Windows file transfer, but uses ssh for security):
      http://www.filehippo.com/download_winscp/

      3) URL-filter (a web-based ACL applet that controls Squid proxy):
      http://www.urlfilter.net/screenshots-swe30.html

      4) Adv-Proxy (optional in your case – a web-based control applet that fine-tunes Squid allowing you to control more):
      http://www.advproxy.net/screenshots-swe30.html

      5) Search and get more answers from support groups that create add-ins:
      http://community.smoothwall.org/forum/viewforum.php?f=26

      6) Check YouTube for an easy how-to:
      http://www.youtube.com/watch?v=fEkO_mQOGGQ
      and

      (move pointer to 34:00 minute marker)

      Last point: You will not be using the DHCP so leave it off before connecting the green to the LAN. The workstations likely now get DHCP settings from a Windows server. You will have to create a new scope for them and add IP reservations for their MAC addresses. The DNS and WINS settings stay the same, only the gateway will change.

      You can play with this in your spare time by statically setting your own PC’s gateway setting till you’re ready to present it to your boss.. above all have fun and keep learning 🙂
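
Added example (not part of the thread and not any poster's code): one way to do the "watch the access logs to see what to block" step above and to dry-run the static whitelist discussed earlier, before switching the filter to default-deny. It assumes Squid's native access.log field order; the log lines, IP addresses, `medsoft.example` and the function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1268841600.101 120 10.1.1.21 TCP_MISS/200 5120 GET http://portal.medsoft.example/login - DIRECT/192.0.2.10 text/html
1268841605.220 340 10.1.1.21 TCP_MISS/200 90210 GET http://sports.example.com/bracket - DIRECT/198.51.100.7 text/html
1268841609.871 900 10.1.1.21 TCP_MISS/200 734003 GET http://sports.example.com/video.flv - DIRECT/198.51.100.7 video/x-flv
1268841611.004 2000 10.1.1.34 TCP_MISS/200 4096 CONNECT webmail.example.net:443 - DIRECT/203.0.113.5 -
1268841615.550 80 10.1.1.34 TCP_MISS/200 812 GET http://medsoft.example.cdn.test/a.js - DIRECT/203.0.113.9 text/javascript
1268841620.312 95 10.1.1.34 TCP_HIT/200 2048 GET http://MEDSOFT.example/ - NONE/- text/html
"""

# Hypothetical allow-list: the one business site plus its subdomains.
WHITELIST = {"medsoft.example"}

def host_of(method, url):
    """Extract the lower-cased host; CONNECT requests log 'host:port'."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def allowed(host, whitelist=WHITELIST):
    """Exact or dot-anchored suffix match, so a lookalike such as
    'medsoft.example.cdn.test' or 'notmedsoft.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in whitelist)

def review(log_text, whitelist=WHITELIST):
    """Return {client_ip: Counter(host -> hits)} for every request a
    default-deny whitelist would have blocked."""
    blocked = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host = host_of(method, url)
        if not allowed(host, whitelist):
            blocked.setdefault(client, Counter())[host] += 1
    return blocked

if __name__ == "__main__":
    for client, hosts in sorted(review(SAMPLE_LOG).items()):
        for host, hits in hosts.most_common():
            print(f"{client}  would block  {host}  ({hits} requests)")
```

Run against a few days of real logs, any business site that shows up in the "would block" list is a whitelist entry that was missed.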

      • #2830575

        Unique

        by cudmasters los ·

        In reply to Sorry (cont’d..) These canned proxies don’t need an OS..

        Cmatt,

        Kind of have a unique position. I have 7 buildings, 1A. has 40 employees, 2A. has 15, 3A. has 2 employees, 4A. has 1, 5A. has 3, 6A. has 2, and 7A. has 5. 4 of these buildings are on my block, 1 is 15 minutes away, the other 2 an hour. Some of the buildings use a website that is (sorry don’t know the name for this) a hyper link to a server, it is a contracted medical software company, located in another state.

        My office is 1A. All of the buildings share files through a terastation right now, till I move it to the server. I have a TS and a DC. All IT is located in 1A in my office. Nobody in 1A. uses TS’s. Some of the TS users I do not want to have access to the internet. Also, the users in 1A, are not part of the domain. I also don’t want some of those people to have access to the internet, except for that hyper link. I hope I explained this well, thanks for answering all of my questions, you probably can tell I never went to school, I LOVE to learn. Picked up most of my experience working for an IT company before, just basic stuff though, routers, network, etc. I really want to expand!!!!! I do have a Cisco 1811 if that helps?

        Also, I tried to use GP to restrict internet users, but to no avail.

        Thanks

        • #2830572

          if you want users to only go to 1 web site

          by cg it ·

          In reply to Unique

          You can try this method, which is available using bing search keyword lockdown internet explorer, which I assume is the browser you’re using.

          http://www.boutell.com/newfaq/browser/restrictie.html

          If you go to Microsoft TechNet, there are articles there on how to lockdown internet explorer using group policy. Also keywords lockdown internet explorer.

          If you also look at the Windows server 2003 enhanced security features for IE 8, you’ll read about how browsers can be locked down using group policy.

          If you aren’t using internet explorer, then you’ll have to do research about how to lockdown those browsers.

          But you need to know that browsers are meant to work and you need to know that firewalls are also meant to provide access to the world wide web, not block it. That is that the Windows firewall always allows outbound traffic and its return traffic. That perimeter firewalls on consumer and SMB routers also operate on that principle. Outbound requests and their return traffic are always allowed. Inbound requests not originating from the local network are always blocked. That’s why malware viruses try to get you to click a link, open an email, picture or download infected software. Once inside, outbound traffic is always allowed through the firewall so the malware/virus internet traffic is always allowed.

          Your Cisco device in allowing traffic with the allow any any command allows any traffic from the subnet you list through the ports you list. If you list port 80 from a subnet all port 80 traffic is allowed.

          The Cisco PIX firewall device offers a lot of granularity to configure traffic.

          But if you want only one specific outbound traffic to one specific IP address over port 80, you can configure your 1811 to allow only traffic to a specific IP address over port 80. You do this with the allow command, specifying the specific IP address on port 80.

          Also note, the world wide web operates by IP address and port numbers. DNS simply translates names to addresses. The browser operates on the principle that http = port 80 traffic so you don’t have to type the port number. But you can type in an address and port number in a browser and it’ll work. So you can restrict traffic to a specific IP address and port number with your Cisco device because you configure it to only route one specific outbound traffic to one specific address.

          But then that’s all that will get out through the gateway [WAN]. If there is other traffic that needs to pass through the WAN, that doesn’t use port 80, you have to allow that as well when you create the config.

          But if you need internet access through your 1811 to other sites, you can’t specify a specific address. You have to use the allow any any so that any traffic out is allowed.

        • #2830510

          IE Lockdown

          by cudmasters los ·

          In reply to if you want users to only go to 1 web site

          Yes, I do use IE. I have 2008 server, I made a GPO named internet lockdown, but couldn’t get it to work, only through content advisor. I will try again. I am interested in the proxy theory, just to try it. Seems like fun. PIX is out of my league right now, my old boss is a PIX guy, just too much to take on right now to learn. What if I used another 1811 which I have, could that work? Specify only 1 address in that one. Point the non internet users there?

        • #2830492

          you don’t want to use your Cisco Routers for this

          by cg it ·

          In reply to IE Lockdown

          As much as you would like the experience in creating configs on IOS.

          Proxy, I’ll suggest this. Microsoft forefront security is the old ISA server. You can get a trial version from here.

          http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx

          If you have a workstation laying around that meets the hardware requirements, use that. Forefront is 64 bit and requires 2008 server 64 bit.

          I liked ISA server as a proxy server, but you can’t get it as trialware anymore.

          For your GPO, if you run Windows 2008 server, then run the RSOP [resultant set of policies] to find out how the GPO is applied. Here’s how to install the tools.

          http://support.microsoft.com/kb/323276

          And here’s a TechNet article on RSOP and GPO modeling.

          http://technet.microsoft.com/en-us/library/cc780305(WS.10).aspx

          Off the top of my head, I would say the GPO you created isn’t linked to the OU it needs to be linked to to enforce the policy.

          If you linked it to the domain and not a specific OU, that could be the problem.

          If you want this GPO as a user configuration, then link it to the users OU that contains all the users. default is users OU. Computer config, link the GPO to computers OU. default computers OU.

        • #2830368

          GPO

          by cudmasters los ·

          In reply to you don’t want to use your Cisco Routers for this

          I’ll try it again, thanks for the info!!!
