Question

Locked

restricting internet access using Win 2000 Server as the DHCP?

By erickdrny ·
I'm having a little trouble finding out how to restrict the TPC access to certain computers in the network and also if it is possible to block specific websites from gainin access, what's the best way to do it.

This conversation is currently closed to new comments.

11 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Resticting access.

by pthompson In reply to restricting internet acce ...

Hello, to block users using win 2000 server, you have to have it also function as a proxy server between the internet and your users and iniciate internet sharing (this will slowdown the server because all internet traffic will go through the server). To be honest, if you have a firewall at your location, you can block users and websites through certain firewalls. I have used Watchguard FireBox and Sonic, these hardware walls are great and have the ability to block users, limit the time user can access the internet, block incoming request, block access to websites, and so forth. I would let your server just to that, severing (either file server, exchange, dhcp, or what ever) and have a separate appliance/node handle the internet. You can purchase these firewalls from CDW or Dell, or other places. Please keep in mind that these firewall have additional features that require a yearly subscription, but that does not hinder the firewall's basic functions. This to me would be the best approach and in the long run will make your job easier.

Collapse -

Possible!

Options provided by Thompson would really work !

Simple firewall on the 2000 server would be good to restrict the individual/group of computers ( based on their IP's ) accessing .

For website restrictions , you can consider gateway's / firewalls with web / content filtering options !

Collapse -

thank you

by erickdrny In reply to Possible!

thank you guys for your help I will look into getting a firewall, I'm currently using the one that came with the router (belkin Pre-N) which is pretty good, but it has only limited features.

Collapse -

Good!

by rajagopalan.durairajan In reply to Possible!

Hey forgot to mention , Simple firewall on the 2000 server ( this would be a software based firewall , free version of Sygate would be good ) ;

Just wanted to make it clear!

Have good one!

Collapse -

Thats good to know

by pthompson In reply to Good!

Hey thats good to know about that Sygate software firewall. I'll take a look at that too!

Collapse -

There are

by Dumphrey In reply to restricting internet acce ...

some good linux freeBSD based software firewalls that install on pretty much any old hardware you have laying arround. A 486 with 128 MB ram and 2 nics will be more then enough to run a SOHO network.
http://www.pfsense.com/
http://www.ipcop.org/
http://smoothwall.org/
http://m0n0.ch/wall/
Are the biggies I know about. Any of the 3 will provide all you need at the cost of some old hardware.

Another solution is to dig around for a pre-built embedded platform and install one of the above on it (Sokris or WRAP are the 2 that pop to mind).

Collapse -

A few options

by Greybeard770 In reply to restricting internet acce ...

Since you only want to block certain computers you need to start with something like
IPCONFIG /SETCLASSID=NOINTERNET
that corresponds to DHCP settings for everyone using that computer. After that, if all nodes are on the same subnet, you can leave the Default Gateway value blank. You might also direct them to a DNS server that only knows local addresses and does not forward.
There is also a registry entry to set the TTL to a value that would not be enough hops to get out of your building.
If there is a domain you want to keep everybody out of, you can claim to be the SOA in your own DNS for that domain.

Obviously, none of these options are perfect and the hackers will figure a way around them if given time. Some options even make the statement to employees that "We don't trust you." And if you can't trust people, maybe they should not be working with equipment that can be misused.

Collapse -

Not bad Grey

by Dumphrey In reply to A few options

I was unaware of the /setclassid=nointernet command. I had a thought though after reading your post. If you "poison" your own dns server so that the "offending" page is redirected to the loopback, that may work. The question is how to make it "fixed" and not cleared out on each cache clean up. Maybe edit the hosts file on the machines you wish to limit...or redirect all bad pages to a "violation of company usage" page.

Collapse -

We pretend to be the SOA

by Greybeard770 In reply to Not bad Grey

We have SOA (Standard Primary) DNS entries in addition to the normal Active Directory domain for things like spywarebuddy.com and adbuddy.com that have no entries. That way when email or web pages would direct people to those sites it gets a Page Not Found error which we prefer to loading more spyware. You could of course add badgirlspretendingtobegoodgirls.com or whatever you are trying to protect your people from.

We also use the /SETCLASSID option to grant longer leases for desktops and shorter ones for laptops. http://support.microsoft.com/kb/240247 is a good place to start for more on that subject.

Collapse -

Try Netlogon Scripts ...

by jose.gouveia In reply to We pretend to be the SOA

Erick .. if you have the users login on to your Domain .. you can deploy some customize scripts with IPCONFIG /SETCLASSID=NOINTERNET
in it! Still, I would use a Firewall to keep my mind in peace!

Back to Networks Forum
11 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums