Security Forums
Blocking Internet Access on Windows 2000 computers per user

packerman (Just Arrived; joined 11 Sep 2004)
Posted: Sat Sep 11, 2004 4:59 pm    Post subject: Blocking Internet Access on Windows 2000 computers per user

I am the network engineer for a 100% W2K domain. I have several users that I would like to put in a group and block Internet access for. I have created a group policy to block iexplore.exe via "Run only allowed Windows applications", but the users figured out they can browse the web using Outlook. I can't block Outlook as it is required. I thought about using an IPSec filter, but I seem to be able to apply it only to a computer. The users move around, so I need to apply it to the user object, not a specific computer. Any ideas?
ajw (Just Arrived; joined 26 Jul 2004; Brisbane, Australia)
Posted: Sun Sep 12, 2004 2:50 pm

Sounds like you need a proxy server on your gateway: users authenticate, you stop it there. It's the tried and true way.
packerman (Just Arrived; joined 11 Sep 2004)
Posted: Sun Sep 12, 2004 2:56 pm

I am in the process of getting MIMESweeper to perform content filtering, URL blocking, etc. It has the capability of setting policies by group/user. That's cool, but I just can't believe that Microsoft is doing that on their network to block IE. It seems like it should be a simple change of a couple of keys via GP... I have to wait till next budget year to get MIMESweeper, so, although a good answer, do you have any other ideas I can implement now? Tks
MattA (Trusted SF Member; joined 13 Jun 2003; Eastbourne + London)
Posted: Sun Sep 12, 2004 8:04 pm

Squid is an open source proxy; you'd only need hardware then: http://www.squid-cache.org/

Again, a dirty way might be to assign certain people static IPs, then block outbound access on the firewall to all the other IPs.
zeedo (SF Reviewer; joined 01 Sep 2004; Scotland)
Posted: Sun Sep 12, 2004 8:11 pm

MattA wrote:
    again a dirty way might be to assign certain people static IP's then block outbound access on the firewall to all the other IP's.

Yep, similarly, if you are on a single-subnet network then it's quite simple to not assign a default gateway to specific machines, although both of these options only work on a machine basis, not a user basis.

Squid is a good, workable option to pull off what you want, although if you want to integrate it with Active Directory (and why not, if it's already available) look at ISA Server.

This is an excellent option for controlling network resources; you can filter by user/computer/groups and a pile of other options.
muni (Just Arrived; joined 16 Sep 2004)
Posted: Thu Sep 16, 2004 2:09 am

I know it might seem like oversimplifying, but could you not use Active Directory to block ports 80 and 443 for certain users?

I'm pretty sure that it can be done in 2003; not too sure about W2K.
packerman (Just Arrived; joined 11 Sep 2004)
Posted: Thu Sep 16, 2004 10:57 pm

I would love to block port 80 via AD. That's basically what I'm asking in the forum. I need to know how to do it.
Greyhawk (Just Arrived; joined 02 Sep 2004; Eden Prairie)
Posted: Fri Sep 17, 2004 12:10 am

packerman wrote:
    I thought about using an IPSec filter but I seem to be able to apply it only to a computer. The users move around so I need to apply it to the user object, not a specific computer. Any ideas?

You are quite right: IPSec policies can only be assigned at the Computer level of the GPO. The same goes for Windows Firewall. These are the only methods to block ports in a Windows environment without purchasing/downloading extra software/hardware. There is nothing in the User level of a Windows 2k or 2k3 GPO that will let you block ports. I would say that your best bet is to download a shareware proxy and use it until you can buy one. ISA Server from Microsoft is $1500 per processor, not including the OS cost. A good product, especially with ISA 2004 on the way and its AD integration, but not cheap.
Duckie37 (Just Arrived; joined 17 Sep 2004)
Posted: Fri Sep 17, 2004 9:27 pm

If you have Active Directory, just make a policy that prevents those workstations from Internet access.

Duck
Bog (Just Arrived; joined 23 Aug 2003; Toronto, Ontario, Canada)
Posted: Fri Sep 17, 2004 10:00 pm

Duckie.. duckie.. duckie! The question is about controlling network access by users... not by workstation.

There are a few approaches that have been discussed:
1. Using software restriction policies via AD
2. Using IPSEC policies via AD

I suppose you could also use NTFS file permissions on iexplore.exe. However, this may have other impacts and also does not address the fact that Outlook can be used to browse. Regardless, it's identical to #1.

#2 doesn't provide for user based IPSEC policies, only system based.

The basis of what you're asking for is network access control with user authentication. What's another generic term for a "network access control" device? A firewall. The most common way to control HTTP traffic (or so I'm assuming since you dind't explictly state this) would be a proxy server.

I'm not sure if any other OS can authenticate and control outbound network access without third party tools. This may not be unique to Microsoft Windows.

Getting real creative and kludgy, you can work with personal firewalls to control host network access. Again, this would be similar to IPSEC above. HOWEVER!! I have experience with ZoneLabs' Integrity, an enterprise personal firewall product. This means the product is centrally managed and you can apply firewall policies (i.e. allow and deny rules) on a user or group level. Tada! McAfee's VirusScan Enterprise 8.0 has similar capabilities (but policies are only applied at the system level). Check other personal firewall products.

Another idea could be leveraging your existing firewalls. I'm assuming all outbound web traffic is allowed unless explicitly denied. Do a 180! Deny all traffic except what is explicitly allowed. Create your rule allowing web traffic. With most enterprise-class firewalls you can actually authenticate users prior to granting access and apply rules based on user as opposed to by source IP. What is your Internet firewall?
Duckie37 (Just Arrived; joined 17 Sep 2004)
Posted: Fri Sep 17, 2004 10:03 pm

Bog wrote:
    Duckie.. duckie.. duckie! The question is about controlling network access by users... not by workstation.

Then block it by the user's logon account.

Duck
packerman (Just Arrived; joined 11 Sep 2004)
Posted: Sat Sep 18, 2004 4:06 pm

I have dual Symantec VelociRaptor firewalls, clustered. I have not looked into configuring users on the firewall to block it, as I was hoping to be able to do it with AD; since there will be the possibility of many users, I didn't want to have to set all that up in the firewall. I will investigate it, though, and see what the capabilities of the Raptor are. Currently, I have created a group policy to block iexplore.exe, as well as changed the proxy settings to 10.10.10.10 and disabled the user changing the proxy. This effectively prevents the user from browsing using Explorer, iexplore or Outlook, since they all use the proxy settings in IE's config. Thanks
topless (Just Arrived; joined 11 Oct 2004)
Posted: Mon Oct 11, 2004 3:52 am

A cheap (albeit not free) solution could be to install PortsLock
http://www.protect-me.com/pl/

From the homepage:

"PortsLock® is a firewall with user-level access controls for Windows NT/2000/XP. Once PortsLock® is installed, administrators can assign permissions to TCP/IP connections, just as they would in managing permissions on an NTFS partition of a hard disk."
tony2004 (Just Arrived; joined 29 Oct 2004)
Posted: Fri Oct 29, 2004 5:56 am

What if we write a small script and place it in a batch file... probably part of a login script for certain users who are not to be given Internet access. When the user logs on, the script will execute, mapping his/her home drives, other mapped drives, etc... This can include having the script disable port 80 or any HTTP traffic.
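An added example, not code from any poster in this thread: a small audit that reads a text export of a user's HKCU hive (as produced by `reg export HKCU`) and reports whether the three controls packerman settled on are all present (the "Run only allowed Windows applications" list without iexplore.exe, the proxy forced to the 10.10.10.10 sinkhole, and "Disable changing proxy settings"), which is also the state a per-user login script like tony2004's would have to leave behind. The registry paths are the standard Internet Explorer and Explorer policy locations; the sample dump, the proxy port 8080 and the allowed-program list are constructed for the example.

```python
# Added example (not from the thread): audit an exported HKCU .reg dump for the
# three per-user controls described above. Key paths are the standard IE/Explorer
# policy locations; the sample dump below is constructed, not a real export.
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IE_POLICY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SINKHOLE = "10.10.10.10"  # unroutable proxy address chosen by the poster

def parse_reg(text):
    """Parse the REG_SZ / REG_DWORD subset of .reg syntax into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def audit_lockout(reg_text):
    """Return {control: bool}; a False entry means the user can still reach the web."""
    reg = parse_reg(reg_text)
    ie = reg.get(IE, {})
    allowed = {v.lower() for v in reg.get(EXPLORER_POLICY + r"\RestrictRun", {}).values()}
    return {
        # Proxy forced on and pointed at the sinkhole; IE and Outlook both read this.
        "sinkhole_proxy": ie.get("ProxyEnable") == 1 and ie.get("ProxyServer", "").startswith(SINKHOLE),
        # 'Disable changing proxy settings' so the user cannot undo the above.
        "proxy_locked": reg.get(IE_POLICY, {}).get("Proxy") == 1,
        # 'Run only allowed Windows applications' is on and iexplore.exe is not listed.
        "iexplore_blocked": reg.get(EXPLORER_POLICY, {}).get("RestrictRun") == 1 and "iexplore.exe" not in allowed,
    }

# Constructed sample export of a locked-down user's hive (port 8080 is an assumption).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="10.10.10.10:8080"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="outlook.exe"
"2"="winword.exe"
"""
```

The audit only covers what these controls cover: RestrictRun is enforced by the Explorer shell rather than the OS, and the sinkhole proxy affects only software that reads IE's proxy configuration, so a passing result is not a network-level block.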