Block Internet access for some users
Tontonsam Member Posts: 90
Dear all,
I am wondering if I can prevent some users from going to the Internet with Windows Server 2003. So, I assume that I don't want to do it with the router but with AD. I'm thinking maybe I can create a GPO to block port 80 for those computers. Does anyone have an idea about that? And what solution could you provide if you don't want to manage that in a router?
MCP 70-270 / 70-290
Comments
undomiel Member Posts: 2,818
Use a GPO to apply an IPSEC policy that will filter out port 80, or all ports for that matter if you want. You could also create a rule that will allow internal traffic only; just make sure that you place it before the deny rule.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
Slowhand Mod Posts: 5,161
Is there a particular reason you don't want to do it through a router or firewall ACL, or is it more out of curiosity that you want to know how it's done in AD?
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
Tontonsam Member Posts: 90
Thanks. I tried to do it but it was unsuccessful. Could you give me the steps to achieve this goal, or provide me a link containing detailed explanations?
MCP 70-270 / 70-290
sprkymrk Member Posts: 4,884
Put the users in a separate OU, then set IE to use a proxy for those users. Set the proxy to 0.0.0.0. This will prevent them from using IE to surf the web, but won't stop them from using Firefox on a thumb drive. Still pretty effective for the common user though.
All things are possible, only believe.
shednik Member Posts: 2,005
sprkymrk wrote:
> Put the users in a separate OU, then set IE to use a proxy for those users. Set the proxy to 0.0.0.0. This will prevent them from using IE to surf the web, but won't stop them from using Firefox on a thumb drive. Still pretty effective for the common user though.
Probably the easiest way to accomplish what you're looking for IMO...
undomiel Member Posts: 2,818
IPsec will block those pesky smart Firefox users.
Here's a step-by-step.
Create your IPsec policy and edit it. Add a rule. No tunnel. All network connections. All IP traffic. Block.
That's created a policy to block all traffic to that computer. But we don't want to block local traffic, otherwise the computer might as well have its network cable disconnected for all the good it is doing. So we create another rule.
Add a rule. No tunnel. Local area network (LAN). All IP traffic. Permit. That will allow all of the local traffic, so the computer will still be a member of the domain, will still talk to the WSUS server, and so forth.
If you only want to block port 80 and nothing else, then it gets slightly more complicated. Create an IPsec policy and add a rule. No tunnel. All network connections. But this time click Add to create a new filter. Click Add on the IP Filter List window now. Make sure the Mirrored check box is checked. Source: My IP Address. Destination: Any. Protocol type: TCP. From port: 80. To port: 80. OK, back to our Security Rule Wizard; select your newly created filter. Block. Now you've finished creating your block-HTTP-traffic-only rule. Don't forget to set one up for port 443 (HTTPS) as well, just to be thorough.
Also don't forget this very important step. After you've created your policy, right-click on it and assign it. If it isn't assigned then it won't be effective, even with the group policy linked. Also don't forget that this policy is assigned to computers and not users.
Hope that helps!
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
Tontonsam Member Posts: 90
Thanks to all. It works great. I had problems applying this GPO because I didn't check Block Inheritance for this GPO. It will also work great if you also enable "Disable the Connections page", so the user cannot manually uncheck the settings in the connections if he is a clever guy.
Thanks!! I prefer to apply that in AD and not at the router level because I have a Linux router/firewall, and I am not involved in Linux.
MCP 70-270 / 70-290
KGhaleon Member Posts: 1,346
Sure you don't want to use the "screwdriver-to-NIC" method?
Present goals: MCAS, MCSA, 70-680
undomiel Member Posts: 2,818
Sounds like he went with sprkymrk's suggestion.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
undomiel Member Posts: 2,818
shednik wrote:
> KGhaleon wrote:
> > Sure you don't want to use the "screwdriver-to-NIC" method?
> Probably the easiest way
I still have yet to figure out how to deploy that one with group policy though!
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
sprkymrk Member Posts: 4,884
undomiel wrote:
> If you only want to block port 80 and nothing else, then it gets slightly more complicated. Create an IPsec policy and add a rule. No tunnel. All network connections. But this time click Add to create a new filter. Click Add on the IP Filter List window now. Make sure the Mirrored check box is checked. Source: My IP Address. Destination: Any. Protocol type: TCP. From port: 80. To port: 80. OK, back to our Security Rule Wizard; select your newly created filter. Block. Now you've finished creating your block-HTTP-traffic-only rule. Don't forget to set one up for port 443 (HTTPS) as well, just to be thorough.
I've seen IPSec policies bring down entire networks (if I may borrow a quote from my friend keatron) when improperly configured, and so a step-by-step without realizing how it all works is a bad idea for someone who hasn't got a strong handle on IPSec. Also, I believe your rule for HTTP would be a bit off, since the client opens a high-level (1025+) port to initiate an HTTP connection with a server on port 80; same for 443.
IPSec is a great tool for security, but it's a bit overkill for this situation IMO.
All things are possible, only believe.
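The policy from undomiel's step-by-step and the source-port point from sprkymrk's reply, written out as netsh ipsec static commands for XP/2003 (an added example, not either poster's own commands); the policy, filter-list and rule names are made up, and 192.168.1.0/24 stands in for the real LAN.

```batch
@echo off
rem Added example (not from any poster): builds the "permit LAN, block the rest"
rem IPsec policy from the thread, plus the HTTP/HTTPS-only variant with the
rem source-port fix, in the LOCAL policy store via netsh ipsec static.
rem Policy/filter names are made up and 192.168.1.0/24 is a placeholder LAN.
rem Try it on one lab machine first: an assigned deny-all whose permit rule is
rem wrong cuts the box off from the domain.
rem To write into a GPO instead, first run:
rem   netsh ipsec static set store location=domain domain=<your domain>

set POL=Block Internet

rem ---- filter lists ----
rem All IP traffic to and from this machine. The LAN filter below is more
rem specific, and Windows IPsec applies the most specific matching filter.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem This example keys the permit rule on the local subnet (placeholder range)
rem rather than on the "LAN" connection type used in the thread. It keeps
rem domain controllers, DNS and WSUS reachable.
netsh ipsec static add filterlist name="LAN traffic"
netsh ipsec static add filter filterlist="LAN traffic" srcaddr=me dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

rem Web ports only. The client picks an ephemeral SOURCE port, so the source
rem port is "any" (0) and only the DESTINATION port is fixed; mirrored=yes
rem also matches the server's replies coming back.
netsh ipsec static add filterlist name="Web traffic"
netsh ipsec static add filter filterlist="Web traffic" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Web traffic" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem ---- filter actions ----
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem ---- policy and rules ----
netsh ipsec static add policy name="%POL%" description="Permit LAN, block Internet"
rem Permit rule first, so a half-built policy never denies everything.
netsh ipsec static add rule name="Permit LAN" policy="%POL%" filterlist="LAN traffic" filteraction="Permit"
netsh ipsec static add rule name="Block all" policy="%POL%" filterlist="All traffic" filteraction="Block"
rem Variant: to block only web browsing, use this rule instead of "Block all":
rem netsh ipsec static add rule name="Block web" policy="%POL%" filterlist="Web traffic" filteraction="Block"

rem Nothing is enforced until the policy is assigned (one assigned policy at a time).
netsh ipsec static show policy name="%POL%"
rem netsh ipsec static set policy name="%POL%" assign=y
```

The final assign line is left commented out on purpose: review the policy output first, then assign it on the lab machine before linking anything in Group Policy.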
undomiel Member Posts: 2,818
I figure the best way to get it is to learn by doing. When I first started using IPsec policies I approached it fully realizing that if I wasn't extremely careful I could hose the entire network. Perhaps a better approach would have been to create the allow policy first and then create the deny, so as to safeguard against accidentally activating the deny-all policy first. I use IPsec here to lock some of the servers to local traffic only. I did test the HTTP blocking policy before and I could've sworn it worked, but I could be wrong! Over here, for blocking Internet access, I use the trick you mentioned as well, black-holing the proxy into nothingness. I just didn't recall it at the beginning here.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
Tontonsam Member Posts: 90
When I posted my reply, I never saw the reply from Undomiel. I tested the GPO that applies the proxy setting and it works great. I have not tested the IPsec yet. I will do a little research on that for a better understanding and then test it. What I realized is that I have a Sybex book on 70-290 and IPsec is not covered in this book (maybe it is in this exam). I think IPsec is very useful; it gives a resolution to situations that a Cisco router can handle, and I will try to master it. But don't you have a link that explains IPsec policy?
MCP 70-270 / 70-290
undomiel Member Posts: 2,818
Here's TechNet for you: http://technet.microsoft.com/en-us/network/bb531150.aspx
A page full of pretty pictures: http://www.unixwiz.net/techtips/iguide-ipsec.html
That one was actually really useful for me to understand how IPsec works for the Security+.
A more implementation-basics-oriented one: http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm
More implementation: http://technet2.microsoft.com/windowsserver/en/library/e3f13b59-33e7-421b-8cf7-6915e61b31e01033.mspx?mfr=true
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/