Block Internet access for some users

Dear all,
I am wondering if I can prevent some users from going to internet with windows server 2003. So, I assume that I don't want to do it with router managed but with the AD. I'm thinking maybe I can create a GPO to block the ports 80 for those computers. Does anyone has an idea of that? And what solution could you provide if you don't want manage that in a router.

Find more posts tagged with

Comments

undomiel

Use a GPO to apply an IPSEC policy that will filter out port 80 or all ports for that matter if you want. You could also create a rule that will allow internal traffic only, just make sure that you place it before the deny rule.

Slowhand

Is there a particular reason you don't want to do it through a router or firewall ACL, or is it more out of curiosity that you want to know how it's done in AD?

Tontonsam

Thanks. I try to do it but it is unsuccesful. Could you give me the steps to acheive this goad or to provide me a link containing detailed explanations?

sprkymrk

Put the users in a separate OU, then set IE to use a proxy for those users. Set the proxy to 0.0.0.0. This will prevent them form using IE to surf the web, but wont stop them from using Firefox on a thumb drive. Still pretty effective for the common user though.

shednik

sprkymrk wrote:

Put the users in a separate OU, then set IE to use a proxy for those users. Set the proxy to 0.0.0.0. This will prevent them form using IE to surf the web, but wont stop them from using Firefox on a thumb drive. Still pretty effective for the common user though.

Probably the easiest way to accomplish what you're looking for IMO...

undomiel

Ipsec will block those pesky smart Firefox users.

Here's a step-by-step.

Create your ipsec policy and edit it. Add a rule. No tunnel. All network connections. All IP traffic. Block.

That's created a policy to block all traffic to that computer. But we don't want to block local traffic otherwise the computer might as well have that network cable disconnected from it for all the good it is doing. So we create another rule.

Add a rule. No tunnel. Local area network (LAN). All IP traffic. Permit. That will allow all of the local traffic so the computer will still be a member of the domain, will still talk to the WSUS server, and so forth.

If you only want to block port 80 and nothing else then it gets slightly more complicated. Create an ipsec policy and add a rule. No tunnel. All network connections. But this time click Add to create a new filter. Click add on the IP Filter List window now. Make sure there is a check box in mirrored. Source: My IP Address. Destination: Any. Protocol type: TCP. From port: 80. To port: 80. Ok back to our Security Rule Wizard and select your newly created filter. Block. Now you've finished creating your block HTTP traffic only rule. Don't forget to set one up for port 443 (HTTPS) as well just to be thorough.

Also don't forget this very important step. After you've created your policy right click on it and assign it. If it isn't assigned then it won't be effective even with the group policy linked. Also don't forget that this policy is assigned to computers and not users.

Hope that helps!

Tontonsam

Thank for all. It works great. I had problems for applying this GPO cause I don't check Block Inheritance for this GPO. Will work also great if you enabled also the "Disable the connections in the page" so the user cannot manually uncheck the settings in the connections if he is a clever guy.

Thanks!! I prefer apply that in AD and not at the router level cause I have a router/firewall linux. And I am not involved in Linux.

KGhaleon

Sure you don't want to use the "screwdriver-to-NIC" method?

royal

Tontonsam wrote:

Thank for all. It works great. .

What is "it"? Multiple methods were provided as suggestions...

undomiel

Sounds like he went with sprkymrk's suggestion.

shednik

KGhaleon wrote:

Sure you don't want to use the "screwdriver-to-NIC" method?

Probably the easiest way

undomiel

shednik wrote:

KGhaleon wrote:

Sure you don't want to use the "screwdriver-to-NIC" method?

Probably the easiest way

I still have yet to figure ou thow to deploy that one with group policy though!

sprkymrk

undomiel wrote:

If you only want to block port 80 and nothing else then it gets slightly more complicated. Create an ipsec policy and add a rule. No tunnel. All network connections. But this time click Add to create a new filter. Click add on the IP Filter List window now. Make sure there is a check box in mirrored. Source: My IP Address. Destination: Any. Protocol type: TCP. From port: 80. To port: 80. Ok back to our Security Rule Wizard and select your newly created filter. Block. Now you've finished creating your block HTTP traffic only rule. Don't forget to set one up for port 443 (HTTPS) as well just to be thorough.

I've seen IPSec policies bring down entire networks (if I may borrow a quote from my friend keatron) when improperly configured and so a step-by-step without realizing how it all works is a bad idea for someone who hasn't got a strong handle on IPSec. Also, I believe your rule for http would be a bit off since the client opens a high level (1025+) port to initiate an http connection with a server on port 80, same for 443.

IPSec is a great tool for security but it's a bit overkill for this situation IMO.

undomiel

I figure the best way to get it is to learn by doing. When I was first starting using ipsec policies I approached it fully realizing that if I wasn't extremely careful I could hose the entire network. Perhaps a better approach would have been to create the allow policy first and then create the deny so as to safe guard against accidentally activating the deny all policy first. I use ipsec here to lock some of the servers to local traffic only. I did test the http blocking policy before and I could've sworn it worked but I could be wrong! Over here for blocking internet access I use the trick you mentioned as well, black holing the proxy into nothingness. I just didn't recall it at the beginning here.

Tontonsam

When I posted my reply, I never saw the reply of Undomiel. I test the GPO applying to setting proxy and it works great. I have not tested the IPsec yet. Will do a little research on that for a better understanding and I will test it. What I realize, I have a Sybex book on 70-290 and IPsec is not covered in this book (maybe in this exam). I think IPsec is very useful, it gives resolution to situation that router cisco can do and I will try to master it. But don't you have a link that explain IPsec policy?

undomiel

Here's technet for you: http://technet.microsoft.com/en-us/network/bb531150.aspx
A page full of pretty pictures: http://www.unixwiz.net/techtips/iguide-ipsec.html
That one was actually really useful for me to understand how ipsec works for the Security+.
Some more implementation basics oriented one: http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm
More implementation: http://technet2.microsoft.com/windowsserver/en/library/e3f13b59-33e7-421b-8cf7-6915e61b31e01033.mspx?mfr=true