  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 236

Restrict Internet Access to members of a Security Group?

Under NT we administrated who had internet access by allowing access only to machines with static IPs.  Now we are configuring a new Server 2003 network with all users DHCP with an "Internet Users" security group.  How do we restrict internet access to only be available to the members of this group?
0
Asked by: bgarrabrant
3 Solutions
 
scampgb Commented:
Hi bgarrabrant,
You would need to use an Internet proxy server that understands NT permissions and groups.

Microsoft's ISA server would be the obvious choice - look at http://www.microsoft.com/isaserver/default.mspx for more information on this.

Does that help?
0
 
vtsinc Commented:
Assuming you run Internet Explorer, you could use group policy and configure Internet Explorer to use a proxy server that is invalid (for example 127.0.0.1).  In this case the policy would prevent browsing from IE and you could lock the setting so the user could not modify it.   Not terribly elegant (and I can't say for sure that it will work), but effective if it does.

Alternatively:  You can restrict which sites a person can browse to by enabling Content Ratings, and then specifying only approved sites for them to access.

Using Group Policy with IE
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/ierk/appxa_d.asp

Group Policy IE chat (technet)
http://www.microsoft.com/technet/community/chats/trans/ie/ie0521.mspx

IE 6 - Setting Policies and Restrictions
http://www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part7/z05ie6rk.mspx

0
 
Lazarus Commented:
The easiest way to do this is to simply redirect all of your NON-SECURITY group users to a false Proxy server. I do this for the exact reason you want. You can access the GP here:
USER CONFIGURATION > Windows Settings > Internet Explorer Maintenance > Connection Proxy Settings: Just set it to 127.0.0.1 port 80, that will keep the kiddies out of the net.
0
 
Lazarus Commented:
Sorry vtsinc for stepping on your answer, I just expounded on it a tad to give him a direct path, you should get the points should he accept that as his answer. I'm just helping out.
0
 
vtsinc Commented:
No problem lazarus - you certainly improved upon the answer.  I have no objection if scampgb were to split points.
0
 
scampgb Commented:
vtsinc:  I quite liked the false proxy server idea myself :-)  Still, it's up to the questioner as to what they need!
0
 
vtsinc Commented:
Sorry - I meant to say bgarrabrant
0
 
bgarrabrant (Author) Commented:
I have Firefox deployed as well.
0
 
vtsinc Commented:
Then group policies won't work, so in this case you're back to the firewall and static IPs.
0
 
scampgb Commented:
bgarrabrant:
As vtsinc says, you can't use Group Policy to do this - but you can still use the proxy server route.
0
 
bgarrabrant (Author) Commented:
Sorry about the delay here.  We implemented the false proxy server idea but it didn't seem to do squat, however I haven't yet had time to revisit the issue.  I'll be getting back to it at some point, however, and will redress this thread at that time.
0
 
Lazarus Commented:
If it's not doing SQUAT, it will be because the Policy is not getting to the client. Or you're not using IE. Use the Group Policy Results Wizard to get a resultant policy on the computers/users in question.
0
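
A way to check, on an affected workstation, whether the loopback-proxy policy discussed above actually landed in the user's session (an added example, not part of any poster's answer). It assumes the group name "Internet Users" from the question and the 127.0.0.1 port 80 proxy from the answer; the function and variable names are made up for this example.

```powershell
# Added example. Assumptions: group "Internet Users" (from the question),
# blocking proxy 127.0.0.1:80 set as a single proxy for all protocols.
$ExemptGroup = 'Internet Users'
$BlockProxy  = '127.0.0.1:80'

function Test-InExemptGroup {
    param([string]$GroupName)
    # Walk the group SIDs in the current logon token and resolve them to names.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { continue }   # skip SIDs that cannot be resolved
        # NTAccount values look like DOMAIN\Group; compare the last component.
        if (($name -split '\\')[-1] -eq $GroupName) { return $true }
    }
    return $false
}

function Get-IEProxyState {
    # Per-user WinINET proxy settings, which is what Internet Explorer reads.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable = [int]$s.ProxyEnable      # missing value becomes 0
        ProxyServer = [string]$s.ProxyServer   # missing value becomes ''
    }
}

$inGroup = Test-InExemptGroup -GroupName $ExemptGroup
$proxy   = Get-IEProxyState
$blocked = ($proxy.ProxyEnable -eq 1) -and ($proxy.ProxyServer -eq $BlockProxy)

if ($inGroup -and $blocked) {
    'MISCONFIGURED: member of the exempt group is receiving the blocking proxy'
} elseif (-not $inGroup -and -not $blocked) {
    'NOT APPLIED: restricted user has no blocking proxy; check GPO link and filtering'
} else {
    'OK: IE proxy state matches group membership'
}
# Scope: this only reflects applications that read the WinINET proxy setting.
# As the thread notes, Firefox is not covered by this policy.
```

Run it in the session of the user being checked, since both the token and the HKCU hive are per-user.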
 
bgarrabrant (Author) Commented:
We are considering ISA Server since we need a solution that will work for Firefox, FTP apps, sharing programs etc.  Is this the final solution?  Are you serious that Server 2003 does not in any way provide any Active Directory based limitations on internet access?  Is there any good reason for this other than to force us to buy ISA Server?
0
 
vtsinc Commented:
Personally, I'd probably just get a decent firewall that can restrict Internet access based upon user ID.  It is a lot easier to manage in the long run (IMHO) than ISA server is, and doesn't place any additional load on a server.

For what you're after the Sonicwall is a good cost-effective bet.
0
 
Lazarus Commented:
AD, to my knowledge, was designed to maintain MS products, of which Firefox is not one. You can't very well ask AD to cover all aspects of other software as well, unless they are willing to design the software to comply with the AD capabilities. The only other option in your circumstance is a Proxy. That does not mean that you have to go with ISA server though. Although it is pretty good.
0
 
Lazarus Commented:
I do concur with VTSINC on his solution. But ISA is still a good product that will give you a lot of capabilities, and a lot more to do. SonicWall is probably simpler and cheaper in the long run.
0
 
bgarrabrant (Author) Commented:
Thanks folks.  We're going with ISA as it's the only answer that covered all the bases.  Therefore scampgb gets 200 pts for the accepted answer and you other two folks 150 each for all your help.  Hope you feel that's fair.  Thanks again for the advice.
0
