  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1006

Looking for a GPO that can prevent Internet access by port and not through IE restriction

Looking for a good way to prevent some users from having internet access through group policy.  


Thanks in advance!
-D-
0
Asked by: John Gates, CISSP
1 Solution
 
NJComputerNetworks Commented:
This is tough because a lot of internal resources may use port 80 as well as internet web sites...

You can try to create a GPO to govern the client Windows firewall.  Block port 80 both ways...

You can try to create an IPSEC rule using GPO to require IPSEC when using port 80.

Although, I don't think these are good solutions...  better off using a proxy..  Most firewalls now have built in proxies...
0
 
John Gates, CISSP (Security Professional, Author) Commented:
Hmm..  I don't care about blocking port 80 even internally...  My other thought is giving the client an incorrect gateway....  However that gateway would need to revert when other people logged into the machine...  I will wait to see what ideas others come up with...  A proxy would only help if there was no alternate gateway. I am going to need to figure out a "Proxyless" way to accomplish this..
0
 
stafi Commented:

Found this link, yet didn't test it:

http://www.chrisse.se/MAQB.asp?ID=17


0
 
John Gates, CISSP (Security Professional, Author) Commented:
That solution is Internet Explorer centric.  The problem I have is people using other browsers and proxy programs to bypass it.
0
 
Mazaraat Commented:
What firewall are you using?  This will be problematic and troublesome to manage doing it at the desktop.  Much better if your firewall has some type of user or group membership rules....?  Would need to find out what kind of firewall you're using first.

You could use group policies to create a block on port 80 but that would get troublesome over time also....much better to manage at one point ->firewall
0
 
John Gates, CISSP (Security Professional, Author) Commented:
The firewall is not going to work in this case.  It is a SonicWALL and it is a POS.  Has to be done with GPO and has to be done at the machine.
0
 
Mazaraat Commented:
Well given that criteria to work with, you could use the Windows XP firewall w/group policies-

Create an OU, move users into the OU that you want to block the port, link a group policy with the following:

computer configuration//admin templates//network//network connections//windows firewall//define port exceptions

configure port 80 to only receive traffic from your intranet - 10.0.0.1 (or a bogus entry)

80:TCP:10.0.0.1:enabled:Web service
443:TCP:10.0.0.1:enabled:Web service

In order for this to work you would also have to *disable* these:

Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions


And *enable* these:
Windows Firewall: Protect all network connections

This can have some undesired effects, so be very careful about where you link this GPO...
0
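The `port:transport:scope:status:name` strings used in the answer above can be checked before the GPO is linked. The following is an added example, not part of the original thread: a small Python parser and audit (function names are hypothetical, IPv4 scopes assumed) that validates such entries and flags enabled ones whose scope is `*` or includes a public range. The first two sample entries come from the post; the rest are constructed.

```python
import ipaddress
from collections import namedtuple

PortException = namedtuple("PortException", "port transport scope enabled name")

def parse_entry(entry):
    """Parse one 'port:transport:scope:status:name' string (IPv4 scopes assumed)."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields")
    port_s, transport, scope_s, status, name = parts
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled")
    scope = []
    for item in scope_s.split(","):
        item = item.strip()
        if item == "*" or item.lower() == "localsubnet":
            scope.append(item.lower())
        else:  # single address or subnet; raises ValueError if malformed
            scope.append(ipaddress.ip_network(item, strict=False))
    return PortException(port, transport.upper(), scope, status.lower() == "enabled", name)

def audit(entries):
    """Return (entry, reason) pairs for malformed or broadly scoped enabled entries."""
    findings = []
    for raw in entries:
        try:
            exc = parse_entry(raw)
        except ValueError as err:
            findings.append((raw, "malformed: %s" % err))
            continue
        if not exc.enabled:
            continue
        if "*" in exc.scope:
            findings.append((raw, "open to any address"))
        elif any(not isinstance(s, str) and not s.is_private for s in exc.scope):
            findings.append((raw, "scope includes a public address"))
    return findings

# First two entries are from the post above; the others are constructed samples.
SAMPLE = [
    "80:TCP:10.0.0.1:enabled:Web service", "443:TCP:10.0.0.1:enabled:Web service",
    "3389:TCP:*:enabled:Remote Desktop", "8080:TCP:1.2.3.0/24:enabled:Test proxy",
    "445:TCP:localsubnet:disabled:File sharing", "80:TCP:enabled:Web service",
]
```

Running `audit(SAMPLE)` reports the `*`-scoped entry, the public-range entry and the malformed four-field entry, and passes the two entries from the post.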
 
John Gates, CISSP (Security Professional, Author) Commented:
Firewall is disabled domain wide.  I was thinking maybe this can be done with an IPsec policy..  Still looking into it.
0
 
Mazaraat Commented:
Ahhh, then this is what you're looking for:

http://support.microsoft.com/kb/813878
0