John Gates, CISSP, CDPSE asked:
Looking for a gpo that can prevent Internet access by port and not through IE restriction
Looking for a good way to prevent some users from having internet access through group policy.
Thanks in advance!
-D-
ASKER
Hmm... I don't care about blocking port 80 even internally... My other thought is giving the client an incorrect gateway... However, that gateway would need to revert when other people logged into the machine... I will wait to see what ideas others come up with... A proxy would only help if there was no alternate gateway. I am going to need to figure out a "proxyless" way to accomplish this.
ASKER
That solution is Internet Explorer-centric. The problem I have is people using other browsers and proxy programs to bypass it.
What firewall are you using? This will be problematic and troublesome to manage doing it at the desktop. Much better if your firewall has some type of user or group membership rules...? Would need to find out what kind of firewall you're using first.
You could use group policies to create a block on port 80, but that would get troublesome over time also... much better to manage at one point: the firewall.
ASKER
The firewall is not going to work in this case. It is a SonicWALL and it is a POS. Has to be done with GPO and has to be done at the machine.
Well, given those criteria to work with, you could use the Windows XP firewall with group policies:
Create an OU, move the users you want to block the port for into the OU, and link a group policy with the following:
Computer Configuration // Administrative Templates // Network // Network Connections // Windows Firewall // Define port exceptions
Configure ports 80 and 443 to only receive traffic from your intranet - 10.0.0.1 (or a bogus entry):
80:TCP:10.0.0.1:enabled:Web service
443:TCP:10.0.0.1:enabled:Web service
In order for this to work you would also have to *disable* these:
Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions
And *enable* these:
Windows Firewall: Protect all network connections
This can have some undesired effects, so be very careful about where you link this GPO...
ASKER
Firewall is disabled domain-wide. I was thinking maybe this can be done with an IPsec policy... Still looking into it.
ASKER CERTIFIED SOLUTION
You can try to create a GPO to govern the client Windows firewall. Block port 80 both ways...
You can try to create an IPsec rule using GPO to require IPsec when using port 80.
Although, I don't think these are good solutions... better off using a proxy. Most firewalls now have built-in proxies...
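One way to express the accepted answer's client-firewall approach ("block port 80 both ways") on current Windows, as an added example that is not part of this thread: it assumes the NetSecurity cmdlets of Windows 8 / Server 2012 or later and an intranet range of 10.0.0.0/8, both of which are assumptions to adjust for your environment.

```powershell
# Added example, not code from the thread: the accepted answer's "block port 80
# both ways" at the client firewall, written for Windows Firewall with Advanced
# Security (Windows 8 / Server 2012 or later, NetSecurity module). The same rules
# can be authored in the GPO node Computer Configuration > Policies > Windows
# Settings > Security Settings > Windows Firewall with Advanced Security.
# Assumption: the intranet is 10.0.0.0/8 (replace with yours). Run elevated.

$Group = 'Restricted Web Access'   # rule group, for auditing and cleanup
$Ports = @(80, 443)

# The asker reports the firewall is disabled domain-wide; no rule applies until
# the profiles are on (the XP-era equivalent was "Protect all network connections").
Set-NetFirewallProfile -All -Enabled True

# Windows Firewall evaluates explicit Block rules before Allow rules, so an
# "allow intranet" rule cannot carve an exception out of a broad block. Scope the
# Block rule to every IPv4 address outside the ASSUMED intranet 10.0.0.0/8 instead.
$OutsideIntranet = @('1.0.0.0-9.255.255.255', '11.0.0.0-223.255.255.255')

# Remove a previous deployment of this group so the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Outbound is the direction a browser, or a proxy-bypass tool, actually uses.
New-NetFirewallRule -DisplayName 'Block HTTP/HTTPS to non-intranet hosts' -Group $Group `
    -Direction Outbound -Protocol TCP -RemotePort $Ports `
    -RemoteAddress $OutsideIntranet -Action Block -Profile Any

# Unsolicited inbound 80/443 is already dropped by the default inbound policy;
# an explicit rule records the intent for whoever audits the rule set later.
New-NetFirewallRule -DisplayName 'Block inbound HTTP/HTTPS' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -Action Block -Profile Any

# Verify what was applied: the outbound rule should list only the
# outside-intranet ranges, and the intranet range itself should be absent.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-42} {1,-9} remote={2} ports={3}' -f $_.DisplayName, $_.Direction,
        ($addr.RemoteAddress -join ','), (($port.LocalPort, $port.RemotePort) -join ',')
}
```

Only TCP 80 and 443 over IPv4 are covered: a proxy listening on another port or an IPv6 path, the kind of bypass the asker describes, still needs its own rule or a default-block outbound profile.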