John Gates, CISSP, CDPSE

asked on

Looking for a gpo that can prevent Internet access by port and not through IE restriction

Looking for a good way to prevent some users from having internet access through group policy.  


Thanks in advance!
-D-
NJComputerNetworks

This is tough because a lot of internal resources may use port 80 as well as internet web sites...

You can try to create a GPO to govern the client Windows firewall.  Block port 80 both ways...

You can try to create an IPSEC rule using GPO to require IPSEC when using port 80.

Although, I don't think these are good solutions...  better off using a proxy..  Most firewalls now have built in proxies...
John Gates, CISSP, CDPSE (ASKER)

Hmm..  I don't care about blocking port 80 even internally...  My other thought is giving the client an incorrect gateway....  However that gateway would need to revert when other people logged into the machine...  I will wait to see what ideas others come up with...  A proxy would only help if there was no alternate gateway.  I am going to need to figure out a "Proxyless" way to accomplish this..

Found this link, yet didn't test it:

http://www.chrisse.se/MAQB.asp?ID=17


That solution is Internet Explorer-centric.  The problem I have is people using other browsers and proxy programs to bypass it.
What firewall are you using?  This will be problematic and troublesome to manage doing it at the desktop.  Much better if your firewall has some type of user or group membership rules....?  Would need to find out what kind of firewall you're using first.

You could use group policies to create a block on port 80 but that would get troublesome over time also....much better to manage at one point -> firewall
The firewall is not going to work in this case.  It is a SonicWALL and it is a POS.  Has to be done with GPO and has to be done at the machine.
Well given that criteria to work with, you could use the Windows XP firewall w/group policies-

Create an OU, move users into the OU that you want to block the port, link a group policy with the following:

computer configuration//admin templates//network//network connections//windows firewall//define port exceptions

configure port 80 to only receive traffic from your intranet - 10.0.0.1 (or a bogus entry)

80:TCP:10.0.0.1:enabled:Web service
443:TCP:10.0.0.1:enabled:Web service

In order for this to work you would also have to *disable* these:

Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions


And *enable* these:
Windows Firewall: Protect all network connections

This can have some undesired effects, so be very careful about where you link this GPO...
Firewall is disabled domain wide.  I was thinking maybe this can be done with an IPsec policy..  Still looking into it.
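The two exception lines in the answer above use the Windows Firewall GPO port-exception format, port:protocol:scope:status:name, where scope is "*" (any remote address), "localsubnet", or a comma-separated list of addresses and CIDR subnets. The script below is an added example, not code from this thread or from Microsoft: it parses a list of such entries and flags any enabled exception whose scope is "*" rather than a specific address, which is the check to run before linking a GPO like this. The sample entries are constructed for the example (only the first two mirror the thread); treating the "localsubnet" keyword case-insensitively and allowing colons inside the name field are assumptions about the format. Note that this policy defines inbound exceptions, and the XP-era firewall filters only inbound connections.

```python
"""Parse and audit Windows Firewall GPO port-exception entries.

Each entry has the form  port:protocol:scope:status:name  where scope is
"*" (any remote address), "localsubnet", or a comma-separated list of
IPv4 addresses and CIDR subnets.  SAMPLE_ENTRIES is constructed for this
example; only the first two lines mirror the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample list: the two restricted entries from the thread, plus
# one that is open to any address and one disabled entry with a mixed scope.
SAMPLE_ENTRIES = [
    "80:TCP:10.0.0.1:enabled:Web service",
    "443:TCP:10.0.0.1:enabled:Web service",
    "3389:TCP:*:enabled:Remote Desktop",
    "137:UDP:localsubnet,192.168.1.0/24:disabled:NetBIOS name service",
]


@dataclass
class PortException:
    port: int
    protocol: str          # "TCP" or "UDP"
    scope: List[str]       # ["*"], ["localsubnet"], or addresses/subnets
    enabled: bool
    name: str

    def is_open_to_any(self) -> bool:
        """True when the exception is active and accepts any remote address."""
        return self.enabled and "*" in self.scope


def parse_entry(entry: str) -> PortException:
    """Parse one entry, raising ValueError on any malformed field."""
    parts = entry.split(":", 4)      # assumption: the name may contain colons
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, proto, scope_s, status, name = parts

    port = int(port_s)               # raises ValueError on a non-numeric port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")

    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol: {proto!r}")

    status = status.lower()
    if status not in ("enabled", "disabled"):
        raise ValueError(f"unknown status: {status!r}")

    scope = [s.strip().lower() for s in scope_s.split(",") if s.strip()]
    if not scope:
        raise ValueError("empty scope")
    for item in scope:
        if item in ("*", "localsubnet"):
            continue
        # Accept a bare address or a CIDR subnet; ip_network rejects junk.
        ipaddress.ip_network(item, strict=False)

    return PortException(port, proto, scope, status == "enabled", name.strip())


def audit(entries: List[str]) -> List[PortException]:
    """Return the enabled exceptions whose scope is not restricted at all."""
    return [p for p in map(parse_entry, entries) if p.is_open_to_any()]


if __name__ == "__main__":
    for exc in audit(SAMPLE_ENTRIES):
        print(f"open to any address: {exc.port}/{exc.protocol} ({exc.name})")
```

Run against the constructed list, only the 3389/TCP entry is reported; the two entries scoped to 10.0.0.1 pass, and the disabled NetBIOS entry is ignored even though it names a subnet. Malformed entries (wrong field count, bad port, unparseable address) raise ValueError instead of being silently skipped, so a typo in a GPO entry surfaces before the policy is linked.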
ASKER CERTIFIED SOLUTION
Mazaraat
