Solved

DNS - Proxy question

Posted on 2010-09-14
Last Modified: 2012-05-10
I have a simple network with a domain controller that also does DHCP and DNS.
I am going to implement a SaaS application for web filtering.
Basically I set the DSL modem DNS settings to the filtering service DNS box.

What about users manually setting their DNS settings to an open DNS box?

My thought is this:
1.  Users have to be local admins on their machine or this would be a moot point
2.  Group policy can be set to prevent access to the properties of the lan connection
Downside to this option is I would have to kill it for admins on the box, which includes me.  I guess I would exclude the policy from hitting my user account or domain admins.


Possible quick solution - create a firewall rule that only allows DNS requests from the internal DNS server.  Would this work?
DNS is set up to use forwarders that points to the DSL modem.
Question by:ryansoto
8 Comments
 
LVL 7

Accepted Solution

by:
tlovie earned 1000 total points
ID: 33677490
That's what I would do: I would block at the firewall all the traffic outbound to DNS except from the machine you want to allow. Then force everybody inside to use the DNS forwarders.
 
LVL 5

Assisted Solution

by:Ioannis_Avgeros
Ioannis_Avgeros earned 500 total points
ID: 33677496
Possible quick solution - create a firewall rule that only allows DNS requests from the internal DNS server.  Would this work?

Yes it would; that's what I would do without having to touch any policies on Windows. This will also do the trick for non-domain computers such as laptops or handheld devices that may use the network via wifi.
 
LVL 24

Author Comment

by:ryansoto
ID: 33677662
OK, so the DNS answer appears to be solved, but what about in the event a user sets his proxy address in the browser to some outside proxy?
 
LVL 7

Assisted Solution

by:tlovie
tlovie earned 1000 total points
ID: 33677754
You could block all outbound traffic to the common proxy ports (3128, 8080, 1080) and force them to go through an internal proxy, but this gets difficult unless you block all requests, since people in control of their own machines on the outside could run proxy services on arbitrary ports (443, 22, 80) that might fool your rules.
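The two egress rules discussed in this thread (only the internal DNS server may talk to outside resolvers; the common proxy ports are closed to everyone but an internal proxy) can be checked against firewall flow records before they are rolled out. The script below is an added example, not code from the thread or from any of the posters. It assumes a constructed LAN of 192.168.1.0/24 with the DC/DNS server at 192.168.1.10 and an internal proxy at 192.168.1.20, and it uses constructed flow records in a simple key=value form rather than real firewall logs. The `strict_web` switch demonstrates the difference between tlovie's port-based rule (which, as noted, misses a proxy listening on 80 or 443) and Ioannis_Avgeros's stricter "everything web goes through the internal proxy" rule.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed addresses for this example (assumptions, not values from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_DNS = ipaddress.ip_address("192.168.1.10")    # the DC that runs DNS/DHCP
INTERNAL_PROXY = ipaddress.ip_address("192.168.1.20")  # assumed internal web proxy
DNS_PORT = 53
PROXY_PORTS = {3128, 8080, 1080}   # the common proxy ports named in the thread
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def evaluate(flow: Flow, strict_web: bool = False) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound flow at the perimeter.

    strict_web=False: only DNS and the common proxy ports are restricted;
    web ports stay open, so a proxy listening on 80/443 is not caught.
    strict_web=True: web ports are also limited to the internal proxy,
    which closes that gap at the cost of forcing every client through it.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst in LAN:
        return "allow", "internal destination, egress rules do not apply"
    if src not in LAN:
        return "drop", "source is not on the LAN"
    if flow.dport == DNS_PORT:
        if src == INTERNAL_DNS:
            return "allow", "forwarder query from the internal DNS server"
        return "drop", "client queried an external resolver directly"
    if flow.dport in PROXY_PORTS:
        if src == INTERNAL_PROXY:
            return "allow", "internal proxy egress"
        return "drop", "client connected to an external proxy port"
    if strict_web and flow.dport in WEB_PORTS and src != INTERNAL_PROXY:
        return "drop", "web traffic must go through the internal proxy"
    return "allow", "no egress rule matched"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def bypass_attempts(lines, strict_web: bool = False) -> dict:
    """Count dropped flows per source host: the hosts whose users overrode DNS or proxy settings."""
    hits = Counter()
    for line in lines:
        flow = parse_flow(line)
        verdict, _ = evaluate(flow, strict_web)
        if verdict == "drop":
            hits[flow.src] += 1
    return dict(hits)


# Constructed flow records standing in for perimeter firewall log lines.
SAMPLE_FLOWS = [
    "src=192.168.1.10 dst=203.0.113.53 proto=udp dport=53",    # DC forwarding to the upstream resolver
    "src=192.168.1.50 dst=203.0.113.8 proto=udp dport=53",     # user pointed the NIC at an outside resolver
    "src=192.168.1.50 dst=198.51.100.7 proto=tcp dport=8080",  # browser proxy set to an outside host
    "src=192.168.1.20 dst=198.51.100.9 proto=tcp dport=443",   # internal proxy fetching a page
    "src=192.168.1.60 dst=198.51.100.9 proto=tcp dport=443",   # direct HTTPS from a workstation
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(line, "->", evaluate(parse_flow(line)))
    print("port-based rules:", bypass_attempts(SAMPLE_FLOWS))
    print("strict web rule: ", bypass_attempts(SAMPLE_FLOWS, strict_web=True))
```

Running it shows 192.168.1.50 tripping both the DNS and the proxy-port rule under either mode, while the direct HTTPS from 192.168.1.60 is only flagged when `strict_web` is on; that second count is the "block all requests apart from the proxy machine" approach that the next comments settle on.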
 
LVL 24

Author Comment

by:ryansoto
ID: 33677802
I'm not so much worried about internal users setting up their own proxies outside. More like the users trying to use Internet Explorer and putting in a proxy already existing on the internet.

Maybe a group policy to not allow access to the proxy settings? What about for other browsers?
Man, not easy :)
 
LVL 5

Expert Comment

by:Ioannis_Avgeros
ID: 33678013
tlovie could be right. You could block all requests from inside apart from the machine that hosts the proxy server; then everyone would have to go through that, and those who don't simply won't get access to any web pages.
 
LVL 8

Assisted Solution

by:lancecurwensville
lancecurwensville earned 500 total points
ID: 33682494
Make OUs for your users: Bosses, Network, Employees, etc.

GPO to disallow changes to Local Area Connection settings. GPO to disallow changes to Internet Connection settings.

Link those GPOs to the appropriate OUs. Then you can set the people who are allowed to make changes on their own.
GPOs are found here:
LAN Settings: User Config->Policies->Admin Templates->Network->Network Connections->Prohibit access to properties of LAN <enable>
IE Proxy: User Config->Policies->Admin Templates->Windows Components->Internet Control Panel->Disable the Connections Page <enable>

Make your changes to your internal DNS/DHCP server. As soon as users reboot, changes take place.

In reality, from a security standpoint, this is how it should be set up anyhow. AD Group Policy is a powerful tool that most smaller networks don't utilize.

hope this helps...
 
LVL 8

Expert Comment

by:lancecurwensville
ID: 33682590
Addendum to earlier post...

RE:  other browsers..

If you are utilizing GPOs to restrict access, they should not have permissions/rights to install software, including other browsers, unless they are set up as administrators of local machines.

If they are required to be local admins, short version, you are going to need to create an Acceptable Use Policy, and within this, have it stated that employees are not permitted to install software and/or browse inappropriate sites. On your new web filter, you should have the ability to browse logs to see who is going where; at that point, your company should have all the ammo it needs to either terminate or formally discipline that employee.