ryansoto
asked on
DNS - Proxy question
I have a simple network with a domain controller that also does DHCP and DNS.
I am going to implement a SaaS application for web filtering.
Basically I set the DSL modem DNS settings to the filtering service DNS box.
What about users manually setting their DNS settings to an open DNS box?
My thought is this:
1. Users have to be local admins on their machine or this would be a moot point
2. Group policy can be set to prevent access to the properties of the LAN connection
Downside to this option is I would have to kill it for admins on the box, which includes me. I guess I would exclude the policy from hitting my user account or domain admins.
Possible quick solution - create a firewall rule that only allows DNS requests from the internal DNS server. Would this work?
DNS is set up to use forwarders that point to the DSL modem.
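As an added example (not part of the original post), one way to check the firewall rule proposed above once it is in place is to scan the firewall log for port-53 traffic that did not come from the internal DNS server. The key=value log format, the addresses and the function names are assumptions, and the sample log lines are constructed.

```python
# Added example: audit firewall logs for DNS traffic that bypasses the internal DNS server.
# Assumptions (not from the original post): the key=value log format, the
# addresses (RFC 1918 / RFC 5737 documentation ranges), and all names below.
from collections import defaultdict

INTERNAL_DNS = "192.168.1.10"  # assumed address of the domain controller / DNS server

# Constructed sample log lines.
SAMPLE_LOG = """\
action=ALLOW proto=udp src=192.168.1.10 dst=203.0.113.53 dport=53
action=DENY proto=udp src=192.168.1.42 dst=198.51.100.8 dport=53
action=ALLOW proto=tcp src=192.168.1.42 dst=198.51.100.8 dport=53
action=ALLOW proto=tcp src=192.168.1.42 dst=203.0.113.80 dport=443
action=DENY proto=udp src=192.168.1.77 dst=198.51.100.8 dport=53
this line is malformed and is skipped
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    required = {"action", "proto", "src", "dst", "dport"}
    return fields if required <= fields.keys() else None

def audit_dns(log_text, dns_server=INTERNAL_DNS):
    """Return {client: {"blocked": [...], "leaked": [...]}} for port-53 flows
    that did not originate from the internal DNS server."""
    report = defaultdict(lambda: {"blocked": [], "leaked": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != "53" or rec["src"] == dns_server:
            continue
        # DENY: the rule stopped the query. ALLOW: the rule has a gap.
        bucket = "blocked" if rec["action"] == "DENY" else "leaked"
        report[rec["src"]][bucket].append((rec["proto"], rec["dst"]))
    return dict(report)

if __name__ == "__main__":
    for client, result in sorted(audit_dns(SAMPLE_LOG).items()):
        print(client, result)
```

A client listed under "leaked" means the rule missed a protocol or path (TCP 53 in the constructed sample), while "blocked" entries show which machines tried to reach an outside resolver directly.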
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'm not so much worried about internal users setting up their own proxies outside. More like the users trying to use Internet Explorer and putting in a proxy already existing on the internet.
Maybe a group policy to not allow access to the proxy settings? What about for other browsers?
Man not easy :)
tlovie could be right, you could block all requests from inside apart from the machine that hosts the proxy server, then everyone would have to go through that, and those who don't simply won't get access to any web pages.
Addendum to earlier post...
RE: other browsers..
If you are utilizing GPOs to restrict access, they should not have permissions/rights to install software, including other browsers, unless they are set up as administrators of local machines.
If they are required to be local admins, short version, you are going to need to create an Acceptable Use Policy, and within this, have it stated that employees are not permitted to install software and/or browse inappropriate sites. On your new webfilter, you should have the ability to browse logs to see who is going where. At that point, your company should have all the ammo it needs to either terminate or formally discipline that employee.