Solved

Group Policy (in IE) to ONLY ALLOW trusted site browsing

Posted on 2011-03-03
Last Modified: 2012-05-11
Hello, I have a Windows 2003 domain controller that I need to enable a GPO for my Windows 2003 terminal server that remote users log into.

I want to make sure that the remote users are ONLY able to browse to the sites I designate as allowed in Internet Explorer (i.e. webmail https). What is the best group policy setting to enable this? How do I make sure that they are not able to disable or modify the IE changes?

Currently I have an IE GPO that doesn't allow them to click certain menu items and other limitations utilizing Loopback, so I am familiar with GPO; however, I do not know how to restrict browsing habits. Any help would be appreciated!
Question by:XAnalyzer
21 Comments
 

Author Comment

by:XAnalyzer
ID: 35039971
Anyone?
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 167 total points
ID: 35041829
Working with trusted sites will not really give you the results you wish. This is why you are not seeing much response to this thread.  

Trusted sites tell the computer whether you want to allow potentially operating-system-intrusive files to be run from the trusted site (as in this case).
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Group policies can content filter, but it is cumbersome to control web filtering.
http://support.microsoft.com/kb/556044
______________________________________________________
With that said, you really should evaluate what you want to filter and maybe consider using the router as a filtering agent.

Routers can use ACLs (access control lists), on a specific port on the router. So, let's say you have a VPN connection on the router. You can permit what you want, and then deny everything thereafter on that port that services the VPN connection. This ensures local traffic is OK and the VPN port will not forward any requests to inside the network you do not want.

An alternative is a web proxy, which Group Policy can control (as you can see in the Microsoft article).

A problem with group policies is, you need to have the ADM templates for the correct versions of their Internet Explorer. BUT, this group policy does NOT provide a policy for a different web browser, like Opera and Firefox. So, even with the policy in place, remote users may still bypass your GPOs really easily.

This is the reason why I suggest ACLs on the router.


NOW, if you want to control all users (remote and local) in the same way, a WEB PROXY server is probably the best way to go.
0
 

Author Comment

by:XAnalyzer
ID: 35044394
Hmm, I am not sure, ChiefIT, if ACLs can be set up for this scheme;
I have a 4-port VPN router (RV042) first of all, but I'm sure ACLs can be configured. The terminal server is running off regular port 3389 and web browsing is port 80. I do not want any users on Terminal Server (3389) to browse the web (80) except for 2-3 allowed sites. How would I set up an ACL to achieve this?
0
 

Author Comment

by:XAnalyzer
ID: 35044398
"A problem with group policies is, you need to have the ADM templates for the correct versions of their Internet Explorer. BUT, this group policy does NOT provide a policy for a different web browser, like Opera and Firefox. So, even with the policy in place, remote users may still bypass your GPOs really easily."

This isn't an issue because my terminal server is heavily locked down and no installations are possible (although downloads are). So we are using the latest Internet Explorer and no other browsers are permitted for install.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35044591
Well, group policies include an OU that seeks the server to determine a list of web sites. The policy itself acts as a proxy to that OU. So, maybe this will work. The Microsoft article explains how to set up the server as a proxy using GP.

http://support.microsoft.com/kb/556044
0
 

Author Comment

by:XAnalyzer
ID: 35052632
Does not seem to work. Followed the instructions as per KB 556044 but all I see is "Detecting proxy settings..." and the websites load anyway.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35065528
What IP did you list as your proxy server?

Remember, the article stated if you don't have a proxy, then use 0.0.0.0.
0
 

Author Comment

by:XAnalyzer
ID: 35069809
I tried 0.0.0.0 and 192.1681.200 (fake IP) and still no go. Even found a registry edit (http://support.microsoft.com/kb/306915) and still nothing.
0
 

Author Comment

by:XAnalyzer
ID: 35069859
As you can see all the settings for GPO appear normal (loopback replace, fake proxy IP, etc.)
Capture.JPG
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35079366
The clients are getting the policy?

Have you checked to see if the proxy is passed down to your clients?
0
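One way to answer ChiefIT's question, as an added example (not code posted by anyone in this thread): a PowerShell check run inside the remote user's Terminal Server session that reads the registry values Internet Explorer actually uses for its proxy, plus the policy value that stops the user changing them. It assumes PowerShell is installed on the terminal server; the key paths are the standard WinINET per-user "Internet Settings" key and the IE "Control Panel" policy key.

```powershell
# Added example, not from the thread: report what proxy configuration IE sees
# for the current user, so you can tell whether the GPO reached the client.
# Run in the user's session after a gpupdate (or a fresh logon with loopback).
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-IeProxyState {
    $s = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # ProxyOverride is the semicolon-separated "exceptions" list: hosts that
    # bypass the proxy. This is what the thread calls the whitelist.
    $exceptions = @()
    if ($s.ProxyOverride) {
        $exceptions = @($s.ProxyOverride -split ';' | Where-Object { $_ -ne '' })
    }

    return New-Object PSObject -Property @{
        ProxyEnabled  = ([int]$s.ProxyEnable -eq 1)
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
        Exceptions    = $exceptions
        # "Prevent changing proxy settings" writes Proxy=1 under the policy key;
        # without it the user can simply turn the proxy off in Internet Options.
        UserLockedOut = ([int]$p.Proxy -eq 1)
    }
}

$state = Get-IeProxyState
$state | Format-List ProxyEnabled, ProxyServer, AutoConfigURL, Exceptions, UserLockedOut

if (-not $state.ProxyEnabled) {
    Write-Warning 'ProxyEnable is 0: the proxy GPO did not reach this user. Check loopback scope with gpresult.'
}
elseif ($state.ProxyServer -match '0\.0\.0\.0|127\.0\.0\.1') {
    Write-Warning 'Proxy points at a placeholder address; as the thread notes, IE will not black-hole traffic this way.'
}
if (-not $state.UserLockedOut) {
    Write-Warning 'Proxy settings are not locked: users can still change them in Internet Options.'
}
```

If ProxyEnabled is false in the user's session but the GPO editor shows the setting, the policy is not being applied to that user/computer pair, which is where gpresult output is the next thing to look at.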
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 35083111
What somebody should have said from the beginning is: ...there is no such thing, ...you cannot do what you are trying to do.  That is the only true honest answer to what you are specifically asking in the original question.

The Security Zones in the browser cannot, and will not, block browsing to sites.  All the Security Zones do is determine what browser features are allowed to operate in conjunction with the Zone the Site is in.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35083136
Ok,...looks like ChiefIT pretty much said the same thing,..sorry I didn't notice that at first.
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 35089914
This ADM template has more settings. See if there is something that you are waiting for.
Remove .zip and import it.
Windows-SteadyState.adm.zip
0
 

Author Comment

by:XAnalyzer
ID: 35122653
Not sure why, in theory, what I'm asking for cannot be done? It seems reasonable to assume that setting up a machine specific proxy gpo would block every site except the ones listed in the gpo whitelist settings? It's just not happening on the machine and not sure why hence the reluctance to award any PTS just yet.
0
 

Author Comment

by:XAnalyzer
ID: 35122657
Thank you all for your contributions though. Let's make this work!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35139706
A "Proxy  GPO" is worthless without a proxy,...you don't have a proxy,...you said so yourself.

Security Zones do not block anything.  Security Zones enable or disable certain browser features,..and nothing more,...you can't block sites with Zones.  You are wasting your time trying to do it this way.
0
 

Author Comment

by:XAnalyzer
ID: 35166019
@pwindell: do you have a better idea?

And in regards to your comments, even though I do not have a proxy, I'm setting one up albeit a fake one, so why can't it work? I want all sites EXCEPT one to redirect through a (fake) proxy meaning that it shouldn't take users anywhere. This is like setting a (fake) proxy server on a local workstation and having it go nowhere because proxy does not exist thus user goes nowhere (fyi- how malware works).
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 35166179
I can think of two things,...one is free.  I actually use both of these in combination.

1. Use a Firewall or Proxy Server that is capable of sophisticated Access Control Rules.  Any business grade product should be able to do this.

2. Use OpenDNS (www.opendns.com).  This is a free Service.  You create an account with them and then in your account settings you specify things you want blocked based on the Category of the site.  They also have WhiteLists and BlackLists that you can add specific Sites to.  You then set the DNS Forwarder in your AD/DNS to be the IP#s of the OpenDNS's DNS Server and you're done.

Keep in mind that filtering with the OpenDNS Service is Global,...it is not possible to have different settings for different users.  But with a Firewall or Proxy you can get more granular.  However it is humanly impossible for you to maintain category lists of sites that are good, bad, evil, or indifferent,....so you simply cannot get "carried away" with trying to do all that yourself on a Firewall or Proxy.   That is why I combine both methods together at our place,...I run MS's ISA2006 as our firewall and combine that with OpenDNS.

I tried using GPO with the IE Zones once in the past for a different reason than you,..but it was a total waste of time,...plus it removed the ability to add/remove Zone items locally manually,...meaning I had to be responsible for everyone's zone from then on and try to keep everyone "happy".  So that ended pretty fast.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35166204
You can't have a "fake" proxy.  You have to have a real proxy.  I tried to drive to work one day in my fake car but it would not start with the fake key  :-)    So I had to go buy a real car.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35183970
This is like setting a (fake) proxy server on a local workstation and having it go nowhere because proxy does not exist thus user goes nowhere (fyi- how malware works).

I didn't really address that very well.  The normal behavior of IE when it has "proxy settings" is to first try the proxy,...if the proxy is not reachable then it tries to go direct,...hence you cannot "black-hole" sites like that.

The method you are probably thinking of is when you black-hole a Domain Name by putting the Domain in the local Hosts file with an address of 127.0.0.1

0
