Block Proxy GPO for Servers

Within our organization we use a Cymphonix Network Composer to filter http, https, and ftp traffic by acting as a proxy device.

We have a Cymphonix Security Group within Active Directory that most users are members of. We have a GPO linked to the Cymphonix Security Group that enables Proxy Settings in Internet Options.

The problem I am having is that some of our IT Staff are part of the Cymphonix Security Group and those IT users can log in to servers, which then enables Proxy settings on our servers. This is a bad thing for us because some of our internal communications are http and ftp.

Our servers are in a "Servers" OU that has "Block Inheritance" checked already. The Cymphonix GPO is listed at the Domain Level and when I look at the Domain (abc.net) in Group Policy Management on the Group Policy Inheritance tab the Cymphonix GPO is listed last as Precedence 5.

How can I block this Cymphonix GPO from enabling proxy settings on our servers?
chris_martin62
Have you tried going into that policy and creating a deny for those computers on the Delegation tab? Or you can create a security group of users and computers and do a deny on the Delegation tab also. You can do this by going into Group Policy and clicking on the policy, then the Delegation tab; from there select the Advanced button, then do a deny.
ASKER CERTIFIED SOLUTION
Joseph Moody
(solution body available to Experts Exchange members only)
Firstly I would ask WHY IT USERS are logging onto servers.

Your IT USERS should ALL have 2 accounts: one that they log into their workstations and do general work with, a DOMAIN USER account, and one that has administrator privs. The ones with admin privs you create in a separate OU that does NOT have your normal domain policies applied to it.

Having IT Users who log in with domain admin privs ALL day for EVERYTHING they do is a huge security hole.
AIC-Admin (ASKER)
When I go to the Cymphonix GPO (that enforces the Proxy Setting) and then to the Delegation tab I can add individual servers from here, but I do not have an option to Deny. The only options are "Read; Edit settings; and Edit settings, Delete, modify security".

The Servers OU that I want to block from inheriting this GPO is already set to Block Inheritance, so I don't know why it is even picking up the Cymphonix GPO.
It is being applied to the users. Denying it to the servers will have no effect.

Go to delegation - then advanced. Then add in a security group that has your admins. Then select Deny for Apply Group Policy.
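The Deny that chris_martin62 and Joseph Moody describe above, done in PowerShell instead of the GPMC Delegation > Advanced dialog. This is an added example, not code from the thread. The GPO name "Cymphonix Proxy" and the group name "IT Admins" are assumptions; "Apply Group Policy" is a fixed Active Directory extended right whose rights GUID is edacfd8f-ffb3-11d1-b41d-00a0c968f939, and the GPO's AD object DN is what Get-GPO returns in its Path property.

```powershell
# Added example (not from the thread): put a Deny "Apply Group Policy" ACE on a
# GPO for one security group. Equivalent to GPMC > GPO > Delegation > Advanced >
# select the group > Deny on "Apply Group Policy".
# Assumed names: GPO 'Cymphonix Proxy', group 'IT Admins'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Cymphonix Proxy'
$GroupName = 'IT Admins'

# "Apply Group Policy" is an AD extended right; this GUID identifies it in an ACE.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName
$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# The GPO's container object lives under CN=Policies,CN=System,<domain>;
# Get-GPO exposes that DN as .Path, and the AD: drive lets Get-Acl/Set-Acl reach it.
$gpoAdPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpoAdPath

# A Deny ACE wins over the Allow that Authenticated Users normally has on the GPO,
# so members of the group still read the GPO but never apply it.
$denyRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight
)
$acl.AddAccessRule($denyRule)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Verify: list every Deny ACE on the GPO that targets the Apply Group Policy right.
Get-Acl -Path $gpoAdPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $ApplyGroupPolicyRight -and
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights
```

Two things to keep in mind when using this. First, as the reply above says, this GPO carries User Configuration settings, so the group you deny has to contain the user accounts that log on to the servers; denying the server computer accounts changes nothing. Second, after editing the GPO's AD ACL directly, GPMC may report that the SYSVOL and Active Directory permissions for the GPO are inconsistent and offer to bring SYSVOL in line; accept that so the two stay in sync.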
@JMoody10
Our CIO wants our IT staff using the proxy since it also provides antivirus scanning of traffic, so I can't exclude our IT OU from the GPO.

I will likely try linking it to the Computers OU and then Authenticated Users like you suggested.

@Neilsr
Thank you for the input. We are revamping many things around our domain as far as security goes, so I will take that into serious consideration. We are a smaller company, so security has been somewhat lax in the past.
Ok. That is how we do it in our environment. Just make sure that you have loopback policy processing enabled and that you unlink it from user OUs.
@Jmoody10
Forgive me if I sound like an idiot, but in our AD all of our users' computers are contained within a "Computers" container, i.e. it's not an OU.

In the Group Policy Management console the Computers container does not show so I cannot link my Cymphonix proxy GPO to it. Am I missing something?

I did not originally configure our AD so I'm catching up a little on the layout.
Yep. You cannot link a policy to any containers. I would just create a new OU (named something like DOMAINNAME Computers) and drag all of the computers into that OU.
If I create a "Domain Computers" OU and drag the workstations to the OU can I expect anything to change as far as inheritance or will it inherit all the same as long as I do not block?

I will test this with a few workstations before a mass deployment of course.
It will have the exact same inheritance.
I always say test!
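The procedure agreed on in the exchange above (new OU for workstations, move computers out of the Computers container, link the proxy GPO to that OU with loopback processing on, unlink it from the user side, test on a few machines first), as one PowerShell run. This is an added example, not code from the thread. The domain abc.net comes from the question; the OU name "ABC Computers", the GPO name "Cymphonix Proxy" and the pilot host names are assumptions. It also adds the verification step at the end, which the thread only mentions as "test".

```powershell
# Added example (not from the thread): move workstations into a new OU, link the
# proxy GPO there with loopback enabled so its User Configuration settings apply
# to whoever logs on to those workstations, and leave the Servers OU untouched.
# Assumed: domain abc.net (from the question), OU 'ABC Computers', GPO
# 'Cymphonix Proxy', pilot hosts WS-PILOT01/WS-PILOT02 (constructed names).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn   = (Get-ADDomain -Identity 'abc.net').DistinguishedName   # DC=abc,DC=net
$NewOuName  = 'ABC Computers'
$NewOuDn    = "OU=$NewOuName,$DomainDn"
$GpoName    = 'Cymphonix Proxy'
$PilotHosts = @('WS-PILOT01', 'WS-PILOT02')   # pilot a few workstations first

# 1. Create the OU. GPOs cannot be linked to the default CN=Computers container.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$NewOuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $NewOuName -Path $DomainDn
}

# 2. Move only the pilot workstations. Inheritance does not change: an OU directly
#    under the domain receives the same domain-linked GPOs the Computers container
#    did, unless Block Inheritance is set on the new OU.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$DomainDn" |
    Where-Object { $PilotHosts -contains $_.Name } |
    Move-ADObject -TargetPath $NewOuDn

# 3. Loopback processing, set inside the same GPO. The proxy settings live in User
#    Configuration, so a GPO linked to a computer OU only reaches logged-on users
#    when loopback is on. UserPolicyMode 1 = Merge (the user's own GPOs plus this
#    one), 2 = Replace (only GPOs linked where the computer sits). Merge keeps the
#    users' existing policies intact.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Link to the workstation OU and drop the domain-level link, so IT users logging
#    on to a server no longer pull the proxy settings with them.
New-GPLink -Name $GpoName -Target $NewOuDn -LinkEnabled Yes | Out-Null
Remove-GPLink -Name $GpoName -Target $DomainDn

# 5. Check: nothing should come back for the Servers OU (Block Inheritance there
#    stops non-enforced domain links, and the GPO is no longer linked at the domain).
#    Then run 'gpupdate /force' and 'gpresult /r' on a pilot workstation and on a
#    server, and confirm the proxy setting appears only on the workstation.
Get-GPInheritance -Target "OU=Servers,$DomainDn" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Where-Object DisplayName -eq $GpoName
```

Once the pilot hosts behave, repeat step 2 without the Where-Object filter to move the rest of the workstations. Because the loopback setting is part of the proxy GPO itself, it only takes effect on machines where that GPO is linked, so servers under the Servers OU never process it.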
Thank you for all of your help everyone, especially Jmoody!

I will post back after I have set this up and confirmed it is working!
No problem at all!