Solved

Block Proxy GPO for Servers

Posted on 2011-03-22
14
667 Views
Last Modified: 2012-05-11
Within our organization we use a Cymphonix Network Composer to filter http, https, and ftp traffic by acting as a proxy device.

We have a Cymphonix Security Group within Active Directory that most users are members of. We have a GPO linked to the Cymphonix Security Group that enables Proxy Settings in Internet Options.

The problem I am having is that some of our IT Staff are part of the Cymphonix Security Group and those IT users can login to servers which then enables Proxy settings on our servers. This is a bad thing for us because some of our internal communications are http and ftp.

Our servers are in a "Servers" OU that has "Block Inheritance" checked already. The Cymphonix GPO is listed at the Domain Level and when I look at the Domain (abc.net) in Group Policy Management on the Group Policy Inheritance tab the Cymphonix GPO is listed last as Precedence 5.

How can I block this Cymphonix GPO from enabling proxy settings on our servers?
0
Question by:AIC-Admin
14 Comments
 
LVL 7

Expert Comment

by:chris_martin62
ID: 35192865
Have you tried going into that policy and creating a deny for those computers on the Delegation tab? Or you can create a security group of users and computers and do a deny on the Delegation tab also. You can do this by going into Group Policy and clicking on the policy, then the Delegation tab; from there select the Advanced button, then do a deny.
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 500 total points
ID: 35192909
The reason you are having this problem is that the proxy settings are deployed on the user side. Even though you have Block Inheritance enabled, that only applies to computer-side policies.

In your GPO that sets the proxy settings, you need to deny your IT group (by doing what Chris said). You only need to deny your IT group the apply group policy permission.

You can also link the policy to your computer OUs and change the filtering to Authenticated Users (if it is not already). Then enable loopback policy processing (merge mode) within the policy. Afterwards, unlink it from your user-side OUs.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35192971
Firstly I would ask WHY IT USERS are logging onto servers.

Your IT USERS should ALL have 2 accounts: one that they log into their workstations and do general work with, a DOMAIN USER account, and one that has administrator privs. The ones with admin privs you create in a separate OU that does NOT have your normal domain policies applied to it.

Having IT Users who log in with domain admin privs ALL day for EVERYTHING they do is a huge security hole.
0
 
LVL 3

Author Comment

by:AIC-Admin
ID: 35193015
When I go to the Cymphonix GPO (that enforces the Proxy Setting) and then to the Delegation tab I can add individual servers from here, but I do not have an option to Deny. The only options are "Read; Edit settings; and Edit settings, Delete, modify security".

The Servers OU that I want to block from inheriting this GPO is already set to Block Inheritance, so I don't know why it is even picking up the Cymphonix GPO.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193026
It is being applied to the users. Denying it to the servers will have no effect.

Go to Delegation, then Advanced. Then add in a security group that has your admins. Then select Deny for Apply Group Policy.
0
 
LVL 3

Author Comment

by:AIC-Admin
ID: 35193059
@JMoody10
Our CIO wants our IT staff using the proxy since it also provides antivirus scanning of traffic, so I can't exclude our IT OU from the GPO.

I will likely try linking it to the Computers OU and then Authenticated Users like you suggested.

@Neilsr
Thank you for the input. We are revamping many things around our domain as far as security goes, so I will take that into serious consideration. We are a smaller company, so security has been somewhat lax in the past.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193070
Ok. That is how we do it in our environment. Just make sure that you have loopback policy processing enabled and that you unlink it from user OUs.
0
 
LVL 3

Author Comment

by:AIC-Admin
ID: 35193142
@Jmoody10
Forgive me if I sound like an idiot, but in our AD all of our users' computers are contained within a "Computers" container, i.e. it's not an OU.

In the Group Policy Management console the Computers container does not show so I cannot link my Cymphonix proxy GPO to it. Am I missing something?

I did not originally configure our AD so I'm catching up a little on the layout.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193148
Yep. You cannot link a policy to any containers. I would just create a new OU (named something like DOMAINNAME Computers) and drag all of the computers into that OU.
0
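The procedure the accepted solution and the follow-ups describe (create an OU for the workstations, move them in, link the proxy GPO there filtered to Authenticated Users, turn on loopback merge mode, unlink the GPO from the domain), as an added PowerShell example that is not from this thread or from Cymphonix. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later), and the GPO name "Cymphonix Proxy", the OU name "ABC Computers" and the workstation names WS01/WS02 are assumed placeholders:

```powershell
# Added example, not from the thread. Assumed names: GPO "Cymphonix Proxy",
# OU "ABC Computers", pilot workstations WS01 and WS02.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Cymphonix Proxy'                      # assumed GPO name
$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=abc,DC=net
$ouName   = 'ABC Computers'                         # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"

# 1. Diagnose: the symptom in the question (Block Inheritance on the Servers OU
#    has no effect) is explained if the GPO carries user-side settings. Show
#    which side is enabled and who currently has Apply permission.
$gpo = Get-GPO -Name $gpoName
"User side enabled: $($gpo.User.Enabled); computer side enabled: $($gpo.Computer.Enabled)"
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied -AutoSize

# 2. Policies cannot be linked to the default CN=Computers container, so create
#    an OU and move workstations into it. Move a pilot set first, as the asker
#    planned; servers stay in their own "Servers" OU and are not touched.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
$pilotWorkstations = @('WS01', 'WS02')              # constructed names
foreach ($name in $pilotWorkstations) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouDn
}

# 3. Link the GPO to the workstation OU, filter it to Authenticated Users, and
#    enable loopback processing in merge mode so the user-side proxy settings
#    follow the workstation a user logs on to rather than the user account.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1    # 1 = Merge, 2 = Replace

# 4. Remove the domain-level link; otherwise the GPO still reaches IT users
#    when they log on to a server, regardless of the Servers OU settings.
Remove-GPLink -Name $gpoName -Target $domainDn

# 5. Verify: the GPO should be linked at the OU and no longer at the domain.
#    On a server, "gpresult /r /scope:user" run as an IT user should then list
#    the proxy GPO under neither Applied nor Denied user policies.
Get-GPInheritance -Target $domainDn | Select-Object -ExpandProperty GpoLinks
Get-GPInheritance -Target $ouDn     | Select-Object -ExpandProperty GpoLinks
```

Once the pilot workstations pick up the proxy settings after a `gpupdate /force` and a logoff/logon, the remaining workstations can be moved the same way. The alternative from the earlier comments (denying Apply Group Policy to an IT group) is not reachable from `Set-GPPermission`, whose `-PermissionLevel` values are only GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity and None; an explicit Deny entry is still set in GPMC under Delegation > Advanced as described above, and it would also keep the proxy off those IT users' workstations, which is what the CIO's requirement rules out.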
 
LVL 3

Author Comment

by:AIC-Admin
ID: 35193184
If I create a "Domain Computers" OU and drag the workstations to the OU can I expect anything to change as far as inheritance or will it inherit all the same as long as I do not block?

I will test this with a few workstations before a mass deployment of course.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193192
It will have the exact same inheritance.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193198
I always say test!
0
 
LVL 3

Author Comment

by:AIC-Admin
ID: 35193205
Thank you for all of your help everyone, especially Jmoody!

I will post back after I have set this up and confirmed it is working!
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35193209
No problem at all!
0
