Block Proxy GPO for Servers

Within our organization we use a Cymphonix Network Composer to filter http, https, and ftp traffic by acting as a proxy device.

We have a Cymphonix Security Group within Active Directory that most users are members of. We have a GPO linked to the Cymphonix Security Group that enables Proxy Settings in Internet Options.

The problem I am having is that some of our IT Staff are part of the Cymphonix Security Group and those IT users can log in to servers, which then enables Proxy settings on our servers. This is a bad thing for us because some of our internal communications are http and ftp.

Our servers are in a "Servers" OU that has "Block Inheritance" checked already. The Cymphonix GPO is listed at the Domain Level and when I look at the Domain (abc.net) in Group Policy Management on the Group Policy Inheritance tab the Cymphonix GPO is listed last as Precedence 5.

How can I block this Cymphonix GPO from enabling proxy settings on our servers?
Asked by AIC-Admin
chris_martin62 commented:
Have you tried going into that policy and creating a deny for those computers on the Delegation tab? Or you can create a security group of users and computers and do a deny on the Delegation tab also. You can do this by going into Group Policy, clicking on the policy, then the Delegation tab; from there, select the Advanced button, then do a deny.

Joseph Moody (Blogger and wearer of all hats) commented:
The reason you are having this problem is that the proxy settings are deployed on the user side. Even though you have Block Inheritance enabled, that only applies to computer-side policies.

In your GPO that sets the proxy settings, you need to deny your IT group (by doing what Chris said). You only need to deny your IT group the apply group policy permission.

You can also link the policy to your computer OUs and change the filtering to Authenticated Users (if it is not). Then enable loopback policy processing (merge mode) within the policy. Afterwards, unlink it from your user-side OUs.

Neil Russell (Technical Development Lead) commented:
Firstly I would ask WHY IT USERS are logging onto servers.

Your IT USERS should ALL have 2 accounts. One that they log into their workstations and do general work with, a DOMAIN USER account, and one that has administrator privs. The ones with admin privs you create in a separate OU that does NOT have your normal domain policies applied to it.

Having IT Users who log in with domain admin privs ALL day for EVERYTHING they do is a huge security hole.

AIC-Admin (Author) commented:
When I go to the Cymphonix GPO (that enforces the Proxy Setting) and then to the Delegation tab I can add individual servers from here but I do not have an option to Deny. The only options are "Read; Edit settings; and Edit settings, Delete, modify security".

The Servers OU that I want to block from inheriting this GPO is already set to Block Inheritance so I don't know why it is even picking up the Cymphonix GPO.

Joseph Moody (Blogger and wearer of all hats) commented:
It is being applied to the users. Denying it to the servers will have no effect.

Go to delegation - then advanced. Then add in a security group that has your admins. Then select Deny for Apply Group Policy.

AIC-Admin (Author) commented:
@JMoody10
Our CIO wants our IT staff using the proxy since it also provides antivirus scanning of traffic, so I can't exclude our IT OU from the GPO.
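The delegation step above (Advanced, then Deny on Apply Group Policy for the admins' group) can be scripted instead of clicked through. This is an added example, not code from the thread; the GPO name "Cymphonix Proxy" and the group "IT Admins" are assumptions, and the GUID is the schema's well-known identifier for the Apply Group Policy extended right.

```powershell
# Added example: put a Deny "Apply Group Policy" ACE on a GPO for one group.
# Assumed names: GPO 'Cymphonix Proxy', group 'IT Admins' (the separate admin accounts).
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: PSDrive used for Get-Acl/Set-Acl

$GpoName   = 'Cymphonix Proxy'
$GroupName = 'IT Admins'
# Well-known GUID of the "Apply Group Policy" extended right (Apply-Group-Policy in the schema).
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName
$gpoAd = "AD:\$($gpo.Path)"                 # DN of the groupPolicyContainer object in AD
$sid   = (Get-ADGroup -Identity $GroupName).SID

# Build a Deny ACE for the extended right and append it to the GPO object's ACL.
$acl  = Get-Acl -Path $gpoAd
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoAd -AclObject $acl

# Verify through the Group Policy view: the group must now show Denied = True for GpoApply.
$perm = Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group
if (-not $perm.Denied) {
    Write-Warning "$GroupName is not denied on $GpoName; check the ACE was written."
} else {
    Write-Output "$GroupName is denied Apply Group Policy on $GpoName."
}
```

Because the proxy GPO is user-side, the deny must target the user (admin) accounts, as the comment says; denying the server computer accounts changes nothing.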

I will likely try linking it to the Computers OU and then Authenticated Users like you suggested.

@Neilsr
Thank you for the input. We are revamping many things around our domain as far as security goes, so I will take that into serious consideration. We are a smaller company, so security has been somewhat lax in the past.

Joseph Moody (Blogger and wearer of all hats) commented:
Ok. That is how we do it in our environment. Just make sure that you have loopback policy processing enabled and that you unlink it from user OUs.

AIC-Admin (Author) commented:
@Jmoody10
Forgive me if I sound like an idiot, but in our AD all of our users' computers are contained within a "Computers" container, i.e. it's not an OU.
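The loopback approach described in this comment and in Joseph's earlier one (link to the computer OU, filter on Authenticated Users, loopback merge, unlink from the user side) as an added PowerShell example that is not from the thread. The GPO name "Cymphonix Proxy", the new OU "Domain Computers" and the domain abc.net from the question are the assumed names.

```powershell
# Added example: move the proxy GPO to the workstation OU with loopback merge processing,
# then confirm it is no longer in scope for the Servers OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName       = 'Cymphonix Proxy'                    # assumed GPO name
$DomainDn      = 'DC=abc,DC=net'
$WorkstationOu = "OU=Domain Computers,$DomainDn"      # assumed new OU (containers cannot hold links)
$ServersOu     = "OU=Servers,$DomainDn"

# 1. Create the workstation OU if it does not exist; CN=Computers is a container, not an OU.
if (-not (Get-ADOrganizationalUnit -SearchBase $DomainDn -SearchScope OneLevel `
          -Filter "Name -eq 'Domain Computers'")) {
    New-ADOrganizationalUnit -Name 'Domain Computers' -Path $DomainDn
}

# 2. Loopback processing, Merge mode (UserPolicyMode 1 = Merge, 2 = Replace): the GPO's
#    user-side proxy settings apply to whoever logs on to a computer in scope.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: Authenticated Users (which includes computer accounts) may apply it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link to the workstation OU and drop the domain-level link so servers fall out of scope.
New-GPLink -Name $GpoName -Target $WorkstationOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Remove-GPLink -Name $GpoName -Target $DomainDn -ErrorAction SilentlyContinue | Out-Null

# 5. Verify: direct links plus anything still inherited past Block Inheritance (i.e. Enforced links).
$inh   = Get-GPInheritance -Target $ServersOu
$links = @($inh.GpoLinks) + @($inh.InheritedGpoLinks)
$hit   = $links | Where-Object { $_.DisplayName -eq $GpoName }
if ($hit) {
    Write-Warning "$GpoName still reaches $ServersOu via: $(($hit | ForEach-Object Target) -join ', ')"
} else {
    Write-Output "$GpoName is out of scope for $ServersOu."
}
```

After a logon to a server, `gpresult /r /scope:user` should no longer list the GPO under Applied Group Policy Objects.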

In the Group Policy Management console the Computers container does not show so I cannot link my Cymphonix proxy GPO to it. Am I missing something?

I did not originally configure our AD so I'm catching up a little on the layout.

Joseph Moody (Blogger and wearer of all hats) commented:
Yep. You cannot link a policy to any containers. I would just create a new OU (named something like DOMAINNAME Computers) and drag all of the computers into that OU.

AIC-Admin (Author) commented:
If I create a "Domain Computers" OU and drag the workstations to the OU can I expect anything to change as far as inheritance or will it inherit all the same as long as I do not block?

I will test this with a few workstations before a mass deployment of course.

Joseph Moody (Blogger and wearer of all hats) commented:
It will have the exact same inheritance.

Joseph Moody (Blogger and wearer of all hats) commented:
I always say test!

AIC-Admin (Author) commented:
Thank you for all of your help everyone, especially Jmoody!

I will post back after I have set this up and confirmed it is working!

Joseph Moody (Blogger and wearer of all hats) commented:
No problem at all!