Solved

Block Proxy GPO for Servers

Posted on 2011-03-22
14
666 Views
Last Modified: 2012-05-11
Within our organization we use a Cymphonix Network Composer to filter http, https, and ftp traffic by acting as a proxy device.

We have a Cymphonix Security Group within Active Directory that most users are members of. We have a GPO linked to the Cymphonix Security Group that enables Proxy Settings in Internet Options.

The problem I am having is that some of our IT staff are part of the Cymphonix Security Group and those IT users can log in to servers, which then enables Proxy settings on our servers. This is a bad thing for us because some of our internal communications are http and ftp.

Our servers are in a "Servers" OU that has "Block Inheritance" checked already. The Cymphonix GPO is listed at the Domain Level and when I look at the Domain (abc.net) in Group Policy Management on the Group Policy Inheritance tab the Cymphonix GPO is listed last as Precedence 5.

How can I block this Cymphonix GPO from enabling proxy settings on our servers?
0
Question by:AIC-Admin
14 Comments
 
LVL 7

Expert Comment

by:chris_martin62
Have you tried going into that policy and creating a deny for those computers on the Delegation tab? Or you can create a security group of users and computers and do a deny on the Delegation tab as well. You can do this by going into Group Policy and clicking on the policy, then the Delegation tab; from there select the Advanced button, then do a deny.
0
 
LVL 21

Accepted Solution

by: Joseph Moody (earned 500 total points)
The reason you are having this problem is that the proxy settings are deployed on the user side. Even though you have block inheritance enabled, that only applies to computer-side policies.

In your GPO that sets the proxy settings, you need to deny your IT group (by doing what Chris said). You only need to deny your IT group the apply group policy permission.

You can also link the policy to your computer OUs and change the filtering to Authenticated Users (if it is not). Then enable loopback policy processing (merge mode) within the policy. Afterwards, unlink it from your user-side OUs.
0
 
LVL 37

Expert Comment

by:Neil Russell
Firstly I would ask WHY IT USERS are logging onto servers.

Your IT USERS should ALL have 2 accounts. One that they log into their workstations and do general work with, a DOMAIN USER account, and one that has administrator privs. The ones with admin privs you create in a separate OU that does NOT have your normal domain policies applied to it.

Having IT Users who log in with domain admin privs ALL day for EVERYTHING they do is a huge security hole.
0
 
LVL 3

Author Comment

by:AIC-Admin
When I go to the Cymphonix GPO (that enforces the Proxy Setting) and then to the Delegation tab I can add individual servers from here but I do not have an option to Deny. The only options are "Read; Edit settings; and Edit settings, Delete, modify security".

The Servers OU that I want to block from inheriting this GPO is already set to Block Inheritance, so I don't know why it is even picking up the Cymphonix GPO.
0
 
LVL 21

Expert Comment

by:Joseph Moody
It is being applied to the users. Denying it to the servers will have no effect.

Go to delegation - then advanced. Then add in a security group that has your admins. Then select Deny for Apply Group Policy.
0
 
LVL 3

Author Comment

by:AIC-Admin
@JMoody10
Our CIO wants our IT staff using the proxy since it also provides antivirus scanning of traffic, so I can't exclude our IT OU from the GPO.

I will likely try linking it to the Computers OU and then Authenticated Users like you suggested.

@Neilsr
Thank you for the input. We are revamping many things around our domain as far as security goes, so I will take that into serious consideration. We are a smaller company, so security has been somewhat lax in the past.
0
 
LVL 21

Expert Comment

by:Joseph Moody
Ok. That is how we do it in our environment. Just make sure that you have loopback policy processing enabled and that you unlink it from user OUs.
0
 
LVL 3

Author Comment

by:AIC-Admin
@Jmoody10
Forgive me if I sound like an idiot, but in our AD all of our users' computers are contained within a "Computers" container, i.e. it's not an OU.

In the Group Policy Management console the Computers container does not show, so I cannot link my Cymphonix proxy GPO to it. Am I missing something?

I did not originally configure our AD so I'm catching up a little on the layout.
0
 
LVL 21

Expert Comment

by:Joseph Moody
Yep. You cannot link a policy to any containers. I would just create a new OU (named something like DOMAINNAME Computers) and drag all of the computers into that OU.
0
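The accepted answer's second approach (link the GPO to a computer OU, filter to Authenticated Users, enable loopback merge mode, unlink from the user side) and the follow-up about moving workstations out of the default "Computers" container into a real OU can both be scripted. The following is an added example, not code from the thread or from Cymphonix; it assumes the RSAT ActiveDirectory and GroupPolicy modules, the domain abc.net named in the question, and a hypothetical GPO name "Cymphonix Proxy" and OU name "Domain Computers".

```powershell
# Added example (not from the thread). Assumes RSAT modules, domain abc.net (from the
# question), and hypothetical names for the proxy GPO and the new workstation OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'DC=abc,DC=net'
$GpoName  = 'Cymphonix Proxy'     # hypothetical name of the GPO that sets Internet Options proxy
$WsOuName = 'Domain Computers'    # new OU for workstations, as suggested in the thread
$WsOuDn   = "OU=$WsOuName,$Domain"

# 1. A GPO cannot be linked to the default "Computers" container, so create an OU
#    and move the workstations into it. Servers stay in their own "Servers" OU.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$WsOuName'" -SearchBase $Domain)) {
    New-ADOrganizationalUnit -Name $WsOuName -Path $Domain -ProtectedFromAccidentalDeletion $true
}
# -WhatIf previews the move; drop it once a few test workstations have been moved by hand.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$Domain" |
    Move-ADObject -TargetPath $WsOuDn -WhatIf

# 2. Link the GPO to the workstation OU. The computer account must be able to read and
#    apply the GPO for loopback to work, so grant Apply to Authenticated Users rather
#    than filtering on the user-only Cymphonix group.
New-GPLink -Name $GpoName -Target $WsOuDn -LinkEnabled Yes
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply

# 3. Enable loopback processing in merge mode. UserPolicyMode: 1 = Merge, 2 = Replace.
#    User-side settings in this GPO then apply only when someone logs on to a computer
#    under the linked OU, so a logon to a server in the Servers OU no longer enables the proxy.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 4. Remove the domain-level (user-side) link so the policy stops following the user.
Remove-GPLink -Name $GpoName -Target $Domain

# 5. Verify on a server after 'gpupdate /force' as an IT user: ProxyEnable should be 0 or absent.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name ProxyEnable -ErrorAction SilentlyContinue
```

Run the script from a machine with GPMC installed, as an account that can edit the GPO and move computer objects. The order matters: link to the new OU and enable loopback before removing the domain-level link, otherwise workstations lose the proxy settings during the change-over. Step 5 is the check the thread asks for: on a server the user-side proxy value should no longer be set, while `gpresult /r /scope:user` on a workstation still lists the GPO as applied.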
 
LVL 3

Author Comment

by:AIC-Admin
If I create a "Domain Computers" OU and drag the workstations to the OU can I expect anything to change as far as inheritance or will it inherit all the same as long as I do not block?

I will test this with a few workstations before a mass deployment of course.
0
 
LVL 21

Expert Comment

by:Joseph Moody
It will have the exact same inheritance.
0
 
LVL 21

Expert Comment

by:Joseph Moody
I always say test!
0
 
LVL 3

Author Comment

by:AIC-Admin
Thank you for all of your help everyone, especially Jmoody!

I will post back after I have set this up and confirmed it is working!
0
 
LVL 21

Expert Comment

by:Joseph Moody
No problem at all!
0
