Solved

Group policy to control web access

Posted on 2011-04-19
Last Modified: 2012-05-11
Hi Experts

I am running Windows SBS 2003 server with mainly XP desktop.  

Is there any way I can control access to the internet through group policy? On some machines I would like to restrict access to Internet Explorer completely - is it safe to do this by adding iexplore to the list of programs which cannot be started?

On some other machines I would like to create a list of websites which are allowed to be accessed.   Other than these 3 sites there should be no access.

I can do this already through my Draytek 5510 router but it can only be configured to control PC by IP addresses and I need to be able to do it at user level, so that when a user with elevated access rights logs in they can access all web sites.

thanks
Jon
Question by:JonYen
5 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35428630
Configure a group policy to point to a non-existent proxy (127.0.0.1 for example) for the users that you want to deny all access to.


For the users that you want to allow a few sites to, create another GPO the same way except that you can add the 3 sites you want to allow in the exception list.
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 35428669
similar as below
proxy.png
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35428732
You cannot *reliably* use group policy to control internet access. The reason is that anything you do via group policy is easily bypassed. The only real way to control access to the internet is *at* the internet connection...aka a proxy server or firewall. You should look at either replacing the Draytek or adding another proxy between the Draytek and your network. There are proxy servers and firewalls that are Active-Directory aware and can filter by user. Microsoft's TMG 2010 is clearly the easiest to integrate as an MS technology, but SonicWall, WatchGuard, and other UTM device manufacturers offer AD integration at various levels. Or you could look at building a proxy box and running something like Untangle (an open-source Linux proxy setup) that has a paid add-on for AD.

-Cliff
 

Author Comment

by:JonYen
ID: 35430866
Hi Cliff

The suggestion from dstewart seems like quite an elegant workaround to me - why do you think this wouldn't be reliable? What methods could users employ to bypass this?

thanks
Jon
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35431504
Not all programs pay attention to proxy settings, and bypassing them is trivial...and could even be unintentional.

Example: SanDisk sells a thumb drive that comes with several portable apps pre-installed. Quite handy. Portable Firefox, with Flash, will happily ignore your proxy settings, access whatever site it wants, and with new Flash vulnerabilities surfacing on a near daily basis, your network is at just as much risk as if you did nothing at all.

That is merely an example, and by no means the only way. A business network NEEDS business class protection, and most SMB firewalls worth their salt offer AD integration, so if you can't accomplish this with your firewall already, that is a good sign that you have bigger concerns.

-Cliff
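
An added example, not part of the original thread or any participant's code: a simplified Python model of the dead-proxy-plus-exception-list policy from the accepted answer, and of the caveat above that programs which ignore proxy settings are unaffected by it. The host names, the port, and the matching rules (plain `*` wildcards and `<local>`) are assumptions for illustration; real Internet Explorer matching has additional rules.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample policy (placeholders, not values from the thread).
DEAD_PROXY = "127.0.0.1:80"   # nothing listens here, so proxied requests fail
EXCEPTIONS = "intranet.example.com;*.supplier.example;bank.example;<local>"


def parse_exceptions(raw):
    """Split the semicolon-separated exception list into lowercase patterns."""
    return [p.strip().lower() for p in raw.split(";") if p.strip()]


def bypasses_proxy(host, patterns):
    """True if the host matches an exception and is fetched without the proxy."""
    host = host.lower()
    for pattern in patterns:
        if pattern == "<local>":
            if "." not in host:          # single-label (intranet) names
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def route(url, proxy_aware=True, exceptions=EXCEPTIONS):
    """Return 'direct' or 'blocked' for one request under the modelled policy."""
    host = urlsplit(url).hostname or ""
    if not proxy_aware:
        return "direct"                  # client never reads the proxy policy
    if bypasses_proxy(host, parse_exceptions(exceptions)):
        return "direct"
    return "blocked"                     # sent to DEAD_PROXY, which never answers


def audit(urls, proxy_aware=True):
    """Map each URL to its outcome, to review an exception list before rollout."""
    return {u: route(u, proxy_aware=proxy_aware) for u in urls}


if __name__ == "__main__":
    sample = ["http://intranet.example.com/", "http://www.supplier.example/",
              "http://supplier.example/", "http://news.example.org/",
              "http://sbsserver/companyweb"]
    for aware in (True, False):
        print("proxy-aware client" if aware else "client ignoring proxy settings")
        for url, result in audit(sample, proxy_aware=aware).items():
            print(f"  {result:8} {url}")
```

In this model the bare `supplier.example` is blocked because only the wildcard form is listed, and every URL is reachable for a client that ignores the setting, which is why the restriction has to be enforced at the gateway as well.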
