Solved

Blocking Internet Access

Posted on 2011-04-26
Last Modified: 2012-05-11
I have a pc connected to an sbs 2008 domain. Is it possible to block all internet access except to one site for only this pc?
Question by:Daniel Bertolone
26 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 35465740
Not through SBS. This duty belongs to your edge router/firewall.

-Cliff
0
 
LVL 7

Expert Comment

by:XLITS
ID: 35465767
Something along the lines of an Untangle server would do the job. The Lite package is free and very easy to set up. It's a good package to add to your network anyway with all the other packages it offers besides the web filtering.

http://www.untangle.com

0
 

Author Comment

by:Daniel Bertolone
ID: 35465938
Using a Draytek 2020n router/firewall.

May take a look @ Untangle; I take it this can be installed on my SBS server?
0

 
LVL 3

Expert Comment

by:Ravakl
ID: 35466819
If your users are not advanced, you can create a policy for IE to activate proxy settings, point the proxy to a wrong address, add your site as an exception, and disable access to the Connections tab. I've done it for a group of users. But if anybody has rights and can install Firefox, this solution does not work.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35470381
Untangle cannot be installed on SBS. It must be installed on a machine with 2 NICs and the machine must sit between your internal network and the Internet (like your router/cable-modem/etc. does) so ALL traffic passes through it. That is how access can be granted or blocked, and why SBS cannot do this natively.

-Cliff
0
 
LVL 5

Assisted Solution

by:AJS2011NZ
AJS2011NZ earned 1000 total points
ID: 35473059
You can use Group Policy to set the firewall on this machine to block http and https traffic except the desired site. You can also set policy to force the firewall on and restrict the user's access to it.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35474305
@AJS: the Windows Firewall does not support URL filtering. It is an all-or-nothing affair, thus not accomplishing the poster's goal.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480363
This is super easy...Use group policy to set a proxy to point to 127.0.0.1


Then add to your proxy exceptions the site you want to allow.

Then you might want to configure "Dont allow changing of proxy settings"
fakeproxy.JPG
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35480650
I would strongly recommend against using proxy settings in this way. Proxy settings are designed to allow proxy-aware programs to find and use a proxy/caching server. It was not designed to be a security or URL filter, and often times this does not work as expected. Best case, it is easily bypassed. Worst case, I've seen it lock down all network traffic (including AD!) so that nobody can log back into the machine and a full reformat is required.

Best avoided.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480673
That's your opinion, where's your documentation to back up these statements?

1000's of administrators use this method of a fake proxy to lock down internet explorer.

Instead of flaming every EE member's comments, stick to helping the OP.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35480711
Wasn't a flame. I am sharing real world experience on what setting proxy settings *can* do, which *is* directly relevant to the OP.

As far as documentation, you need look no further than where the group policy settings exist. They don't exist in the computer network settings, nor do they exist in any of the system settings. They exist in the INTERNET EXPLORER settings. This, more than any other indicator, shows how proxy settings work. IE will listen to them. Firefox *can* listen to them, or ignore them. Chrome, similar. These programs now come on many USB drives, so it doesn't require an advanced user to completely bypass the proxy settings with their own browser. But various Windows components *do* pay attention to proxy settings, and if you forget to check the "ignore proxy settings for local connections" and if your network is configured in a way that the AD server is not detected as local, some of the components that do obey the proxy settings will try to access via proxy, fail, and thus logins also fail.

This isn't some bizarre edge case or convoluted bug. This is basic networking principles, understanding how the OS works, and understanding why the group policy settings are located where they are. A very methodical application of logic can extrapolate why using proxy settings this way is bad.

As far as 1000's of administrators using this method, that holds little water with me. In this SBS group alone, you can see what thousands of administrators do that is wrong, and then they come here asking for help afterwards. As an example, a common thing seen with SBS 2008 was an administrator choosing to manually install Exchange after an SBS install only completes partially...and then 90 days later Exchange is complaining about not being activated. We are starting to see the same thing with 2011. In all installation and migration docs, Microsoft clearly states that a failed install should be restarted; pushing through leads to bad things, yet "1000's" of administrators do exactly that anyways.

So yes, I'm sure many administrators misuse proxy settings, and many probably achieve some level of success. It does not validate the practice or mean that I'd give it as advice. I can only do what I think is best for the OP (as you suggest I do) and that means saying to actively avoid practices I consider harmful. This is one of those. As you say, "that is your opinion" and as I am entitled to mine, you are entitled to yours. I've provided an argument and a series of thought processes to back it up and now the OP can choose.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480752
Original Question:

"I have a pc connected to an sbs 2008 domain. Is it possible to block all internet access except to one site for only this pc? "


I wasn't suggesting proxy settings on the SBS, only to configure GPO to apply to the ONE PC.
Fake proxy would work just fine in this scenario.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35480823
I understand that we are not talking about changing settings on SBS. A group policy that changes proxy settings on a PC *will not* block access to the internet. My description of how a PC (XP/Vista/Win7) would apply the group policy settings and how they work does not change. They will prevent IE and *some* other programs from accessing websites, but programs that offer the ability to ignore proxy settings (Firefox, cannot be forced to obey proxy even via group policy) will happily continue to access the internet just fine.

The problem lies in the architecture of the proxy settings. They are not applied at the network level or even the application level, but are instead published settings that a program that knows how to query the OS can choose to use. It is *not* enforced except for programs that offer enforcement (IE) thus in the strictest definition, internet access is NOT blocked. *PROGRAM* access (program dependent!) is blocked, and that is not at all the same thing, and as I've previously explained, is easily bypassed.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480880
For one, if users were set as normal users as they should be...then they can't install Firefox, Chrome, or any other browser to begin with. This is a must if you want to control users of anything.


BTW firefox proxy can so be controlled by GPO

http://www.frontmotion.com/Firefox/fmfirefoxconfig.htm


I never said it was the best way, I only said it was the easiest. Whether you like it or not.. it still works for the average user.


I'm done arguing with you so don't bother to comment unless directed at the OP.

0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480884
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35480892
Regarding installation of firefox, please refer to my previous explanation regarding portable applications on USB keys. Increasingly common, do *not* install thus do not require admin privileges, and do not pay attention to group policy settings because they are not installed. If you'd like to see a ton of internet-capable apps that a user can use to bypass your proxy settings, and that they can use without needing admin privileges, go to www.portableapps.com.  Proxy settings *are not security settings* and using them does not accomplish the requested goal, pure and simple.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480914
"please refer to my previous explanation regarding portable applications on USB keys."

??? this was the first mention of it.


Hence the biggest reason to disable USB drives as we do in our environment.

Sure sounds like it would be easy to penetrate your environment
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35480927
So now, for the OP to accomplish his goal, you want to enable proxy settings, download a firefox ADM file, configure that, and block USB storage (which is not practical in all environments.) That is nowhere listed in your initial suggestion. As I have consistently said, URL filtering should be done at the network edge, otherwise it is easily circumvented.

Re: "Sure sounds like it would be easy to penetrate your environment" ...THAT was a flame, did not address the OP in any way, and is doing what you accused me of. Therefore I will not address it or defend "my environment" as it is not on topic. Thanks for playing.

-Cliff
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35480966
Both Firefox and USB storage were brought up by you. With proper GPO's and Security settings they Cannot be circumvented. Like I said this is only a quick, easy and cheap(free) way to do it....even if it's not the best.
0
 
LVL 5

Expert Comment

by:AJS2011NZ
ID: 35481295
Certainly the Windows firewall doesn't support URLs, but since it's only a single site, and all the solutions so far will require a certain amount of management, I'd still say specifying an IP or range of IPs is viable. It also gets around browser specifics.
0
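The IP-based Windows Firewall approach suggested above, written out as `netsh advfirewall` commands; this is an added example, not something posted in the thread. It assumes the restricted PC runs Windows Vista/7 or later (the XP firewall has no outbound filtering), that the SBS server is on the same subnet as the PC, and that `192.0.2.10,192.0.2.11` are placeholder addresses standing in for the permitted site.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated prompt on the one
rem restricted PC. All addresses and rule names here are placeholders.

rem Placeholder: every address the permitted site answers on (commas, no spaces).
set ALLOWED_SITE=192.0.2.10,192.0.2.11

rem 1. Make sure the firewall is on in the domain, private and public profiles.
netsh advfirewall set allprofiles state on

rem 2. Default-deny outbound traffic. Adding a "block TCP 80/443" rule next to an
rem    allow rule would not work: an explicit block rule wins over an allow rule,
rem    so the exception has to be carved out of a blocking default instead.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 3. Keep the local subnet reachable so domain logon, DNS and file/print
rem    against the SBS server continue to work (assumes the server is on-subnet).
netsh advfirewall firewall add rule name="Out - local subnet" dir=out action=allow remoteip=localsubnet

rem 4. Allow web traffic only to the permitted site's addresses.
netsh advfirewall firewall add rule name="Out - permitted site" dir=out action=allow protocol=TCP remoteip=%ALLOWED_SITE% remoteport=80,443

rem 5. Review what was created. Any other enabled outbound allow rule on the
rem    machine also punches through the default block, so check those too.
netsh advfirewall firewall show rule name="Out - permitted site"
netsh advfirewall show allprofiles firewallpolicy
```

The same default and rules can be defined in a separate GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security and applied only to that PC. The allow list only works while it contains every address the site serves content from.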
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35481306
AJ: true. A little heavy on the manual management and maintenance for my tastes, but it would work. Creative. I like it. :)

-Cliff
0
 

Author Comment

by:Daniel Bertolone
ID: 35738406
"You can use Group Policy to set the firewall on this machine to block http and https traffic except the desired site. You can also set policy to force the firewall on and restrict the users access to it"

In order to apply this, which group policy object would I select? Currently I use the Windows SBS Client Policy to make changes that I want to roll out to the entire network.
0
 

Author Comment

by:Daniel Bertolone
ID: 35752947
Any tips guys, which group policy object would I select?
0
 
LVL 5

Expert Comment

by:AJS2011NZ
ID: 35753311
Personally, I would create a new policy. The risk in changing the SBS policies is that some of the wizards can recreate the policies and wipe your changes.
0
 

Author Comment

by:Daniel Bertolone
ID: 35784609
I have decided to use my router to block the web traffic. I have successfully managed to block all internet activity for this specific PC but am struggling with creating the exception for the BBC website that I would like to enable access to.

I created the necessary rules & the BBC website attempts to load but is extremely slow and the page does not load fully, making it unusable. I have spoken with Draytek tech support & they advised that this is because the BBC uses multiple IPs & I should use a product such as Wireshark to find out all of the IPs that the BBC use. I ran Wireshark on my PC & browsed to the BBC website & captured what I thought was all of the IPs but I am still struggling with the same issue.

Is there any other way I can find out the entire IP range that the BBC are using?
0
 

Author Comment

by:Daniel Bertolone
ID: 35830121
Managed to resolve the issue guys via the router

Thanks for all the tips!!
0


Question has a verified solution.
