Blocking Internet Access

Daniel Bertolone
Last Modified: 2012-05-11
I have a PC connected to an SBS 2008 domain. Is it possible to block all internet access except to one site for only this PC?

Commented:
Something along the lines of an Untangle server would do the job. The Lite package is free and very easy to set up. It's a good package to add to your network anyway with all the other packages it offers besides the web filtering.

http://www.untangle.com

Author

Commented:
Using a Draytek 2020n router/firewall.

May take a look @ Untangle. Take it this can be installed on my SBS server?
CERTIFIED EXPERT

Commented:
If your users are not advanced, you can create a policy for IE to activate proxy settings, point the proxy to a wrong address, add your site as an exception, and disable access to the Connections tab. I've done it for a group of users. But if anybody has rights and can install Firefox, this solution does not work.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Untangle cannot be installed on SBS. It must be installed on a machine with 2 NICs and the machine must sit between your internal network and the Internet (like your router/cable-modem/etc does) so ALL traffic passes through it. That is how access can be granted or blocked, and why SBS cannot do this natively.

-Cliff
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
@AJS: The Windows firewall does not support URL filtering. It is an all-or-nothing affair, thus not accomplishing the poster's goal.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
This is super easy... Use Group Policy to set a proxy to point to 127.0.0.1


Then add to your proxy exceptions the site you want to allow.

Then you might want to configure "Dont allow changing of proxy settings"
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I would strongly recommend against using proxy settings in this way. Proxy settings are designed to allow proxy-aware programs to find and use a proxy/caching server. It was not designed to be a security or URL filter, and often times this does not work as expected. Best case, it is easily bypassed. Worst case, I've seen it lock down all network traffic (including AD!) so that nobody can log back into the machine and a full reformat is required.

Best avoided.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
That's your opinion, where's your documentation to back up these statements?

1000's of administrators use this method of a fake proxy to lock down internet explorer.

Instead of flaming every EE member's comments, stick to helping the OP.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Wasn't a flame. I am sharing real world experience on what setting proxy settings *can* do, which *is* directly relevant to the OP.

As far as documentation, you need look no further than where the group policy settings exist. They don't exist in the computer network settings, nor do they exist in any of the system settings. They exist in the INTERNET EXPLORER settings. This, more than any other indicator, shows how proxy settings work. IE will listen to them. Firefox *can* listen to them, or ignore them. Chrome, similar. These programs now come on many USB drives, so it doesn't require an advanced user to completely bypass the proxy settings with their own browser. But various Windows components *do* pay attention to proxy settings, and if you forget to check the "ignore proxy settings for local connections" and if your network is configured in a way that the AD server is not detected as local, some of the components that do obey the proxy settings will try to access via proxy, fail, and thus logins also fail.

This isn't some bizarre edge case or convoluted bug. This is basic networking principles, understanding how the OS works, and understanding why the group policy settings are located where they are. A very methodical application of logic can extrapolate why using proxy settings this way is bad.

As far as 1000's of administrators using this method, that holds little water with me. In this SBS group alone, you can see what thousands of administrators do that is wrong, and then they come here asking for help afterwards. As an example, a common thing seen with SBS 2008 was an administrator choosing to manually install Exchange after an SBS install only completes partially...and then 90 days later Exchange is complaining about not being activated. We are starting to see the same thing with 2011. In all installation and migration docs, Microsoft clearly states that a failed install should be restarted; pushing through leads to bad things, yet "1000's" of administrators do exactly that anyways.

So yes, I'm sure many administrators misuse proxy settings, and many probably achieve some level of success. It does not validate the practice or mean that I'd give it as advice. I can only do what I think is best for the OP (as you suggest I do) and that means saying to actively avoid practices I consider harmful. This is one of those. As you say, "that is your opinion" and as I am entitled to mine, you are entitled to yours. I've provided an argument and a series of thought processes to back it up and now the OP can choose.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Original Question:

"I have a pc connected to an sbs 2008 domain. Is it possible to block all internet access except to one site for only this pc? "


I wasn't suggesting proxy settings on the SBS, only to configure GPO to apply to the ONE PC.
Fake proxy would work just fine in this scenario.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I understand that we are not talking about changing settings on SBS. A group policy that changes proxy settings on a PC *will not* block access to the internet. My description of how a PC (XP/Vista/Win7) would apply the group policy settings and how they work does not change. They will prevent IE and *some* other programs from accessing websites, but programs that offer the ability to ignore proxy settings (Firefox, cannot be forced to obey proxy even via group policy) will happily continue to access the internet just fine.

The problem lies in the architecture of the proxy settings. They are not applied at the network level or even the application level, but are instead published settings that a program that knows how to query the OS can choose to use. It is *not* enforced except for programs that offer enforcement (IE) thus in the strictest definition, internet access is NOT blocked. *PROGRAM* access (program dependent!) is blocked, and that is not at all the same thing, and as I've previously explained, is easily bypassed.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
For one, if users were set as normal users as they should be...then they can't install Firefox, Chrome, or any other browser to begin with. This is a must if you want to control users of anything.


BTW Firefox proxy can so be controlled by GPO

http://www.frontmotion.com/Firefox/fmfirefoxconfig.htm


I never said it was the best way, I only said it was the easiest. Whether you like it or not.. it still works for the average user.


I'm done arguing with you so don't bother to comment unless directed at the OP.

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Regarding installation of Firefox, please refer to my previous explanation regarding portable applications on USB keys. Increasingly common, do *not* install thus do not require admin privileges, and do not pay attention to group policy settings because they are not installed. If you'd like to see a ton of internet-capable apps that a user can use to bypass your proxy settings, and that they can use without needing admin privileges, go to www.portableapps.com. Proxy settings *are not security settings* and using them does not accomplish the requested goal, pure and simple.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
"please refer to my previous explanation regarding portable applications on USB keys."

??? this was the first mention of it.


Hence the biggest reason to disable USB drives as we do in our environment.

Sure sounds like it would be easy to penetrate your environment
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
So now, for the OP to accomplish his goal, you want to enable proxy settings, download a Firefox ADM file, configure that, and block USB storage (which is not practical in all environments.) That is nowhere listed in your initial suggestion. As I have consistently said, URL filtering should be done at the network edge, otherwise it is easily circumvented.

Re: "Sure sounds like it would be easy to penetrate your environment" ...THAT was a flame, did not address the OP in any way, and is doing what you accused me of. Therefore I will not address it or defend "my environment" as it is not on topic. Thanks for playing.

-Cliff
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Both Firefox and USB storage were brought up by you. With proper GPOs and security settings they cannot be circumvented. Like I said, this is only a quick, easy and cheap (free) way to do it....even if it's not the best.

Certainly the Windows firewall doesn't support URLs, but since it's only a single site, and all the solutions so far will require a certain amount of management, I'd still say specifying an IP or range of IPs is viable. It also gets around browser specifics.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
AJ: true. A little heavy on the manual management and maintenance for my tastes, but it would work. Creative. I like it. :)

-Cliff

Author

Commented:
"You can use Group Policy to set the firewall on this machine to block http and https traffic except the desired site. You can also set policy to force the firewall on and restrict the users access to it"

In order to apply this, which group policy object would I select? Currently I use the Windows SBS Client Policy to make changes that I want to roll out to the entire network.

Author

Commented:
Any tips guys? Which group policy object would I select?

Personally, I would create a new policy. The risk in changing the SBS policies is that some of the wizards can recreate the policies and wipe your changes.

Author

Commented:
I have decided to use my router to block the web traffic. I have successfully managed to block all internet activity for this specific PC but am struggling with creating the exception for the BBC website that I would like to enable access to.

I created the necessary rules & the BBC website attempts to load but is extremely slow and the page does not load fully, making it unusable. I have spoken with Draytek tech support & they advised that this is because the BBC uses multiple IPs & I should use a product such as Wireshark to find out all of the IPs that the BBC use. I ran Wireshark on my PC & browsed to the BBC website & captured what I thought was all of the IPs but I am still struggling with the same issue.

Is there any other way I can find out the entire IP range that the BBC are using?
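
The situation described in this post, as an added example that is not part of the original thread: a page pulls sub-resources from several hostnames, each resolving to one or more IPs, so an IP allow list built from one lookup leaves gaps and the page loads partially. The sample page, hostnames, documentation-range addresses and the `allowlist_gaps` helper are constructed for illustration; resources requested later by scripts are not seen by this static parse.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: assets come from several hostnames.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.example.net/site.css">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<img src="https://images.example.net/logo.png">
<a href="https://other.example.com/news">News</a>
<img src="/local/banner.png">
</body></html>"""

# Tags the browser fetches automatically, and the attribute holding the URL.
FETCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceHosts(HTMLParser):
    """Collect every hostname needed to render the page."""
    def __init__(self, page_host):
        super().__init__()
        self.hosts = {page_host}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == FETCHED.get(tag) and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)

def system_resolver(host):
    """IPv4 addresses from local DNS (needs network access)."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def allowlist_gaps(html, page_host, allowed_ips, resolve=system_resolver):
    """Map each required host to its IPs missing from the allow list."""
    parser = ResourceHosts(page_host)
    parser.feed(html)
    gaps = {}
    for host in sorted(parser.hosts):
        missing = [ip for ip in resolve(host) if ip not in allowed_ips]
        if missing:
            gaps[host] = missing
    return gaps
```

DNS answers for large sites change over time, so a list produced this way goes stale and has to be regenerated; filtering by hostname at the network edge avoids maintaining the IP list by hand.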

Author

Commented:
Managed to resolve the issue guys via the router

Thanks for all the tips!!