url blocking through group policy in windows server 2003 domain

Posted on 2011-04-27
1,869 Views
Last Modified: 2012-05-11
Hi,
In my office we are using a domain: Windows Server 2003 R3. We have Windows 2000 Professional, Windows XP and Windows Vista clients.
We don't have any proxy server.
I am implementing group policies for restriction. I want to implement a policy like:

1. I want to block some sites for some users; the remaining users should be able to access those sites.
2. I want to allow only specified sites for some users, according to their department.

I created OUs according to the departments. The only thing I need is to apply the group policies through the domain.

In my office we are using IE6, IE7, IE8, Opera, Firefox and Chrome. I need a policy that is applicable to all the browsers.

Please help me solve this.


Thanks
Question by:ramachandraraju
 
LVL 15

Assisted Solution

by:JBond2010
JBond2010 earned 100 total points
ID: 35474047
Refer to the link below and this will provide you with a step by step guide on how to allow and block URLs using Group Policy.

http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/
0
 
LVL 6

Expert Comment

by:Azhrei1
ID: 35474247
JBond's solution will help, BUT, only for Internet Explorer.

The other browsers will ignore the group policy and will work fine. Your only alternatives are (pick one):

- 3rd party software on the clients
- DNS redirection (make fake DNS entries; no user filtering possible, though)
- Microsoft ISA Server (firewall and proxy that will allow this and more in detail)

Some other 3rd party firewall/proxy appliances (some hardware some are software) will also do the job.
0
 
LVL 1

Expert Comment

by:Rehman_itends
ID: 35474297
What network resources do you have? Can you explain your present infrastructure?
0
 
LVL 4

Accepted Solution

by:eli_cook
eli_cook earned 400 total points
ID: 35474858
The best way to implement what you are looking to do is to create a proxy server and filter internet traffic. The basics of what you would need to do:
1. Install a proxy server (I use SquidNT; it integrates with Active Directory very well and is free).
2. Configure the proxy server to your security policies, for example log retention etc.
3. Create groups in AD that you want to restrict access to and add your users as members of these groups. Diagram your policy; it will make it easier to implement.
4. Configure the groups in the proxy server and add your restrictions.
5. Test - with a few workstations and / or users.
6. If testing goes well, use a GPO to apply the proxy settings to all the computers in your organization.
7. Once you are comfortable with how things are running, configure your firewall to block access from any of the workstations to the common ports used for browsing, like 80 (HTTP) and 443 (HTTPS) - this prevents someone from removing the proxy settings from their computer and getting to the internet, effectively bypassing the restrictions.

Here are some resources for you:
SquidNT Download
http://squid.acmeconsulting.it/

SquidNT Installation Instructions
http://how-to-solutions.com/installing-and-configuring-squidnt-27-on-a-windows-domain.html
0
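A squid.conf fragment added here as an example of steps 3 and 4 above (it is not part of eli_cook's answer or of the SquidNT project): one AD group gets a deny list, a second group gets an allow-only list, and everyone else browses unfiltered. The helper paths, the group names Finance-Web and Sales-Web, and the two list files are assumptions; the NTLM helper must already be working against the domain.

```conf
# Constructed example, not from the thread. Paths and group names are placeholders.
# Authenticate every request against the domain so Squid knows the AD user name.
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
acl AuthUsers proxy_auth REQUIRED

# Map the authenticated user (%LOGIN) to an AD group via the group-check helper (assumed path).
external_acl_type ADGroup %LOGIN c:/squid/libexec/mswin_check_ad_group.exe
acl Finance external ADGroup Finance-Web
acl Sales   external ADGroup Sales-Web

# Domain lists, one per line with a leading dot to match subdomains, e.g. ".example.com"
acl finance_deny  dstdomain "c:/squid/etc/finance-deny.txt"
acl sales_allow   dstdomain "c:/squid/etc/sales-allow.txt"

# Rules are evaluated top to bottom; the first match wins.
http_access deny  !AuthUsers              # force authentication
http_access deny  Finance finance_deny    # requirement 1: block listed sites for one group
http_access allow Sales   sales_allow     # requirement 2: allow-only for another group
http_access deny  Sales
http_access allow AuthUsers               # everyone else: unfiltered
http_access deny  all
```

Remember that this only bites once the firewall blocks direct 80/443 from the workstations (step 7), otherwise a user can simply clear the proxy setting.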
 

Author Comment

by:ramachandraraju
ID: 35474898
Actually, here we are using some customized applications, so I can't use a proxy. The only way I have is through group policies in the domain.
0
 
LVL 4

Assisted Solution

by:eli_cook
eli_cook earned 400 total points
ID: 35475182
Through the use of proper configuration on a proxy server and firewall rules to allow your customized applications (not through the proxy) it should be possible. You can define proxy settings at the client to bypass internet addresses that your customized application uses and allow that traffic unfiltered through the firewall.

In order to configure OPERA, Firefox or Chrome through Group Policy you need administrative templates (this would be the ideal way to configure these applications) that can be imported to your group policy objects. Doing a quick search only yields a template for Firefox - but I don't know if it will allow you to filter traffic. Also I have never heard of or used this template before so please take caution before implementing it.
http://www.frontmotion.com/Firefox/fmfirefox.htm
If you can't find administrative templates to configure the browsers, another way to configure the applications is by modifying the registry entries that hold their settings (this is what the GPO admin templates do), but this is time consuming and it can become a very large project to implement and maintain.

As I suggested before, a proxy server / filtering appliance is really what you are looking for here. You would need to have policies for every browser available (http://en.wikipedia.org/wiki/List_of_web_browsers) -- one of the popular browsers you left off the list is Safari. Do you really want to maintain and build new GPOs every time a browser becomes popular?

The only other option you would have is to find an application that can be installed and configured via GPO or integrated into AD that would be installed on EVERY workstation and apply the rules that you defined for your Active Directory Groups.
This application would fall into the last option (it can be integrated into AD)
http://www.vistaspysoftware.com/web-filter-x/
0
 

Author Comment

by:ramachandraraju
ID: 35481200
Hi Azhrei1,

"DNS redirection (make fake DNS entries, no user filtering possible though)"

How do I do this DNS redirection?

I can't use proxy servers in my organization. I have to do it with the group policies only.
Is there any relation between the browser's version (IE) and group policies? I mean, in our organization we have 2000, XP and Vista clients. On 2000 I can use only IE6, on the remaining clients I am using IE7, and on the server I am using IE8.

Please help me.
0
 
LVL 6

Expert Comment

by:Azhrei1
ID: 35481253
Hi Ramacha,

If you use a group policy and specify browser settings, they will apply to all versions of Internet Explorer, for all clients. There are some minor settings that older browsers might not use, but they don't apply to URL blocking.

As for your DNS, you can add websites you don't want users to visit to your DNS server, and specify an internal IP, for example of the DNS server itself, and then put a small HTML page in its IIS webroot (or any other webserver you have/make), saying something like 'blocked by administrator'. Even better would be '404 Page unavailable' so they don't know you're blocking them.

Make sure you specify in your firewall that your users are not allowed to use other ports than 80 and 443 or they could circumvent your security by using a proxy server outside your network. Secondly you want to block DNS traffic from the outside to your local workstations as well, as they could circumvent by using another DNS server. This of course depends on the knowledge and skill of your users...the average user has no clue how to circumvent a fake dns entry.
0
 

Author Comment

by:ramachandraraju
ID: 35481606
Hi Azhrei1,
Can you tell me how to apply these settings and where I have to apply them on the DNS server?
0
 
LVL 4

Assisted Solution

by:eli_cook
eli_cook earned 400 total points
ID: 35488400
If you want to use DNS redirection a service like OpenDNS works well. You would need to forward all of your external DNS requests to the OpenDNS servers. This can be done in the DNS management snap-in.

http://www.opendns.com/

Here is a setup guide for Windows Server 2003 - please note this applies to the entire organization (it's based on external IP address) and like Azhrei1 mentions you cannot apply any per user settings.

https://store.opendns.com/setup/operatingsystem/windows-server-2003
0
 
LVL 6

Expert Comment

by:Azhrei1
ID: 35489482
I don't know Ramachan, what kind of DNS server do you have? Windows 2003/2008?
0
 

Author Comment

by:ramachandraraju
ID: 35490130
Windows Server 2003 R2
0
 
LVL 4

Assisted Solution

by:eli_cook
eli_cook earned 400 total points
ID: 35490752
Here are the steps from Microsoft detailing the creation of new zones; you will need to create a zone for each domain that you would like to internally redirect.
http://support.microsoft.com/kb/323445
0
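The zone-per-domain sinkhole that Azhrei1 describes and that the KB article walks through in the GUI, written as a batch script for the Windows Server 2003 DNS server using dnscmd. This is an added example, not from either expert's post or from Microsoft; the block-page address, the blocked-domains.txt contents and the forwarder addresses are constructed placeholders.

```batch
@echo off
rem Constructed example for the DNS server; run as a domain administrator.
rem BLOCKPAGE is a placeholder: the internal IIS host that serves the "blocked" page.
setlocal
set BLOCKPAGE=10.0.0.5
set BLOCKLIST=%~dp0blocked-domains.txt

rem blocked-domains.txt holds one domain per line; create a constructed sample if it is missing.
if not exist "%BLOCKLIST%" (
    echo example.com> "%BLOCKLIST%"
    echo example.net>> "%BLOCKLIST%"
)

rem Sinkhole every listed domain, then show the server now answers for them itself.
for /f "usebackq eol=# tokens=1" %%D in ("%BLOCKLIST%") do call :sinkhole %%D
for /f "usebackq eol=# tokens=1" %%D in ("%BLOCKLIST%") do nslookup www.%%D 127.0.0.1

rem Optional (eli_cook's OpenDNS suggestion): send all other external lookups to the
rem resolver addresses from the OpenDNS setup guide. Placeholders shown, hence commented out.
rem dnscmd /ResetForwarders RESOLVER-IP-1 RESOLVER-IP-2
endlocal
goto :eof

:sinkhole
rem One standard primary zone per blocked domain (the KB 323445 procedure), so this server
rem becomes authoritative for it and never forwards the lookup. The zone root, www and a
rem wildcard all resolve to the internal block page.
dnscmd /ZoneAdd %1 /Primary /file %1.dns
dnscmd /RecordAdd %1 @   A %BLOCKPAGE%
dnscmd /RecordAdd %1 www A %BLOCKPAGE%
dnscmd /RecordAdd %1 *   A %BLOCKPAGE%
goto :eof
```

As Azhrei1 notes, this applies to everyone (no per-user rules) and only holds if the firewall also blocks outbound DNS and other ports from the workstations; HTTPS sites will show a certificate error rather than the block page.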