Solved

Locking Down IE for a terminal server

Posted on 2013-06-04
Last Modified: 2013-06-06
Hi Experts,

We have a terminal server accessible to clients. Presently Internet Explorer is not enabled for users. However, one user requires access for an application they run.

I can restrict access so that she can run IE, but I wanted to lock down IE as much as possible, both for security and so as to deter her from abusing this access.

What GPOs would you consider best practice in this matter?
Question by:FSIFM
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 39218261
Hi FSIFM,

You create a GPO policy for IE to use proxy server 1.1.1.1.

Do not give users the option to change the proxy server.

This way the user will be able to see the internal website but can't go outside the network.
 
LVL 4

Author Comment

by:FSIFM
ID: 39218280
Hi viralrathod,

Unfortunately it's an external site they need access to for this application.
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 39218313
Hi FSIFM,

You can use Content Advisor

Content Advisor is a tool for controlling the types of content that your computer can access on the Internet. After you turn on Content Advisor, only rated content that meets or exceeds your criteria can be viewed. You can adjust the settings to suit your preferences.

http://windows.microsoft.com/en-in/windows7/internet-explorer-content-advisor-frequently-asked-questions
 
LVL 8

Expert Comment

by:barrykfl
ID: 39218335
I used policy + Registry, hard-coded the IE, then no change and no bar, cannot edit the address.
 
LVL 4

Author Comment

by:FSIFM
ID: 39218470
Hi Barry,

What policies did you use?
 
LVL 4

Author Comment

by:FSIFM
ID: 39218560
Pretty much I need to allow IE access to all sites, but lock it down to be as secure as possible and prevent the user from doing anything that could be malicious.
 
LVL 3

Expert Comment

by:Hir0
ID: 39219836
I usually use a whitelist approach. Just lock down the Internet Zone and add the site or sites you wish to allow unrestricted access to your Trusted Sites list. See attached group policy reports for some ideas.

You can add sites to your "whitelist" by adding domains to User Configuration > Policies > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Site to zone assignment list.

For instance, to add the Google domain to the Trusted sites zone you would use http://*.google.com as the domain and 2 as the zone number.

Hope this gets you in the right direction.
User-Policy---Employee---IE---Tr.htm
User-Policy---Employee---IE---In.htm
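The following PowerShell, added here as an example and not taken from the thread or the attached policy reports, audits Site to Zone Assignment List entries: it maps each zone number to its zone name and flags Trusted sites entries that use plain HTTP or a wildcard. The `example.com`/`example.net` entries and the function name `Test-ZoneMapEntry` are constructed for illustration; the registry path is the `ZoneMapKey` policy key where this setting stores its entries.

```powershell
# Added example (not from the thread): audit Site to Zone Assignment List entries.
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Test-ZoneMapEntry {
    # Hypothetical helper: names the zone and notes what a Trusted sites entry exposes.
    param([string]$Pattern, [string]$Zone, [string]$Source = 'sample')
    $zoneId = 0
    $notes = @()
    if (-not [int]::TryParse($Zone, [ref]$zoneId) -or -not $ZoneNames.ContainsKey($zoneId)) {
        $notes += 'zone value is not 1-4'
    }
    elseif ($zoneId -eq 2) {
        if ($Pattern -match '^http://') { $notes += 'trusted over plain HTTP' }
        if ($Pattern -match '\*')       { $notes += 'wildcard trusts every subdomain' }
    }
    [pscustomobject]@{
        Source  = $Source
        Pattern = $Pattern
        Zone    = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { $Zone }
        Notes   = $notes -join '; '
    }
}

# Constructed sample entries; the first is the one quoted in the answer above.
$sample = [ordered]@{
    'http://*.google.com'        = '2'
    'https://portal.example.com' = '2'
    'https://files.example.net'  = '5'   # invalid on purpose
}
$report = @(foreach ($p in $sample.Keys) { Test-ZoneMapEntry $p $sample[$p] })

# On the terminal server, also read what Group Policy actually applied (user and machine).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (Test-Path $key) {
        $item = Get-Item $key
        $report += @(foreach ($n in $item.GetValueNames()) {
            Test-ZoneMapEntry $n $item.GetValue($n) $hive
        })
    }
}
$report | Format-Table -AutoSize
```

Run it in the affected user's session so that the `HKCU:` read reflects the policy applied to that user.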
 
LVL 3

Accepted Solution

by:
Hir0 earned 500 total points
ID: 39219872
Here are the policies I use to lock down IE and Control Panel applets as well.
User-Policy---Standard-User---Co.htm
User-Policy---Standard-User---In.htm
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39219952
Aside from policies and Content Advisor, how about providing this terminal user with a shortcut that launches Internet Explorer in kiosk mode? Make a shortcut to run iexplore.exe -k

That removes the toolbar at the top completely.
 
LVL 3

Expert Comment

by:Hir0
ID: 39219996
What stops the user from creating a hyperlink in any application and launching the desired website from there?
 
LVL 4

Author Comment

by:FSIFM
ID: 39221328
Kiosk mode sounds good, but unfortunately the user won't be launching IE from a shortcut. The reason for allowing IE access is the client has an application that automatically wildcard-searches companies that are entered into it (it's a sales-type program) and then ties their websites as links against their files.

As a result the sites they may visit could be anything, so I'm not so much concerned with restricting the sites available to them, more locking IE down to limit any damage they could do and deter them from using it outside of the application.
 
LVL 4

Author Comment

by:FSIFM
ID: 39221331
Hiro,

Cheers for the policies mate, I'll definitely take a look at them and use them as a template.
 
LVL 3

Expert Comment

by:Hir0
ID: 39221749
They are pretty tight, so you may have to loosen up a bit or you'll find yourself adding sites to the whitelist all the time, but it should be a great place to start. Glad to help :)