LockDown32 asked:
Restrict Internet Access by User in a SBS 2011 Domain

I have a SBS 2011 Domain that the boss wants to restrict internet access by username. My first thought was to move users he didn't want to have internet to a new OU like "No Internet" and then linking a GPO to that OU and doing something like setting a bogus proxy server in the Internet Explorer settings.

Then thinking about it the proxy settings are just for IE aren't they? So wouldn't they be able to use Chrome or Firefox? Anyway... is there a way to keep users from having internet based on username?
ASKER CERTIFIED SOLUTION: Michael Dyer
LockDown32 (asker):
Well... this whole thing started because a couple of users got infected and caused major problems. I suggested to them removing the users as administrators of their computers, which would 1) keep them from installing freebies from the internet and 2) keep the damage done by malware to a minimum, because it shouldn't be able to do anything to their computers. That idea didn't fly.

The server is the DNS server and all workstations point to it for DNS. The server in turn forwards to Comcast's DNS servers, so I don't see how using DNS would help unless we use forwarders to some kind of third-party DNS like (ah, I forget the name, but they do web filtering).

It looks like we might be limited to using an appliance or a third party something. Any ideas along that line?
And I do agree - NO ONE should be running as an administrator. That's FOOLISH. The problem is, even theoretically GOOD web sites can get infected and simply VISITING those sites can infect a machine - the end user may be COMPLETELY INNOCENT, so punishing them is childish in itself, in my opinion. (If memory serves, a few years back the Kaspersky Antivirus company's web site was hacked... AN ANTIVIRUS COMPANY!)
Well... I am not coming to a strong defense of this, but a defense nonetheless. I administer several small networks and on a majority of them I let the users be administrators, simply from the standpoint that I am not there 24/7 and they have several third-party software apps that are maintained by other vendors. From a cost standpoint it is cheaper to let them be administrators so third-party vendors can support their software. I am not a fan of it by any means, but it does have its place. The REAL problem is that, as is always the case, there are a few rotten apples in every barrel. One or two users who just don't get it. One or two users who abuse the internet. It is always the same people. Anyway...

An appliance that uses LDAP sounds like the solution. Not warm and fuzzy about UTM, just from the standpoint that users can bring in infected flash drives, USB hard drives, floppy drives, etc. that a UTM appliance (as a rule) can't prevent. That in turn requires software on the computers, so why mess with UTM too?

All the above are good ideas and the feedback has been great, but is anyone actually blocking users from the internet based on username?
Korbus:
Hi Lockdown,

Important enough that I'll post again, even though you closed the question:

Your comments regarding the flaws of a UTM device are a perfect example of why you MUST not come to the defense of granting users admin access.

I understand the people-problems and cost/support-problems you face with this; been through it many, many times. The best compromise solution I've found for users AND me is to use a second "Installer" account that has local admin rights. Users have these credentials and can give them to vendors during support calls. With Windows 7, they don't even need to log off; they just enter those credentials in the install security popup.
Does this actually grant any more security in Windows 7 than the regular Windows 7 "approve install" popup? The answer is YES; asking for credentials definitely makes users pause and think, and maybe even call me if unsure why it popped up. If they ARE confident, they can simply enter the credentials and proceed.

Assuming security (rather than productivity) is the main reason your client is asking for this: I suspect that if you give your client a proposal for an expensive UTM/LDAP device or MS Forefront, AND a proposal to create an "Installer account" and remove user admin access, along with a comparison of the security benefits from each, you will be able to get the client to make the right choice for you.

P.S.  thanx for the points
From your closing comment it sounds like you believe there is a single solution to this problem.  THERE IS NOT.

And I don't mean that you can pick one - I mean that for you/your clients to have an effective defense, they MUST use a LAYERED approach.  That means - AMONGST OTHER THINGS - YOU DO ALL OF THE BELOW:
1. UTM device at the edge of the network.
2. Antivirus software on the clients
3. NO Admin accounts for users (if your users MUST be given admin accounts, do as Korbus suggests and give them a LOCAL account with admin rights and allow the UAC prompt to appear, forcing them to enter the admin account user name and password).
4. Implement policies that restrict users from doing things they shouldn't be able to do/aren't part of their job description. This includes accessing files. It's great it's a family business, but Bookkeeper Mom doesn't need access to Salesperson Dad's files - CryptoLocker would love it if she had access, but if you do this appropriately, it won't.
5. This is MOST IMPORTANT - TRAIN THE USER. Most hacks that specifically target your network are not gaining access through brute-force attempts to crack the password. They're calling up PRETENDING to be support and/or otherwise PHISHING for passwords and accounts they can use to access the network. (And training is no guarantee - I have a client who posted their certificate that they completed a security awareness program on their bulletin board - and then tacked up printouts of passwords all around it... clearly she didn't get the point - but that's why it's a MULTI-LAYERED approach!)
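As an added example (not code from any poster in this thread), a PowerShell script for the Installer-account arrangement Korbus describes and item 3 above repeats: on a Windows 7 workstation it creates a local "Installer" account with local admin rights and removes the everyday domain user from the local Administrators group, so software installs raise the UAC credential prompt instead of a plain Yes/No. The account name and domain user are hypothetical placeholders; it uses net.exe because Windows 7 has no LocalAccounts cmdlets.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# workstation. $InstallerName and $DomainUser are hypothetical placeholders.
param(
    [string]$InstallerName = 'Installer',
    [string]$DomainUser    = 'CONTOSO\jsmith'   # everyday domain user to demote
)

# 1. Create the local Installer account if it does not already exist.
#    net user exits non-zero when the account is unknown; "*" makes net.exe prompt
#    for the password so it never appears on the command line or in history.
net user $InstallerName > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    net user $InstallerName * /add /passwordchg:no /expires:never
    if ($LASTEXITCODE -ne 0) { throw "Could not create local account $InstallerName" }
    Write-Host "Created local account $InstallerName"
}

# 2. Give Installer local admin rights. net.exe errors if it is already a member,
#    which is harmless here, so that output is discarded.
net localgroup Administrators $InstallerName /add > $null 2>&1

# 3. Demote the everyday user: the domain account stays, only local admin goes.
#    From now on installs trigger a UAC credential prompt, not a plain Yes/No.
net localgroup Administrators $DomainUser /delete > $null 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "Removed $DomainUser from local Administrators"
} else {
    Write-Host "$DomainUser was not a local administrator (nothing to remove)"
}

# 4. Audit: show who is still a local administrator on this workstation
net localgroup Administrators
```

The same membership change can be pushed to every workstation in the OU with a Restricted Groups policy instead of running this per machine; the script is the single-workstation form of that change.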
Well.... based on the original question there is a single, simple solution. An appliance. I knew the Barracuda Web Filter would do it. As has come to pass they have a SonicWall TZ 205. Their content filtering services are supposed to block internet based on username too. I don't really like appliances but in this case it is short, sweet and simple.
Yes, based on the original question, WITH NO CONTEXT, that is the solution - speaking as a professional, with the added context provided, it is NOT A COMPLETE solution.
"I have a SBS 2011 Domain that the boss wants to restrict internet access by username" is pretty straightforward. I didn't care how it was done. Software, hardware, GPO was not specified.