Solved

Restrict Internet Access by User in a SBS 2011 Domain

Posted on 2014-04-12
2,352 Views
Last Modified: 2014-04-14
I have an SBS 2011 Domain where the boss wants to restrict internet access by username. My first thought was to move the users he didn't want to have internet to a new OU like "No Internet", then link a GPO to that OU and do something like setting a bogus proxy server in the Internet Explorer settings.

Then, thinking about it, the proxy settings are just for IE, aren't they? So wouldn't they be able to use Chrome or Firefox? Anyway... is there a way to keep users from having internet based on username?
0
Question by:LockDown32
12 Comments
 
LVL 14

Accepted Solution

by:Michael Dyer
Michael Dyer earned 125 total points
ID: 39996311
You are correct, the simplest way is to create a group policy with a bogus proxy server and assign these users to this group.  You are also correct that they may be able to get around this with a different browser program.  The simplest solution for that is to remove the users as local admins.  This will prevent the users from installing new software without going through you and that will keep them from installing Chrome or Firefox.  

If your boss is so controlling that he wants to restrict internet access, then he will probably love the idea of restricting the installation of new software too!
0
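The OU-plus-GPO approach from the question and the accepted answer, as an added PowerShell example (not code from the answer or from Experts Exchange). It assumes the ActiveDirectory and GroupPolicy modules are available on the SBS 2011 server (they ship with the Server 2008 R2 RSAT tools) and that it runs as a Domain Admin; the OU name, GPO name, user list and the 127.0.0.1:9 proxy address are constructed placeholders. The registry values it sets are the WinINET proxy settings that IE and Chrome honour; Firefox keeps its own per-profile proxy setting that a user can switch to "No proxy", which is why the answer pairs this with removing local admin rights rather than relying on it alone.

```powershell
# Added example, not from the answer above: create a "No Internet" OU, move the
# restricted users into it, and link a GPO that points them at a bogus proxy.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and Domain Admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OUName   = 'No Internet'                    # constructed OU name
$OUPath   = "OU=$OUName,$DomainDN"
$GPOName  = 'Block Internet - Bogus Proxy'   # constructed GPO name
$Users    = @('jdoe', 'asmith')              # constructed sAMAccountNames

# 1. Create the OU if it does not exist yet, then move the listed users into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($u in $Users) {
    $user = Get-ADUser -Identity $u
    if ($user.DistinguishedName -notlike "*,$OUPath") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $OUPath
    }
}

# 2. Create the GPO (if needed) and link it to the OU only.
$gpo = Get-GPO -Name $GPOName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GPOName }
$linked = (Get-GPInheritance -Target $OUPath).GpoLinks |
          Where-Object { $_.DisplayName -eq $GPOName }
if (-not $linked) { New-GPLink -Name $GPOName -Target $OUPath -LinkEnabled Yes | Out-Null }

# 3. User-side WinINET proxy settings: enable a proxy that goes nowhere.
#    127.0.0.1:9 is a constructed dead address (port 9 is the discard service).
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GPOName -Key $inet -ValueName 'ProxyEnable'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GPOName -Key $inet -ValueName 'ProxyServer'   -Type String -Value '127.0.0.1:9' | Out-Null
# Keep intranet hosts (the SBS server's own sites, shares, OWA) reachable.
Set-GPRegistryValue -Name $GPOName -Key $inet -ValueName 'ProxyOverride' -Type String -Value '<local>' | Out-Null

# 4. IE policy "Prevent changing proxy settings" so the user cannot untick the proxy.
Set-GPRegistryValue -Name $GPOName -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
                    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# 5. Show what the GPO now carries; on a client, run "gpupdate /force" and log on again.
Get-GPRegistryValue -Name $GPOName -Key $inet | Format-Table ValueName, Value -AutoSize
```

Because the users are moved, not just filtered, any other GPOs linked to their old OU stop applying to them; check the old OU's links before moving anyone in production.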
 
LVL 7

Assisted Solution

by:peea
peea earned 125 total points
ID: 39996323
> You are also correct that they may be able to get around this with a different browser program.

Another approach is to control it via DNS. DNS settings are covered by GPO, so DNS settings can be changed for normal users managed by GPO.

How does it work via DNS? Pointing the DNS to an internal DNS host can restrict Internet access to limited sites, as the internal DNS is controlled by you and can be customised.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996379
Well... this whole thing started because a couple of users got infected and caused major problems. I suggested to them removing the users as administrators of their computers, which would 1) keep them from installing freebies from the internet and 2) keep the damage done by malware to a minimum because it shouldn't be able to do anything to their computers. That idea didn't fly.

The server is a DNS and all workstations' DNSs point to the server. The server in turn forwards to Comcast's DNSs, so I don't see how using DNSs would help unless we use forwarders to some kind of third-party DNS like (ah, I forget the name, but they do web filtering).

It looks like we might be limited to using an appliance or a third party something. Any ideas along that line?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 125 total points
ID: 39996401
You must INSIST again that users not be made administrators of their computers.  Even if you block the internet browser, you cannot block all communication; what about zero-day email threats, for example?
You simply CANNOT keep the network secure when users have admin rights on their day to day accounts.
A possible solution is to create an INSTALLER admin account and (shudder) give out the UN/PW to all users.

Microsoft ISA server, now called FOREFRONT (I think), has the ability to give granular control over internet access and content.  Personally, I thought it was awful software when I used it (a few versions ago), but it DID provide that functionality when nothing else did.
Appliance: I cannot recommend anything in particular, but make sure the appliance can use LDAP, which lets it connect to AD and use that for authentication.
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 39996494
You cannot muck with DNS - in an AD domain, ALL systems must point to the SBS server/AD server, so this idea is not good.

The right way to do this is with a BUSINESS CLASS firewall/unified threat management device that can link to AD and block based on user name.  Block them at the edge of the network, not with a half-baked approach of breaking things.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39996497
And I do agree - NO ONE should be running as an administrator.  That's FOOLISH.  The problem is, even theoretically GOOD web sites can get infected and simply VISITING those sites can infect a machine - the end user may be COMPLETELY INNOCENT, so punishing them is childish in itself, in my opinion.  (If memory serves, a few years back the Kaspersky Antivirus company's web site was hacked... AN ANTIVIRUS COMPANY!)
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996527
Well... I am not coming to a strong defense of this, but a defense nonetheless. I administer several small networks and on the majority of them I let the users be administrators, simply from the standpoint that I am not there 24/7 and they have several third-party software apps that are maintained by other vendors. From a cost standpoint it is cheaper to let them be administrators so third-party vendors can support their software. I am not a fan of it by any means, but it does have its place. The REAL problem is that, as is always the case, there are a few rotten apples in every barrel. One or two users who just don't get it. One or two users who abuse the internet. It is always the same people. Anyway...

An appliance that uses LDAP sounds like the solution. Not warm and fuzzy about UTM, just from the standpoint that users can bring in infected flash drives, USB hard drives, floppy drives, etc. that a UTM appliance (as a rule) can't prevent. That in turn requires software on the computers, so why mess with UTM too?

All the above are good ideas and the feedback has been great, but is anyone actually blocking users from the internet based on username?
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39999627
Hi Lockdown,

Important enough that I'll post again, even though you closed the question:

Your comments regarding the flaws with a UTM device are a perfect example of why you MUST not come to the defense of granting users admin access.

I understand the people problems & cost/support problems you face with this; been through it many, many times.  The best compromise solution I've found for users AND me is to use a second "Installer" account that has local admin rights.  Users have these credentials and can give them to vendors during support calls.   With Windows 7, they don't even need to log off; they just enter those credentials in the install security popup.
Does this actually grant any more security in Windows 7 than the regular Windows 7 "approve install" popup?  The answer is YES; asking for credentials definitely makes users pause and think, and maybe even call me if unsure why it popped up.  If they ARE confident, they can simply enter the credentials and proceed.

Assuming security (rather than productivity) is the main reason your client is asking for this: I suspect that if you give your client a proposal for an expensive UTM/LDAP device or MS Forefront, AND a proposal to create an "Installer account" and remove user admin access, along with a comparison of the security benefits from each, you will be able to get the client to make the right choice for you.

P.S.  thanx for the points
0
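A way to find out which day-to-day accounts currently hold local admin rights across the domain's workstations, and optionally trim the group down to an allow-list such as the built-in Administrator, Domain Admins and a local "Installer" account of the kind Korbus describes. This is an added PowerShell example, not code from the comment above. It assumes the ActiveDirectory module on the SBS server, Domain Admin rights, and that the workstations are reachable over SMB; it uses the ADSI WinNT provider so it works against Windows 7 clients without PowerShell remoting and with the PowerShell 2.0 that SBS 2011 ships. The allow-list, the workstation filter and the report path are constructed placeholders.

```powershell
# Added example, not from the comment above: audit (and optionally prune) the local
# Administrators group on each domain workstation. Report-only unless -Remediate is passed.
Import-Module ActiveDirectory

$Allowed = @('Administrator', 'Domain Admins', 'Installer')   # constructed allow-list

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; read Name and ADsPath via reflection.
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/jdoe for domain accounts, WinNT://PCNAME/Installer for local ones.
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        New-Object PSObject -Property @{
            Computer = $ComputerName; Member = $name; Source = $source; ADsPath = $path
        }
    }
}

function Test-LocalAdminCompliance {
    param([string]$ComputerName, [string[]]$AllowList, [switch]$Remediate)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in Get-LocalAdminMembers -ComputerName $ComputerName) {
        $ok = $AllowList -contains $member.Member
        if ($ok)              { $status = 'allowed' }
        elseif ($Remediate)   { $status = 'removed' }
        else                  { $status = 'VIOLATION' }
        if (-not $ok -and $Remediate) {
            # Drop the unexpected member; the allow-listed accounts are untouched.
            $group.Remove($member.ADsPath)
        }
        $member | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    }
}

# Enabled, non-server computer objects (constructed filter; adjust to your OU layout).
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -notlike "*Server*"' `
                            -Properties OperatingSystem | Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
        try   { Test-LocalAdminCompliance -ComputerName $c -AllowList $Allowed }   # add -Remediate to enforce
        catch { Write-Warning "${c}: $($_.Exception.Message)" }
    } else {
        Write-Warning "$c is offline; skipped"
    }
}

$report | Format-Table Computer, Member, Source, Status -AutoSize
$report | Export-Csv -Path 'C:\Reports\LocalAdmins.csv' -NoTypeInformation   # constructed path
```

Run it report-only first and review the VIOLATION rows; a domain user who appears there is exactly the account whose malware infection the thread is about. The local "Installer" account itself still has to be created on each machine (for example with `net user Installer <password> /add` followed by `net localgroup Administrators Installer /add`), which this script deliberately does not do because it would need the password in clear text.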
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39999755
From your closing comment it sounds like you believe there is a single solution to this problem.  THERE IS NOT.

And I don't mean that you can pick one - I mean that for you/your clients to have an effective defense, they MUST use a LAYERED approach.  That means - AMONGST OTHER THINGS - YOU DO ALL OF THE BELOW:
1. UTM device at the edge of the network.
2. Antivirus software on the clients
3. NO Admin accounts for users (if your users MUST be given admin accounts, do as Korbus suggests and give them a LOCAL account with admin rights and allow the UAC prompt to appear, forcing them to enter the admin account user name and password).
4. Implement policies that restrict users from doing things they shouldn't be able to do/aren't part of their job description.  This includes accessing files.  It's great it's a family business, but Bookkeeper Mom doesn't need access to Salesperson Dad's files - CryptoLocker would love it if she had access, but if you do this appropriately, it won't.
5. This is MOST IMPORTANT - TRAIN THE USER.  Most hacks that specifically target your network are not gaining access through brute force attempts to crack the password.  They're calling up PRETENDING to be support and/or otherwise PHISHING for passwords and accounts they can use to access the network.  (And training is no guarantee - I have a client who posted their certificate that they completed a security awareness program on their bulletin board - and then tacked up printouts of passwords all around it... clearly she didn't get the point - but that's why it's a MULTI-LAYERED approach!)
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39999776
Well.... based on the original question there is a single, simple solution. An appliance. I knew the Barracuda Web Filter would do it. As has come to pass they have a SonicWall TZ 205. Their content filtering services are supposed to block internet based on username too. I don't really like appliances but in this case it is short, sweet and simple.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40000261
Yes, based on the original question, WITH NO CONTEXT, that is the solution - speaking as a professional, with the added context provided, it is NOT A COMPLETE solution.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 40000285
"I have an SBS 2011 Domain that the boss wants to restrict internet access by username" is pretty straightforward. I didn't care how it was done. Software, hardware, GPO was not specified.
0
