Solved

Restrict Internet Access by User in a SBS 2011 Domain

Posted on 2014-04-12
Last Modified: 2014-04-14
I have an SBS 2011 domain, and the boss wants to restrict internet access by username. My first thought was to move the users he doesn't want to have internet access into a new OU like "No Internet", then link a GPO to that OU and do something like set a bogus proxy server in the Internet Explorer settings.

Then, thinking about it, the proxy settings are just for IE, aren't they? So wouldn't they be able to use Chrome or Firefox? Anyway... is there a way to keep users from having internet access based on username?
Question by:LockDown32
12 Comments
 
LVL 14

Accepted Solution

by:
Michael Dyer earned 500 total points
ID: 39996311
You are correct, the simplest way is to create a group policy with a bogus proxy server and assign these users to this group. You are also correct that they may be able to get around this with a different browser program. The simplest solution for that is to remove the users as local admins. This will prevent the users from installing new software without going through you, and that will keep them from installing Chrome or Firefox.

If your boss is so controlling that he wants to restrict internet access, then he will probably love the idea of restricting the installation of new software too!
0
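The bogus-proxy approach above works by setting the per-user WinINET proxy values that Internet Explorer (and any other program that honours the system proxy) reads. As an added example, not code from the thread, the following PowerShell reports what the current user actually sees: whether a proxy is enabled, what it points at, whether the "Disable changing proxy settings" policy locks it, and whether proxy settings are per-user or machine-wide. The registry paths are the standard Internet Settings and Internet Explorer policy keys; the function name is my own.

```powershell
# Added example: audit the effective WinINET proxy state for the current user.
# Useful after linking a "No Internet" GPO to confirm the policy applied and
# that the user cannot simply switch the proxy back off.

function Get-ProxyRestrictionState {
    $userSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $iePolicy      = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    $machinePolicy = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Get-ItemProperty raises a non-terminating error when a value is absent; treat absent as $null.
    $enable   = (Get-ItemProperty -Path $userSettings -Name ProxyEnable   -ErrorAction SilentlyContinue).ProxyEnable
    $server   = (Get-ItemProperty -Path $userSettings -Name ProxyServer   -ErrorAction SilentlyContinue).ProxyServer
    $override = (Get-ItemProperty -Path $userSettings -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride

    # "Disable changing proxy settings" IE policy: 1 means the user cannot edit the proxy.
    $locked   = (Get-ItemProperty -Path $iePolicy -Name Proxy -ErrorAction SilentlyContinue).Proxy

    # ProxySettingsPerUser = 0 means the proxy is configured machine-wide instead of per user.
    $perUser  = (Get-ItemProperty -Path $machinePolicy -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser

    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        ProxyEnabled    = ($enable -eq 1)
        ProxyServer     = $server
        BypassList      = $override
        UserCanChange   = ($locked -ne 1)
        PerUserSettings = ($perUser -ne 0)
    }
}

$state = Get-ProxyRestrictionState
$state | Format-List

if ($state.ProxyEnabled -and -not $state.UserCanChange) {
    Write-Output "Proxy '$($state.ProxyServer)' is enforced for this user via policy."
} elseif ($state.ProxyEnabled) {
    Write-Output "Proxy is set but the user can still change it; the restriction is not locked down."
} else {
    Write-Output "No proxy is enabled for this user."
}
```

Run it as the restricted user (or via `gpresult /h` for a second opinion) on a workstation in the "No Internet" OU. Note that this only reflects what WinINET consumers see; a browser configured to use its own proxy settings rather than the system's will not be affected, which is exactly the gap the reply above describes.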
 
LVL 7

Assisted Solution

by:peea
peea earned 500 total points
ID: 39996323
> You are also correct that they may be able to get around this with a different browser program.

Another approach is to control it via DNS. DNS settings are covered by GPO, hence DNS settings can be changed for normal users managed by GPO.

How does it work via DNS? Pointing the DNS to an internal DNS host can restrict the Internet access to a limited set of sites, as the internal DNS is controlled by you and can be customised.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996379
Well... this whole thing started because a couple of users got infected and caused major problems. I suggested to them removing the users as administrators of their computers, which would 1) keep them from installing freebies from the internet and 2) keep the damage done by malware to a minimum because it shouldn't be able to do anything to their computers. That idea didn't fly.

The server is a DNS server and all workstations' DNS settings point to the server. The server in turn forwards to Comcast's DNS servers, so I don't see how using DNS would help unless we use forwarders to some kind of third-party DNS like (ah, I forget the name, but they do web filtering).

It looks like we might be limited to using an appliance or a third-party something. Any ideas along that line?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 500 total points
ID: 39996401
You must INSIST again that users not be made administrators of their computers. Even if you block the internet browser, you cannot block all communication - what about zero-day email threats, for example?
You simply CANNOT keep the network secure when users have admin rights on their day-to-day accounts.
A possible solution is to create an INSTALLER admin account and (shudder) give out the UN/PW to all users.

Microsoft ISA server, now called FOREFRONT (I think), has the ability to give granular control over the internet and content. Personally, I thought it was awful software when I used it (a few versions ago), but it DID provide that functionality when nothing else did.
Appliance: I cannot recommend anything in particular, but make sure the appliance can use LDAP, which lets it connect to AD and use that for authentication.
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 39996494
You cannot muck with DNS - in an AD domain, ALL systems must point to the SBS server/AD server so this idea is not good.

The right way to do this is with a BUSINESS CLASS firewall/unified threat management device that can link to AD and block based on user name.  Block them at the edge of the network, not with a half-baked approach of breaking things.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39996497
And I do agree - NO ONE should be running as an administrator. That's FOOLISH. The problem is, even theoretically GOOD web sites can get infected and simply VISITING those sites can infect a machine - the end user may be COMPLETELY INNOCENT, so punishing them is childish in itself, in my opinion. (If memory serves, a few years back the Kaspersky Antivirus company's web site was hacked... AN ANTIVIRUS COMPANY!)
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996527
Well... I am not coming to a strong defense of this, but a defense nonetheless. I administer several small networks, and on a majority of them I let the users be administrators simply from the standpoint that I am not there 24/7 and they have several third-party software apps that are maintained by other vendors. From a cost standpoint it is cheaper to let them be administrators so third-party vendors can support their software. I am not a fan of it by any means, but it does have its place. The REAL problem is that, as is always the case, there are a few rotten apples in every barrel. One or two users who just don't get it. One or two users who abuse the internet. It is always the same people. Anyway...

An appliance that uses LDAP sounds like the solution. Not warm and fuzzy about UTM just from the standpoint that users can bring in infected flash drives, USB hard drives, floppy drives, etc. that a UTM appliance (as a rule) can't prevent. That in turn requires software on the computers, so why mess with UTM too?

All the above are good ideas and the feedback has been great, but is anyone actually blocking users from the internet based on username?
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39999627
Hi Lockdown,

Important enough that I'll post again, even though you closed the question:

Your comments regarding the flaws with a UTM device are a perfect example of why you MUST not come to the defense of granting users admin access.

I understand the people problems and cost/support problems you face with this; been through it many, many times. The best compromise solution I've found for users AND me is to use a second "Installer" account that has local admin rights. Users have these credentials and can give them to vendors during support calls. With Windows 7, they don't even need to log off; they just enter those credentials in the install security popup.
Does this actually grant any more security in Windows 7 than the regular Windows 7 "approve install" popup? The answer is YES; asking for credentials definitely makes users pause and think, and maybe even call me if unsure why it popped up. If they ARE confident, they can simply enter the credentials and proceed.

Assuming security (rather than productivity) is the main reason your client is asking for this: I suspect that if you give your client a proposal for an expensive UTM/LDAP device or MS Forefront, AND a proposal to create an "Installer account" and remove user admin access - along with a comparison of the security benefits from each - you will be able to get the client to make the right choice for you.

P.S. Thanks for the points.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39999755
From your closing comment it sounds like you believe there is a single solution to this problem. THERE IS NOT.

And I don't mean that you can pick one - I mean that for you/your clients to have an effective defense, they MUST use a LAYERED approach. That means - AMONGST OTHER THINGS - YOU DO ALL OF THE BELOW:
1. UTM device at the edge of the network.
2. Antivirus software on the clients.
3. NO admin accounts for users (if your users MUST be given admin accounts, do as Korbus suggests and give them a LOCAL account with admin rights and allow the UAC prompt to appear, forcing them to enter the admin account user name and password).
4. Implement policies that restrict users from doing things they shouldn't be able to do/aren't part of their job description. This includes accessing files. It's great it's a family business, but Bookkeeper Mom doesn't need access to Salesperson Dad's files - CryptoLocker would love it if she had access, but if you do this appropriately, it won't.
5. This is MOST IMPORTANT - TRAIN THE USER. Most hacks that specifically target your network are not gaining access through brute force attempts to crack the password. They're calling up PRETENDING to be support and/or otherwise PHISHING for passwords and accounts they can use to access the network. (And training is no guarantee - I have a client who posted their certificate that they completed a security awareness program on their bulletin board - and then tacked up printouts of passwords all around it... clearly she didn't get the point - but that's why it's a MULTI-LAYERED approach!)
0
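Several replies in this thread (Michael Dyer's accepted answer, Korbus's "Installer" account suggestion, and item 3 of the layered list above) come down to the same control: nobody's everyday account should be in the local Administrators group. The first step in enforcing that is knowing who is in it today on every workstation. The following PowerShell is an added example, not code posted by anyone in the thread: it enumerates the local Administrators group on each domain workstation through the ADSI WinNT provider (so it runs on the Windows 7 / Server 2008 R2 era PowerShell an SBS 2011 network would have, without needing `Get-LocalGroupMember`) and flags members that are not on an approved list. The function names and the `$Approved` list are my own constructed assumptions; "Installer" is the shared install account Korbus describes and is hypothetical here.

```powershell
# Added example: find everyday accounts sitting in the local Administrators group.
# Assumes the ActiveDirectory module (RSAT) on the machine running this and
# admin rights on the target workstations. Run from an elevated prompt.

Import-Module ActiveDirectory

# Constructed allow list: members that are expected in local Administrators.
# Adjust to your environment. 'Installer' is the hypothetical shared install
# account suggested in the thread.
$Approved = @(
    'Administrator',   # built-in local account
    'Domain Admins',   # domain group added by default on domain join
    'Installer'        # hypothetical local install account
)

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)

    # WinNT provider path to the local Administrators group on the target.
    # Note: the group name is localised on non-English Windows installs.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    # Invoke('Members') returns COM objects; read their properties by reflection.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $name
            Type     = $class          # 'User' or 'Group'
            Path     = $path           # shows whether it is a local or domain principal
        }
    }
}

function Find-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$Computers,
        [Parameter(Mandatory)][string[]]$Allow
    )
    foreach ($computer in $Computers) {
        try {
            Get-LocalAdminMembers -ComputerName $computer |
                Where-Object { $Allow -notcontains $_.Member }
        } catch {
            # Offline machines or access-denied should not abort the whole sweep.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }
}

# Workstations only; servers are handled separately and usually have different expectations.
$workstations = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' |
    Select-Object -ExpandProperty Name

Find-UnapprovedLocalAdmins -Computers $workstations -Allow $Approved |
    Sort-Object Computer, Member |
    Format-Table -AutoSize
```

Every row the report prints is an account that can install software, disable protection, and let malware run with full rights, which is the risk the author's infection incident illustrates. Once the list is clean, the standard way to keep it that way is Group Policy rather than a script: Restricted Groups (or the Group Policy Preferences Local Users and Groups item) can define the Administrators membership so that anything added by hand is removed at the next policy refresh, and the script above then serves as the periodic check that the policy is actually being applied.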
 
LVL 15

Author Comment

by:LockDown32
ID: 39999776
Well.... based on the original question there is a single, simple solution. An appliance. I knew the Barracuda Web Filter would do it. As has come to pass they have a SonicWall TZ 205. Their content filtering services are supposed to block internet based on username too. I don't really like appliances but in this case it is short, sweet and simple.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40000261
Yes, based on the original question, WITH NO CONTEXT, that is the solution - speaking as a professional, with the added context provided, it is NOT A COMPLETE solution.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 40000285
"I have a SBS 2011 Domain that the boss wants to restrict internet access by username" is pretty straightforward. I didn't care how it was done. Software, hardware, GPO - none was specified.
0
