Solved

Restrict Internet Access by User in a SBS 2011 Domain

Posted on 2014-04-12
12
2,472 Views
Last Modified: 2014-04-14
I have an SBS 2011 Domain that the boss wants to restrict internet access by username. My first thought was to move users he didn't want to have internet to a new OU like "No Internet", then link a GPO to that OU and do something like setting a bogus proxy server in the Internet Explorer settings.

Then, thinking about it, the proxy settings are just for IE, aren't they? So wouldn't they be able to use Chrome or Firefox? Anyway... is there a way to keep users from having internet based on username?
0
Question by:LockDown32
12 Comments
 
LVL 14

Accepted Solution

by:
Michael Dyer earned 125 total points
ID: 39996311
You are correct, the simplest way is to create a group policy with a bogus proxy server and assign these users to this group.  You are also correct that they may be able to get around this with a different browser program.  The simplest solution for that is to remove the users as local admins.  This will prevent the users from installing new software without going through you and that will keep them from installing Chrome or Firefox.  

If your boss is so controlling that he wants to restrict internet access, then he will probably love the idea of restricting the installation of new software too!
0
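The accepted answer's "bogus proxy" GPO, written out as an added example (this is not code from the thread or from any of the posters). It assumes it is run as a Domain Admin on the SBS 2011 server or a workstation with RSAT, and the group name, GPO name and the two usernames are placeholders. Rather than moving users into a new OU, it links the GPO at the domain root and security-filters it to a group, which leaves the SBS OU layout untouched.

```powershell
# Added example, not from the thread: "bogus proxy" GPO applied through security filtering.
# Assumptions: Domain Admin rights, ActiveDirectory and GroupPolicy modules available,
# placeholder names for the group, GPO and users.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'No Internet'                       # placeholder
$gpoName   = 'Restrict Internet - Bogus Proxy'   # placeholder
$members   = @('jsmith', 'mjones')               # placeholder usernames

# 1. Security group that drives the GPO's security filtering.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
        -GroupCategory Security -Path "CN=Users,$domainDN"
}
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Create the GPO (if missing) and link it once at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null }

# 3. Security filtering: only members of the group apply the GPO. Domain Computers keep
#    read access so the computer side of GP processing can still read it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName            -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. User-side registry values. 127.0.0.1:9 is the local discard port: nothing listens there,
#    so every proxied connection is refused at once. <local> keeps intranet names (the SBS
#    server, Remote Web Access) reachable without the proxy.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName 'ProxyEnable'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName 'ProxyServer'   -Type String -Value '127.0.0.1:9' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName 'ProxyOverride' -Type String -Value '<local>' | Out-Null

# 5. Lock the Connections tab so the user cannot untick the proxy in Internet Options.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# Verification, logged on as one of the restricted users on a client after "gpupdate /force":
#   gpresult /r /scope:user
#       -> the GPO name appears under "Applied Group Policy Objects"
#   (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').ProxyServer
#       -> 127.0.0.1:9
```

The values under Internet Settings are a preference key, so Group Policy re-stamps them at every refresh rather than enforcing them; the Control Panel\Proxy policy value only locks the IE dialog. As the answer itself says, this is a soft control that a user with registry write access, or a browser with its own proxy configuration, can step around, so treat it as a convenience for compliant users and put the real enforcement at the network edge.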
 
LVL 7

Assisted Solution

by:peea
peea earned 125 total points
ID: 39996323
> You are also correct that they may be able to get around this with a different browser program.

Another approach is to control via DNS. DNS settings are covered by GPO, hence DNS settings can be changed for normal users managed by GPO.

How does it work via DNS? Pointing the DNS to an internal DNS host can restrict the Internet access to limited sites, as the internal DNS is controlled by you and can be customised.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996379
Well... this whole thing started because a couple of users got infected and caused major problems. I suggested to them removing the users as administrators of their computers, which would 1) keep them from installing freebies from the internet and 2) keep the damage done by malware to a minimum because it shouldn't be able to do anything to their computers. That idea didn't fly.

The server is a DNS server and all workstation DNS settings point to the server. The server in turn forwards to Comcast's DNS servers, so I don't see how using DNS would help unless we use forwarders to some kind of third party DNS like (ah, I forget the name, but they do web filtering).

It looks like we might be limited to using an appliance or a third party something. Any ideas along that line?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 125 total points
ID: 39996401
You must INSIST again that users not be made administrators of their computers.  Even if you block the internet browser, you cannot block all communication - what about zero-day email threats, for example?
You simply CANNOT keep the network secure when users have admin rights on their day to day accounts.
A possible solution is to create an INSTALLER admin account and (shudder) give out the UN/PW to all users.

Microsoft ISA server, now called FOREFRONT (I think), has the ability to give granular control to the internet and content.  Personally, I thought it was awful software when I used it (a few versions ago), but it DID provide that functionality when nothing else did.
Appliance:  I cannot recommend anything in particular, but make sure the appliance can use LDAP, which lets it connect to AD, and uses that for authentication.
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 39996494
You cannot muck with DNS - in an AD domain, ALL systems must point to the SBS server/AD server so this idea is not good.

The right way to do this is with a BUSINESS CLASS firewall/unified threat management device that can link to AD and block based on user name.  Block them at the edge of the network, not with a half-baked approach of breaking things.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39996497
And I do agree - NO ONE should be running as an administrator.  That's FOOLISH.  The problem is, even theoretically GOOD web sites can get infected and simply VISITING those sites can infect a machine - the end user may be COMPLETELY INNOCENT so punishing them is childish in itself, in my opinion.  (If memory serves, a few years back the Kaspersky Antivirus company's web site was hacked... AN ANTIVIRUS COMPANY!)
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39996527
Well... I am not coming to a strong defense of this, but a defense nonetheless. I administer several small networks and on a majority of them I let the users be administrators simply from the standpoint that I am not there 24/7 and they have several third party software apps that are maintained by other vendors. From a cost standpoint it is cheaper to let them be administrators so third party vendors can support their software. I am not a fan of it by any means but it does have its place. The REAL problem is that, as is always the case, there are a few rotten apples in every barrel. One or two users who just don't get it. One or two users who abuse the internet. It is always the same people. Anyway...

An appliance that uses LDAP sounds like the solution. Not warm and fuzzy about UTM just from the standpoint that users can bring in infected flash drives, USB hard drives, floppy drives, etc. that a UTM appliance (as a rule) can't prevent. That in turn requires software on the computers, so why mess with UTM too?

All the above are good ideas and the feedback has been great, but is anyone actually blocking users from the internet based on username?
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39999627
Hi Lockdown,

Important enough that I'll post again, even though you closed the question:

Your comments regarding the flaws with a UTM device are a perfect example of why you MUST not come to the defense of granting users admin access.

I understand the people-problems & cost/support-problems you face with this;  been through it many many times.  The best compromise solution I've found for users AND me is to use a second "Installer" account that has local admin rights.  Users have these credentials and can give them to vendors during support calls.   With Windows 7, they don't even need to log off; they just enter those credentials in the install security popup.
Does this actually grant any more security in Windows 7 than the regular Windows 7 "approve install" popup?  The answer is YES;  Asking for credentials definitely makes users pause and think, and maybe even call me if unsure why it popped up.  If they ARE confident, they can simply enter the credentials and proceed.

Assuming security (rather than productivity) is the main reason your client is asking for this: I suspect that if you give your client a proposal for an expensive UTM/LDAP device or MS Forefront, AND a proposal to create an "Installer account" and remove user admin access-  along with a comparison of the security benefits from each, you will be able to get the client to make the right choice for you.

P.S.  thanx for the points
0
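Korbus's "Installer" account arrangement, set up on a single Windows 7 client, as an added example (not code from the thread or from any of the posters). It uses the WinNT ADSI provider because that works on the PowerShell 2.0 that ships with Windows 7; it assumes it is run elevated on the client, that the password is typed at a prompt rather than stored in the script, and that the account name and the list of members kept in Administrators are placeholders you adjust before use.

```powershell
# Added example, not from the thread: local "Installer" admin account plus UAC credential prompt.
# Assumptions: run elevated on a Windows 7 client; 'Installer' and the $keep list are placeholders.
$computer  = $env:COMPUTERNAME
$localRoot = [ADSI]"WinNT://$computer"
$admins    = [ADSI]"WinNT://$computer/Administrators,group"

# 1. Create the Installer account (skipped if it already exists) and make it a local admin.
$exists = $localRoot.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq 'Installer' }
if (-not $exists) {
    $secure   = Read-Host 'Password for the local Installer account' -AsSecureString
    $password = (New-Object System.Management.Automation.PSCredential 'Installer', $secure).GetNetworkCredential().Password
    $user = $localRoot.Create('user', 'Installer')
    $user.SetPassword($password)
    $user.SetInfo()
    $user.Description = 'Local admin used only to approve software installs'
    $user.SetInfo()
    $admins.Add("WinNT://$computer/Installer,user")
}

# 2. Take everyone else out of Administrators, keeping only the built-in Administrator,
#    Domain Admins and Installer. Review $keep first on a machine you cannot reach any other way.
$keep = @('Administrator', 'Domain Admins', 'Installer')
foreach ($m in @($admins.Invoke('Members'))) {
    $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
    $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    if ($keep -notcontains $name) { $admins.Remove($path) }
}

# 3. UAC: a standard user gets a credential prompt on the secure desktop instead of a silent
#    deny, so the Installer credentials can be entered without logging off.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name 'EnableLUA'                 -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name 'ConsentPromptBehaviorUser' -Value 1 -Type DWord   # 1 = prompt for credentials on the secure desktop
Set-ItemProperty -Path $uac -Name 'PromptOnSecureDesktop'     -Value 1 -Type DWord

# Check after the next logon: "whoami /groups" for a normal user must no longer list
# BUILTIN\Administrators, and launching an installer must show the UAC credential prompt.
```

Across a domain the same three steps are pushed centrally rather than per machine: Restricted Groups for the Administrators membership and the Security Options setting "User Account Control: Behavior of the elevation prompt for standard users" for the prompt. The Installer password is a shared secret known to every user, so rotate it when staff leave and keep it distinct from any domain account, which is the trade-off Korbus's "(shudder)" in the earlier comment acknowledges.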
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39999755
From your closing comment it sounds like you believe there is a single solution to this problem.  THERE IS NOT.

And I don't mean that you can pick one - I mean that for you/your clients to have an effective defense, they MUST use a LAYERED approach.  That means - AMONGST OTHER THINGS - YOU DO ALL OF THE BELOW:
1. UTM device at the edge of the network.
2. Antivirus software on the clients
3. NO Admin accounts for users (if your users MUST be given admin accounts, do as Korbus suggests and give them a LOCAL account with admin rights and allow the UAC prompt to appear forcing them to enter the admin account user name and password).
4. Implement policies that restrict users from doing things they shouldn't be able to do/aren't part of their job description.  This includes accessing files.  It's great it's a family business but Bookkeeper mom doesn't need access to Salesperson Dad's files - CryptoLocker would love it if she had access, but if you do this appropriately, it won't.
5. This is MOST IMPORTANT - TRAIN THE USER.  Most hacks that specifically target your network are not gaining access through brute force attempts to crack the password.  They're calling up PRETENDING to be support and/or otherwise PHISHING for passwords and accounts they can use to access the network.  (And training is no guarantee - I have a client who posted their certificate that they completed a security awareness program on their bulletin board - and then tacked up printouts of passwords all around it... clearly she didn't get the point - but that's why it's a MULTI-LAYERED approach!)
0
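Point 4 of the list above is about limiting which files each user can write to, the exposure that lets a CryptoLocker infection on one PC encrypt everyone's data on the share. As an added example (not code from the thread or from any poster), here is a PowerShell audit that walks a share and reports every directory where a broad principal such as Everyone, Authenticated Users or Domain Users holds write or delete rights. The share path is a placeholder, and the list of principals is an assumption you extend with any of your own catch-all groups.

```powershell
# Added example, not from the thread: find directories where broad groups can write or delete.
# Assumptions: $sharePath is a placeholder; run as an account that can read the NTFS ACLs.
$sharePath = '\\SBSSERVER\Company'   # placeholder
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

# Rights that let ransomware overwrite or remove files. FullControl and Modify both contain
# these bits, so a -band test against the mask catches them too.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
# Inherit-only ACEs on folders often carry generic rights instead: GENERIC_ALL | GENERIC_WRITE.
$genericWrite = 0x50000000

function Get-BroadWriteAccess {
    param([string]$Root)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)) {
                New-Object PSObject -Property @{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadWriteAccess -Root $sharePath)
if ($findings.Count -eq 0) {
    Write-Output "No broad write access found under $sharePath"
} else {
    $findings | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize
}
```

Each line of the report is a directory where any compromised user account can destroy data. The fix is not to edit ACLs from a script but to replace the broad ACE with a purpose-specific security group (Bookkeeping, Sales) at the top of each tree and let inheritance carry it down, then re-run the audit to confirm nothing broad is left.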
 
LVL 15

Author Comment

by:LockDown32
ID: 39999776
Well.... based on the original question there is a single, simple solution. An appliance. I knew the Barracuda Web Filter would do it. As has come to pass they have a SonicWall TZ 205. Their content filtering services are supposed to block internet based on username too. I don't really like appliances but in this case it is short, sweet and simple.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40000261
Yes, based on the original question, WITH NO CONTEXT, that is the solution - speaking as a professional, with the added context provided, it is NOT A COMPLETE solution.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 40000285
"I have a SBS 2011 Domain that the boss wants to restrict internet access by username" is pretty straightforward. I didn't care how it was done. Software, hardware, GPO was not specified.
0
