Block all network shares and internal websites to a specific domain user

I have to set up a domain account to be used by visitors to the site. This account is to be allowed access to ONE website only - an external website. This account should not be able to access any internal websites or shared network resources.

Using the hardware firewall, I've been able to block access to all but this one external website, but using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?

Thanks
Chris Millard asked:
tigermatt commented:
Ah - sorry, for some reason I got the impression this was a single account on a single PC (my bad, apologies).

The VLAN approach could still work there, but it would require you to deploy a RADIUS server and dynamic VLAN control on your switches, such that each machine flips into the "restricted" VLAN when that particular user authenticates and RADIUS returns the restricted VLAN to the switch -- not ideal and certainly an over complication for this use case (if you even have the networking hardware capable of doing this).

Shares are still managed by user privilege, not the computer used to access them, so ACLs on the shares are certainly still the proper way to go in that regard.

GPO is not the ideal way to control the internal website issue, due to the workarounds I described in my previous post such as the user using a different browser.

What is the nature of the internal websites? If they don't require authentication, there is little you can do machine-wise which is 100% bulletproof. Using GP, you could force all traffic from the user through a proxy server, including traffic to local sites (and lock the proxy settings down), and have the proxy filter traffic such that only accesses to that one external site are permitted; the free Squid proxy would serve you well here. It doesn't account for a user who can bypass proxy settings with their own application, but that's always going to be an inevitability if the local websites require no authentication and there are no controls in the network itself to prevent this.
tigermatt commented:
using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?
This isn't really the domain of Group Policy; it is achieved with security permissions via Access Control Lists (ACLs).

Security permissions on the shares should be configured to prevent the user account gaining access. This is easy if you follow the principle of least privilege, since you simply don't grant the user membership of the groups which grant access to each share.

The internal websites are harder. If they use authentication, configure that authentication such that the user is denied access. However, if they do not use authentication, you could use Group Policy to lock down e.g. Internet Explorer to make such sites restricted, but this is not without flaws, because the user could easily bring their own browser (such as on a USB stick) and bypass the restrictions.

A better approach would be to avoid using the machine to provide any security, and instead configure this in the network. Since no internal resources are required at all, I would jail the machine into a VLAN with no other machines and from which you can firewall the traffic such that no access to internal machines is permitted. If the machine must be domain joined, you can open minimal firewall ports for communication with the DCs, and no more.
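The two controls tigermatt describes above (share ACLs as the real control over what the visitor account can reach, and forcing the account's web traffic through a locked-down proxy so intranet sites are filtered too) as an added PowerShell example. This is not code from the thread; it assumes the placeholder domain EXAMPLE, account EXAMPLE\visitor, file server FS01 and proxy proxy.example.local:3128, the ActiveDirectory and SmbShare modules, and that it is run by a file-server administrator.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example for this thread, not code from the original posts.
# Assumed placeholders: domain EXAMPLE, account EXAMPLE\visitor,
# file server FS01, proxy proxy.example.local:3128.

# Principals that every domain account belongs to. A share granted to any of
# these is reachable by the visitor account no matter how carefully its own
# group memberships were trimmed; this is where "least privilege" usually leaks.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-VisitorShareAccess {
    param(
        [Parameter(Mandatory)][string]$Visitor,      # DOMAIN\sam
        [Parameter(Mandatory)][string]$FileServer,
        [switch]$Enforce    # add an explicit share-level Deny where an Allow is found
    )
    $domain, $sam = $Visitor -split '\\', 2
    $dn = (Get-ADUser -Identity $sam).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested groups; the primary group
    # (Domain Users) is not a 'member' link, so it is added explicitly.
    # (DNs containing ( ) * or \ would need LDAP escaping first.)
    $groups = @("$domain\Domain Users") +
        (Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            ForEach-Object { "$domain\$($_.SamAccountName)" })
    $principals = $BroadPrincipals + $groups + $Visitor

    # Skip the admin shares (C$, ADMIN$, IPC$); they are not what visitors browse.
    $shares = Get-SmbShare -CimSession $FileServer | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        $shareAllow = Get-SmbShareAccess -CimSession $FileServer -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $principals -contains $_.AccountName }
        $ntfsAllow = (Get-Acl -Path "\\$FileServer\$($share.Name)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $principals -contains $_.IdentityReference.Value }
        # The account only gets in if BOTH the share ACL and the NTFS ACL allow it.
        if ($shareAllow -and $ntfsAllow) {
            [pscustomobject]@{
                Share      = $share.Name
                ShareAllow = ($shareAllow.AccountName -join ', ')
                NtfsAllow  = ($ntfsAllow.IdentityReference.Value -join ', ')
            }
            if ($Enforce) {
                # A share-level Deny ACE beats any Allow reached through group
                # membership. The proper fix is still to stop granting broad
                # principals; the Deny is the backstop when that grant must stay.
                Block-SmbShareAccess -CimSession $FileServer -Name $share.Name -AccountName $Visitor -Force
                # Hide folders the account cannot read. The share *name* itself
                # still enumerates; nothing on the host hides that, which is why
                # the thread ends up at network-level isolation instead.
                Set-SmbShare -CimSession $FileServer -Name $share.Name -FolderEnumerationMode AccessBased -Force
            }
        }
    }
}

function Set-LockedProxyPolicy {
    # Registry equivalents of the Group Policy settings described above: proxy
    # is per-machine, the user cannot change it, and there is no "<local>"
    # bypass, so intranet hosts also go through the proxy and get filtered
    # there. Run on a client to test, or mirror the values in a GPO.
    param([string]$Proxy = 'proxy.example.local:3128')   # assumed hostname
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    $cp  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'  # user-side policy
    foreach ($k in $pol, $ie, $cp) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty $pol -Name ProxySettingsPerUser -Value 0 -Type DWord  # "Make proxy settings per-machine"
    Set-ItemProperty $ie  -Name ProxyEnable   -Value 1      -Type DWord
    Set-ItemProperty $ie  -Name ProxyServer   -Value $Proxy -Type String
    Set-ItemProperty $ie  -Name ProxyOverride -Value ''     -Type String   # empty: no bypass for local addresses
    Set-ItemProperty $cp  -Name Proxy         -Value 1      -Type DWord    # "Prevent changing proxy settings"
}

# Report first; re-run with -Enforce once the findings have been reviewed.
Find-VisitorShareAccess -Visitor 'EXAMPLE\visitor' -FileServer 'FS01' | Format-Table -AutoSize
# Find-VisitorShareAccess -Visitor 'EXAMPLE\visitor' -FileServer 'FS01' -Enforce
# Set-LockedProxyPolicy
```

The share audit is the durable part: it walks nested group membership and catches the "Everyone" and "Authenticated Users" grants that make a least-privilege account effectively a Domain User with full read access. The proxy lock-down carries the caveat tigermatt gives: it constrains the browser, not the machine, and a user who brings their own client bypasses it.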
Chris Millard (author) commented:
The problem here is that the user cannot be restricted to any particular PC. This "generic" account that I have to create is for use by any contractors and visitors, and needs to be able to access an external health and safety reporting website from any PC connected to the domain.
Chris Millard (author) commented:
I'm still in discussions with the customer about the best way forward with this.
tigermatt commented:
Thanks for the update. What are your current thoughts?
Chris Millard (author) commented:
The customer has decided to live with the situation as it is. I have given him an idea of the amount of time and work involved in locking everything down for one specific user, and he does not want to go ahead!
Chris Millard (author) commented:
Not really a workable solution in my case, but gave me enough information to pass back to my customer.