Solved

Internet access from Windows servers

Posted on 2016-10-17
54 Views
Last Modified: 2016-10-18
Do you implement any controls on Windows servers, especially those which house sensitive and security-related info (i.e. domain controllers), to prevent users from accessing the internet from a web browser installed on the servers? And if so, how do you achieve this? I understand the risks, but you would hope administrators are sensible enough not to do this kind of activity; still, I presume implementing a control rather than trusting admins would be better.

Likewise, even on workstations: do you implement controls to check if someone is a local admin on that machine and restrict internet access? And how do you achieve this?
Question by:pma111
4 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41846628
We don't allow internet traffic from any machine but one. That one is an RD server, and users use a RemoteApp browser. It works very well and is very secure (we run AppLocker on the RD server to allow only browser processes).
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 41846838
Avoid letting internet traffic have direct access to your Domain Controller, and do not put a DC in the DMZ either, as it is going to inadvertently expose your internal network and critical assets unnecessarily. There should be minimal exposure of the DC, and even if required, a measured approach is to have a proxy (e.g. F5 APM) expose only certain resources or application access, e.g. an ADFS gateway or, in the past, ADAM. All online assets, esp. web eServices, need DDoS protection and a WAF in place, in case that is your intent for internet access.

Any remote access should be:
- granted only via VPN (with 2FA authentication),
- restricted to a limited range of IP addresses via the perimeter FW, so VPN users can reach only certain resources,
- subject to a NAC check on the remote access machine (machine and user cert),
- quarantined for any host machine that fails the baseline NAC machine checks,
- limited, for all admin access, to a small pool of IP addresses bound to authorised hosts,
- covered by an audit trail for such access, with alerts on anomalous activities, e.g. surges in traffic or odd hours,
- locked down at the browser proxy level, such that the internet is accessible only via VPN and through a common internet content filter web gateway.
 
LVL 24

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 125 total points
ID: 41848038
On our Remote Desktop servers where users can log on, we are restricting Internet access by GPO, which hardcodes a proxy server that is non-existent (i.e. my servers are in the 192.168.88.x subnet, so I enter 192.168.88.252, where no host is using that IP). We also change security on iexplore.exe so that normal users do not have execute privileges, and ditto for CMD.EXE to ensure users can't run a command prompt. On some RD servers, we restrict access to start menu options, browsing the boot drive, etc.
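The black-hole proxy and execute-restriction controls described above, as an added PowerShell example that is not code from the thread. It assumes an elevated session on the RD Session Host, that 192.168.88.252:8080 is an address no host listens on, and that ordinary users hold only the BUILTIN\Users ACE on the two binaries (the Windows default).

```powershell
#Requires -RunAsAdministrator
# Added example: enforce a machine-wide, non-existent proxy and remove
# ordinary users' execute rights on iexplore.exe and cmd.exe.
$BlackHoleProxy = '192.168.88.252:8080'   # assumed: no host listens here
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ProxyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Make proxy settings per-machine so users cannot override them in their own
#    profile (the registry equivalent of the "Make proxy settings per-machine" policy).
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'ProxySettingsPerUser' -Value 0 -Type DWord

# 2. Point WinINET at the black-hole proxy; intranet hosts bypass it.
New-Item -Path $ProxyKey -Force | Out-Null
Set-ItemProperty -Path $ProxyKey -Name 'ProxyEnable'   -Value 1 -Type DWord
Set-ItemProperty -Path $ProxyKey -Name 'ProxyServer'   -Value $BlackHoleProxy -Type String
Set-ItemProperty -Path $ProxyKey -Name 'ProxyOverride' -Value '<local>' -Type String

# 3. Remove the BUILTIN\Users (S-1-5-32-545) ACE instead of adding a Deny ACE:
#    administrators also carry the Users SID, so a Deny would block them too,
#    whereas removing the grant leaves the Administrators ACE intact.
#    takeown is needed because TrustedInstaller owns these files; note that
#    Windows servicing may restore the default ACL on a later update.
foreach ($exe in "$env:ProgramFiles\Internet Explorer\iexplore.exe",
                 "$env:SystemRoot\System32\cmd.exe") {
    takeown /F $exe /A | Out-Null
    icacls $exe /remove:g '*S-1-5-32-545' | Out-Null
}

# 4. Verify the proxy really is a black hole: the TCP test is expected to fail.
$probe = Test-NetConnection -ComputerName '192.168.88.252' -Port 8080 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Warning 'Something listens on the black-hole proxy address; choose another IP.'
}
```

The proxy setting only stops applications that honour WinINET proxy settings; programs that open sockets directly are unaffected, so an egress deny rule on the perimeter firewall remains the authoritative control.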
 
LVL 61

Expert Comment

by:btan
ID: 41848065
For any internet-accessible HTTP site, you should also verify the SSL connection; likely you still need TLS 1.0, which in the SSL test will surface as a sighting of a weak cipher in the SSL/TLS certificate: https://www.ssllabs.com/ssltest/

There are other security measures, but more likely, without VPN, you will need SSL. It is better to go with VPN and then adopt the layer below as required. Avoid self-signed SSL certificates, and check with your CA-issued or third-party CA certificate for the actual SSL server certificate.
• SSL (TLS 1.0): SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
• Negotiate: The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.
• RDP Security Layer: Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.
https://technet.microsoft.com/en-us/library/ff458357.aspx
