Solved

internet access from windows servers

Posted on 2016-10-17
Last Modified: 2016-10-18
Do you implement any controls on Windows servers, especially those which house sensitive and security-related info (i.e. domain controllers), to prevent users from accessing the internet from a web browser installed on the servers? And if so, how do you achieve this? I understand the risks, but you would hope administrators are sensible enough not to do this kind of activity; I presume implementing a control rather than trusting admins would be better.

Likewise, even on workstations: do you implement controls that check whether the user is a local admin on that machine and restrict internet access? And how do you achieve this?
Question by:pma111
4 Comments
 

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41846628
We don't allow internet traffic from any machine but one. That one is an RD server, and users use a RemoteApp browser. Works very well and it is very secure (we run AppLocker at the RD server to only allow browser processes).
 

Accepted Solution

by:btan
btan earned 250 total points
ID: 41846838
Avoid letting internet traffic have direct access to your Domain Controller, and do not put the DC in the DMZ either, as that is going to inadvertently and unnecessarily expose your internal network and critical systems. There should be minimal exposure of the DC, and even if it is required, the measured approach is to have a proxy (e.g. F5 APM) expose only certain resources or application access, e.g. an ADFS gateway or, in the past, ADAM. All online assets, especially web eServices, need DDoS protection and a WAF in place, in case that is your intent for internet access.

Any remote access should be:
- granted only via VPN (with 2FA authentication),
- restricted to a range of IP addresses via the perimeter FW, so that VPN users can only reach certain resources,
- required to undergo the NAC check on the remote access machine (machine and user cert),
- quarantined for any host machine that failed the baseline NAC machine checks,
- limited, for all admin access, to a small pool of IP addresses bound to authorised hosts,
- covered by an audit trail, with alerts on anomalous activities, e.g. surge traffic, odd hours,
- locked down via proxy settings for the browser, such that the internet is accessible only via VPN and goes through a common internet content filter web gateway.
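An added example (not from the thread) of the audit-trail point above: a Python script that scans constructed web-gateway log lines and flags browser egress from the server/DC subnet, admin browsing at odd hours, and per-user request surges. The log format (`timestamp client user url status`), the server subnet, the `adm-` naming convention for admin accounts and the thresholds are all assumptions.

```python
"""Flag web-gateway log lines that show browsing from servers/DCs or anomalous
admin access (odd hours, request surges). Constructed example, not part of the
thread; the 'ts client user url status' log format is an assumption."""
from collections import Counter
from datetime import datetime
import ipaddress

# Assumed: the subnet that holds domain controllers and other servers.
SERVER_NETS = [ipaddress.ip_network("10.0.10.0/24")]
# Assumed business hours (local time); access outside them counts as "odd hours".
BUSINESS_HOURS = range(7, 20)
SURGE_THRESHOLD = 3  # requests by one user within one minute (small for the sample)

# Constructed sample log lines: timestamp, client IP, user, URL, HTTP status.
SAMPLE_LOG = """\
2016-10-17T09:12:01 10.0.20.15 jdoe http://intranet.example.local/ 200
2016-10-17T09:12:05 10.0.10.5 CORP\\adm-smith http://example.com/ 200
2016-10-17T02:40:10 10.0.20.31 CORP\\adm-lee http://example.org/ 200
2016-10-17T11:00:00 10.0.20.44 bob http://example.net/a 200
2016-10-17T11:00:10 10.0.20.44 bob http://example.net/b 200
2016-10-17T11:00:20 10.0.20.44 bob http://example.net/c 200
"""

def parse_line(line):
    ts, client, user, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": ipaddress.ip_address(client),
            "user": user, "url": url, "status": int(status)}

def analyse(log_text):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    per_minute = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Rule 1: any web egress from the server/DC subnet violates the no-browsing control.
        if any(rec["client"] in net for net in SERVER_NETS):
            alerts.append(("server_egress", rec["user"], str(rec["client"])))
        # Rule 2: admin accounts (assumed 'adm-' prefix) browsing outside business hours.
        if "adm-" in rec["user"].lower() and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("odd_hours_admin", rec["user"], rec["ts"].isoformat()))
        # Rule 3: request surge, counted per user per minute; alert once at the threshold.
        key = (rec["user"], rec["ts"].strftime("%Y-%m-%dT%H:%M"))
        per_minute[key] += 1
        if per_minute[key] == SURGE_THRESHOLD:
            alerts.append(("surge", rec["user"], key[1]))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```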
 

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 125 total points
ID: 41848038
On our Remote Desktop servers where users can log on, we are restricting Internet access by GPO, which hardcodes a proxy server that is non-existent (i.e. my servers are in the 192.168.88.x subnet, so I enter 192.168.88.252, where no host is using that IP). We also change security on iexplorer.exe so that normal users do not have execute privileges, and ditto for CMD.EXE to ensure users can't run a command prompt. On some RD servers, we restrict access to start menu options, browsing the boot drive, etc.
 

Expert Comment

by:btan
ID: 41848065
For any internet-accessible HTTP site, you should also verify the SSL connection; you will likely still need TLS 1.0, which in the SSL test will surface as a sighting of a weak cipher in the SSL/TLS certificate report: https://www.ssllabs.com/ssltest/

There are other security layers, but more likely, without VPN, you will need SSL. It is better to go with VPN and then adopt the layer below as required. Avoid self-signed SSL certificates and check with your CA-issued or third-party CA for the actual SSL server certificate.
• SSL (TLS 1.0): SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
• Negotiate: The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.
• RDP Security Layer: Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.
https://technet.microsoft.com/en-us/library/ff458357.aspx
