Solved

internet access from windows servers

Posted on 2016-10-17
4
89 Views
Last Modified: 2016-10-18
Do you implement any controls on Windows servers, especially those which house sensitive and security-related info (i.e. domain controllers), to prevent users from accessing the internet from a web browser installed on the servers? And if so, how do you achieve this? I understand the risks, but you would hope administrators are sensible enough not to do this kind of activity; I presume implementing a control rather than trusting admins would be better.

Likewise, even on workstations: do you implement controls that check if a local admin is on that machine and restrict internet access? And how do you achieve this?
Question by:pma111
4 Comments
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41846628
We don't allow internet traffic from any machine but one. That one is an RD server, and users use a RemoteApp browser. It works very well and is very secure (we run AppLocker on the RD server to allow only browser processes).
0
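As an added example (not McKnife's actual policy), the following PowerShell builds and dry-runs an AppLocker executable rule set of the kind described above: an RD Session Host whose ordinary users may run only the published browser. It assumes the browser is Internet Explorer under %PROGRAMFILES%, that session users are matched as Everyone (S-1-1-0), that Administrators (S-1-5-32-544) stay unrestricted, and that you start in audit mode.

```powershell
# Added example, not the answerer's configuration. Run elevated on the RD Session Host.
# Assumptions: browser = Internet Explorer, users = Everyone, admins unrestricted.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- OS binaries the session itself needs (rdpinit, rdpshell, ...), minus the
         shells and writable folders that would give a RemoteApp user a command line -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="Session plumbing"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\*" />
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
    <!-- The only user-facing application on this host -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow the published browser" Description="RemoteApp browser"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\*" /></Conditions>
    </FilePathRule>
    <!-- Administrators keep full rights so the box stays manageable -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Admins unrestricted" Description="Built-in Administrators"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:ProgramData 'rdsh-browser-only.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would the policy decide for these binaries, evaluated as Everyone?
# Expect the browser to be Allowed and the two shells to get a Denied* decision.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement requires the Application Identity service. sc.exe is used because
# the service is protected on newer builds and Set-Service may be refused.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to the local policy (use -Ldap to target a domain GPO instead)
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Leave the collection in AuditOnly for a while and watch the AppLocker "EXE and DLL" event log for 8003 events (would have been blocked); once only expected binaries appear there, change EnforcementMode to Enabled. Remember that AppLocker only governs what the session can launch; the network controls in the other answers are still what stop traffic from anything that does run.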
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41846838
Avoid letting internet traffic have direct access to your Domain Controller, and do not put the DC in the DMZ either, as it is going to inadvertently and unnecessarily expose your internal network and critical assets. There should be minimal exposure of the DC, and even if it is required, a measured approach is to have a proxy (e.g. F5 APM) expose only certain resources or application access, e.g. an ADFS gateway or, in the past, ADAM. All online assets, especially web eServices, need DDoS protection and a WAF in place in case that is your intent for internet access.

Any remote access should:
- be granted only via VPN (with 2FA authentication),
- enforce a restricted range of IP access via the perimeter FW to allow VPN users to access certain resources,
- enforce that remote access machines undergo the NAC check (machine and user cert),
- quarantine any host machine that failed the baseline NAC machine checks,
- restrict all admin access to only a small pool of IP addresses bound to authorised hosts,
- enable an audit trail for such access and alert on anomalous activities, e.g. surge traffic, odd hours,
- lock down the browser proxy such that the internet is accessible only via VPN and through a common internet content filter web gateway.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 125 total points
ID: 41848038
On our Remote Desktop servers where users can log on, we restrict Internet access by GPO, which hardcodes a proxy server that is non-existent (i.e. my servers are in the 192.168.88.x subnet, so I enter 192.168.88.252 where no host is using that IP). We also change security on iexplorer.exe so that normal users do not have execute privileges, and ditto for CMD.EXE to ensure users can't run a command prompt. On some RD servers, we restrict access to start menu options, browsing the boot drive, etc.
0
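As an added example (not the answerer's GPO), the PowerShell below writes the registry values that such a "blackhole proxy" policy sets, per machine so every user on the RD host gets them, and then checks that nothing actually listens at the proxy address. It reuses the unused address 192.168.88.252 from the answer; the port 8080 and the intranet suffix corp.example are placeholders.

```powershell
# Added example, not the answerer's configuration. Run elevated on the RD server.
# Assumptions: 192.168.88.252 is unused (from the answer); port and bypass list are placeholders.

$BlackholeProxy = '192.168.88.252:8080'
$BypassList     = '<local>;*.corp.example'   # intranet hosts that must stay reachable (placeholder)

function Set-BlackholeProxy {
    # 1. Make proxy settings per-machine, the equivalent of the GPO
    #    "Make proxy settings per-machine (rather than per-user)".
    $perMachine = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Item -Path $perMachine -Force | Out-Null
    Set-ItemProperty -Path $perMachine -Name ProxySettingsPerUser -Value 0 -Type DWord

    # 2. Point WinINET at an address where no host answers, so browser
    #    requests to the internet simply time out.
    $inet = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $inet -Name ProxyServer   -Value $BlackholeProxy -Type String
    Set-ItemProperty -Path $inet -Name ProxyOverride -Value $BypassList     -Type String

    # 3. Stop users from undoing it, the equivalent of the GPO
    #    "Prevent changing proxy settings".
    $ieCp = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    New-Item -Path $ieCp -Force | Out-Null
    Set-ItemProperty -Path $ieCp -Name Proxy -Value 1 -Type DWord
}

function Test-BlackholeProxy {
    # Confirms the "proxy" really is a dead end: a TCP listener there would
    # turn the control into an open proxy path instead of a block.
    param([string]$Proxy = $BlackholeProxy)
    $ip, $port = $Proxy.Split(':')
    $listening = Test-NetConnection -ComputerName $ip -Port ([int]$port) `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Proxy            = $Proxy
        SomethingListens = $listening
        Verdict          = if ($listening) { 'NOT a blackhole: a host answers on this port' }
                           else            { 'OK: no listener, browser traffic dead-ends here' }
    }
}

Set-BlackholeProxy
Test-BlackholeProxy
```

Two caveats a practitioner should keep in mind: the setting only affects software that honours the WinINET proxy, so tools that open raw sockets or use their own proxy settings are unaffected, which is why the firewall and VPN controls in the accepted answer remain the real enforcement point. And for keeping users out of CMD.EXE, an AppLocker or Software Restriction rule is easier to maintain than editing the ACL on a System32 file, which Windows servicing can reset.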
 
LVL 63

Expert Comment

by:btan
ID: 41848065
For any internet HTTP-accessible site, you should also verify the SSL connection; likely you still need TLS 1.0, which in the SSL test will surface as a sighting of a weak cipher in the SSL/TLS certificate: https://www.ssllabs.com/ssltest/

There are other security layers, but more likely without VPN you will need SSL. Better to go with VPN and then adopt the layers below as required. Avoid self-signed SSL certificates and check with your CA-issued or third-party CA for the actual SSL server certificate.
• SSL (TLS 1.0): SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
• Negotiate: The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.
• RDP Security Layer: Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.
https://technet.microsoft.com/en-us/library/ff458357.aspx
0
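As an added example (not part of btan's comment), this PowerShell audits which of the three security-layer options quoted above an RD host actually uses, whether Network Level Authentication is required, and whether the certificate the listener presents is self-signed. It assumes the default listener name RDP-Tcp and is run elevated on the server.

```powershell
# Added example, not the answerer's code. Assumes the default 'RDP-Tcp' listener.

function Get-RdpListenerSecurity {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy

    # SecurityLayer values map onto the three options from the TechNet page
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    # The listener's certificate thumbprint; RDS takes it from one of these two stores
    $thumb = $ts.SSLCertificateSHA1Hash
    $cert  = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' `
                 -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

    [pscustomobject]@{
        SecurityLayer  = $layerNames[[int]$ts.SecurityLayer]
        NlaRequired    = [bool]$ts.UserAuthenticationRequired
        Thumbprint     = $thumb
        CertSubject    = $cert.Subject
        CertIssuer     = $cert.Issuer
        # A self-signed certificate has identical subject and issuer
        CertSelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        CertExpires    = $cert.NotAfter
    }
}

function Set-RdpListenerSecurity {
    # Remediation: force the SSL layer (2) and require NLA, which the
    # "RDP Security Layer" option cannot be combined with.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $r1 = $ts.SetSecurityLayer(2)
    $r2 = $ts.SetUserAuthenticationRequired(1)
    # Both WMI methods return 0 on success
    ($r1.ReturnValue -eq 0) -and ($r2.ReturnValue -eq 0)
}

Get-RdpListenerSecurity | Format-List
```

If the audit reports CertSelfSigned as True, bind a CA-issued certificate by setting SSLCertificateSHA1Hash on the same WMI object and calling Put(). Note that the SSL layer negotiates whatever TLS versions SCHANNEL has enabled on the server, so a current Windows build can serve TLS 1.2 even though the TechNet text only names TLS 1.0; and requiring NLA will turn away clients that cannot do CredSSP, so check the client estate before running Set-RdpListenerSecurity.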
