Block internet access by user

Cobra25 asked:
Hi, i have a server 2016 DC, we want to block internet access for 1 AD user, how can i achieve this?
Distinguished Expert 2018
Commented:
Neither Windows nor AD offer this kind of functionality natively. You could prevent internet access per device or do clunky workarounds with scripts that change DNS at login, but they are, as I said, clunky and easily worked around by a savvy user.

The best way to do what you want is a good firewall that can do policies per user. Many support AD integration and provide protection in depth. SonicWall, WatchGuard, Fortigate and Sophos are all popular in the SMB space.

Author

Commented:
Yes, it would be, but it's a big change to implement going through the firewall.

Any other ideas?
Top Expert 2016

Commented:
Really the only other way I can think of for this is to remove the gateway IP from their ipconfig.
Author

Commented:
Via a login script?
Distinguished Expert 2018

Commented:
That's what makes it ugly. Since you want it to be for a user, it'd have to be a login script. And you'd have to have another login script to add it back for any other user. And there will invariably be a race condition where the user may still have access. Or there are workarounds (some VPN vendors allow static routes) that could bypass even this attempted block. The gateway is really just a way to generate a bunch of "default" routes based on the network class/subnet/mask. Static routes have always ignored the gateway.
Distinguished Expert 2018

Commented:
It can be done in a lot of ways, but all will require experience.
Windows alone can already set firewall rules per user, but not unless you are able to enable secure rules that work with Kerberos authentication.

What does this setup look like, why do you write about your DC? The user will not logon to that DC, will he? So you will have to make it happen on Windows 10. If he is the only user of that win10 machine, this could of course be easier than if other users are using the same machine, too.
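An added example of the per-user Windows Firewall approach mentioned above; it is not code from the thread or from any of the experts. It assumes the rule is created in an elevated session on the Windows 10 workstation the user logs on to, that the account name is a placeholder you replace, and that the `-LocalUser` SDDL filter is honoured for outbound Block rules on your build (verify with the final command and a test logon as that user).

```powershell
# Added example, not from the thread. Placeholder account to restrict:
$Account = 'CONTOSO\blockeduser'

# Firewall user filters take SDDL, not account names, so resolve the SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# One ACE that selects this principal; the rule's -Action decides the verdict.
$sddl = "D:(A;;CC;;;$sid)"

# Windows Firewall has no "everything except" address scope, so list the
# public IPv4 space as ranges that skip RFC 1918 (10/8, 172.16/12, 192.168/16).
# Domain logon, file shares and printers on the LAN therefore keep working.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Outbound Block rule scoped to the user and to non-LAN destinations.
# Block rules take precedence over Allow rules, so no Allow rule is needed.
New-NetFirewallRule -DisplayName "Block internet for $Account" `
    -Description 'Per-user outbound block (assumption: -LocalUser honoured on Block)' `
    -Direction Outbound -Action Block -Profile Any -Enabled True `
    -LocalUser $sddl `
    -RemoteAddress $publicRanges

# Confirm the stored filters match what was intended.
Get-NetFirewallRule -DisplayName "Block internet for $Account" |
    ForEach-Object {
        $_ | Get-NetFirewallSecurityFilter | Select-Object LocalUser
        $_ | Get-NetFirewallAddressFilter  | Select-Object RemoteAddress
    }
```

IPv6 is left untouched here; if the workstation has a routed IPv6 path, add the equivalent global-unicast ranges to `$publicRanges`, and note that a local administrator can simply delete the rule, which is why the thread points at the perimeter firewall as the reliable option.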
Distinguished Expert 2018

Commented:
What kind of firewall do you have? Cliff's suggestions are pretty dead on. So unless you have infrastructure that supports doing things easily, you're going to have a painful experience.

Author

Commented:
Sonicwall
Distinguished Expert 2018

Commented:
There are two approaches:
1) Integrate with AD and block by username (most reliable)
2) Create DHCP reservations that will force the NIC and wireless cards to have a particular IP address.

Once you've done that, you should be able to create policies blocking either the IP, MAC address, or username from the internet.
Distinguished Expert 2018
There was no feedback from you, Cobra. I don't understand why you don't care when I told you there are several ways.
