Locking down internet access

This forum is dedicated to the general computer related issues we all come across on a daily basis, such as e-mail/Internet/Operating System/virus/spyware, etc questions & problems.

As we are primarily a radio discussion group, your mileage may vary on the responses.

rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Locking down internet access

Post by rrfd43 »

I have a Server 2003 domain running a number of XP Pro workstations. I need to exclude all users on one box from internet access. The same machine has to access the local network, though.

It gets Symantec firewall updates from the server in a group policy.

It still needs to do windows updates though.

Anyone know of or can help me make up a policy to accomplish this?


Thanks!
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

So you're saying that users can locally log onto the server and use it to surf the web?
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

No, they log onto a workstation, but one particular one we do not want to access the web. No one but the admin logs onto the server.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

Simplest way is with an ISA server.
You can block the machine except for Microsoft.
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

Hmmm, ISA server... (might need a little suggestion on this...)
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

ISA is the proper way, but you could use something like a Cyber Nanny or Cyber Patrol.
Basically a parental control where you can put in a list of approved web sites, i.e. microsoft.com.
Do users of this machine need to browse the intranet?

Disabling IE will not prevent users from browsing the internet. They could still use Windows Explorer or even URL links in a Word doc to access the internet. You will need to do it at the physical level. One way is to configure IE to use a bogus proxy server IP, which can be configured via Group Policy. That will work only for Internet Explorer access, however. Other options may include configuring the computer with no default gateway, using a software firewall, an IPsec filtering policy, or configuring the perimeter firewall to block access to "computers" based on their IP address, which will only work well if they use static IP addresses or are in a range of computers that are all blocked from internet access.

This makes getting updates difficult, but there are ways around it to stop people from taking every update.
If you subscribe to TechNet you can install updates on the server and push them to each computer.
Alternatively you can download most updates in a form for network admins and push them from the server.
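The "no default gateway" option above is the one that needs no extra hardware, so it is worth seeing exactly what it does and how to check that it is still in force. The following is an added example, not code from the thread: it models the route lookup that makes the trick work (on-link hosts are reached directly, everything else needs a gateway and has none) and audits a constructed `ipconfig /all`-style text for the conditions a defender cares about. The LAN 192.168.10.0/24, the server 192.168.10.5 and the sample ipconfig output are all assumptions made up for the example.

```python
"""Added example (not from the thread): model the "no default gateway" lockdown
and audit a host's IP configuration for it.

Assumptions (all constructed for this example): the locked-down workstation sits
on 192.168.10.0/24, the server is 192.168.10.5, and SAMPLE_IPCONFIG is a
hand-written text in the style of XP's `ipconfig /all` output.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.10.0/24")


def next_hop(dst, local_net, default_gateway=None):
    """Where a packet to dst is sent: 'direct' for on-link hosts, the gateway
    address for everything else, or None when no route exists.
    Classic route lookup: connected route first, then the default route."""
    if ipaddress.ip_address(dst) in local_net:
        return "direct"
    return default_gateway  # None: the stack reports the destination unreachable


def reachable(dst, local_net, default_gateway=None):
    return next_hop(dst, local_net, default_gateway) is not None


# Constructed sample; note the empty Default Gateway field and static address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : dispatch.example
   Description . . . . . . . . . . . : Generic Ethernet Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.42
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.5
"""


def parse_ipconfig(text):
    """Pull the fields we care about out of ipconfig-style output.
    Returns 'ip', 'mask', 'gateway' (None when the field is blank) and 'dhcp'."""
    def field(label):
        m = re.search(r"^\s*" + re.escape(label) + r"[ .]*: ?(.*)$", text, re.M)
        return m.group(1).strip() if m else None

    gateway = field("Default Gateway")
    return {
        "ip": field("IP Address"),
        "mask": field("Subnet Mask"),
        "gateway": gateway or None,
        "dhcp": (field("DHCP Enabled") or "").lower() == "yes",
    }


def audit_lockdown(cfg, expected_net):
    """Findings a defender wants: no gateway, a static address (a DHCP lease
    could quietly hand a gateway back), and the host still on the expected LAN
    so local services such as the update push keep working."""
    findings = []
    if cfg["gateway"] is not None:
        findings.append("default gateway present: " + cfg["gateway"])
    if cfg["dhcp"]:
        findings.append("DHCP enabled; a lease could reintroduce a gateway")
    if cfg["ip"] is None or ipaddress.ip_address(cfg["ip"]) not in expected_net:
        findings.append("address not on expected LAN")
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print("server reachable:", reachable("192.168.10.5", LAN, cfg["gateway"]))
    print("internet reachable:", reachable("8.8.8.8", LAN, cfg["gateway"]))
    print("findings:", audit_lockdown(cfg, LAN) or "none")
```

The audit deliberately flags DHCP as well as a present gateway: the lockdown only holds while the address is static and the settings are locked against change, which is why the technique pairs naturally with a policy that hides the TCP/IP properties from the user.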
alex
Administrator
Posts: 5761
Joined: Mon Sep 03, 2001 4:00 pm

Re: Locking down internet access

Post by alex »

I'd design a specific GPO (Group Policy Object) and place that individual's account within that object. This will make sure that every computer that he logs in to will have the same policies. The bogus proxy and restrictions on the system should keep it tight enough that the user can't go fart around online. You can make it so that they can't install things like Firefox, etc. I'd say lock it down to a point, and then see what the idiot does, and just see what happens. There will be ways around just about everything because it is Windows, but you can start there.

The ideal solution, put him on an isolated routed network, which passes DHCP, DNS, and NTP. Let traffic come in, but not leave the subnet, and that should fix the issue. You can also setup a SUS server locally (software update service) so that the computers all talk to that system, as opposed to Microsoft to get their updates.

The last and final suggestion I have - poke around the web, and see if you can find one of the DHCP programs that are written so that you must log in to a workstation before being granted an IP to browse the internet. His login, will conveniently, not work. This will kill whatever active directory stuff you wish to impose on the machine, since AD requires DHCP, DNS, and NTP to function correctly. This is the same sort of stuff hotels, colleges, starbucks, airports, etc... use to give internet access to allowed customers.

-Alex
The Radio Information Board: http://www.radioinfoboard.com
Your source for information on: Harris/Ma-Comm/EFJ/RELM/Kenwood/ICOM/Thales, equipment.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

This brings the actual issue.
Is it a user at one machine you want blocked or is a user that logs onto any machine you want blocked?
Or is it simply any user that logs on to a particular machine will not get internet.
In that case it is computer policy rather than user policy.
alex
Administrator
Posts: 5761
Joined: Mon Sep 03, 2001 4:00 pm

Re: Locking down internet access

Post by alex »

Bruce1807 wrote:
This brings the actual issue.
Is it a user at one machine you want blocked or is a user that logs onto any machine you want blocked?
Or is it simply any user that logs on to a particular machine will not get internet.
In that case it is computer policy rather than user policy.

Not really 100% true in Active Directory. In Active Directory, everything has a container that it can get put in to. If you make a new container and assign a group, user, or PC to that container, it will inherit the properties of that container. So, if I want to restrict a user from resizing the desktop, but allow everyone else to, I'd create a container and toss that user in it, and if user B comes along, they can change the desktop. Our user "A" comes along, no such luck.

You could take the entire computer, and place it in the container, and that whole computer would inherit that computers restrictions, regardless of the users permissions, unless that user has something overridden. I forget what the permissions flow is, but the options for a GPO for a person or computer in AD are the same.

-Alex
The Radio Information Board: http://www.radioinfoboard.com
Your source for information on: Harris/Ma-Comm/EFJ/RELM/Kenwood/ICOM/Thales, equipment.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

GPOs are processed in the order Local, Site, Domain, and OU.

However
User settings in a GPO that are applied to an OU that only has computers will not be processed anyway - unless loopback processing is in use. If the user himself is in that OU, then yes. Otherwise the user settings will be ignored, since the object is a computer.
Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.

Just looked at TechNet and it states this
Computer policy is processed at startup and then user policy is processed when the user logs on. Although computer policy is applied before user policy, if user and computer policy settings specify different behavior, the computer policy will generally prevail. This is not enforced by the Group Policy infrastructure, but is rather a convention that is followed by the operating system and by applications that exploit Group Policy unless there are specific reasons that the convention is not appropriate for a given policy setting.

In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node. There are a few exceptions and their behavior is set forth in the Explain text for those settings. An example is Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges, which requires the setting in both Computer and User Configuration to be enabled or it is not activated. See the Explain text for that policy setting for details.

So need to look to see which one it is.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Locking down internet access

Post by tvsjr »

Are you running a real firewall?

A simple deny rule would fix it... set it for everything except the windows update IPs (googling left up to the user). If you want to deny */*... run a WSUS instance on the server and have the denied client get its windows updates from there.

A real firewall (ASA5505) can be had for $500-800.
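The deny rule tvsjr describes only does its job if the allow exceptions (LAN, the update addresses) sit in front of the catch-all deny, and if the client keeps a fixed address. The block below is an added example, not anything from the thread or from a firewall vendor: a first-match policy evaluator run over constructed flows, with the same rules in the intended order and in a broken order. The dispatch host 192.168.10.42, the LAN 192.168.10.0/24 and the update range 203.0.113.0/24 (a documentation range standing in for whatever addresses the vendor actually uses) are all assumptions.

```python
"""Added example (not from the thread): a first-match packet-filter policy of the
kind a perimeter firewall applies, evaluated over constructed flows.

Assumptions: the locked-down host is 192.168.10.42 (static), the LAN is
192.168.10.0/24, and 203.0.113.0/24 is a placeholder for the vendor's update
address range (a documentation range, not the real one).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

DISPATCH = ipaddress.ip_network("192.168.10.42/32")
LAN = ipaddress.ip_network("192.168.10.0/24")
UPDATE_RANGE = ipaddress.ip_network("203.0.113.0/24")   # placeholder range
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]  # None means any destination port
    name: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def matches(rule, flow):
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and (rule.dports is None or flow.dport in rule.dports))


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; unmatched flows get the implicit default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "implicit-default"


# Allowlist first, catch-all deny for the host last; other LAN hosts untouched.
POLICY = [
    Rule("permit", DISPATCH, LAN, None, "dispatch-to-lan"),
    Rule("permit", DISPATCH, UPDATE_RANGE, frozenset({80, 443}), "dispatch-updates"),
    Rule("deny", DISPATCH, ANY, None, "dispatch-block-internet"),
    Rule("permit", LAN, ANY, None, "other-lan-hosts"),
]

# The same rules with the deny moved to the top: it shadows both permits.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1], POLICY[3]]

# What the policy is meant to do, as a table the change can be checked against.
EXPECTATIONS = {
    Flow("192.168.10.42", "192.168.10.5", 445): "permit",   # server share / AV updates
    Flow("192.168.10.42", "203.0.113.10", 443): "permit",   # update range over HTTPS
    Flow("192.168.10.42", "203.0.113.10", 25): "deny",      # wrong port, even to that range
    Flow("192.168.10.42", "198.51.100.7", 80): "deny",      # arbitrary web site
    Flow("192.168.10.17", "198.51.100.7", 80): "permit",    # another LAN host unaffected
}


def verify_policy(rules, expectations=EXPECTATIONS):
    """Return the flows whose verdict differs from the intended one."""
    return [f for f, want in expectations.items() if evaluate(rules, f)[0] != want]


if __name__ == "__main__":
    for flow in EXPECTATIONS:
        print(flow, "->", evaluate(POLICY, flow))
    print("misordered policy breaks:", verify_policy(MISORDERED))
```

Keeping the expectations table next to the rules is the cheap way to catch the classic mistake the misordered copy shows: a deny that lands above its exceptions silently blocks the update traffic and the LAN access the change was supposed to preserve. Swapping the update range for a local WSUS address on the LAN, as tvsjr suggests, removes the need for the second permit entirely.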
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

Need to assign the PC a fixed IP, and it will work if it's a real firewall.
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

Thanks for the input. The concern is a new dispatch computer. We want to limit the specific machine from internet access. The object of the machine is a few selected applications and to keep the assigned user, for the timeframe they work, from crawling the internet. Unfortunately the only firewall at my disposal at this time is the Netopia router and Symantec client firewall. At this time I have been able to do substantial computer upgrades in this budget, but any other large pieces I just can't make the stretch to.

One simple solution that came up was to not put in the default gateway during the IP configuration. I can lock these settings so they can't be changed. Users will be limited, so I think the games will be minimal.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Locking down internet access

Post by tvsjr »

If you can't afford ~$600 for an ASA5505 50-user license to protect a dispatch center... you have more serious issues.

Quite frankly, a dispatch computer shouldn't be allowed access outside the network *at all*. As those systems are mission-critical, they should reside on a protected subnet.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

How true.
Our Elites have absolutely no way to get to the internet, intranet or anything but Elite.
They are so locked down that they never have problems (OK, sometimes need a reboot, but that's Bill Gates for you).
I also have pcAnywhere installed so I can get on them from any site if there's a problem, and can also access MOSCAD and the system itself from one in each centre. The rest are clients only.
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

The computer only handles administrative items....reporting and paging. No radio control at all.
JAYMZ
Posts: 2778
Joined: Sun Sep 09, 2001 4:00 pm
What radios do you own?: Radar Range

Re: Locking down internet access

Post by JAYMZ »

tvsjr wrote:
If you can't afford ~$600 for an ASA5505 50-user license to protect a dispatch center... you have more serious issues.

Quite frankly, a dispatch computer shouldn't be allowed access outside the network *at all*. As those systems are mission-critical, they should reside on a protected subnet.

There are a lot of the CAD systems these days that require internet access for updates, text paging, Rip and Run (if going by e-mail) and reporting. You can't always just lock it down and walk away. They are mission-critical applications, but let's face it, the internet is an integral part of the entire world anymore. Luckily some of the internet requirement does reside on the server side, but it is a little more complicated than "set it and forget it".

Also... in the world of government control of funding they get a little funny about how they spend their money. If there is infrastructure in place they may very well tell you to deal with it and pound sand. You have to prove need and most of the time the people holding the purse strings are the tightest people you'll ever meet.
JAYMZ

"Mom and dad say I should make my life an example of the principles I believe in. But every time I do, they tell me to stop it."
Calvin
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Locking down internet access

Post by tvsjr »

JAYMZ wrote:
tvsjr wrote:
If you can't afford ~$600 for an ASA5505 50-user license to protect a dispatch center... you have more serious issues.

Quite frankly, a dispatch computer shouldn't be allowed access outside the network *at all*. As those systems are mission-critical, they should reside on a protected subnet.

There are a lot of the CAD systems these days that require internet access for updates, text paging, Rip and Run (if going by e-mail) and reporting. You can't always just lock it down and walk away. They are mission-critical applications, but let's face it, the internet is an integral part of the entire world anymore. Luckily some of the internet requirement does reside on the server side, but it is a little more complicated than "set it and forget it".

Also... in the world of government control of funding they get a little funny about how they spend their money. If there is infrastructure in place they may very well tell you to deal with it and pound sand. You have to prove need, and most of the time the people holding the purse strings are the tightest people you'll ever meet.

Internet access for updates - contact the vendor and ask them to provide the updates on CD/DVD. If you absolutely have ZERO other options, install a real firewall/router and open up access to the vendor's specified IP and port ranges ONLY. Text paging, email, reporting, whatever else... run a multihomed server and have it act as proxy.

Yes, you have to show need to get money. There should be no issue illustrating this need.

Want real fun? Try adminning servers on a true secure network (military). You don't get the option of internet connectivity.
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

OK, now I have to find something that will track and record websites visited. I think I need something like computer-user-date/time-site. I need to create an audit trail, for lack of a better word. Need to keep it for a few months... This is all computers on the network. Any software or hardware that could do this?

Understand this is 20 computers in three buildings. I can't afford thousands and thousands of dollars, or I at least need to understand that this is what it will cost and pass that information onward.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »

ISA + ISA server tools will do the job.
Track internet usage to the minute by username, username wildcard patterns, Active Directory Group, and IP address.
Establish daily, weekly and monthly time limits by username, username wildcard patterns, Active Directory Group and/or IP address.
Specify what action (if any) to take when individual limits are exceeded.
ISA Time provides three action types:
Send an email alert to one or more email addresses you specify.
Redirect the user's subsequent access attempts to a specified URL.
Block the user's access attempts and return the standard ISA Server error page.
Automatically generate daily, weekly, and monthly summary reports which can be exported to any of the following:
Adobe Acrobat .PDF file.
Excel spreadsheet.
HTML document.
Rich text format document.
Automatically email exported reports to an email address.
Monitor online usage in real-time using the ISA Time Control Panel.
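Whatever product ends up producing the logs, the audit trail rrfd43 asked for (computer, user, date/time, site) and the per-user daily time limit Bruce1807 describes are both a few lines of processing over proxy log records. The block below is an added example, not code from the thread or from ISA Server: it parses a constructed, simplified log format (a real proxy writes different fields and needs its own parser), builds the audit records, measures usage "to the minute" as the number of distinct minutes in which a user made any request, and reports who exceeded a daily limit. The log lines, host names, user names and sites are all made up for the example.

```python
"""Added example (not from the thread): build a computer-user-date/time-site
audit trail from proxy log lines and apply a per-user daily time limit.

The log format and every line in SAMPLE_LOG are constructed for this example:
  <ISO timestamp> <computer> <DOMAIN\\user> <URL>
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2009-03-02T08:15:03 WS-DISPATCH01 EXAMPLE\\jsmith http://www.example.com/news
2009-03-02T08:15:41 WS-DISPATCH01 EXAMPLE\\jsmith http://www.example.com/sports
2009-03-02T08:17:09 WS-DISPATCH01 EXAMPLE\\jsmith http://video.example.net/clip?id=1
2009-03-02T09:02:55 WS-ADMIN02 EXAMPLE\\rjones https://update.example.org/catalog
2009-03-02T09:03:10 WS-ADMIN02 EXAMPLE\\rjones https://update.example.org/download
2009-03-03T07:58:00 WS-DISPATCH01 EXAMPLE\\jsmith http://www.example.com/
"""


def parse_line(line):
    """One log line -> one audit record. Only the host part of the URL is kept:
    the audit question is which site, not which page."""
    ts, computer, user, url = line.split(" ", 3)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "computer": computer,
        "user": user,
        "site": urlsplit(url).hostname,
    }


def audit_trail(log_text):
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def minutes_by_user_day(records):
    """Usage 'to the minute': count the distinct minutes in which the user made
    at least one request. Two hits in the same minute count once."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["time"].date())].add(r["time"].replace(second=0))
    return {key: len(minutes) for key, minutes in seen.items()}


def over_limit(records, daily_limit_minutes):
    """(user, date) pairs whose usage exceeded the limit, sorted for reporting."""
    return sorted(key for key, mins in minutes_by_user_day(records).items()
                  if mins > daily_limit_minutes)


def sites_by_user(records):
    """The summary-report view: which sites each user touched."""
    out = defaultdict(set)
    for r in records:
        out[r["user"]].add(r["site"])
    return {user: sorted(sites) for user, sites in out.items()}


if __name__ == "__main__":
    records = audit_trail(SAMPLE_LOG)
    for r in records:
        print(r["computer"], r["user"], r["time"].isoformat(), r["site"])
    print("minutes:", minutes_by_user_day(records))
    print("over 1 minute/day:", over_limit(records, 1))
    print("sites:", sites_by_user(records))
```

Counting distinct active minutes rather than summing request gaps keeps the measure honest when a page fires dozens of requests a second, and it degrades gracefully when the log is sampled; for the retention rrfd43 mentions, the parsed records (not the raw URLs) are the compact thing to keep for a few months.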
rrfd43
Posts: 434
Joined: Wed Mar 06, 2002 4:00 pm
What radios do you own?: Cobra 25 LTD Classic with echo

Re: Locking down internet access

Post by rrfd43 »

That's about exactly what I think I'm gonna need.
Bruce1807
Posts: 1203
Joined: Mon Jan 16, 2006 7:18 am

Re: Locking down internet access

Post by Bruce1807 »
