We have Windows Server 2003 R2 and my client machines are running Windows XP Pro. Currently we have a handful of machines that are completely blocked from the internet using DHCP settings. This has been done to prevent certain users from accessing the internet.
We now have a request to allow these machines to have internet access, but only for specific websites.
Can this be done using Active Directory? We would prefer to have the settings on the user accounts rather than on the machines themselves.
Any assistance would be appreciated.
 

22 Replies

M1d6eT Feb 26, 2009 at 7:36 PM
Through AD alone you will not be able to accomplish this. I believe that you can with an ISA server though.
You might want to check into a solution like Untangle. I have heard great things about it but have not had much of an opportunity to give it a test of my own.
Kimberlin Feb 26, 2009 at 7:46 PM
You can do it pretty easily if your users only have IE. You can push this reg file as a login script, then make a copy of the first part and change the ProxyEnable and MigrateProxy back to 0 instead of 1.
We did it this way for a while. If you host a page with IIS on a local machine that you put as the proxy, you can have that one come up as their home page and when they try to access a page that isn't allowed, and have hyperlinks to the pages that are allowed. See example. If you don't want to bother with that, just put a bogus address as the proxy and it will just say page not found. Notice that <local> is in there; that says to bypass the proxy for local addresses. It will also bypass for the websites that you have listed in the 2nd section. We quit using this method because management wanted full web access on breaks and lunch and this isn't something that is easy to turn on and off other than at login.
Copy the text below to a Notepad window and save it as IEblock.reg, save the switch back as IEunblock.reg, and push them as login/logoff scripts.
Windows Registry Editor Version 5.00

; These settings enable the use of a proxy server.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
; Contains the address of the Proxy server, in host:port form (no http:// prefix).
; Since we want to block web access, just fill this in with a few random characters.
"ProxyServer"="ipofthemachineyouwant:80"
; Use this setting if there are websites that you want your users to have access to.
; Addresses should be separated by a semicolon (;); they are host names, not URLs.
"ProxyOverride"="<local>;www.website1.com;www.website2.com;www.website3.com;www.website4.com"

; This setting prevents users from opening "Internet Options" and changing the Proxy settings back to default.
; Writing under HKEY_LOCAL_MACHINE needs administrative rights; for a per-user logon script the
; same value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions also works.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://ipofthemachineyouwant/"
Kimberlin Feb 26, 2009 at 7:48 PM
Just a note, I tried Untangle for this purpose and I didn't like it at all. You can also stick with the proxy idea and use something like CCProxy, which is cheap. You can monitor a lot with it and set up groups that are allowed certain access and time schedules. That's what we use now.
Kimberlin Feb 26, 2009 at 8:06 PM
I've been through all this before, so don't hesitate to message me if you need any help.
M1d6eT Feb 26, 2009 at 8:08 PM
CCProxy sounds pretty good. I looked at their website and it looks as though you should check out the 3-user trial that they offer. It even states on their website that it can "merge with AD", although I don't know exactly what that would entail.
Kimberlin Feb 26, 2009 at 8:11 PM
It works pretty well. Not what I would call full featured, but the whole prog is like 30 bucks. Works for what we use it for.
ChristopherO Feb 26, 2009 at 9:19 PM
My first advice was going to be to modify the hosts file, but that would change it on the computer itself.
I would say limit them to IE, and use Group Policy to set up a PAC file. See my post here for some info on it:
But you could modify it as such:
function FindProxyForURL(url, host)
{
    // Allowed sites go out directly ("http://*" patterns match http:// URLs only, not https://)
    if (shExpMatch(url, "http://*spiceworks*")) { return "DIRECT"; }
    if (shExpMatch(url, "http://*microsoft*")) { return "DIRECT"; }
    // Everything else is sent to a proxy that does not exist
    return "PROXY 127.0.0.1:80";
}
Which would in effect be a black hole.
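An added example, not code from the thread: the whitelist PAC approach ChristopherO describes, rewritten to match on the host name so http and https are treated alike and unrelated domains that merely contain an allowed name stay blocked. The isPlainHostName/dnsDomainIs helpers are stand-ins for the PAC runtime's built-ins so the logic runs outside a browser (a real PAC file omits them), and the domain list is a placeholder.

```javascript
// Stand-ins for two PAC runtime built-ins so this runs outside a browser;
// a real PAC file omits these because IE provides them.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Placeholder whitelist; a leading dot means the domain and all its subdomains.
var ALLOWED = [".spiceworks.com", ".microsoft.com", ".windowsupdate.com"];

// True when the host is exactly an allowed domain or a subdomain of one.
// Checking the suffix (not a substring of the URL) keeps e.g. "evilmicrosoft.com" blocked.
function hostAllowed(host) {
  for (var i = 0; i < ALLOWED.length; i++) {
    var d = ALLOWED[i];
    if (host === d.substring(1) || dnsDomainIs(host, d)) {
      return true;
    }
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names (no dots) and the local machine never go through the proxy,
  // which is what the <local> entry in the registry version does.
  if (isPlainHostName(host) || host === "localhost") {
    return "DIRECT";
  }
  if (hostAllowed(host)) {
    return "DIRECT";
  }
  // Everything else goes to a proxy nothing listens on: the black hole.
  return "PROXY 127.0.0.1:80";
}
```

Pushed per user through Group Policy (Internet Explorer Maintenance, automatic configuration URL), this gives the per-account control the original post asks for, as long as the browser honours the proxy settings.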
HeathL Feb 27, 2009 at 1:03 AM
We are using our AD server as a DNS server and setting up a host for each allowed (whitelisted) site. The limited users are only given that server as DNS, thus they are limited to a few sites. Management gets that DNS plus OpenDNS as our DNS provider. It's a hack but it works.
Kimberlin Feb 27, 2009 at 5:11 AM
That's pretty sneaky thinking there Heath. I like it.
Why am I on Spiceworks at 11:30 pm?
Ah, I know, trying to get to my 100+ best answers like Chris.
ChristopherO Feb 27, 2009 at 12:05 PM
Heath - Are you using your DNS server as primary and OpenDNS as secondary? The issue I would see with that would be that once XP fails over to the secondary DNS server, by default it doesn't attempt to switch back until 15 minutes pass. You can get around this however, see this KB article with two typos in the title:
So if it is using the secondary DNS, then AD queries would fail, and cause all kinds of problems.
Also, I'm *pretty* sure that XP will only failover to secondary if the primary doesn't respond. If the primary responds and says "I don't have a record for that and can't forward", then that would be what XP would accept as the answer, not wait for the secondary to respond.
You say it's working though, so you may want to ignore this, but if you start getting strange errors or it doesn't work sometimes, you may want to keep this in mind.
David9459 Feb 27, 2009 at 1:16 PM
I think there are some good answers here but I think it might be worth the time to at least look at Windows Steady State. Even though it is a Microsoft product it was not as much trouble to figure out as I had thought. My original idea was to put it on all of our school computers but I have not done that for two reasons. 1.) I found it just after school started and did not want to do a major configuration and 2.) I found that you can add many of the Steady State controls to Group Policy and turn them on or off through that; does not have to be installed on each PC.
Here's the latest link.
ChristopherO Feb 27, 2009 at 1:34 PM
Did I miss something with SteadyState? Its purpose is to return the computer back to its "pristine" condition, removing files that have been added, settings that were changed, etc. From what I remember of it, it had no built-in mechanism on its own to limit internet access, but that is the second post I've seen in the community that has alluded to that.
Chris2489 Feb 27, 2009 at 2:57 PM
I have it in my head that you can just use a Hosts file on the selected systems. Just put in the IP addresses of the websites you want to allow access to, also including the IP addresses (and names) of your internal servers. Then disable the DNS service on those specific systems, or supply them with bad DNS server addresses.
When the computers attempt to resolve host names, they will first go to the hosts file. If the site they are trying to reach is not located in the hosts file, because DNS is disabled or pointed to an invalid server, they will not be able to access any other site.
The drawback is that if a site's IP changes, or it has a subsite the user needs access to located at a different IP, you will have to manually reconfigure the HOSTS file to include the changes. Only one file needs to be changed, and it can be pushed with a logon script to the workstations affected by the needed changes.
ChristopherO Feb 27, 2009 at 3:13 PM
Chris- That doesn't work well when you have AD in the picture - there are several records in DNS that the workstation relies on to find and authenticate with a DC.
Also, the OP requested something that would work per user, not per machine - editing the hosts file on the machine and breaking DNS would make it work that way for every user.
South Feb 27, 2009 at 3:35 PM
With Untangle you need to install a couple of paid add-ons, Active Directory integration and Policy Manager. You can then assign different users to different racks.
Using different racks in Policy Manager you can fine-tune who has access to what and at what time, etc.
Works well.
DEngelhardt Feb 27, 2009 at 4:49 PM
I have done this for years, first at the school where I taught and now at my workplace. As long as you are not afraid to learn, download a current iso of Ubuntu and install it to some spare workstation that you no longer use. The minimum specs for Ubuntu are good enough for your purpose. After you have Ubuntu up and running, you can use either the GUI Package Manager or apt-get at the command line and install Squid Proxy server. It can do all you need and more.
I set AD up to have most users point at the squid server for Internet using the IE proxy server settings pointed at the IP address of the squid server and port 3128. On the squid server, I have ACLs that set up groups of PCs and Internet sites that are banned for all, whitelisted for all, and direct for some sites to bypass.
For specific settings and ease of use contact me directly via email and I can help you get through the process.
JorgeHaufmer Feb 27, 2009 at 8:46 PM
Well, if you're open to using Linux I would suggest using Squid/DansGuardian. DansGuardian's config files are very easy to set up. You can even set up filter groups to assign different filter settings to different users. After you get DansGuardian and Squid all set up, just open up Group Policy and create a new policy. The policy should set User Configuration/Windows Settings/Internet Explorer Maintenance/Connection/Proxy Settings to point to the IP of your DansGuardian box. In the same policy you should go to User Configuration/Windows Settings/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel and set "Disable the Connections page" to Enabled so the users cannot override your proxy server. This configuration works well for me. Good luck!
Jay Blaszta Feb 28, 2009 at 12:42 AM
I think the original poster wants a solution that can be integrated with AD.
I use Squid/DansGuardian (part of redwall-firewall) myself, but AFAIK it can't be integrated with AD. Maybe I'm missing something?
Izzy Mar 5, 2009 at 2:21 PM
You can limit access for users by creating an intranet: find the IPs for the sites they need to use to do their work and put the links on the intranet using IP addresses. A good program to use to find the correct IP addresses for the links is … Then you can set up different levels of access on your WatchGuard.
David9459 Mar 6, 2009 at 2:02 PM
ChristopherO wrote:
Did I miss something with SteadyState? Its purpose is to return the computer back to its "pristine" condition, removing files that have been added, settings that were changed, etc. From what I remember of it, it had no built-in mechanism on its own to limit internet access, but that is the second post I've seen in the community that has alluded to that.
I could be wrong. Since that was not a major goal (I was looking for the "pristine" functions), maybe I glossed over whether or not you could actually block the Internet access. I'll look again. Maybe not until summer. Right now we are still "herding geese" but at least all in one direction.
If you implement "Steady State" into Group Policy (apparently you have to load it into each OU) that helps control a lot. I did run into the Law of Unintended Consequences there also when it came to printing from the Internet. We actually have kids that HAVE to be able to print backgrounds because some FFA applications are set up that way. But that's another story.
Nick6913 May 19, 2009 at 8:52 PM
The best/right way is with a SonicWall or other router/proxy system.
However, plan B, to roll it out through Group Policy, is through this little-known IPsec gem: http://www.petri.co.il/block_web_browsing_with_ipsec.htm. Apply the GPO to OUs, use loopback, place the unlucky users in the OU. Done.
This can be used to only block port 80/443, block other ports, allow some IP blocks (local intranet anyone?), etc. Make sure you test this one in the lab, because it can mess up your machines if done incorrectly (a little hard to fix Group Policy if your machine isn't allowed to talk on any network at all).
I have used it with great success for kiosk machines that were only for one website and to lock down computers connected to lab instruments.
Vante May 20, 2009 at 1:56 PM
In AD set up an OU and drop these users in it, then set up an invalid proxy server for this OU using GPO.