Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Monday, April 27, 2009

Disabling (serverside) Internet access on clients

So Many Roads
Corporate employee policy is absolutely necessary for this (and plenty of other IT-related) issue(s). Enforcement in a cubicular environment obviously depends on a variety of factors.
A proxy-defining script is very attractive. I've met with good success with security by obscurity, not the least notable of which has been renaming Explorer.exe (&/or Netscape) and/or assigning appropriate rights to the file. You can also use your firewall/AV app to monitor downloads or iterations of alternate browsers.

Why not keep it simple
Just give static addresses and do not specify any gateways or DNS. Adjust privileges so they can't change these settings and they can still use shared printers and resources, but cannot get off of the network. This should be sufficient for the average user that has very little knowledge of how the network is put together.

Simple is fun
Add an entry to the PC's hosts file pointing the proxy server to null yourproxyserver
Users do not have rights to edit the file.
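
To confirm that the two client-side settings described above (static addressing with no gateway or DNS, and a hosts entry that users cannot edit) are actually in place, a read-only PowerShell audit along these lines can be run as an administrator. It is an added example, not part of the original thread; the function names are hypothetical, the proxy name is a placeholder, and reading "null" as 0.0.0.0 or a loopback address is an assumption.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
# Assumptions: $ProxyHost is a placeholder; "null" means 0.0.0.0 or 127.x.x.x.
$ProxyHost = 'yourproxyserver'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-HostsSinkhole {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()       # drop comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }
        $names = $fields[1..($fields.Count - 1)]
        if ($names -contains $Name) {                    # first matching entry wins
            return ($fields[0] -eq '0.0.0.0' -or $fields[0] -like '127.*')
        }
    }
    return $false                                        # name not listed at all
}

function Get-HostsWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Also catch GENERIC_ALL / GENERIC_WRITE bits stored in some inherited ACEs.
    $mask    = [int]$rights -bor 0x50000000
    $trusted = 'S-1-5-18', 'S-1-5-32-544'                # SYSTEM, Administrators
    # Ask for SIDs so the check does not depend on localized group names.
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $mask) -and
            $trusted -notcontains $_.IdentityReference.Value
        }
}

function Get-RoutableAdapter {
    # Any adapter with DHCP, a gateway or DNS servers can still leave the LAN.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled -or $_.DefaultIPGateway -or $_.DNSServerSearchOrder }
}

'Proxy name sinkholed in hosts: {0}' -f (Test-HostsSinkhole (Get-Content $HostsPath) $ProxyHost)
'Identities other than SYSTEM/Administrators that can modify hosts (SIDs):'
Get-HostsWriter $HostsPath | Format-Table IdentityReference, FileSystemRights -AutoSize
'Adapters that still have DHCP, a gateway or DNS configured:'
Get-RoutableAdapter | Format-List Description, DHCPEnabled, DefaultIPGateway, DNSServerSearchOrder
```

Empty output under the last two headings, together with `True` on the first line, means both settings hold on that client.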

how about?
When I want to keep the kids from spending the night on the net, I go to RUN > CMD > IPCONFIG /RELEASE to stop the browser.
When I want to turn it back on,

Edit the local group policy on the PC to disallow iexplore.exe from running, use 'Add/Remove Programs' to remove all access to Internet Explorer and move the shortcut to Windows Update from the '\Documents and Settings\All Users\Start Menu' to the desktop of the local administrator's profile.
All of my users are running as 'Restricted Users' (no user should even have 'Power User' rights), so this works very well.

block port 80
Hi. If you are using XP, you can create a security policy in computer management to block all traffic on port 80. This will kill internet access and nothing else (and requires admin rights to change) and it does not matter what browser you use.

Account restrictions
Simply applying your GPO & even some of the other tips here without applying account restrictions does not deal with Domain Accounts with mail services.
The easiest way would be to simply set up a domain local group for firewall users & that would end the surfing.
Yeah, well that's all fine and dandy...
You can also cut the wave out from underneath most surfers just by not allowing iexplore.exe to be run in gpedit.msc.
We are implementing SharePoint and blocking port:80 and cutting off gateways and using bogus proxy servers won't cut it for us.
Simple is good, but (as I've tried these solutions before) I find I wind up hosing somebody in the all-or-nothing solutions.
XP SP2 offers solutions for this. Of the hundreds of NEW GPO settings, cutting off Internet access (or portions thereof) is now available. (Note: you could do it before via restricting zone settings yada yada, but now there's a one-stop-shop block Internet settings GPO)
With some experimentation, you can cut off the IntErnet without cutting off the IntrAnet, per user or per computer (per OU actually) and still allow for WUS updating and other apps that need port:80 access or some other internet functions.
I can actually make it so the forklift driver can't get on the 'net on any machine, meanwhile the secretary can...on the same machine. Pretty nifty.
You should be able to do this with the local gpedit.msc too if you don't have an AD network.
The catch is... naturally, it doesn't work unless you have WinXP SP2 clients.

MS Content Advisor - No Access option
Microsoft has a rating you can use called noaccess.rat and is activated through the Tools/Internet Options/Content area. It will block all outside Internet access in IE, but allow only Intranet access. I have customized our Company's Browser and include this file along with a couple other rating files that I can turn on and off whenever the need arises. If I turn on the No Access, I usually will also uncheck the box for allowing users to see sites with no ratings under the General Tab just to be safe.
I guess this would be outdated, but... Based on the replies you've gotten thus far, this is a much less sophisticated option, but for our small customers who wish to have some clients off the net our solution is twofold:
1. As mentioned before, remove all indications of Internet Explorer from the computer - go to the Control Panel and in Add/Remove choose the "Add/Remove Windows Components" option on the left pane and deselect Internet Explorer. (By the way, nosy users will still be able to browse the Internet by typing the URL in the Windows Explorer address bar, that's why there's step two)
2. Find on the web (or I can send a copy to you) "Noaccess.rat". This is an Internet Explorer ratings file that you can load in your "%SystemRoot%\System32" folder, then enable in the Internet Options section of Internet Explorer [TOOLS>>INTERNET OPTIONS] on the menu bar. Choose the "Content" tab at the top and select "Enable". There you will see the default rating scheme and the "Noaccess" scheme. If you are absolutely sure you want to do this, then remove the default scheme (the other .rat file in %SystemRoot%\System32) and configure your noaccess.
Problem is this only works for IE, and I said, if a user is a little too smart for his/her britches then they'll probably just download firefox or load it from a CD.
The second part of the solution (I don't really care for the first one, it's too easy for a user to figure out) given by Zaferus is really the most ideal: "set the Internet router to deny all port 80 traffic to the WAN from the IP address of the client PC you want to block."

interesting conundrum
That sort of carefully controlled environment is difficult to achieve with a Windows network. You could probably do it by segmenting the network and controlling traffic between network segments with a tiered Windows update deployment setup, so that individual machines aren't getting direct access to the Internet, and with a proxy server that grants access to some user accounts but not others (I think it'd have to be a non-Windows proxy server, like Squid on Linux, to work properly, though I'm not sure about that).
If you were running Linux systems, it would be much, much easier, since Linux (like any Unix) is an inherently multi-user system. All you would have to do is create user accounts with specifically tailored application access for the users that you don't want doing anything except what is directly required for their jobs. This sort of thing is sorta possible in a Windows network, but it tends to require jumping through a lot of hoops, tying OS configuration into knots, and a lot of server-side monkeying around.
