Wednesday, February 11, 2009

A cool way to block internet access to certain users / machines

As a system administrator, you might find it useful to block internet access for certain users

and / or machine, but in many cases, you do want to allow access to several specific web sites.

This article shows an alternative way of doing it without using ISA, Firewall applications,

IPSec and other complex solutions.

The first thing you want to do is create a simple HTML document which says

'Internet access is forbidden… blah blah blah'.

You can use MS Word or simple Notepad to create such HTML file and save it somewhere

under the name 'Default.htm'.

The next step would be to publish this HTML document on one of your IIS servers.

You should use a dedicated web site which listens on some unused TCP port for this.

You can use any IIS server (or other OS) for publishing the HTML document.

However, I used IIS7 for enumerating the steps:

1. Create a folder on the IIS server and assign read access to the server's computer account

in the domain. (For example, if your server name is 'IISSRV01', assign to permissions on the folder.

2. Copy the 'default.htm' file you created to this directory.

3. Open Internet Information Services (IIS) manager (Shortcut: Start --> Run --> inetmgr)

4. On the left pane, Expand

5. Right click 'Sites' and choose 'Add new web site…'

a. Type 'InternetForbidden' in the 'Site Name' text box

b. Under the 'Physical Path' text box, type the path to the directory you copied
the 'default.htm' to.

c. Under the 'Port' text box, type any available TCP port number, higher than 1025.
For example: '8765'

d. Click 'OK' to save the web site. If your newly added web site appears with a
red X next to it, click 'Sites' and the refresh display by using 'F5' keyboard key.
At this point, your new site should appear with a little 'Earth' icon, meaning
everything is fine.
e. In order to test your settings, try to browse to the web site by typing the
following address in the Internet Explorer Address bar of one of your
client machines:
If everything worked fine by now, continue to the next stage.

The next stage would be to set this web site address as a proxy server for those
users / machines you want to restrict. There are many ways to apply these settings to clients.
In this article, I will go through the steps of configuring the proxy address through Group Policy.

1. Create a security group that will include all user / computer accounts which should be restricted.

2. Start Group Policy Management (Shortcut: Start --> Run --> GPMC.msc)

If you don't have GPMC installed, it is about time you install it! -

3. On the left pane, select the OU which contain the user / computer accounts which you want

4. Right click the selected OU and choose 'Create and link a GPO here…'

5. Type a name for the GPO and click 'OK'

6. On the left pane, click on the newly created GPO.
7. On the lower part of the right pane, click the 'Authenticated Users' group
(under 'Security Filtering') and click 'Remove'. Click 'OK' to approve.
8. Click 'Add…' and browse to select the security group you created in the first step.

9. On the left pane, right click the GPO and click 'Edit…'

10. On the left pane, Expand 'User Configuration' à 'Windows Settings' -->
'Internet Explorer Maintenance' --> 'Connections'

11. On the right pane, double click 'Proxy Settings'

12. Check 'Enable Proxy Settings'

13. In the 'Address of proxy' text box, type the address of the web site you created
at the beginning of the article. On the 'Port' text box, type the port of your web site
(In this example – 8765)

14. If you have URLs of sites which should not be restricted, type the URLs in the
'Exceptions' list.

15. Click 'OK'

16. On the left pane, Expand 'Administrative Templates' --> 'Windows Components' -->
'Internet Explorer'.

17. On the right pane, double click 'Disable Changing proxy settings', change to 'Enabled'
and click 'OK'.

18. If you are restricting computer accounts (and not user accounts), meaning that the
OU you selected in step #3 contains the computer accounts and that the security
group you created in step #1 contains computer accounts, perform the following tasks:
a. On the left pane, Expand 'Computer Configuration' -->
'Administrative Tools' --> 'System' --> 'Group Policy'.
b. On the right pane, double click 'User Group Policy loopback processing mode',
choose 'Enabled', select 'Merge' and click 'OK'.
19. That's it! You can now close the Group Policy Object Editor and the
Group Policy Management Console and test your settings.
Note that group membership is updated at logon, so you will need your clients to log off
and back on in order to be restricted. If you are applying the GPO on a group of
computer accounts, the client computer should be restarted in order for the
computer account's group membership to be applied.

No comments: