Internet restrictions part 2


Vlaad

Can anyone help?
I am trying to make a group policy that denies users
access to the Internet using IPSEC filters.
What I need to accomplish is as follows:
Users in a specific group can't access the Internet via
Internet Explorer (Or any other browser).
Each time I develop a specific IPSEC policy, I find that
I have restricted them too much or I have not restricted
them at all. I just need to block HTTP and HTTPS access
from users in a specific OU.

Does anyone out there have a restriction policy that
works that they could share with me?

Thanks in advance,

Vlaad
 
Vlaad said:
Can anyone help?
I am trying to make a group policy that denies users
access to the Internet using IPSEC filters.
What I need to accomplish is as follows:
Users in a specific group can't access the Internet via
Internet Explorer (Or any other browser).
Each time I develop a specific IPSEC policy, I find that
I have restricted them too much or I have not restricted
them at all. I just need to block HTTP and HTTPS access
from users in a specific OU.

Does anyone out there have a restriction policy that
works that they could share with me?

All you need to do is create a policy to block
From My IP Address
To Any IP Address
Protocol TCP
Port 80

And another Filter to block the same attributes on port 443 for HTTPS.


Andy.
 
You would have to configure an ipsec policy for "computers" - not users in
an OU. Ipsec can only be applied to computers. I prefer a "block all" rule
and then configure rules for the exceptions as users can access a lot on the
internet other than ports 80/443 tcp. I start with a mirrored block all
rule, then add a mirrored permit all rule for the lan subnet, and then add
to the permit rule filter exceptions for outbound internet access if any are
allowed. See the link below for more info on ipsec filtering. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
 
Steven L Umbach said:
You would have to configure an ipsec policy for "computers" - not
users in an OU. Ipsec can only be applied to computers. I prefer a
"block all" rule and then configure rules for the exceptions as users
can access a lot on the internet other than ports 80/443 tcp. I start
with a mirrored block all rule, then add a mirrored permit all rule
for the lan subnet,

I've actually gone a step further than that and only applied a permit rule
for the required ports to/from the servers and administrators workstations.

All traffic between workstations is blocked. I don't see the need for
general workstations to be able to talk to each other and this way if one
of the workstations should be compromised or infected, the risk of the
problem going any further is minimised.
This took a fair bit of analysis to determine exactly which ports were
required, but once set up it's extremely easy to maintain. Just drop the
machine in the relevant OU and it's done.

Andy.
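The three approaches above (Andy's port 80/443 block, Steve's mirrored "block all" plus a mirrored permit for the LAN subnet, and Andy's tighter variant that permits only the required ports to servers) can all be built from the same IPsec objects: a policy, filter lists, filter actions and rules. The script below is an added example, not from anyone in this thread, written for the `netsh ipsec static` context that ships with XP SP2 and Windows Server 2003 or later (Windows 2000 has no netsh ipsec context and used the resource-kit ipsecpol.exe instead). The policy name, subnet, server address and the ports in the server filter list are constructed for the example; replace them with the values your own port analysis produced. Because IPsec applies to computers, the policy must be linked to the OU holding the workstations, not to the users.

```powershell
# Added example (not from the thread): one IPsec policy holding Steve's
# "block all, then permit the LAN" rules, with Andy's web-port block and
# server-only permit as alternative filter lists. Run elevated on a test
# machine first; a mistake in the block-all rule cuts the box off the domain.

$Policy  = "Workstation Lockdown"   # hypothetical policy name
$LanNet  = "192.168.10.0"           # constructed LAN subnet
$LanMask = "255.255.255.0"
$FileSrv = "192.168.10.5"           # constructed file server / DC address

# Start clean; the delete fails harmlessly if the policy does not exist yet.
netsh ipsec static delete policy name="$Policy" 2>$null

# Policy container. IPsec matches the most specific filter regardless of
# rule order, so a narrow permit for the LAN wins over the broad block-all.
netsh ipsec static add policy name="$Policy" description="Block all; permit LAN exceptions"

# Filter actions: drop, or pass traffic in the clear (no negotiation).
netsh ipsec static add filteraction name="Drop"  action=block
netsh ipsec static add filteraction name="Allow" action=permit

# --- Rule 1: mirrored block-all (both directions, every protocol) -----------
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes
netsh ipsec static add rule name="Block all" policy="$Policy" filterlist="All traffic" filteraction="Drop"

# --- Rule 2: mirrored permit for the LAN subnet (Steve's exception) ---------
netsh ipsec static add filterlist name="LAN subnet"
netsh ipsec static add filter filterlist="LAN subnet" srcaddr=Me dstaddr=$LanNet dstmask=$LanMask protocol=ANY mirrored=yes
netsh ipsec static add rule name="Permit LAN" policy="$Policy" filterlist="LAN subnet" filteraction="Allow"

# --- Rule 2 alternative: permit only required ports to servers (Andy's
# workstation-isolation variant). The ports are examples; at minimum the
# workstation still needs DNS, Kerberos, LDAP and SMB to its domain
# controllers or it cannot log on or refresh Group Policy.
netsh ipsec static add filterlist name="Server ports"
netsh ipsec static add filter filterlist="Server ports" srcaddr=Me dstaddr=$FileSrv protocol=UDP srcport=0 dstport=53  mirrored=yes
netsh ipsec static add filter filterlist="Server ports" srcaddr=Me dstaddr=$FileSrv protocol=TCP srcport=0 dstport=88  mirrored=yes
netsh ipsec static add filter filterlist="Server ports" srcaddr=Me dstaddr=$FileSrv protocol=TCP srcport=0 dstport=389 mirrored=yes
netsh ipsec static add filter filterlist="Server ports" srcaddr=Me dstaddr=$FileSrv protocol=TCP srcport=0 dstport=445 mirrored=yes
# To use this instead of the whole-subnet permit, attach it and drop rule 2:
# netsh ipsec static add rule name="Permit servers" policy="$Policy" filterlist="Server ports" filteraction="Allow"

# --- Andy's first reply: block just HTTP/HTTPS, no block-all rule -----------
netsh ipsec static add filterlist name="Web ports"
netsh ipsec static add filter filterlist="Web ports" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist="Web ports" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=443 mirrored=yes
# netsh ipsec static add rule name="Block web" policy="$Policy" filterlist="Web ports" filteraction="Drop"

# Only one IPsec policy can be assigned on a computer at a time.
netsh ipsec static set policy name="$Policy" assign=y

# Check what was built; then confirm the LAN still answers and the Internet does not.
netsh ipsec static show policy name="$Policy" level=verbose
```

When the policy is deployed through Group Policy rather than locally, the same `add` commands are issued after switching the store with `netsh ipsec static set store location=domain domain=<your.domain>` and the policy is assigned in the GPO linked to the workstation OU. The web-ports-only variant is the easiest to get wrong in the direction Vlaad describes (proxies or alternate ports are untouched), which is why Steve's block-all starting point is the safer default.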
 
Ipsec is very powerful, but often not used. I have suggested similar setup
to those who experience a lot of user problems such as in a school to
prevent users from trying to access each others computers. That and the
Software Restriction Policies in XP Pro can allow an admin to really lock down
and secure the domain. I have also suggested ipsec to those who find
"unauthorized" computers on the network such as an employee's personal laptop,
though I think it should be communicated to employees that this is not allowed
and be dealt with severely but I guess I am old fashioned. In an all W2K/XP
domain with those problems it would make sense to have an ipsec require
policy on servers and such and a client respond on domain members with
exemptions for traffic to/from domain controllers, possibly using only AH to
minimize overhead, to deny access to those servers from non domain
computers. Of course the "add workstations to the domain" user right would
need to be removed for authenticated users in the Domain Controller Security
policy so that they could not add their computers to the domain. I have
however not been able to successfully implement a require policy on domain
controllers for communications between domain members trying various
combinations of ports and just using AH. It is not supported by Microsoft
[KB 254949] for W2K or W2003. Generally when I implement one on a test
network the computer stalls when trying to logon. --- Steve
 