
Restricting web access to users

Status
Not open for further replies.

Phoenix32

IS-IT--Management
Dec 28, 2004
We are running a 2000 server domain controller, with workstations using 2000 pro. I have found how to restrict users installing software but there is still a large problem with agents browsing sites and picking up malicious programs and wasting time with web based games and such.

How would I implement policies by group to restrict access to only approved sites? I would need to establish one group with strict control, one with slightly less, and one for management with little to no restrictions.

-David
 
That really depends on how you want to manage the allow/disallow list. You can do this in several ways and at several different levels in your network.

If you have a list of approved sites, that is probably much easier than trying to think of what users can't go to; however, if that list changes frequently, you may want to consider third-party web filtering software or hardware like SurfControl or Websense.

You may not want to implement this restriction using GPO on a large number of computers or users, since it will increase the logon time every time they try to log in, because it will try to load a list of web site addresses which the user can or can't go to.

 
The poor man's method, at least to block, is to create and assign a GPO that changes the IE proxy settings to point to a bogus entry, bogus.domain.com. If you want different levels of blocking then you will need something else. I like the iPrism appliance from Saint Bernard.



FRCP
 
I've been directed to a program from Microsoft called Internet Explorer Administration Kit. Since we will restrict installation of programs, there shouldn't be a problem with using an alternate browser, but how well would this utility work for what I'm looking at?
 
I haven't personally worked with this kit. As far as I know it's an installation and UI customizer. Not sure what else it could offer you regarding blocking.



FRCP
 
Phoenix32,

Are you open to suggestions for third party tools? If so, you may want to take a look at SysTrack from Lakeside Software.

Good luck!
 
Third-party solutions are a consideration. I'll look into SysTrack, thanks.

winoto, that question is still up in the air. Our agents use several web-based programs that potentially could need access to various domains. There will have to be extensive testing on whatever solution is created, which is why I'd like to roll this out in segments: first restricting installation of unapproved software, then eliminating websites used by adware/spyware, and finally allowing only the access that is needed for their particular position.
 
Why not implement a Microsoft ISA and restrict Internet access to specific users/groups? You could also create a rule to only allow specific websites to be accessed by users/groups etc.

Andy
 
With GPO you can enter (allow web site) up to 256 chars, so I just put, i.e., *411* instead of *.canada411.* or *.411.*. It's not perfect but better than nothing. Go with ISA if you have the budget for it.

If you use GPO, you have to set the permission on the proxy setting in HKCU, otherwise they can delete the proxy setting every time they log on.
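
As an added example (not part of the original thread), this Python sketch compares which hostnames the short wildcard and the longer patterns from the post above would let past the bogus proxy. The matching rule (case-insensitive `*` wildcard over the whole hostname, `<local>` for dotless names), the intranet entry and the sample hostnames are assumptions constructed for illustration.

```python
import re

# Constructed sample: a semicolon-separated exception list as pushed by GPO,
# using the short wildcard from the post plus one hypothetical intranet entry.
SHORT_LIST = "*411*;intranet.example.local;<local>"
# The longer patterns the post says the short one replaced.
LONG_LIST = "*.canada411.*;*.411.*;intranet.example.local;<local>"
# Constructed hostnames for the audit (not real traffic).
SAMPLE_HOSTS = ["www.canada411.ca", "www.411.com", "games411.example.net",
                "411-freegames.example.org", "intranet.example.local",
                "fileserver", "www.example.com"]

def parse_exceptions(value):
    """Split a semicolon-separated exception list into lowercase patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]

def pattern_to_regex(pattern):
    """Translate '*' wildcards to a regex; every other character is literal."""
    parts = (re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")

def bypasses_proxy(host, patterns):
    """True if the host matches an exception and so skips the bogus proxy."""
    host = host.lower()
    for pattern in patterns:
        if pattern == "<local>":
            if "." not in host:  # assumed rule: <local> covers dotless names
                return True
        elif pattern_to_regex(pattern).match(host):
            return True
    return False

def allowed_hosts(exception_list, hosts):
    patterns = parse_exceptions(exception_list)
    return [h for h in hosts if bypasses_proxy(h, patterns)]

def over_matched(short_list, long_list, hosts):
    """Hosts the short wildcard lets through that the longer patterns do not."""
    precise = set(allowed_hosts(long_list, hosts))
    return [h for h in allowed_hosts(short_list, hosts) if h not in precise]

if __name__ == "__main__":
    print("allowed by short list:", allowed_hosts(SHORT_LIST, SAMPLE_HOSTS))
    print("extra vs long list:", over_matched(SHORT_LIST, LONG_LIST, SAMPLE_HOSTS))
```

Running the same comparison against hostnames taken from proxy or DNS logs shows what a shortened pattern admits before the GPO is rolled out.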
 

You may want to give some thought to tracking usage.

ISA is a great tool if you know the sites you want to block; however, you may additionally want to track what sites people are visiting. ISA is a little weak in the reporting area.
 
The question is - who is going to approve the sites? It's always a bugbear. There is some software out there from a company called Bascom which implements a filtering front-end but AFAIK they manage the approvals list with input from you. Worth a look. Probably the same cost as ISA.

If cost is an issue then you should look at SmoothWall. It doesn't plug into AD (AFAIK) but you can define groups based around IP addresses. By using static IP mapping and switch port security, you can lock everything tighter than a drum. They also have a proxy add-on which you can use for blacklists and whitelists etc. Cost: Free. Knowledge required: probably quite a bit to get it right; not a lot required to get a simple system that does 80% of what's required.
 
Binkie, that's a very good point. One problem I'm facing is that one group will need to access partner sites and possibly do searches for relevant information (all in the name of customer service) while another will need access to maybe 3 domains total. If I can see which sites are popular and block those, I could limit the amount of resources used strictly for blocking sites. Blocking by rating and unrated sites appeared useful until I discovered so many sites that were not rated, including Microsoft, and were not accessible.

What sort of monitoring software would you recommend? Free would be best since we're a relatively small company and this would be my baby anyway.
 
Phoenix32,

I'm going to have to stick to my guns on this one, and recommend SysTrack. Easy to implement, use, and maintain. There is an agent which is pushed out to each machine, and runs locally at the system level, 24/7. This capability allows monitoring of the sites automatically, without any intervention on your part.

SysTrack also gives you the flexibility to block different sites for different people; assigning different users to different profiles. This solves your two "group" situation.

The only drawback: SysTrack is not a free solution. Inexpensive, but not free. Web tracking is around $10 per client machine.

Their site has a "free" 14-day evaluation; try it out when you get a chance.
Good luck
 