I need to block internet access for some users on our Windows Server 2008 R2. If you google this question you will find a lot of results that propose disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily be bypassed using a portable Firefox, for example.
Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.
Thanks for your help!
Update for clarification: I would like to block internet access only for some users, not for all on this server.
The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves. Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO, which would catch all outbound traffic. Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actually trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.
...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those users' MAC addresses so they always get that (incorrect) gateway address.
Otherwise proxy it, log it, and then fire them if this is a business discipline problem.
You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.
I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.
The only realistic option probably is to disable direct internet access, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory [AD]). That way, everyone has to authenticate to go online.
Disadvantages:
I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.
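As an added illustration of the approach in this answer (not configuration from the original post), here is a minimal squid.conf that requires every user to authenticate against AD over LDAP and then only lets members of one AD group out. It assumes direct egress from the server is already blocked at the perimeter, that the domain is example.com with a domain controller dc1.example.com, a read-only bind account cn=squid, a group cn=InternetUsers, and that the Squid LDAP helpers are installed under /usr/lib/squid; all of those names are placeholders.

```conf
# Basic auth against AD over LDAP (assumed helper path and placeholder DNs).
# Basic auth sends credentials in clear text, so keep the proxy on an
# internal network or switch to the Kerberos (negotiate) helper.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "dc=example,dc=com" \
    -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.pw \
    -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 10
auth_param basic realm Internet proxy (AD account required)
auth_param basic credentialsttl 5 minutes

# Group lookup: %v is the authenticated user, %a the group name from the acl.
# Only users who are members of cn=InternetUsers pass this check.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "dc=example,dc=com" \
    -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.pw \
    -f "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=Groups,dc=example,dc=com))" \
    -h dc1.example.com

acl authenticated proxy_auth REQUIRED
acl internet_allowed external ad_group InternetUsers
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: reject odd ports and tunnels first, then force a login,
# then deny anyone outside the allowed group. Denied requests are logged
# with the AD username, which gives an audit trail per user.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !authenticated
http_access deny !internet_allowed
http_access allow internet_allowed
http_access deny all
```

Because only ports 80 and 443 are permitted through the proxy, telnet and FTP clients on the restricted accounts have no path out at all, which is the behaviour asked for in the question.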