Home / server / Questions / 342249
Accepted
Heinrich
Asked: 2011-12-19 23:44:49 +0800 CST

Applying outbound connection rules PER USER in Windows Firewall with Advanced Security

  • 772

In the latest version of the Windows Firewall, included for example in Windows Server 2008 R2, you can block incoming connections and apply this rule only for a set of users (Users Tab in the rule properties).

Why is this not possible for outbound connection rules and how can it be achieved? I need a software solution that blocks all internet access for specific users and for others not and I hope to realize this with the windows firewall.

windows-server-2008 firewall networking windows-firewall

2 Answers

  1. This is doable, I just did it for my kid's computers. Just create the entries below in Task Scheduler. Note that this is not super-secure, since it doesn't account for things like multiple sessions from remote desktops, etc. That said, hopefully it will help a lot of people viewing this topic. Also, note the 30-second delay in Step 2 before the firewall is turned off for registered users. Not sure if that can be made quicker somehow, 5-10 seconds would be more than enough for my computers.

    Step 1) Create a Task that turns ON the firewall when anyone logs on:

    Task Scheduler -> Action -> "Create Task"

    General:

     Name:TurnOnWindowsFirewall
 Security Options:"Run whether user is logged on or not" checked
 Security Options:"Run with highest privileges" checked

    Triggers: (click 'New...')

     BeginTheTask:"At log on"
 Settings:"Any User" checked
 Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
 Advanced Settings:"Enabled" checked

    Actions: (click 'New...')

     Action:"Start a program"
 Program/script:"netsh"
 Add Aruments:"advfirewall set allprofiles state on"

    Conditions:

     Uncheck everything on this tab

    Settings:

     AllowOnDemand: checked
 RunTaskAsSoonAsPossible: checked
 IfTheTaskFails: unchecked
 StopTheTaskIfItRunsLonger: checked; "1 hour" selected
 IfTheRunningTaskDoesNotEndForceIt: checked
 IfTheTaskIsNotSchedAgainDeleteIt: unchecked
 IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected

    Step 2) Create a Task that turns OFF the firewall when a certain user logs on:

    Task Scheduler -> Action -> "Create Task"

    General:

     Name:TurnOffWindowsFirewall
 Security Options:"Run whether user is logged on or not" checked
 Security Options:"Do not store password" checked
 Security Options:"Run with highest privileges" checked

    Triggers: (click 'New...')

     BeginTheTask:"At log on"
 Settings:"Specific User" checked  (select user that should have OPEN internet access.)
 Advanced Settings:"Delay task for:" checked; "30 seconds" selected
 Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
 Advanced Settings:"Enabled" checked

    Actions: (click 'New...')

     Action:"Start a program"
 Program/script:"netsh"
 Add Aruments:"advfirewall set allprofiles state on"

    Conditions:

     Uncheck everything on this tab

    Settings:

     AllowOnDemand: checked
 RunTaskAsSoonAsPossible: checked
 IfTheTaskFails: unchecked
 StopTheTaskIfItRunsLonger: checked; "1 hour" selected
 IfTheRunningTaskDoesNotEndForceIt: checked
 IfTheTaskIsNotSchedAgainDeleteIt: unchecked
 IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected

    Good Luck!

    • 5
  2. Best Answer

    This just isn't a feature that's available. If you want to do something like this, you might look at using Microsoft TMG as an outbound proxy. It can do user/group based access to Internet resources.

    • 2