Blocking internet access for remote IPs only.

Associate
Joined
3 Oct 2008
Posts
1,890
Location
South London
You think this is simple but it's not :)

The aim of the game: Block internet/web access on two PCs on a network.

The catch: This network is Active directory with roaming profiles, shares an internet breakout with 5 other sites and the PCs are situated in a pharmaceutical grade cleanroom area.

So I'm looking at free software that I can install locally on the PC to block specific address ranges or ports. The software should be secured against buggeration by non-administrators and be installable completely remotely via RDP/VNC. Also, it would be nice if it runs as a service and can thus be managed from AD.

Your suggestions please :)
 
Associate
Joined
22 Sep 2007
Posts
2,179
Location
Abingdon
Why don't you use port filtering on the NIC under TCP/IP Properties > Advanced > Options > TCP/IP Filtering Properties. Just filter on port 80 and make sure none of your users have access to amend the NIC settings. No extra software required.
 
Associate
OP
Joined
3 Oct 2008
Posts
1,890
Location
South London
So you don't have a firewall that controls access to the internet like, say, ISA Server?

Yes I do, but it's a breakout for 5 sites, thus not under my control, and anything I do on there might affect other sites, and I can't block by address as we run DHCP.

danielanthony said:
Why don't you use port filtering on the NIC under TCP/IP Properties > Advanced > Options > TCP/IP Filtering Properties. Just filter on port 80 and make sure none of your users have access to amend the NIC settings. No extra software required.

^ That would work for all HTTP; however, I only want remote IPs, as we have web-based apps used locally which users need to be able to access.

I had tried downloading a freeware firewall and setting up rules on that; however, the way it saved the rules was annoying, it was a complete pig to try and install remotely, and it wasn't overly protected from user interference.
 
Associate
Joined
22 Sep 2007
Posts
2,179
Location
Abingdon
Well in that case you will have to install something locally on the hosts, as the internet gateway is out of your control and your clients need access off-subnet. Most software packages such as Norton have parental controls to stop fiddling and fully customisable firewalls. You can upload the files via drive mapping in RDP and install. No AD integration though.
 
Soldato
Joined
30 Dec 2003
Posts
5,770
Location
London
Yes I do, but it's a breakout for 5 sites, thus not under my control, and anything I do on there might affect other sites, and I can't block by address as we run DHCP.
If you actually have ISA, this can do firewall rules based on AD users/groups/computers. If you don't, it's not quite as simple and you'd be better off with your suggestion of local firewalls. Windows Firewall is configurable by AD - might be worth looking into that.
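An added configuration example, not from the thread and not how any poster said they did it, showing how the Windows Firewall route could block web access to remote addresses while leaving the internal web apps reachable. It assumes Windows 8 / Server 2012 or later (the NetSecurity PowerShell module); the subnet list is a placeholder to replace with the real internal ranges, and the same settings can be pushed by Group Policy instead of run locally.

```powershell
# Added example: "block remote IPs only" with the built-in Windows Firewall.
# Strategy: make the profile's default outbound action Block, then add one
# Allow rule scoped to the internal address ranges. Block-by-default plus a
# scoped Allow avoids the problem that an explicit Block rule to 'Any' would
# override every Allow rule, including the one for the internal web apps.
$Prefix       = 'Cleanroom-Outbound'
$InternalNets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # placeholders

# Remove any earlier copies of these rules so the script can be re-run.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1. Anything not matched by an Allow rule is dropped on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Everything the PC needs (AD, DNS, file shares, local web apps) lives on
#    the internal ranges, so one Allow rule covers it. Narrow -Protocol/-RemotePort
#    here if the PCs should reach internal hosts on web ports only.
New-NetFirewallRule -DisplayName "$Prefix Allow Internal" `
    -Direction Outbound -Action Allow -Profile Any `
    -RemoteAddress $InternalNets

# 3. Check what was applied: the address filter should list only the internal ranges.
Get-NetFirewallRule -DisplayName "$Prefix*" | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. Quick behavioural check (replace with a real internal web host).
Test-NetConnection -ComputerName 'intranet-app.example.local' -Port 80 |
    Select-Object ComputerName, TcpTestSucceeded
```

If users normally reach the internet through a proxy on an internal address, that proxy's address and port must be excluded from the Allow rule as well, or the block is bypassed. Users who are not local administrators cannot change these rules, which covers the "secured against non-administrators" requirement from the first post.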
 
Associate
OP
Joined
3 Oct 2008
Posts
1,890
Location
South London
One other idea is to remove their default gateway and set up static routes, that way they can get to only the subnets they need to and any other addresses will not be found.

That sounded like a very very plausible idea if DHCP didn't give them the gateway, however this might be possible to remove with a clever logon script. I'll look into it.

I would never ever consider putting anything like Norton on anything. Ever. Plus it'd cost money, and this isn't really an important enough issue to spend budget on, let alone annual licensing.

I'll have a play with the gateway thing.

Static addressing is obviously the easiest way, but again that'd have to be blocked at the local Cisco or breakout. Tbh the Cisco is stretched as it is. When the new Extreme Networks kit goes in it'll be pretty easy; I was just hoping to hook up a quick interim solution.
 
Associate
OP
Joined
3 Oct 2008
Posts
1,890
Location
South London
If you actually have ISA, this can do firewall rules based on AD users/groups/computers. If you don't, it's not quite as simple and you'd be better off with your suggestion of local firewalls. Windows Firewall is configurable by AD - might be worth looking into that.

I have looked at Windows Firewall, but as far as I can see it'll only block all port 80 or no port 80, which is a bum.
And no, we don't use ISA because it's not really very good at high volumes; we have a SonicWall hardware firewall instead :).
 
Soldato
Joined
18 Oct 2002
Posts
2,714
An easy way, if the PC only needs access to a limited number of PCs, is to leave out the default gateway and set up static routes on Windows for access only to the hosts/networks that the PC needs access to. So long as the PC is suitably locked down to prevent users and power users from adjusting the network settings, then there is no way for the users of the machines in question to access the internet.
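An added example, not from the thread, of the static-route approach above: drop the default route so unknown destinations are unreachable, then add explicit routes for the subnets the PC needs. It assumes Windows 8 / Server 2012 or later; the gateway and subnet values are placeholders, and because this does not stop DHCP handing the gateway back on lease renewal, it would need to run as a computer startup or scheduled task, or the DHCP side would need changing.

```powershell
# Added example: replace the default route with routes to the needed subnets.
$Gateway    = '192.168.1.1'                      # placeholder: the site router
$NeededNets = @('10.10.0.0/16', '10.20.5.0/24')  # placeholders: AD/file/web-app subnets

# Find the IPv4 default route(s); they tell us which interface to use.
$Default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 `
               -ErrorAction SilentlyContinue
if ($Default) {
    $IfIndex = $Default[0].InterfaceIndex
    # Removing the default route leaves no path for off-list destinations.
    $Default | Remove-NetRoute -Confirm:$false
} else {
    # No default route present: fall back to the first physical adapter that is up.
    $IfIndex = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')[0].ifIndex
}

# Add a route per needed subnet, skipping any that already exist.
foreach ($Net in $NeededNets) {
    $Existing = Get-NetRoute -DestinationPrefix $Net -ErrorAction SilentlyContinue
    if (-not $Existing) {
        New-NetRoute -DestinationPrefix $Net -InterfaceIndex $IfIndex `
                     -NextHop $Gateway -PolicyStore ActiveStore
    }
}

# Verify: only the listed prefixes (plus on-link routes) should remain,
# and no 0.0.0.0/0 entry should be present.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' -or $NeededNets -contains $_.DestinationPrefix } |
    Select-Object DestinationPrefix, NextHop, InterfaceIndex
```

Because the routes are written to the ActiveStore only, a reboot discards them; persist them (omit -PolicyStore, or re-run at startup) once the list is confirmed correct.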
 
Associate
OP
Joined
3 Oct 2008
Posts
1,890
Location
South London
An easy way, if the PC only needs access to a limited number of PCs, is to leave out the default gateway and set up static routes on Windows for access only to the hosts/networks that the PC needs access to. So long as the PC is suitably locked down to prevent users and power users from adjusting the network settings, then there is no way for the users of the machines in question to access the internet.

This solution was tendered before by danielanthony and would work if the default gateway wasn't issued as part of DHCP.

I've pretty much given up on it for now. Will wait till the new infrastructure is installed and use that.
 
Soldato
Joined
27 Feb 2003
Posts
7,173
Location
Shropshire
I have looked at Windows Firewall, but as far as I can see it'll only block all port 80 or no port 80, which is a bum.
And no, we don't use ISA because it's not really very good at high volumes; we have a SonicWall hardware firewall instead :).

Use the SonicWall then. Give the PCs in question DHCP reservations and then deny all traffic from zone LAN > WAN on the SonicWall from the IPs they are given. Sorted.
 