Thursday, January 20, 2011

Restrict Computer or Users from Internet but allow access to intranet and Windows Update / ePO?

So this may be impossible but I've been asked to try and find something about it. So far nothing I have found is possible.

I need to restrict specific machines or user accounts from regular Internet access but let them have access to the intranet portion of our network. I do not have Active Directory control, nor does anyone at my local workplace (corporate control in a different state). I have tried going through IPsec and doing this per local machine, but that system seems to have been removed from the images that are installed on these machines so that is out.

So far the only other option I can think of is assigning the machines a specific IP address and removing their gateway access. This would probably work, but the machines need to be able to receive updates that are being pushed to them through ePO and LANDesk.

I would really like to do this at the user level, because then if I need to do tech work on the machine and need Internet access I can get to it, but a "special" user could log in and not be able to get into anything.

  • I found out how I'm going to do it. Created a special noaccess.rat file for content advisor for internet explorer. Added the addresses that they need access to and nothing else. Problem solved.

    Skaughty : Curses.. I was trying to type that before you answered. You could also look at rules on the external router/firewall.
    MoSiAc : Well we're thinking that would be the most secure but everything here is outsourced so we would have to call the guys to come set that up. We are looking into that though. Kinda wondering if content advisor allows wildcards. We've also tried setting PROXY to NO in internet explorer, which usually keeps users out for about a day.
    From MoSiAc
  • External firewall / router is probably the most secure. You could set up a walled garden / captive portal (much like the ones that you get when you log into a wifi hotspot) which permits access to your update services but nothing else unless a superuser password is entered.

    MoSiAc : This would be the way we would like to go, but again we don't have that kind of control here sadly. Just asked to complete a task local machine side.
  • This is definitely something that is better done on the network.

    You could use a cheap router hacked to use something like http://www.dd-wrt.com/

    You could connect this between your company network and the computers you want to isolate.

    You should be able to use the router's admin page to allow access to your LAN and certain whitelisted networks (for your updates) but restrict all others.

    The benefit of doing it at the network level is that you block entire networks, not just DNS or port 80 / 443 (web/ssl) as some solutions to this problem do. Both can be easily circumvented by knowledgeable users, but it is much harder for users to bypass a captive portal. Not impossible, but then nothing is!

    The DD-WRT forums should be able to help you do this.

    There may be commercial solutions that achieve the same. Any Layer 7 style firewall technically has the ability to do this, as they can inspect TCP/IP packets and modify / block them in real time according to specified rules. Whether this functionality is exposed at user level in a particular product is something to discuss with the manufacturer.

    However if you are not allowed to do this to your network due to company policy then you could:

    (i) look into software designed to prevent children from accessing the internet without parental supervision; or

    (ii) look at whether a software firewall would enable you to whitelist / blacklist certain networks. You could whitelist your internal network and specific networks you wish to connect to, and blacklist everything else.
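One way to implement option (ii) on the local machine itself, using the built-in Windows Firewall with Advanced Security instead of third-party software, is shown below. This is an added example and not code from the thread or from any of the posters. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt; every subnet, server address and SID in it is a placeholder to be replaced with site values.

```powershell
# Added example (not from the thread): local-machine outbound whitelist using
# Windows Firewall with Advanced Security via the NetSecurity cmdlets.
# Assumptions: Windows 8 / Server 2012 or later, run from an elevated prompt;
# all addresses below are placeholders for the real intranet and update hosts.

$IntranetSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
$UpdateServers   = @('10.10.5.20', '10.10.5.21')        # assumed ePO / LANDesk hosts
$AdminsSddl      = 'D:(A;;CC;;;S-1-5-32-544)'           # BUILTIN\Administrators (well-known SID)

# 1. Make "block" the default for everything leaving the machine, on every profile,
#    so anything not explicitly allowed below is dropped (not just port 80/443).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Allow outbound traffic only to the intranet and the update/management servers.
#    No user scope on this rule, so services running as SYSTEM (the ePO and
#    LANDesk agents) can still reach their servers regardless of who is logged on.
New-NetFirewallRule -DisplayName 'Allow outbound: intranet and update servers' `
    -Direction Outbound -Action Allow -Profile Any `
    -RemoteAddress ($IntranetSubnets + $UpdateServers)

# 3. Per-user exception: a technician logged on as a local administrator keeps
#    full Internet access, a restricted (non-admin) account does not. -LocalUser
#    takes an SDDL string naming the principals the rule applies to (assumption:
#    supported on Windows 8 / Server 2012 and later).
New-NetFirewallRule -DisplayName 'Allow outbound: administrators unrestricted' `
    -Direction Outbound -Action Allow -Profile Any -LocalUser $AdminsSddl

# 4. Show what was created so the result can be checked before logging off.
Get-NetFirewallRule -DisplayName 'Allow outbound: *' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Two caveats a practitioner should keep in mind. First, the restricted account must not be a local administrator, since an administrator can simply delete these rules; the per-user exception in step 3 only makes sense if the "special" user is a standard user. Second, this whitelist works for ePO and LANDesk because they live on fixed internal addresses; Windows Update itself is served from Microsoft's CDNs under changing addresses and cannot be pinned to a static `-RemoteAddress` list, so either point the clients at an internal update server or use the network-level approach the other answers recommend for that part.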
