8 Replies
Block it at the firewall instead of messing with the server itself. Best practice would be to limit everything outbound at the firewall and restrict what all servers can get to.
Do you have VLANs or other remote sites that connect to this server? If so I am thinking you could remove just the gateway, and that might work for you. Otherwise you could create ACLs on your firewall or even switch blocking port 80 and 443 outbound from this host.
I agree, address this at the firewall if you can. I suppose it would be possible to delete something in the routing tables but I wouldn't recommend it.
Block the IP in the firewall like a few have mentioned. I have a few legacy applications as well, they run on a couple of XP machines and an old 2003 server machine. I gave the XP machines static IPs and blocked them and the 2003 server in the firewall from going online. They still get their antivirus definitions through my in-house server running our AV software, and the users can access what they need without any issues, but those machines are cut off from the outside world, only accessible inside the network.
Manually change the gateway IP address to be 127.whatever.
Block on the firewall and you can also remove the Gateway for the network properties, but it is still on your network and can still pose a security risk. VLAN would be a better option in the long run.
Block in the firewall or use an ACL to block only the server from the Internet.
Thanks everyone for your replies. We are going to block it from the firewall side. Appreciate your responses. Thanks
13 Replies
Have you got a proxy server? If you have, then you can block users from there.
No I don't have
Hi Hani
With regards to using group policy management across your domain.
Use this link here to set up a GPO to block internet access: //thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/#:~:text=%20Ho...
You can put the GPO anywhere you want in group policy management (just depends on each user on their management of POs)
Then after that's done create a security group in AD (call it whatever) and then follow the steps in this other link: //www.mustbegeek.com/how-to-apply-gpo-to-computer-group-in-active-directory/
This will be the very basic restricted setup for the users. Once obviously the GPO is applied to the security group just add any of the users in the domain to it to deny the access.
I hope this helps!
4 found this helpful
Thank you so much.
Yes that was helpful
1 found this helpful
One way is that suggested by TheLemon.
Another one: set a proxy server by GPO to some local non-existing IP and secure the proxy settings by disabling proxy settings for those users.
Assign the GPO to the OU that you want to block internet access for.
Here is some description:
//help.symantec.com/cs/EMAIL_WEB.CLOUD/WEBSECURITYCLOUD/Toc217031499_v116574884/Configuring-pr...
Anyway, consider starting to use a proxy, so that you could control the network traffic in a better way.
1 found this helpful
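The dead-proxy approach from the post above, combined with the security-group filtering TheLemon describes, as an added example that is not part of the original thread. The GPO name, group name, domain DN, user names, proxy address and bypass list are all assumptions; only the "HR users" OU name comes from the question.

```powershell
# Requires the GroupPolicy and ActiveDirectory RSAT modules and rights to create GPOs.
Import-Module GroupPolicy, ActiveDirectory

# Assumed names (not from the thread); adjust to your domain.
$GpoName   = 'Block-Internet-DeadProxy'
$GroupName = 'NoInternet-Users'
$OuDn      = 'OU=HR users,DC=example,DC=com'
$Users     = 'hr.user1', 'hr.user2'        # placeholder sAMAccountNames

$IeSettings = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicy   = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# 1. Security group holding only the accounts that should lose web access.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
Add-ADGroupMember -Identity $GroupName -Members $Users

# 2. GPO with user-side registry values: force a proxy that does not exist,
#    keep internal names reachable, and lock the proxy dialog.
New-GPO -Name $GpoName | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyEnable' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyServer' `
    -Type String -Value '127.0.0.1:9' | Out-Null          # constructed dead address
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyOverride' `
    -Type String -Value '<local>;*.example.com' | Out-Null # constructed bypass list
Set-GPRegistryValue -Name $GpoName -Key $IePolicy -ValueName 'Proxy' `
    -Type DWord -Value 1 | Out-Null                        # prevent changing proxy settings

# 3. Link to the OU, then filter so only the group applies the GPO.
#    Authenticated Users keeps Read so clients can still fetch the policy.
New-GPLink -Name $GpoName -Target $OuDn | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
```

This only affects software that honours the per-user system proxy, and the values outside the `Policies` key stay in the user's profile after the GPO is removed. Traffic that ignores the proxy still needs the firewall rule the other replies recommend.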
Thank you for your question
I never use GPO for blocking access, now I will play with this :)
1 found this helpful
Jeff-J
Depending on your firewall you might be able to do it there as well. I had my firewall linked to AD and I could assign AD security groups to firewall policies to allow or restrict users. It was also nice I could also schedule policies as well. So say during their lunch they could access the internet, I could set a policy on their lunch break allow internet access, then once the break is over turn the internet off.
1 found this helpful
TheLemon wrote:
Hi Hani
With regards to using group policy management across your domain.
Use this link here to set up a GPO to block internet access: //thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/#:~:text=%20Ho...
Seems obvious in retrospect but it's never occurred to me I could block access this way. Great solution.
1 found this helpful
Try it and let me know
We created a software restriction policy for all web browsers for some 'protected accounts', like service accounts and local administrators. If a user tries to launch a browser, they get a message that it's blocked by an administrator.
All options above using GPO are very good and will work. We use client based policies on our firewall to disable or limit internet access. These policies can be tied to Active Directory groups. Both work. Just depends what resources you have available to you.
dbeato
Hani Al-Marzoqi wrote:
Hi everyone, some help please on Windows Server 2019.
I have created in the AD a new organization unit named HR users. Inside the unit 10 users.
How can I block internet access for two users inside the unit using group policy?
You would want to do that at the endpoint, DNS or Firewall level.
You can do this with an Antivirus that has Web Filtering, Firewall with web filtering or installing a Pi-hole and denying any connection from those endpoints. The best option though is using a web filter per user for either Endpoint Agent or Firewall/UTM/NGFW device.
Thank you all