Blocking Websites Using GPO in a Windows 2003 Domain Environment

  • Blocking Websites Using GPO in a Windows 2003 Domain Environment

    We are using Windows 2003 Server as the Domain Controller and
    the Windows XP SP2 operating system on the clients.

    1. Is there any option available using GPO to block websites for a particular user of the domain?

    2. How to block uploading of files?

    Help in this regard will be gratefully appreciated.
    Thanks in advance
    Last edited by kriish; 3rd March 2008, 13:13. Reason: One more Option needed

  • #2
    Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

    Kriish,

    You would have to configure a GPO for IE settings; however, you can't block sites. You can, however, configure IE via GPOs to allow certain sites by configuring the Content Advisor. Take a look at this article here:

    http://searchwindowssecurity.techtar...215636,00.html

    If you need more granularity with the ability to block sites, you will have to look at some type of proxy server. ISA 2006 is good, especially if you are a Microsoft shop. Websense is another one.

    For the blocking of file uploads, especially through things like BitTorrent or via IM, you have your work cut out. Traditional firewalls have a hard time blocking that stuff because the ports for those types of programs tunnel through ports that are already open on the firewall. I would look at some type of Intrusion Prevention System or Layer 7 firewall. Again, ISA 2006 is a good candidate.

    Ryan



    • #3
      Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

      Hi Ryan,

      Thanks for your valuable suggestions. I will configure ISA 2006 and come back to you.

      kriish


      • #4
        Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

        Hi

        I just did this at work without using ISA - I just made a GPO for one user, and in Internet Explorer Maintenance configured the proxy to redirect all http requests to 127.0.0.1. Then I added the websites that I wanted allowed in the exceptions list.

        So far it's working well. Note that the limitation is that the exception list can't be very big (depending on your version of Win Server 2k3, I think SP2 allows 2048 characters in the exceptions list).

        Cheers



        • #5
          Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

          Originally posted by mo_rocks
          Hi

          I just did this at work without using ISA - I just made a GPO for one user, and in Internet Explorer Maintenance configured the proxy to redirect all http requests to 127.0.0.1. Then I added the websites that I wanted allowed in the exceptions list.

          So far it's working well. Note that the limitation is that the exception list can't be very big (depending on your version of Win Server 2k3, I think SP2 allows 2048 characters in the exceptions list).

          Cheers
          Well I don't think that really helps people who need to block only a few particular sites though.
          VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



          • #6
            Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

            One specific reason why traditional firewalls are not able to block uploads and P2P traffic is that they work at the Layer 3 level, while devices like ISA 2006 and Websense work at the Layer 7 level. So that's the reason why we can allow users to access Gmail but disable the same Gtalk app which runs inbuilt in the Gmail window.
            MCSE : Windows Server 2003



            • #7
              Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

              One thing you can do to block certain sites without ISA Server is to deploy a custom hosts file using a startup script.

              For the sites you want to block, you would add a static entry into a hosts file that points to an invalid IP like 0.0.0.0.

              Your batch file would look kind of like this:

              Code:
              rem Overwrite in place so a failed copy does not leave the client without a hosts file
              copy /Y \\fileserverpathtoshare\hosts c:\windows\system32\drivers\etc\hosts

              Also, a side note to mo_rocks:

              You can use wildcards in the exceptions list, so say you wanted to allow http://www.gmail.com, you could accomplish this by using only *gmail.com
              Last edited by wiredteknologies; 4th April 2008, 22:19. Reason: added side note
              Technology is only as good as those who use it

              My tech blog - wiredtek.wordpress.com
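
An added example, not code from the thread or any poster: rather than overwriting the whole hosts file as the batch file in post #7 does, this Python script rewrites only a marked section, so local entries survive and re-running it changes nothing. The marker comments, function names and sample sites are assumptions made for illustration; hosts files match exact names only, so wildcard and malformed entries are skipped.

```python
import re

BEGIN = "# BEGIN managed block list"   # hypothetical marker, not a Windows convention
END = "# END managed block list"       # hypothetical marker
SINK = "0.0.0.0"                       # the invalid address suggested in post #7
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """True for a plain DNS name; rejects wildcards, underscores, empty labels."""
    return 0 < len(name) <= 253 and all(_LABEL.match(p) for p in name.split("."))

def managed_block(sites):
    """Build the marked section: lower-cased, de-duplicated, sorted, validated."""
    names = sorted({s.strip().lower() for s in sites
                    if valid_hostname(s.strip().lower())})
    return [BEGIN] + [f"{SINK} {n}" for n in names] + [END]

def merge_hosts(existing, sites):
    """Return hosts text with the managed section replaced and all else kept."""
    kept, inside = [], False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True          # drop the old managed section
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)      # preserve entries the admin did not manage
    while kept and not kept[-1].strip():
        kept.pop()                 # avoid accumulating blank lines on re-runs
    return "\n".join(kept + [""] + managed_block(sites)) + "\n"

# Constructed sample input (not from the thread)
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 intranet # local entry\n"
SAMPLE_SITES = ["blocked.example", "WWW.blocked.example",
                "*.example.net", "bad_name.example"]

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_SITES))
```
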



              • #8
                Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                Or since you manage DNS, create A records for those sites pointing to 127.0.0.1
                VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                • #9
                  Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                  Gepeto's and Wiredteknologies' solutions work, but only in a small environment. This would get insanely cumbersome to manage and doesn't scale very well. Better to go with an enterprise solution if it is possible.

                  Ryan



                  • #10
                    Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                    Yes definitely. I am definitely not recommending that someone use these solutions when you can get very inexpensive proxy servers for SMB. For enterprise, I don't even think the original poster would be asking about doing this using GPOs
                    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                    • #11
                      Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                      Block Web Browsing with IPSec
                      CCNA, Network+



                      • #12
                        Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                        I think this thread is going nowhere. Daze posted a workaround and so did other people.. but the bottom line is, using GPOs to block websites is like using a lawn mower to get to work.

                        You can do it but I'd rather get a car
                        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                        • #13
                          Re: Blocking Websites Using GPO in a Windows 2003 Domain Environment

                          Hi,
                          Thanks to all the people who have contributed ideas. I will deploy and work for the result.

                          regards,
                          kriish