Blocking Internet Access to selected computers

vijayvm

Apr 21, 2015
Hello everyone!

We have a basic office network with a domain controller that runs Windows Server 2008 Standard and about 30 computers that connect to the switch. The Router connects into the switch as well. There is an ERP server that connects to the switch as well.

I want to be able to block internet access totally on a few computers based on their IP. Or conversely only allow internet access on a selected few computers and disable access for the rest. However, the disabled ones should be able to connect to Outlook and download email (We use gmail and access the emails on outlook via pop & smtp). Also I need the antivirus software to be able to update on all computers though internet.

What is the best / fool proof way to do this through the Domain Controller using Windows Server itself? I don't want to install any software. Any help would be appreciated.

Thanks in advance!
 
Not so sure you can do it with the domain controller. This is mostly a function of a firewall. The traffic does not actually pass through the domain controller. You would have to get creative and try to push firewall rules to the end machine, which users can bypass if they have local admin.

Still, even with an actual firewall it is going to be tricky. You are going to have to more clearly define what traffic you want to get. One of the worst is some of the antivirus software. Things like Symantec Endpoint use Akamai servers, so there is no fixed list of IP addresses, and you cannot just blindly use IP ranges because these IPs are used for many other applications that Akamai is hosting for their customers.

Unless you want to spend money for the filter lists used in firewalls that let you pick categories, where someone else has done the work to find a way to identify the traffic, you are pretty much going to have to find this by blocking everything and then, via trial and error, open things via rules.
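For readers who want to try the "push firewall rules to the end machine" route the post above describes, here is an added example of what that looks like with the built-in Windows Firewall (netsh advfirewall, available on Windows 7 / Server 2008 R2 and later). It is not from the thread or from any poster. Everything that identifies this office is a placeholder: 192.0.2.0/24 stands for the LAN (domain controller, ERP server, router), and the Outlook and antivirus updater paths are assumptions to be replaced with the real ones. The default becomes "block all outbound", then only LAN traffic, Outlook's POP/SMTP ports and the antivirus updater program are opened, which matches the requirements in the question. As the post says, a user with local admin rights can simply delete these rules, so this only holds for standard users.

```batch
@echo off
REM Added example: default-deny outbound policy for a "no Internet" workstation.
REM Placeholders: 192.0.2.0/24 = office LAN (DC, ERP, router); program paths are assumed.
REM Run elevated on the client, or deploy as a GPO computer startup script.
REM Caveat from the thread: a local admin can remove these rules at will.

REM 1. Default policy: block inbound and outbound unless a rule allows it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 2. Keep the LAN working: AD logon, DNS via the DC, file shares, the ERP server.
netsh advfirewall firewall add rule name="LAN allow" dir=out action=allow remoteip=192.0.2.0/24

REM 3. Mail only from Outlook: Gmail POP3 over TLS (995) and SMTP submission (465, 587).
REM    Restricting by program keeps a browser from using the same ports.
netsh advfirewall firewall add rule name="Outlook mail" dir=out action=allow protocol=TCP remoteport=995,465,587 program="%ProgramFiles%\Microsoft Office\Office15\OUTLOOK.EXE"

REM 4. Antivirus updater: allow by program rather than by remote IP, because CDN-hosted
REM    update servers (the Akamai problem described in the post) have no fixed address list.
netsh advfirewall firewall add rule name="AV updater" dir=out action=allow protocol=TCP remoteport=80,443 program="%ProgramFiles%\ExampleAV\update.exe"

REM 5. Log dropped outbound connections so the trial-and-error phase can be read from
REM    %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log instead of guessed.
netsh advfirewall set allprofiles logging droppedconnections enable
```

The per-program rules in steps 3 and 4 are what make the "block everything, then open by trial and error" approach workable: the dropped-connection log shows which executable tried to reach which port, so the next rule can be written for that program alone rather than for a range of CDN addresses that also serves unrelated sites.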
 
Solution
As @Bill001g said, you cannot do that from the Windows server. Your router might have the capability to block access to Internet based on IP and/or MAC addresses.

But this is more of a management than a technical problem. A strongly worded "Acceptable / permitted use" policy issued by your HR department should be more than enough.
 

Urumiko

Dec 28, 2013
There is no sensible way to do it without (a) using the DC as a proxy and sending all of your traffic through the DC unnecessarily, and (b) it being insecure and easy to bypass. The proper solution is to set up some access lists on your switch, and optionally a firewall as well.
 
I don't see a proxy based system working effectively - your antimalware suite is going to want to update via TLS, and any TLS traffic is very hard to distinguish from any other.

I'd look at using AD to prevent them using web browsers of any kind, basically. And stop them opening executables outside of Program Files, though you should probably have that already.