RE: GPO that forces users to use a proxy server.

leomail04-focusms_at_yahoo.es
Date: 11/02/04

    Date: Tue, 2 Nov 2004 15:30:38 +0100 (CET)
    To: focus-ms@securityfocus.com
    
    

    Hi Ryan,

    I think one of the best approaches to resolve your
    problem is the one pointed out by Jim Harrison, using a
    .pac file. That way, whatever “browser” (IE, Mozilla…)
    your company uses, you can have the proxy automatically
    configured when they are on your LAN, and this will be
    disabled when they are outside since this file won't be
    reachable.

    (You can have the file in a web server inside your
    network and configure the browsers like this in the
    “automatic proxy configuration url tab”)

    https://intranet/proxy.pac

    -------- Surfing the Internet through outside networks,
    why not? -------

    My personal point of view is that it is useless to force
    your laptops to go through your VPN just to surf the
    web when they are at home or on the road. It’s much
    more solid to have good policies, a good antivirus and
    firewall on every laptop (plus education for users) and
    also to consider assigning a special PVLAN in the
    office to these “less trusted computers” and take
    special care of this segment.

    Other way is easily:

    1) To figure out how to get on the net when they are
    outside,
    2) They might not surf the web (at first) but get
    connected to untrusted networks and get infected /
    exposed.
    3) You are going to allow them to get to other
    networks since you want them to get to your VPN, so
    first they need to get on a network
    4) It is not always possible to get to the VPN using
    IPSec.

    Regards
    Leo
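
A minimal PAC file of the kind the message describes, as an added example that is not part of the original post. The proxy address `proxy.corp.example:8080` and the internal zone `corp.example` are assumed names; going direct off the LAN still comes from the PAC URL being unreachable, as the message says, not from anything in the script.

```javascript
// Added example PAC file (constructed; not from the original message).
// Assumed names: proxy.corp.example:8080 and the corp.example DNS zone.
// Only plain JavaScript is used, so the logic can be checked outside a browser.

var PROXY = "PROXY proxy.corp.example:8080"; // hypothetical proxy address
var INTERNAL_SUFFIXES = [".corp.example"];   // hypothetical internal zone

function isInternalHost(host) {
  host = host.toLowerCase();
  // Single-label names such as "intranet" only resolve on the LAN.
  // The ":" check keeps bare IPv6 literals out of this branch.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (host === "127.0.0.1") return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match the zone itself and its subdomains; the leading dot stops
    // look-alikes such as "evilcorp.example" from matching.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback: while this PAC is loaded, a proxy outage
  // makes requests fail instead of silently bypassing the proxy.
  return PROXY;
}
```

Serve the file with the MIME type `application/x-ns-proxy-autoconfig` so browsers accept it as a PAC script.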

                    