Re: Restrict All Internet Access except one web site
From: Alex (Alex_at_discussions.microsoft.com)
Date: 12/07/04
- Next message: Alex: "Re: Restrict All Internet Access except one web site"
- Previous message: BLD: "Re: Windows ICS"
- In reply to: Steve Riley [MSFT]: "Re: Restrict All Internet Access except one web site"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Restrict All Internet Access except one web site"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 Dec 2004 09:05:01 -0800
I want to make sure we are on the same page......
We have some users (about 20) that do not currently have internet access
that are inside our firewall - the rest of our company has internet access.
They need to be able to access two secure INTERnet websites outside our
firewall.
I don't want those 20 users to be able to access anything else.
I thought that maybe we would find out the IP addresses for those websites
and then only allow enough services to enable internet access to and from
those websites.
I am not worried that the 20 users inside our firewall which have restricted
user accounts will attempt to change their own IP addresses.
I am wondering 1) will this work - will it restrict internet access to only
those two websites? 2) Is there any danger from the outside?
But if you know of something in active directory / group policy that can do
this instead or any other way - I would greatly appreciate it.
"Steve Riley [MSFT]" wrote:
> If I can learn one of the two IP addresses that your firewall is allowing,
> then I can cause a denial of service attack against one of those computers,
> change my address to that computer's address, and then get out the firewall.
>
> IP addresses cannot be used as trusted identifiers of people or machines --
> they were never intended for that purpose. You must use a firewall that is
> able to understand who the *user* is.
>
> Steve Riley
> steriley@microsoft.com
>
>
>
> "Alex" <Alex@discussions.microsoft.com> wrote in message
> news:772A275D-FAB5-4CB4-BD6C-A01C4CE79FB8@microsoft.com...
> > Steve,
> > I'm going to have my network Admin check the IP thing out on our
> > firewall - we use static IPs.
> > You said something about IPs being forged - I'm assuming you are talking
> > about IP addresses outside my network - I'm only going to let one or two
> > IP addresses through for the users I'm attempting to restrict - it is for
> > our new payroll punch-in/out system. Is there a real possibility that one
> > of these two IP addresses will be intercepted and forged by some
> > malicious code?
> >
> > But if you know of a better way like something in Active directory / group
> > policy - Please let me know, I am very interested.
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> You can't do this with the host-based firewall in Windows XP, it isn't
> >> designed for such things.
> >>
> >> You will need a network firewall that is aware of user IDs. Tying such
> >> decisions to IP addresses won't work for two reasons:
> >>
> >> * addresses can be forged
> >> * if you're using DHCP, there's no guarantee that a client
> >> address will always be the same
> >>
> >> Steve Riley
> >> steriley@microsoft.com
> >>
> >>
> >>
> >> "Alex" <Alex@discussions.microsoft.com> wrote in message
> >> news:CF5AB17A-6328-4493-8FF0-9F2E3B3688D4@microsoft.com...
> >> > When you say "Firewall" are you talking the network's firewall or
> >> > WinXP's firewall because I am not seeing anything in WinXP firewall
> >> > that would allow that.
> >> > Please Advise.
> >> >
> >> > "Leythos" wrote:
> >> >
> >> >> In article <AA9BCA5B-8574-4CF6-AC24-E9B0CD4AC8B1@microsoft.com>,
> >> >> Alex@discussions.microsoft.com says...
> >> >> > Is it possible to restrict all internet access except one or two
> >> >> > web sites I could put on a list?
> >> >> > We are using a domain with Active directory.
> >> >> > For a few users in our company, we only want to give them access
> >> >> > to one or two web sites and no others.
> >> >>
> >> >> Set the firewall to only allow access to that website for their IP.
> >> >>
> >> >> --
> >> >> --
> >> >> spamfree999@rrohio.com
> >> >> (Remove 999 to reply to me)
> >> >>
> >>
> >>
> >>
>
>
>