Easiest way to Block and Allow Internet Access in AD?

Discussion in 'Server Networking' started by 'puter-rooter, Apr 3, 2005.

  1. I have a customer who wants to prevent a portion of the existing (Class C)
    network from accessing the Internet (XP Pro AD clients). But the same clients
    still need access to the server / shared-network printers / other computers
    on the network. There are other Win98 PC's on the network that need to have
    access to everything including the Internet. Right now, everything is
    networked and has Internet Access.

    The customer wants to add two (Win98) PC's to have access to the Internet,
    but no access to his own network - totally separated - to be used by those
    that are having their access blocked (up front and center so he can monitor
    their use).

    What's going to be the easiest, quickest, simplest method to both prevent
    and allow Internet access in this situation? There is no onsite Network
    Administrator - I'm contracted... so in case I'm not available, this should
    be relatively simple to implement and figure out, and also be a very reliable

    There is an existing single AD, no other servers / domains / DNS's.
    DHCP is not currently running on the 2003 Server.

    Options I'm considering:
    1) Use the existing LinkSys router, (which is currently the DHCP server), to
    block Internet access to those computers and then statically assign addresses
    to the 5 PC's that need access. This two PC's that don't need access can have
    their DNS point to the Internet Provider, instead of the AD Server DNS - they
    won't really be on a 'separate' network this way, but it's a simple solution.

    2) Use the OU in AD that contains the XP Pro clients, to (somehow) prevent
    Internet access through a policy (preferred but not sure how to do this).
    This still doesn't put the other two Internet Access PC's on a 'separate'

    3) Setup DHCP on the server. Create two scopes / subnets, x.x.x.0-126 and
    x.x.x.129-254 : Divide the network by adding another router
    as a GW, and plug the two Internet Access PC's into it. This is probably the
    best solution, although I've never actually setup a subnet using routers -
    just theory / book knowledge.

    My biggest concern is, what will happen to the existing AD / DNS Server if I
    change the subnet mask from x.x.x.0 to x.x.x.128?
    Will it screw up the existing network clients / applications / etc.? Will I
    have to add new Host (A) / PTR records / others, to point to the other
    'puter-rooter, Apr 3, 2005
    1. Advertisements

  2. That is done with a Firewall or Proxy, or in some cases with a LAN Router
    between LAN Segments...not with AD or GPOs.
    Phillip Windell, Apr 4, 2005
    1. Advertisements

  3. Actually I did it with an AD GPO and an additional router.
    There are settings in the GPO that I used to disable access to the 'D:'
    drive, hide the 'A:' drive and prevent the use of Internet Explorer - for the
    XP computers that were in an OU.
    I also setup DHCP on the server and removed it from the original router.
    I could have also used it to create a false Proxy, which would in effect
    cause IE not to work.

    To separate the Internet Access computers from the rest of the network I
    added a router and set them up with another network address / subnet. This
    router provides the DHCP addresses for these computers.

    In the end, it all worked. I've never setup a Proxy server, so this ended up
    being a pretty easy solution. Figuring out how to connect the second router
    to the first was the trickiest part since I've never done that before either.

    'puter-rooter, Apr 5, 2005
  4. OK. Sounds like you got done what you need done. You didn't setup a proxy
    though,...you may have setup a NAT device. But I don't see a proxy,...a
    proxy is a specific Application that runs on a PC tht performs the
    "proxying" (ex. MS Proxy2, ISA 2000, ISA2004). Anyway, if it all does what
    you want, that is what matters.


    Phillip Windell [MCP, MVP, CCNA]

    Phillip Windell, Apr 5, 2005
  5. Yeah, you're right - no proxy.
    I know the theory behind one, but don't know what the process is to set one

    What I did was add a second router and switch on a separate cable segment,
    and connected that to the first router.

    First router: - subnet:
    DHCP Scope: to 125

    Second router: - subnet:
    DHCP Scope: to 150 /

    I connected the second router's WAN port to one of the open LAN ports on the
    first router and set the GW on the second router to point to the first router
    ( I connected the LAN port on the second router to a switch,
    where the Internet PC's are connected.

    That gave me a separate network that can then connect to the Internet
    through the first router, that has the cable modem attached.

    Does that make more sense?

    You're right though - it worked - and it was actually pretty cool to control
    the XP's that way. The users aren't too happy about it, but the owner loves

    I'll have to study up on how to setup a proxy server and try it at home
    sometime. How would I do it with a Server 2003 Standard?

    Thanks for your input Phillip!
    ~ Mike

    'puter-rooter, Apr 5, 2005
  6. You created a Back-to-Back DMZ. The DMZ is an "untrusted" network that
    exists between the two NAT Devices.
    Phillip Windell, Apr 5, 2005
  7. Ok - what exactly does that mean?

    I know that a DMZ is a demilitarized zone... but what does it mean to be
    'untrusted', when it's within an existing network like this, behind routers?

    What is the significance of it being 'untrusted' in this situation?

    How else would you / should I have setup the network / router connections so
    that it was 'trusted'? or is that where the Proxy comes into play?

    You're scaring me! LOL
    ~ Mike
    'puter-rooter, Apr 5, 2005
  8. Trusted/Untrusted is defined from the perspective of the Firewall (NAT
    Device) or Proxy that separates the two.

    The Internet is always an "untrusted" network.
    A Back-to-Back DMZ is an "untrusted" network for the innermost NAT Device,
    but is "trusted" by the outermost NAT Device.
    The Internal Network is always a "trusted" network.

    A Trusted network is allowed to reach an Untrusted Network.
    An Untrusted Network is not allowed to contact a Trusted Network, however
    NAT Devices and Proxys can "publish" machines or services from the "trusted"
    network to the "untrusted" network
    I would not have built it the way you did unless there was a specific reason
    to do so. I typically place just one Proxy or NAT Device (one or the other)
    at the network edge between it and the Internet. So there would be one Proxy
    (or NAT Device) with the Internet being "untrusted" and the LAN being
    "trusted". I would have only one Subnet.

    I then control who has access to the Internet using the abilities built into
    the Proxy (or NAT Device). At worst, that may mean that some machines use
    static (or DHCP Reserved) address so you always know what their IP# is.

    If some machines are not supposed to have access to certain things on the
    LAN, then that is handled by the NTFS Permissions on the "targets". In some
    cases it may be controlled by the Services or Applications they connect to
    if those services or applications have their own built in Authentication
    abilities such as SQL Server and many proprietary Applications. The fact
    that they can see the "targets" in Network Places is meaningless,...the fact
    that they may be able to ping the "targets" is also meaningless. You just
    simply don't give the User accounts permissions to things they aren't
    supposed to get to,..it's just that simple.

    For example, at our place:
    1. A File Server stores files in many different "shares". Users can only
    get to the files they are supposed to get to and nothing else. It is
    controlled by NTFS permissions.
    2. Sales/Accounting access the Applications they run by logging into the
    Application. These are Applications designed with "user databases" built
    into them and only the users with "accounts" in those Applications can use
    the Applications
    3. NewsRoom Users,...it is just a repeat of above. The NewsRoom System
    has its own build in User Accounts in the Application itself that controls
    who can use it and what they are allowed to do.
    4. Internet Access is controlled by ISA Server (a proxy server) and
    Users are allowed/denied to the Internet based on *who* the are, not by what
    machine they are sitting at. They are also limited by what they can actually
    do on the Internet, different users may have different abilities,...again
    based on *who* they are.

    Although I have multiple subnets now,..this all worked perfectly fine and
    securely with just one single large subnet. There was no "fooling around"
    with NAT Devices, Routers, or Proxys on the internal part of the LAN to make
    that happen. NAT Devices and Proxys are designed to protect User from the
    Internet,..not from each other.
    Phillip Windell, Apr 5, 2005
  9. Ok, I see what you mean by trusted / untrusted - and 'normally' I setup
    networks the way you described. One network / one NAT at the edge.

    But I thought that 'technically' a DMZ is an area that sits outside of your
    firewall, so that it is accessible from the Internet, like a IIS / FTP
    server? In my setup, none of the network is accessible from the Internet, but
    the Internet is accessible from either of the two networks.

    The reason for setting it up the way I did was for one reason... the
    customer wants to be sure his network never gets infected by any kind of work
    / trojan / virus, that can spread through network shares. Since the server
    hosts a client / server application that all (other) users access, he wanted
    to separate the servers' network from the internet accessible network. The
    theory (fact) is that there are known threats that can spread through network
    shares. I didn't see any other way to achieve that kind of protection... does
    that make sense, and would you say that this setup achieves that?

    I would agree with you if you said this is overkill / a little more than
    paranoia - but, is my application / thought process (in this case), correct
    or (at least) effective?

    The two Internet computers that are connected to the Router #2 network are
    in their own Workgroup (anyway) and not part of the AD Server - connected to
    Router #1. My guess is, that (alone) would be enough to prevent any type of
    threat (worm / virus) from spreading to any other part of the network - since
    the Internet computers have no mapped drives to the other network anyway.

    I guess my thinking was that by having them on their own network, connected
    to another router (back-to-back DMZ), that there would be absolutely no way
    any threat could spread to the Servers network?

    I've never setup a network like this before, and wouldn't have this time,
    except for the customer's extreme paranoia.

    I think there are legitimate situations where routers are used to segment /
    divide / separate, networks. In a situation like that, wouldn't you connect
    one router to another, in the same way that I did? Or how else would it be

    Thanks for your explanations and taking the time to answer my lengthy
    I really appreciate it!
    ~ Mike
    'puter-rooter, Apr 6, 2005
  10. So each NAT Device is "side-by-side" and independent of each other?
    Nothing you are attempting to do will stop that. That is why on the 8th day
    God invented Anti-Virus software. A week later Bill Gates created Security
    Patches. ;-)
    Then you use a LAN Router (not an Internet Sharing NAT Device) between the
    two LAN segments. None of this has anything to do with the Internet
    connection or the NAT Devices providing it. But it won't stop what you are
    wanting to stop. Whatever you do in the idea of "stopping the viruses" will
    also stop the user's ability to do their jobs.
    Not paranoia,...they are legitiment concerns,...but just, I think,...
    misguided. You protect the system from what you described via AntiVirus
    software and the other methods I described in the last post.
    That doesn't matter.
    No it will not, and additionally, mapped drive don't matter either.
    Having them on thier own network would not do that.
    I think you are falling into the trap of letting the customer tell you the
    right way to do something. The fact is the customer doesn't know,...if they
    did they would do it themselves and wouldn't need you. Your job is to know
    the right way to do something, explain to them the right way it is
    done,...and then do it.

    I sympathize with your situation and am many times thankful that I am not in
    that type of situation. I deal with the same system everyday that does not
    change often. I am also the "decision maker" of that system and I build an
    design it as I know best. So I don't have to deal with "customers" that in
    many cases think they know more than they really know and have many
    "superstitions" to overcome.
    If you mean LAN Routers, ...yes. Typically there are two reasons:

    1. The number of Hosts increases above 250-300, and the network begins
    to degrade as a result of "broadcasts" which are the normal characteristics
    of Ethernet.

    2. Security concerns. ACLs are used on the LAN Routers to restict
    traffic at the OSI Layers 3 & 4. These methods typically do not stop
    viruses, worms, spyware, etc. These methods are simply to assure the the
    LAN Users cannot use certain types of communincation (certain protocols)
    over the Router.
    These restrictions are only *supplementary* to the *primary* security
    that is based on the NTFS permissions and the permissions drived from
    Applications that have their own build in user databases and authentication
    Phillip Windell, Apr 6, 2005
  11. So much for my theory then... (that's funny!)
    On the bright side, I think he's willing to purchase the necessary
    client/server anti-virus software. His original point was that if his network
    wasn't connected to the Internet, then he wouldn't have to anti-up (pardon
    the pun) for the protection. As it is, he still has four other PC's connected
    to the servers network that also have an internet connection. As it turns
    out, all I've really accomplished was to give him (and me until now) a false
    sense of security. I already told him the only way to be safe is to not get
    on the internet - otherwise his only other (practically safe) answer is

    Thanks again for your input! Good stuff!
    Wish I could find someplace to work, with someone like you to learn from.
    Actually, I guess I'm already doing that here - LOL

    ~ Mike
    'puter-rooter, Apr 6, 2005
  12. Thank you. Well some days I do fine in the newsgroups, other days I'm just
    an idot that can't get it right. It varies.

    If you haven't already done the equivalent, I'd recommend checking into one
    of the local schools and see if they handle the 4 classes for the Cisco CCNA
    exam. They cover a lot of the stuff that would make a lot of what you been
    wondering about seem obvious. It builds the foundation that all the other
    things you do are built on top of.

    If you get the Cert it needs renewed every 3 years. I plan to retake the
    classes again at the time as a "refresher" before retesting. A person rarely
    uses all that stuff everyday so you don't always retain it,...plus the
    material changes and evolves over time so you get some new stuff each time
    you go through it.

    It has been some of the best time & money I've spent.
    Phillip Windell, Apr 6, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.