Blocking Websites Using a GPO

PolygonGTC

So, I work for a company that recently let go their sys admin. I've been working here as a hardware tech and I don't know a ton about group policy. Anyhow, the short of it is that they want me to work into the sys admin position. One thing they requested recently was that they want a certain user to be whitelisted on what sites they can visit. This is a call center, and all the callers use the same domain account. Is there a way to use group policy to use a whitelist for websites for one specific domain user? The domain controller is running Windows Server 2003. The clients are Windows 7 machines.
 
Let me save you some trouble. Buy a web filtering product. Barracuda makes one that's decent.

You can do something crazy with the hosts file on a PC to block access to some web sites, but it'll be a messy hack at best. If you manage to get it to work, you'll get another request to block/allow some site, and another, and another.

Far better off to nip it in the bud. Buy something that lets you control web access on a per user basis and has reporting capability.
 
Yeah, I would love to do that, but they don't want to spend any money to do this.
 
All I can think of is a GPO to add certain sites to the Restricted Sites list as a form of blacklist, but even that doesn't fully block them; it does restrict a lot of things like JavaScript and such and may make the sites less usable.
 
Yeah, I would love to do that, but they don't want to spend any money to do this.

Then it must not be important to them.

Seriously though, there is no part of Windows which is intended to do what they want. In any case, if you do manage to allow/block various web sites, people will be able to use anonymous proxies or a host of other things to waste time and/or visit malicious web sites.

What you can do is look at your firewall and anti-virus solution and see if there is something built into those products that will do what you need.
 
Easiest thing (and cheapest, $0) to do would be to set up an Open DNS account and change your DHCP to dish out that as your DNS (or statically change each machine). Then under your Open DNS settings disable the categories that you don't want users going to (time wasters, porn, etc.). You can also set a custom domain (site) to block.

For yourself or managers that do not want to be filtered, manually set their DNS to something else.
 
Easiest thing (and cheapest, $0) to do would be to set up an Open DNS account and change your DHCP to dish out that as your DNS (or statically change each machine). Then under your Open DNS settings disable the categories that you don't want users going to (time wasters, porn, etc.). You can also set a custom domain (site) to block.

For yourself or managers that do not want to be filtered, manually set their DNS to something else.

THIS is your $0 solution... And because you specified GPO, then set the DNS forwarders to OpenDNS. The only thing you can't do is exempt users.
 
This would be a really fucking crude way of doing it, but technically, you can do it with GPO. Sorta kinda.
Had to go find the thread, as I remembered seeing it some time back.

http://hardforum.com/showthread.php?t=1634533

Basically configuring Proxy Settings via GPO, and the "whitelisted" sites go in the "Exceptions" list of the Proxy Settings GPO.
 
This would be a really fucking crude way of doing it, but technically, you can do it with GPO. Sorta kinda.
Had to go find the thread, as I remembered seeing it some time back.

http://hardforum.com/showthread.php?t=1634533

Basically configuring Proxy Settings via GPO, and the "whitelisted" sites go in the "Exceptions" list of the Proxy Settings GPO.

Been there, done that. A clever user found a way around this by hacking the current user registry keys and then telling others how to do the same.
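To make the proxy-exception trick above concrete, here is an added example (not from the linked thread or from anyone in it) that writes the per-user proxy settings the GPO would push, sets the "Prevent changing proxy settings" policy value, and adds a drift check that flags the kind of HKCU edit described in the reply above. The dead-end proxy address and the whitelisted hosts are placeholders.

```powershell
# Added example: proxy-based IE whitelist plus a tamper check for the HKCU keys.
# Assumptions: 127.0.0.1:9 as a proxy that never answers, example.com hosts as the whitelist.

$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IEPolicy   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Desired state: every request goes to a proxy that does not exist,
# except the hosts listed in ProxyOverride, which IE connects to directly.
$Expected = @{
    ProxyEnable   = 1
    ProxyServer   = '127.0.0.1:9'                               # placeholder dead-end proxy
    ProxyOverride = '*.crm.example.com;*.example.com;<local>'   # placeholder whitelist
}

function Set-ProxyWhitelist {
    # Same values a GPO would write into the user's hive; run locally here for a test.
    foreach ($name in $Expected.Keys) {
        Set-ItemProperty -Path $IESettings -Name $name -Value $Expected[$name]
    }
    # "Prevent changing proxy settings" policy: greys out the IE connection dialog.
    # A GPO normally writes this key; HKCU\Software\Policies is ACL'd so a
    # standard user cannot edit it, unlike the Internet Settings key above.
    New-Item -Path $IEPolicy -Force | Out-Null
    Set-ItemProperty -Path $IEPolicy -Name 'Proxy' -Value 1 -Type DWord
}

function Test-ProxyWhitelist {
    # Returns the names of values that no longer match; an empty list means compliant.
    $live  = Get-ItemProperty -Path $IESettings
    $drift = @()
    foreach ($name in $Expected.Keys) {
        if ("$($live.$name)" -ne "$($Expected[$name])") { $drift += $name }
    }
    return $drift
}

Set-ProxyWhitelist
$drift = Test-ProxyWhitelist
if ($drift.Count -eq 0) { 'proxy whitelist intact' } else { "tampered: $($drift -join ', ')" }
```

Run Test-ProxyWhitelist from a logon script or scheduled task to notice when the Internet Settings values have been edited; as the thread says, this only governs IE and other WinINET-based software, so anything with its own proxy configuration is unaffected.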
 
Easiest thing (and cheapest, $0) to do would be to set up an Open DNS account and change your DHCP to dish out that as your DNS (or statically change each machine). Then under your Open DNS settings disable the categories that you don't want users going to (time wasters, porn, etc.). You can also set a custom domain (site) to block.

For yourself or managers that do not want to be filtered, manually set their DNS to something else.

This is as close as he can get to what he wants without spending money. But he needs to leave the DHCP pointing to his domain controllers and set up the AD-integrated DNS to use OpenDNS as its only forwarder.
Otherwise he'll have AD issues when his domain computers can't resolve the domain controller names.
 
OP asked for a per-user solution, not sure how you would do that for free with OpenDNS, except by using a different OpenDNS account for every block profile desired.
 
Yeah, I would love to do that, but they don't want to spend any money to do this.

Then it must not be important to them.

I can't comment on that. All I know is, like any company, they keep their expenditures low. They don't understand that a GPO would only work for IE and not other browsers. They also don't understand that it doesn't really work all that well to begin with, which I've found while messing with it. I agree with everyone that's posted. It's not a viable solution.

I had considered Open DNS, but it just takes me to Umbrella by Open DNS which does cost money. However, it's only $25 per user annually which would work perfectly since we only need it for one user, the account the callers log into. They can't complain about $25 per year.

Thanks for all the replies everyone. I had a feeling it was going to be a lost cause.
 
A couple of thoughts here. If you want to use group policy you will need to use Microsoft's IEAK framework.

http://technet.microsoft.com/en-us/library/gg699416.aspx

Otherwise your IE control via group policy will be extremely limited.

It's a huge annoying pain to set up, and it will wipe everyone's IE settings when you deploy it the first time. After that everything will update and work the way you want.

You'll be able to globally block, add or change settings on the fly using GPO permissions, including initial settings, persistent settings, blacklists, whitelists and configurations, items in various zones, etc.

As far as prevention goes, you'll either need to remove admin/power user privileges from your users or also use a web filter device to block traffic not identified as IE.
 
Let me save you some trouble. Buy a web filtering product. Barracuda makes one that's decent.

You can do something crazy with the hosts file on a PC to block access to some web sites, but it'll be a messy hack at best. If you manage to get it to work, you'll get another request to block/allow some site, and another, and another.

Far better off to nip it in the bud. Buy something that lets you control web access on a per user basis and has reporting capability.

+1... don't use GPO or the hosts file.
 
Or, like I said earlier, use Squid, which actually does the same thing (in this case) as a Barracuda device.
//Danne
 