Securing internet connection

I am running a windows server 2003 machine with DHCP and NAT...How do I
controll internet access to only the people or machines that I choose and
make sure that all the other machines do not have access?

You don't. You need a "higher end" product like ISA Server or sometype of
dedicated firewall device. Either of these would replace the NAT
Server,...you would not continue to use both.

Typical firewall devices can only control based on the Source IP# which
isn't very usefull if you use DHCP. ISA can get very detailed and can
control access based on the User Accounts, Groups, IP#s, Subnets, etc.
Other proxy server products may be similar to ISA.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



"boiseneon" <(E-Mail Removed)> wrote in message
news:5C785178-44B5-4734-8479-(E-Mail Removed)...
> I am running a windows server 2003 machine with DHCP and NAT...How do I
> controll internet access to only the people or machines that I choose and
> make sure that all the other machines do not have access?

bummer...ok thanks

"Phillip Windell" wrote:

> You don't. You need a "higher end" product like ISA Server or sometype of
> dedicated firewall device. Either of these would replace the NAT
> Server,...you would not continue to use both.
>
> Typical firewall devices can only control based on the Source IP# which
> isn't very usefull if you use DHCP. ISA can get very detailed and can
> control access based on the User Accounts, Groups, IP#s, Subnets, etc.
> Other proxy server products may be similar to ISA.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> http://www.microsoft.com/technet/pro...isaserver.mspx
> -----------------------------------------------------
>
>
>
> "boiseneon" <(E-Mail Removed)> wrote in message
> news:5C785178-44B5-4734-8479-(E-Mail Removed)...
> > I am running a windows server 2003 machine with DHCP and NAT...How do I
> > controll internet access to only the people or machines that I choose and
> > make sure that all the other machines do not have access?
>
>
>

I have had success using Group Policy as follows:
1. Create a GPO named "No IE": User Config | Windows setts | IE Maintenance
| Connection/Proxy Setts: set the server and port numbers to bogus values.
I think there is also a setting that won't let them change the IE settings -
enable that too.
2. Link the GPO to an OU or the domain.
3. Create a security group "No IE" with the poor bloaks who cant browse - be
sure to remove the default enabled group: Authenticated Users.
4. Set the GPO security filter to apply only to that group.

Harvey Juster, MCSE


"boiseneon" <(E-Mail Removed)> wrote in message
news:5C785178-44B5-4734-8479-(E-Mail Removed)...
>I am running a windows server 2003 machine with DHCP and NAT...How do I
> controll internet access to only the people or machines that I choose and
> make sure that all the other machines do not have access?

Nice solution. I love seeing people think outside the box!
Seriously, no BS. Good solution.

Do you not just love Group Policy?

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"Harvey Juster" <(E-Mail Removed)> wrote in message
news:rsLPf.45745$(E-Mail Removed). com...
>I have had success using Group Policy as follows:
> 1. Create a GPO named "No IE": User Config | Windows setts | IE
> Maintenance | Connection/Proxy Setts: set the server and port numbers to
> bogus values.
> I think there is also a setting that won't let them change the IE
> settings - enable that too.
> 2. Link the GPO to an OU or the domain.
> 3. Create a security group "No IE" with the poor bloaks who cant browse -
> be sure to remove the default enabled group: Authenticated Users.
> 4. Set the GPO security filter to apply only to that group.
>
> Harvey Juster, MCSE
>
>
> "boiseneon" <(E-Mail Removed)> wrote in message
> news:5C785178-44B5-4734-8479-(E-Mail Removed)...
>>I am running a windows server 2003 machine with DHCP and NAT...How do I
>> controll internet access to only the people or machines that I choose and
>> make sure that all the other machines do not have access?
>
>

Of course that won't stop anything other than IE.

So if they get firefox on the system, or they use any other internet apps
they will get out.

Of course DCHP classes anad a GPO that assigns a specific classid in a
startup script combined with scopes that have the information you want in
them can solve that.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"Harvey Juster" <(E-Mail Removed)> wrote in message
news:rsLPf.45745$(E-Mail Removed). com...
>I have had success using Group Policy as follows:
> 1. Create a GPO named "No IE": User Config | Windows setts | IE
> Maintenance | Connection/Proxy Setts: set the server and port numbers to
> bogus values.
> I think there is also a setting that won't let them change the IE
> settings - enable that too.
> 2. Link the GPO to an OU or the domain.
> 3. Create a security group "No IE" with the poor bloaks who cant browse -
> be sure to remove the default enabled group: Authenticated Users.
> 4. Set the GPO security filter to apply only to that group.
>
> Harvey Juster, MCSE
>
>
> "boiseneon" <(E-Mail Removed)> wrote in message
> news:5C785178-44B5-4734-8479-(E-Mail Removed)...
>>I am running a windows server 2003 machine with DHCP and NAT...How do I
>> controll internet access to only the people or machines that I choose and
>> make sure that all the other machines do not have access?
>
>