Control internet access for users with terminal servers

MHCG

We have a large network with win2k3 terminal servers that users log in on and use to connect to the internet through. We need to limit some users' internet access to a specific list of websites, and other users should have unlimited internet access.

The terminal servers are all on a domain and of course we use active directory. In order to do this, it seemed that the best way to differentiate is through group policy being applied to specific OUs.

I can't use services like OpenDNS because it doesn't exist on the internet we use (it's a secure government internet) and we can only use a limited number of pre-approved applications, and solutions like this aren't on that list.

My thought was that I could set up a proxy server with white lists and have specific users' internet access go through the proxy server. Or, somehow do it through Internet Explorer's security settings. I thought about using a DNS server I create for the limited users, but I don't know that I can apply that to users since it's usually a computer-based policy, and because limited and unlimited users will use these terminal servers, I can't restrict it by computer.

Any other ideas?
 
Will this work?

Make a batch file that runs at startup for the users who require limited internet access. The commands below will change the DNS server to the restricted DNS that you create. (Or vice versa, apply the batch startup concept to the least amount of users, or all if you want.) The instructions for some of the commands are below.

Does each terminal session get its own private IP to the server by tunnelling over the real IP? Even if all the clients are sharing the same IP, I would imagine they would NOT need to share the same DNS settings. I don't know much about W2K3 Terminal Server, just throwing out an idea because I want to be where you're at! :) I figure each individual session would have its own tunnelled IP that runs encapsulated over through the real IP, much like a VPN.

Taken from Google:
Of course you can change the IP from the command prompt.

The command is:
to change IP and default gateway:
netsh int ip set address "local area connection" static 192.168.0.101 255.255.255.0 192.168.0.254 1

to change DNS:
netsh int ip set dns "local area connection" static 192.168.0.254 primary

This is assuming 3 things:
1) The network adapter you're trying to change the IP for is "local area connection". It could also be "local area connection 2" or "wireless network connection". Look in your Control Panel for the correct name.
2) The IP you want to set is 192.168.0.101; change this to whatever IP you want to use.
3) The default gateway and DNS are the same IP. If you are using some kind of router they usually are. Change this to match your network config, found with the command ipconfig /all.

You will need to run both commands to change the IP.
 

That's the dilemma I had with DNS; I don't think it's possible to have a user-specific DNS setting. Summarized, terminal servers essentially allow many users to log in on a server via remote desktop. The end user's terminal merely displays the user's session, so they have no hard drive, GPU or things like that (thin client). So, everybody uses the same IP settings, DNS, etc.

I think I have a solution that I'm going to test today. As I was writing out my original post, I had a thought. I believe I can set the group policy to set the limited users to send everything to a fake proxy 192.168.10.X (an unused IP) and then have a list of exceptions in the group policy. This theoretically should accomplish what I want.
 
I have had this dilemma. Currently we just don't allow those users with the increased access on terminal servers. From what we have found, there is nothing you can set on the server; you need a proxy hardware device that checks AD security groups for the user when they request an internet webpage. All users, regardless of what they log into, would be subjected to this device, but since each user is set up with authority it won't matter. I don't remember what solutions I had looked at, so I don't have anything to suggest, but basically it is going to have to be external hardware that interacts with AD.
 
Does everyone in the company use IE? If so, have you ever looked into Content Advisor? In Group Policy Editor, go to User Configuration > Windows Settings > Internet Explorer Maintenance > Security. Double-click Security Zones and Content Ratings. In the content rating section (lower section) click 'Import the current content ratings settings'. Click Modify Settings. There is now an Approved Sites tab where you can approve or disapprove sites. You could disapprove '*', which would be everything, then allow the specific sites you want.
 
Everybody uses IE.

I was able to get it to work the way I mentioned earlier. I ended up creating a group policy that I applied to the student (limited user) OU in Active Directory. The group policy set the Internet Explorer proxy server to 0.0.0.0 and then I set up the exceptions as the sites they're allowed to access. Additionally, I had to restrict their ability to change the proxy.

Voila, terminal server users now are able to either have unlimited internet access or limited access, depending on which OU their login account resides in.
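The following PowerShell is an added example, not code from the thread or from any poster: it reproduces, inside one user's session, the per-user registry state that the group policy described above produces (IE proxy pointed at the unreachable address 0.0.0.0, a bypass list of the allowed sites, and the proxy settings locked so the user cannot change them), and then audits that state the way an administrator would when checking that a limited user is actually restricted. The allowed-site list is a constructed placeholder; the registry paths are the standard WinINET Internet Settings key and the IE Control Panel policy key.

```powershell
# Added example (not from the original thread). Mirrors, for the current user,
# what the poster's GPO does, then audits the result.
# Assumption: $AllowedSites is a constructed placeholder allow list.

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicyProxy    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Constructed allow list. ProxyOverride is a semicolon-separated list of hosts
# that bypass the proxy; '<local>' keeps intranet names reachable.
$AllowedSites = @('intranet.example.gov', '*.example.gov', '<local>')

function Set-RestrictedProxy {
    param([string[]]$BypassHosts)
    New-Item -Path $InternetSettings -Force | Out-Null
    Set-ItemProperty -Path $InternetSettings -Name ProxyEnable -Value 1 -Type DWord
    # 0.0.0.0 is not a reachable proxy, so every request not on the bypass list fails.
    Set-ItemProperty -Path $InternetSettings -Name ProxyServer -Value '0.0.0.0:80' -Type String
    Set-ItemProperty -Path $InternetSettings -Name ProxyOverride -Value ($BypassHosts -join ';') -Type String
    # Policy value 'Proxy'=1 disables the proxy controls in Internet Options,
    # which is the "restrict their ability to change the proxy" step.
    New-Item -Path $IePolicyProxy -Force | Out-Null
    Set-ItemProperty -Path $IePolicyProxy -Name Proxy -Value 1 -Type DWord
}

function Test-RestrictedProxy {
    param([string[]]$ExpectedBypass)
    $s = Get-ItemProperty -Path $InternetSettings -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $IePolicyProxy    -ErrorAction SilentlyContinue
    $findings = @()
    if ($s.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1: proxy is off, access is unrestricted'
    }
    if ($s.ProxyServer -ne '0.0.0.0:80') {
        $findings += "ProxyServer is '$($s.ProxyServer)', expected 0.0.0.0:80"
    }
    # Any bypass entry not on the approved list is a hole in the restriction.
    $actual = @($s.ProxyOverride -split ';' | Where-Object { $_ })
    $extra  = @($actual | Where-Object { $ExpectedBypass -notcontains $_ })
    if ($extra.Count -gt 0) {
        $findings += "Unexpected bypass entries: $($extra -join ', ')"
    }
    if ($p.Proxy -ne 1) {
        $findings += 'Proxy settings are not locked; the user can change them'
    }
    if ($findings.Count -eq 0) { 'OK: restricted proxy in effect' } else { $findings }
}

Set-RestrictedProxy -BypassHosts $AllowedSites
Test-RestrictedProxy -ExpectedBypass $AllowedSites
```

Because both keys live under HKCU, the values are per session, which is why this works on a shared terminal server where every session has the same machine IP and DNS. Two caveats a practitioner would check: the restriction only binds applications that honour the WinINET proxy settings (Internet Explorer and most programs that use its settings), so other software with its own network stack on the terminal server is not constrained by it, and the bypass list should be audited periodically with the Test function above, since one stray wildcard in ProxyOverride opens the whole restriction.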
 
We grant our users too much authority, so it doesn't work for us, and our main issue was how our content filter bypass works off IP; a terminal server is one machine, so many users, one IP.
 