gf
(Fresh Scripter)
2003-02-02 09:38 AM
deny internet access by group

Hi, I am administrating 25 clients with Win 98 on a Win 2000 server. Is it possible to deny internet access for a group, for example: pupils?

regards
glennf


pvds
(Hey THIS is FUN)
2003-02-02 03:20 PM
Re: deny internet access by group

Hi,

Yes it can be done with MS proxy or ISA server.

GR Peter


Sealeopard
(KiX Master)
2003-02-02 04:12 PM
Re: deny internet access by group

Or any other proxy server, e.g. free Linux-based proxies.

BTW, as this question is not KiXtart-related it should rather be posted in the 'General' forum.

[ 02. February 2003, 16:13: Message edited by: sealeopard ]


jpeachman
(Fresh Scripter)
2003-02-03 08:47 AM
Re: deny internet access by group

It can be done using KiXtart--I'm doing exactly that at a public school. If your browser is Internet Explorer, you don't actually have to use a proxy server, but this method does require you to create a registry entry for a "phantom" proxy server:
code:
WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyServer",
"ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80","REG_SZ")

With this entry in place (which only has to be done once per user account), the following code can be used to turn access on and off:
code:
IF $internet="Y"
    ; Access allowed: phantom proxy off, proxy settings policy off
    WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","0","REG_DWORD")
    WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","0","REG_DWORD")
ELSE
    ; Access denied: phantom proxy on, proxy settings policy on
    WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","1","REG_DWORD")
    WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","1","REG_DWORD")
ENDIF

You can set the value of $internet according to whatever criteria you wish, including group membership. You can also get fancier by turning on or off the IE icon on the desktop, and hiding or showing it in the start menu and quicklaunch bar.

One caveat: on your Windows 98 clients, the HKCU hive (where these entries need to be made) isn't loaded yet when the normal login script is processed. I handle that by including all the HKCU entries for Win9x clients in a second script (called logon9x.kix), and create a RunOnce entry invoking it in my primary login script:
code:
WriteValue("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce","Logon9x",
"kix32.exe \\servername\netlogon\LOGON9x","REG_SZ")

Hope this helps!

Joe
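
One way to derive `$internet` from group membership as the post above describes, given as an added example that is not part of the original post; it also creates the policy key when missing and checks each `WriteValue` return code. The group name `Pupils` is an assumption, and on Windows 98 clients this would run from the second (RunOnce) script because it writes to HKCU.

```kixtart
; Added example (not from the thread). "Pupils" is an assumed group name;
; the registry paths and the phantom proxy string are the ones in the post.
$settings = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$policy   = "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
$phantom  = "ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80"

; Restricted group members get "N", everyone else "Y"
If InGroup("Pupils")
    $internet = "N"
Else
    $internet = "Y"
EndIf

; "1" enables the phantom proxy and locks the proxy settings; "0" reverses both
If $internet = "Y"
    $flag = "0"
Else
    $flag = "1"
EndIf

; The policy key may not exist on a fresh profile, so create it first
If Not KeyExist($policy)
    $rc = AddKey($policy)
EndIf

; One-time phantom proxy entry: write it only when missing or changed
If ReadValue($settings, "ProxyServer") <> $phantom
    $rc = WriteValue($settings, "ProxyServer", $phantom, "REG_SZ")
    If $rc <> 0
        ? "ProxyServer write failed: " + @SERROR
    EndIf
EndIf

; WriteValue returns 0 on success, so report any non-zero result
$rc = WriteValue($settings, "ProxyEnable", $flag, "REG_DWORD")
If $rc <> 0
    ? "ProxyEnable write failed: " + @SERROR
EndIf
$rc = WriteValue($policy, "Proxy", $flag, "REG_DWORD")
If $rc <> 0
    ? "Proxy policy write failed: " + @SERROR
EndIf
```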


gf
(Fresh Scripter)
2003-02-03 02:37 PM
Re: deny internet access by group

Thanks

This is the kind of code I was looking for.

Anyone knows it can be done with a proxyserver


Stephen Wintle
(Seasoned Scripter)
2003-02-03 03:40 PM
Re: deny internet access by group

Hello, I use the following to good effect:
code:
 

;---------------------------------------Removes internet access PER GROUP ----------------------------

;disable proxy
If InGroup("YR6")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR8")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR9")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\enanet.reg"
EndIf

;disable proxy
If InGroup("YR10")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR11")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;---------------------------------------Removes internet access PER USER ----------------------------

;disable proxy
If @USERID="9368KASHIF"
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If @USERID="9286NAVEED"
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf


Regards

Steve Wintle


Stephen Wintle
(Seasoned Scripter)
2003-02-03 03:43 PM
Re: deny internet access by group

I guess I'd better tell you that disanet and enanet both toggle the proxy server setting per user, and I have copied each reg setting to the clients.

Steve


Les
(KiX Master)
2003-02-03 03:53 PM
Re: deny internet access by group

Controlling internet access through reg hacks rather than by proxy is relying on ignorance. What's to stop the students from changing it after logon?

Stephen Wintle
(Seasoned Scripter)
2003-02-03 05:29 PM
Re: deny internet access by group

IEAK....

Steve


Les
(KiX Master)
2003-02-03 05:34 PM
Re: deny internet access by group

I'm sorry, but IEAK cannot prevent even a novice cracker from reversing what the logon reg hack does.

That is just security by ignorance.


Sealeopard
(KiX Master)
2003-02-03 06:33 PM
Re: deny internet access by group

The correct (and secure) way to enable/disable Internet access is by written policy and proxy server (free Linux-based for the continuously cash-strapped schools).

jpeachman
(Fresh Scripter)
2003-02-03 10:23 PM
Re: deny internet access by group

I don't disagree that running a REAL proxy server is more ironclad, but....

In real life, 99%+ of the students at my school don't have the skills or knowledge to begin to attack the "problem" of bypassing a reg hack, nor do even the more knowledgeable among them know this is WHY they can't get on in the first place. We do remove display of all IE icons on restricted accounts, and have limited Windows Explorer to local folders only. We've actually done a pretty decent job of closing loopholes through which they might attempt unauthorized internet access, even on Windows 9x machines. They don't have access to Internet Options, registry editing tools, a command prompt, etc., can only run authorized programs, and local hard drive contents are hidden. And our students' computer access is monitored, in that staff are present and screens visible when students are using them.

There are further blocks which could be applied, such as manipulating Content Advisor settings, if you want another line of defense. If you don't mind running more than one network protocol, you might even try fiddling with TCP/IP settings. But in several years, it hasn't been a problem yet, though I'm not oblivious to the possibility--and I'm always looking for new ways to crank up security (I even challenged a gifted student who worked with me to come up with creative ways to hack our system, and used the results to improve our security). But in the end, this is less intended as an absolute lockdown than as a practical management tool. Backing everything up with written policies defining consequences for unauthorized tampering with the system is an essential element, too.

Frankly, as long as some accounts have internet access and some don't, the greater danger probably lies in students obtaining access to passwords letting them use someone else's account, which would be an issue even with a proxy server in place. We all hear that "social engineering" represents the greatest threat to most systems.

I'm not going to say this is the best possible solution, but the question was raised in the KiXtart forum, which I take to imply asking can this be done using KiXtart, and the answer is yes, it can. In our case, there are some practical problems with using a proxy server, with some machines on our network being maintained and controlled by our district, and others at our site level, with different rules and access needs being applicable. It's not necessarily that it can't be physically done, but there are some very real administrative obstacles which we're working with here. Meanwhile, we've come up with an approach that is getting the job done.

Joe


Darren_W
(Hey THIS is FUN)
2003-02-04 10:51 AM
Re: deny internet access by group

Hi,

You don't need to install a Linux server to use Squid, as there is a precompiled GPL version that will run on NT/2000 available from here.

There may be some advantages to this with improved speed from caching and as mentioned above:

Link to Site

Think this UDF may be handy too: Proxy UDF

Darren

[ 04. February 2003, 10:54: Message edited by: Darren ]