Lesson 2: Securing Access to the Internet by Private Network Users

When designing network security, consider the security risks of allowing private network users to connect to the Internet.

After this lesson, you will be able to

  • Design secure access to the Internet for private network users

Estimated lesson time: 30 minutes

Identifying Risks When Private Network Users Connect to the Internet

When private network users access resources on the Internet, several risks are introduced to your network's overall security. If they're not carefully managed, these risks can result in reduced security for your network. Typical risks include

  • Introducing viruses. To prevent virus attacks, deploy a virus scanning solution for your network. The virus scanning solution should include all client computers, servers, and entry points to the network.


    The absence of an Internet connection doesn't mean that there's no threat from viruses. Viruses can be introduced through floppy disks and shared files on the network.

  • Installing unauthorized software. In highly secure networks you can control software installation through a central network authority. By ensuring that users are members of the local Users group, you can restrict users to writing data to their hard disk only in common shared areas and their personal profile directory. This strategy requires the installation of the Dfltwk.inf or Basicwk.inf security templates to apply default Windows 2000 security configuration.
  • Exposing private network addressing. Outbound Internet traffic could expose the IP addressing scheme used on the internal network. A network address translation (NAT) service at a firewall or perimeter server will replace all outgoing source address information with a common address configured at the NAT server, as shown in Figure 15.4.


    Figure 15.4 Using NAT to replace the source IP and source port information with a common IP address and random source port

  • Users attempting to bypass the established security. Once restrictions are placed on Internet access, employees might attempt to bypass the configured security mechanisms. One of the most common methods is to use a modem to call directly to an ISP, as shown in Figure 15.5. This method bypasses firewall security.


    Figure 15.5 Using a modem to bypass firewall security

    You can prevent modem usage by using Group Policy to disable the Remote Access Connection Service. This service must be running for Windows 2000 client computers to connect to a remote network by using a dial-up or VPN connection.

Making the Decision

You can reduce the risk of threats introduced to the private network by Internet access by implementing the recommendations in Table 15.2.

Table 15.2 Reducing Risks When Providing Internet Connectivity

To: Reduce the risk of viruses
Do the following:
  • Deploy virus scanning software at each client computer to detect locally introduced viruses.
  • Deploy virus scanning software at common targets, such as e-mail servers, so that viruses are detected before they enter the e-mail system.
  • Deploy virus scanning software at perimeter servers such as firewalls to detect virus-infected data before it enters the private network.
  • Ensure that virus signatures are regularly updated at all deployed locations.

To: Prevent the installation of unauthorized software
Do the following:
  • Restrict installation to signed software when installing from the Internet.
  • Configure Internet Explorer security settings to restrict what content can be installed.
  • Don't include users in the Power Users or local Administrators groups. This will restrict user access to specific areas of the local disk system where they can install software.

To: Prevent Internet users from revealing the private network addressing scheme
Do the following:
  • Deploy a NAT service at a firewall between the private network and the public network so that all source IP address information is replaced with a common browsing IP address configured at the firewall.
  • Have all internal client computers access the Internet by connecting to the Proxy Server. All requests will appear as if they were requested by the Proxy Server.

To: Prevent users from bypassing network security when accessing the Internet
Do the following:
  • Don't deploy modems to the desktop unless required for another application.
  • Use Group Policy to disable the Remote Access Connection Manager and thereby prevent dial-up sessions.
  • Configure the firewall to allow only authorized computers to connect directly to the Internet.

Applying the Decision

To dispel management's fears of risks introduced when employees connect to the Internet, the following items will be included in the Wide World Importers network security plan:

  • Install virus scanning software at multiple locations on the network. Install an antivirus plug-in at the mail server that scans incoming (and outgoing) messages for virus-infected attachments. If the firewall supports content scanning, load a plug-in that scans incoming data transmissions for viral content. Finally, install virus scanning software on each computer in the organization to ensure that all incoming and outgoing traffic on the client computers is scanned for viruses. To ensure that virus signatures are current, Wide World Importers should acquire a virus scanning software solution that includes automatic update features for virus signatures.
  • Preconfigure Internet Explorer to ensure that security settings are set to restrict download of specific content. Use Group Policy to enforce this setting on Windows 2000–based computers. In addition, apply the default or basic security templates to the client computers to ensure that users can only update their personal folders and portions of the registry. This should prevent several forms of software from being installed. You can't prevent a user from installing software, but these settings help restrict many software packages from being installed.
  • Configure the external firewall for Wide World Importers with a NAT service to ensure that the private network addressing scheme isn't exposed on the Internet. The DMZ and private network should be assigned addresses from the network addresses defined in Request for Comment (RFC) 1918. The NAT service ensures that all outgoing packets are translated so that the original source IP address and source port fields are replaced with a common outgoing IP address and a unique source port.
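The NAT behaviour described in the last item, shown as an added example that is not part of the training kit: a translation table that rewrites each outgoing packet's source address to one public address and a unique source port, maps replies back to the originating host, and refuses to translate traffic whose source is not an RFC 1918 address. All addresses are constructed, and ports are handed out sequentially rather than randomly, which is a simplification; what matters for the design is that each port is unique.

```python
import ipaddress

# RFC 1918 private address blocks (real, well-known values).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Nat:
    """Simplified outbound NAT: one public address, one fresh source port
    per internal (src ip, src port, dst ip, dst port) tuple. Ports are
    handed out sequentially here; a real NAT picks them differently, but
    uniqueness is what lets replies be routed back to the right host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> nat port
        self.inbound = {}   # nat port -> (src_ip, src_port, dst_ip, dst_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source address and source port."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private (RFC 1918) address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the internal host, or return None to drop
        packets that do not match a translation this NAT created."""
        if dst_ip != self.public_ip:
            return None
        key = self.inbound.get(dst_port)
        if key is None or key[2] != src_ip or key[3] != src_port:
            return None
        orig_src_ip, orig_src_port, _, _ = key
        return (src_ip, src_port, orig_src_ip, orig_src_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.10")  # constructed public address
    print(nat.translate_out("192.168.1.20", 1025, "198.51.100.5", 80))
    print(nat.translate_in("198.51.100.5", 80, "203.0.113.10", 40000))
```

Two hosts using the same local source port get different public ports, so the external side never sees the internal addressing scheme, and an unsolicited inbound packet that hits a port with no translation entry is dropped rather than forwarded.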

Restricting Internet Access to Specific Computers

One method of restricting access to the Internet is to allow only specific computers to access the Internet. By assigning users to computers, you can limit Internet access to users who are authorized to log on to specific computers.

Granting computers access to the Internet involves more than configuring client computers. You must also configure Internet permissions for network servers that send data transmissions to the Internet. Resources in a DMZ must be allowed to respond to queries from the Internet. Some servers must initiate connections to the Internet. Servers that require access to the Internet through an external firewall to initiate connections include the following:

  • DNS servers. DNS is a distributed database of all hosts on the Internet. To resolve a host name to an IP address, the DNS server may have to contact other DNS servers on the Internet.
  • Mail servers. Internet e-mail is sent to recipients using SMTP. Your mail server must be able to determine which mail server to deliver mail to for a specific recipient by querying a DNS server for the recipient's domain Mail Exchange (MX) resource record. Once the mail exchange is determined, the mail server uses SMTP to send the e-mail message to the recipient.
  • FTP servers. Passive FTP clients require data transfers from the FTP server to the FTP client to be initiated by the FTP server. Once the FTP client sends the request to download a file, the FTP server initiates a connection to the FTP client.
  • Proxy Servers. Proxy clients forward all of their Internet-bound requests to their configured Proxy Server and the Proxy Server sends the requests to the Internet. The Proxy Server must have nearly unlimited access to the Internet.

You can restrict access by internal computers to the Internet by configuring the firewall to limit which computers are allowed to connect to the Internet. You can further restrict each computer by defining outbound packet filters that define which protocols a computer can use to connect to the Internet. Figure 15.6 shows a firewall that limits the mail server to sending and receiving only SMTP packets.


Figure 15.6 A firewall configured to allow the mail server to send and receive SMTP packets


The mail server doesn't require DNS access to the Internet because all DNS requests are passed to the DNS server that's also located in the DMZ.

Making the Decision

You must make the following decisions when determining the design of your firewall's packet filters to allow Internet access.

  • Determine which computers are required to respond directly to incoming requests. Typically, all computers located within your DMZ provide secure access from public network users. Configure your firewall to allow only the required protocols into the DMZ. Additionally, the packet filters should be mirrored to allow the server to send response packets.
  • Determine which computers are required to initiate data exchange with computers on the Internet. Identify all computers that require direct connection (not through the Proxy Server) to resources on the Internet.
  • Determine if the computers that require access to the Internet have a static IP address or a Dynamic Host Configuration Protocol (DHCP)-assigned IP address. If a computer is required to have direct access to the Internet, consider assigning a static IP address to the client computer, rather than using DHCP for IP addressing. If you use DHCP-assigned addresses, you may have to update the firewall packet filters to reflect changes in IP addressing.


    You can even assign static IP addresses to remote access clients by configuring the user's dial-up properties to request a static IP address.

  • Determine which protocols the computers use when accessing the Internet. Identifying the protocols will assist you in defining the required packet filters at the firewall.

Making these four decisions will help you design the necessary outgoing packet filters at your firewall. In a DMZ you may have to establish rules at the internal and external firewall.


If NAT is performed at a firewall, you must establish the packet filters at that specific firewall to limit protocols and destination IP addresses. Once the data passes through the NAT service, other firewalls will be unable to identify the packet's original source.

If you're channeling all Internet bound traffic through the Proxy Server, you can restrict specific subnets from using the Proxy Server by excluding their subnet network addresses from the Local Address Table (LAT) table. Figure 15.7 shows the default network ranges that are loaded into the LAT table. By excluding any addresses from these ranges, you effectively block those subnets from using the Proxy Server.


Figure 15.7 Configuring which subnets are included in the LAT table
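The LAT exclusion just described, as an added example that is not from the training kit: the LAT is modelled as a list of networks, an excluded subnet is carved out of it, and a client is accepted only if its address still falls inside a LAT range. The default ranges are assumed here to be the three RFC 1918 blocks (the page only refers to Figure 15.7 for them), and the excluded subnet is constructed.

```python
import ipaddress

# Assumed default LAT contents: the RFC 1918 private blocks.
DEFAULT_LAT = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def build_lat(ranges, excluded):
    """Return the LAT as a list of networks after removing the excluded
    subnets. ipaddress.address_exclude does the splitting so that the
    remaining ranges still cover every other address in the block."""
    lat = [ipaddress.ip_network(r) for r in ranges]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        remaining = []
        for net in lat:
            if net.subnet_of(ex):
                continue  # the whole range is excluded
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))
            else:
                remaining.append(net)
        lat = remaining
    return lat


def proxy_accepts(lat, client_ip):
    """Clients outside the LAT are not treated as internal and so cannot
    use the Proxy Server."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in lat)


if __name__ == "__main__":
    lat = build_lat(DEFAULT_LAT, ["192.168.50.0/24"])  # constructed exclusion
    for net in lat:
        print(net)
    print(proxy_accepts(lat, "192.168.50.7"), proxy_accepts(lat, "192.168.51.7"))
```

Excluding one /24 from 192.168.0.0/16 leaves eight smaller networks that together cover every other 192.168 address, so only the excluded office loses proxy access.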

Applying the Decision

The network security design for Wide World Importers must include the following items:

  • Apply the following packet filters to the internal firewall to allow the Proxy Server to access the Internet using any protocol. Although Internet users are restricted to using HTTP, HTTPS, FTP, and NNTP, administrators have no restrictions on the protocols that they can use. Table 15.3 shows the required packet filter.

    Table 15.3 Packet Filter Required for the Internal Firewall

    Protocol Source IP Source Port Target IP Target Port Transport Protocol Action
    Any Any Any Any Any Allow


    The internal firewall requires additional filters to define network traffic from the private network to the servers in the DMZ. Specifically, filters are required to allow the internal DNS server to connect to the external DNS server, and all internal clients require access to the mail server. The required packet filters are discussed in Chapter 14, "Securing an Extranet."

  • Configure the Proxy Server to restrict computers at the Mexico City office from using Proxy services because the manager of the office refuses to allow employees to sign the Internet acceptable use policy. Assuming that only network addresses in the network range will ever be used, configure the LAT table shown in Figure 15.8 to exclude the Mexico City office from using LAT services.


    Figure 15.8 LAT definition that excludes the network range

  • The external firewall must have the packet filters defined in Table 15.4 to allow Internet access for the Proxy Server, mail server, and DNS server.

    Table 15.4 External Firewall Packet Filters

    Protocol Source IP Source Port Target IP Target Port Transport Protocol Action
    DNS Any 53 TCP Allow
    DNS Any 53 UDP Allow
    DNS Any Any 53 TCP Allow
    DNS Any Any 53 TCP Allow
    SMTP Any Any 25 TCP Allow
    SMTP Any Any 25 TCP Allow


    The first two packet filters allow the external DNS server ( to forward DNS queries to the ISP's DNS server ( The third and fourth packet filters allow DNS clients on the Internet to connect to the external DNS server to resolve host names for the wideworldimporters.tld Internet domain. The fifth packet filter allows the mail server to send e-mail to any SMTP server on the Internet, and the final packet filter allows the mail server to accept incoming SMTP messages.
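A first-match packet filter evaluator applied to rules shaped like Table 15.4, as an added example that is not part of the training kit. It also models the mirroring of filters mentioned under "Making the Decision" (a stateless filter needs the reverse of each rule so a server can send its response packets) and confirms the point made for Figure 15.6 that the mail server gets no DNS access of its own. The DMZ and ISP addresses are constructed because the table on the page does not show them, and the fourth DNS rule is written here as UDP on the assumption that the duplicated TCP row in the table is a typo.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"  # wildcard, as in the table


@dataclass(frozen=True)
class Rule:
    protocol: str      # descriptive label only; matching uses the fields below
    src_ip: str
    src_port: object   # int or ANY
    dst_ip: str
    dst_port: object   # int or ANY
    transport: str     # "TCP", "UDP" or ANY
    action: str        # "Allow" or "Deny"


def _ip_match(pattern, ip):
    if pattern == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    return pattern == ANY or pattern == port


def mirror(rule):
    """The reverse of a rule: lets the server send its response packets."""
    return Rule(rule.protocol, rule.dst_ip, rule.dst_port,
                rule.src_ip, rule.src_port, rule.transport, rule.action)


def with_responses(rules):
    """A stateless filter set plus the mirror of every rule."""
    return list(rules) + [mirror(r) for r in rules]


def evaluate(rules, src_ip, src_port, dst_ip, dst_port, transport):
    """First matching rule decides; anything unmatched is denied."""
    for r in rules:
        if ((r.transport == ANY or r.transport == transport)
                and _ip_match(r.src_ip, src_ip) and _port_match(r.src_port, src_port)
                and _ip_match(r.dst_ip, dst_ip) and _port_match(r.dst_port, dst_port)):
            return r.action
    return "Deny"


# Constructed addresses: the page's table leaves these cells empty.
EXT_DNS = "203.0.113.5"    # external DNS server in the DMZ
ISP_DNS = "198.51.100.53"  # the ISP's DNS server
MAIL = "203.0.113.25"      # mail server in the DMZ

# Table 15.4, with the constructed addresses filled in.
EXTERNAL_FIREWALL = [
    Rule("DNS", EXT_DNS, ANY, ISP_DNS, 53, "TCP", "Allow"),
    Rule("DNS", EXT_DNS, ANY, ISP_DNS, 53, "UDP", "Allow"),
    Rule("DNS", ANY, ANY, EXT_DNS, 53, "TCP", "Allow"),
    Rule("DNS", ANY, ANY, EXT_DNS, 53, "UDP", "Allow"),  # assumed UDP
    Rule("SMTP", MAIL, ANY, ANY, 25, "TCP", "Allow"),
    Rule("SMTP", ANY, ANY, MAIL, 25, "TCP", "Allow"),
]


if __name__ == "__main__":
    print(evaluate(EXTERNAL_FIREWALL, EXT_DNS, 1234, ISP_DNS, 53, "UDP"))   # Allow
    print(evaluate(EXTERNAL_FIREWALL, MAIL, 1234, ISP_DNS, 53, "UDP"))      # Deny
    print(evaluate(with_responses(EXTERNAL_FIREWALL),
                   ISP_DNS, 53, EXT_DNS, 1234, "UDP"))                      # Allow
```

Note what the unmirrored rule set does to the ISP's DNS reply: it is denied, because no rule lets ISP_DNS:53 reach the external DNS server on an ephemeral port. That is exactly the case the text's instruction to mirror the filters is meant to cover.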

Restricting Internet Access to Specific Users

Although it's possible to restrict Internet access to specific computers, sometimes it's more appropriate to restrict access based on user accounts. By defining which users and groups can access the Internet, you can extend the standard Windows 2000 security model of assigning permissions to groups for resource access. In this case the resource is simply Internet access.

Providing Proxy Services

To manage Internet access based on user accounts, you need a service capable of enforcing which users or groups can access the Internet. This service must provide an authentication mechanism that can identify users and evaluate group memberships. Proxy Server 2.0 provides this functionality through the following services:

  • Web Proxy service. Allows users to connect to Internet resources by using HTTP, HTTPS, Gopher, and FTP through a Conseil Européen pour la Recherche Nucléaire (CERN) compliant Web browser. The Web Proxy requires that the user authenticate with the Proxy Server to determine whether the user may use the Web Proxy service.
  • Windows Socket (WinSock) Proxy service. Allows applications that make use of Windows sockets to connect to servers through the Proxy Server. This type of connection, known as a circuit-level connection, requires that the client computer install Proxy Client software so that all WinSock requests are redirected to the Proxy Server.
  • Socks Proxy service. Allows the establishment of a SOCKS 4.3 protocol data channel between a client and server with the Socks Proxy acting as an intermediary. The Socks Proxy service supports TCP-based protocols such as Telnet, FTP, Gopher, and HTTP. The Socks Proxy service doesn't support RealPlayer, streaming video, or NetShow. The Socks Proxy is defined according to protocol connections and can't be restricted by users. Restrictions can only be defined based on IP addresses and ports.


Microsoft's next generation firewall and proxy server, known as Internet Security and Acceleration (ISA) Server, will provide firewall services to a Microsoft network. ISA will provide the same proxy services with more firewall services than were available in Proxy Server 2.0. For more information on Microsoft ISA Server, please see http://www.microsoft.com/isaserver/.

You can configure each proxy service to restrict access to specific Windows 2000 security groups. Group membership is determined by the access token presented by the user connecting to the proxy service. The access token contains the user's Security ID (SID) and the user's group SIDs.

When the user attempts to access an Internet resource through a proxy service, the user's SID and group SIDs are compared to the Access Control List (ACL) configured for the protocol the user is attempting to use. If the SID is allowed access, the Proxy Server completes the connection.

Authenticated access must occur in order to determine the user's SID and the SIDs of their group memberships. Only if anonymous access is enabled can a user connect to Internet resources without authenticating with the Proxy Server.

Authenticating Proxy Server Requests

Proxy Server 2.0 supports three methods of authenticating users: anonymous access, basic authentication, and Windows Integrated Authentication. The authentication methods supported by Proxy Server 2.0 are configured in the Directory Security tab of the Default Web site in the Internet Services Manager MMC console, as shown in Figure 15.9.

Figure 15.9 Configuring authentication mechanisms for the Proxy Server

  • Anonymous Access. Allows anyone to use the Proxy Server services. When anonymous authentication is enabled, the Proxy Server doesn't request user credentials. All users are granted access to the proxy services.
  • Basic Authentication. Allows authentication with the Proxy Server using clear text. While this is considered a security risk, it's sometimes the only way authentication can take place if non-Microsoft Web browsers are deployed.
  • Integrated Windows Authentication. The user's access token is checked to obtain the user's SID and any group SIDs on the access token in a process that's transparent to the user. In previous versions of Windows this authentication mechanism was referred to as Windows Challenge/Response authentication.


Because Proxy Server 2.0 was originally written to operate in a Windows NT 4.0 environment, you must download the Proxy Server update to configure the software to authenticate with Active Directory directory service. You can obtain the Proxy Server update from http://www.microsoft.com/proxy/.

Making the Decision

When designing Internet access by user account, include the design decisions in Table 15.5.

Table 15.5 Restricting Which Users Can Access the Internet

To: Allow all users to access the Internet
Include the following in your security design:
  • Configure anonymous authentication and don't configure ACLs for the proxy services.
  • Allow the Users group for the domain to use any protocols available in the proxy services and to use any of the available authentication mechanisms.

To: Simplify the process of granting users access to Internet protocols
Include the following in your security design:
  • If the Proxy Server is installed on a domain controller, create domain local groups in the domain where the Proxy Server resides to represent each level of access to Internet protocols required.
  • If the Proxy Server is installed on a member server or stand-alone server in a workgroup, create local groups in the local Security Account Management (SAM) database to represent each level of access to Internet protocols required.
  • Create global groups in each domain that will allow users to access the Internet.
  • Place the global groups within the domain local group or local groups previously created.

To: Distinguish users connecting to the proxy service
Include the following in your security design:
  • Plan which authentication mechanisms are required for the network.
  • Microsoft clients can use Integrated Windows Authentication.
  • Non-Microsoft clients may use basic authentication, which is a security risk.

To: Specify which users can use the Web Proxy service
Include the following in your security design:
  • Configure the ACL for the Web Proxy service in the Internet Services Manager console to permit only specific groups to use protocols enabled through the Web Proxy service. Protocol choices include HTTP, HTTPS, Gopher, and FTP through the browser interface.

To: Specify which users can use the WinSock Proxy service
Include the following in your security design:
  • Configure the ACL for the WinSock Proxy service in the Internet Services Manager console to allow only specific groups access to each protocol defined for the service.

Applying the Decision

Wide World Importers has identified two groups of employees who require access to the Internet.

  • Members of the IT department. IT department employees require access to the Internet using all available protocols. Create a local group in the local Security Accounts Manager (SAM) database of the Proxy Server and global groups containing the members of the IT department in the wideworldimporters.tld and engineering.wideworldimporters.tld domains. Then make the two global groups members of the local group, as shown in Figure 15.10.


    Figure 15.10 Creating groups to provide the IT department Internet access

  • Employees allowed to access the Internet. Create a global group in each domain that contains all users who have signed the Internet acceptable use policy. Create a local group in the local account database of the Proxy Server that contains the two global groups as members. This group is shown in Figure 15.11.


    Figure 15.11 Creating groups to provide Internet access to employees granted access to the Internet


    Regularly audit membership of the Internet Users global groups in the wideworldimporters.tld and engineering.wideworldimporters.tld domains to ensure that users from the Mexico City office aren't included in the membership. This prevents users from the Mexico City office from connecting to the Internet if they connect to the network from another office.

To determine membership in the groups, authenticate the users with the Proxy Server. To provide authentication, configure the Proxy Server to support basic authentication and Windows Integrated Authentication. Basic authentication is required to authenticate the Netscape Navigator users because Netscape doesn't support Windows Integrated Authentication. Netscape Navigator uses only basic authentication for Proxy Server access. Disable anonymous authentication on the Proxy Server because Internet access is restricted to members of the IT Access and Internet Access domain local groups. You will use these groups to assign permissions in the Web Proxy and WinSock Proxy permission pages.

Restricting Internet Access to Specific Protocols

Once a user is authenticated, configure the proxy services available in Proxy Server 2.0 to allow access only to specific protocols. For each available protocol, assign permissions to allow only specific groups to use the protocol through the Proxy Server.


Only the Web Proxy and the WinSock Proxy support permissions based on user accounts. The Socks Proxy permissions are based on the connection attempt's properties. Much like a packet filter, Socks Proxy permissions define the source and destination IP address and port information for identifying permitted connections.

Restricting Protocol Access in the Web Proxy

The Web Proxy allows you to define permissions for the four protocols available in the Web Proxy through the Permissions tab for the Web Proxy service properties, as shown in Figure 15.12.


Figure 15.12 Setting Web Proxy permissions in the Permissions tab of the Web Proxy property pages

You can set permissions separately for the Web (HTTP), Secure (HTTPS), Gopher, and FTP Read services to allow only authorized groups to use the designated protocol. For each protocol, you can define which groups are allowed access to the protocol. You can't assign partial permissions to the protocols.

Restricting Protocol Access in the WinSock Proxy

As with the Web Proxy, you can set permissions for individual protocols in the WinSock Proxy on a per protocol basis. Because the list is extensive, an additional option exists to grant unlimited access to all protocols supported by the Proxy Server, as shown in Figure 15.13.


Figure 15.13 Using the WinSock Proxy to grant unlimited protocol access to security groups

The WinSock Proxy not only provides support for most popular protocols but also allows you to provide access to newer protocols by adding the protocol definitions to the WinSock Proxy. If you're defining a new protocol, you must know exactly what ports are used during a connection attempt that uses the protocol so that you can define the protocol for the WinSock Proxy.


Use of the WinSock Proxy service in Proxy Server 2.0 requires the WinSock Proxy client to be installed at the client computer. The proxy client can be installed on Windows 95–, Windows 98–, Windows NT 4.0–, and Windows 2000–based client computers.

Making the Decision

Use Table 15.6 when deciding which protocols you will allow for Internet access.

Table 15.6 Determining Which Protocols Can Access the Internet

To: Determine what protocols are required
Do the following:
  • Survey all employees to determine which applications they use or wish to use to access the Internet.
  • Audit all Internet traffic that originates on the private network to determine protocols currently in use.
  • Identify whether any protocols introduce risks to the private network. For example, Telnet typically uses clear text authentication. Ensure that domain passwords aren't used to access Internet resources.

To: Determine who requires protocol access
Do the following:
  • Ensure that logging contains information on the user or IP address that uses the protocol. This helps you design your groups for restricting access to a specific protocol.

To: Define allowed protocols
Do the following:
  • Configure the Web Proxy, WinSock Proxy, and Socks Proxy to permit only authorized protocols through the Proxy Server.

To: Add new protocols
Do the following:
  • Provide a protocol definition in the WinSock Proxy that accurately describes the ports used by the new protocol.

To: Allow access to the WinSock Proxy
Do the following:
  • Install the WinSock Proxy client on all computers that require access to the Internet using the WinSock Proxy service.
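The traffic audit and logging steps in Table 15.6, shown as an added example that is not from the training kit: a few constructed outbound-traffic log lines are parsed, grouped by destination protocol, and attributed to the user name when the log has one or to the source address when it does not, and protocols that carry clear-text credentials (Telnet, as the table notes, and FTP) are flagged so the groups for those protocols can be designed deliberately. The log format and every value in it are invented for this example; adapt the pattern to your own firewall's log.

```python
import re
from collections import defaultdict

# Well-known port to protocol-name mapping used for the summary.
PORT_NAMES = {80: "HTTP", 443: "HTTPS", 21: "FTP", 23: "Telnet", 119: "NNTP",
              25: "SMTP", 53: "DNS", 70: "Gopher"}
# Protocols that send authentication in clear text.
CLEAR_TEXT_AUTH = {"Telnet", "FTP"}

# Constructed log format: key=value fields; the user field is optional.
LINE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<tr>TCP|UDP) "
    r"dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?")

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2001-03-05 09:14:02 src=192.168.1.20 dst=198.51.100.5 proto=TCP dport=80 user=jsmith
2001-03-05 09:14:09 src=192.168.1.20 dst=198.51.100.5 proto=TCP dport=443 user=jsmith
2001-03-05 09:15:31 src=192.168.1.44 dst=203.0.113.9 proto=TCP dport=23 user=kwong
2001-03-05 09:16:00 src=192.168.2.7 dst=203.0.113.9 proto=TCP dport=21
2001-03-05 09:16:12 src=192.168.1.44 dst=203.0.113.9 proto=TCP dport=119 user=kwong
2001-03-05 09:17:45 src=192.168.1.20 dst=198.51.100.5 proto=TCP dport=8443 user=jsmith
"""


def audit(log_text):
    """Return (users_by_protocol, risky) where each maps a protocol name
    to the sorted list of users (or source IPs) seen using it; risky
    holds only the clear-text-authentication protocols."""
    users_by_protocol = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unparseable line; a real audit would count these
        port = int(m.group("dport"))
        name = PORT_NAMES.get(port, f"{m.group('tr')}/{port}")
        # Prefer the user name; fall back to the source address when the
        # log carries no user, which is itself a logging gap to fix.
        users_by_protocol[name].add(m.group("user") or m.group("src"))
    summary = {p: sorted(u) for p, u in users_by_protocol.items()}
    risky = {p: u for p, u in summary.items() if p in CLEAR_TEXT_AUTH}
    return summary, risky


if __name__ == "__main__":
    summary, risky = audit(SAMPLE_LOG)
    for protocol, users in sorted(summary.items()):
        print(f"{protocol:10} {', '.join(users)}")
    print("clear-text authentication in use:", sorted(risky))
```

The unknown port 8443 surfaces as "TCP/8443", which is the kind of entry the survey step then has to explain, and the FTP line attributed only to 192.168.2.7 shows why the table asks for user information in the logs.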

Applying the Decision

Wide World Importers must include the following permissions in their Web Proxy and WinSock Proxy configuration:

  • Configure the Web Proxy to grant access permissions to the Internet Access local group and the IT Access local group for the Web (HTTP), Secure (HTTPS), and FTP Read protocols.
  • Configure the WinSock Proxy to grant unlimited access to the IT Access local group.
  • Configure the WinSock Proxy to grant access permission to the Internet Access group for the FTP and NNTP protocols.

Wide World Importers must also develop a strategy for the deployment of the WinSock Proxy client to enable the use of FTP and NNTP client software for accessing the Internet.
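The group-based permission check, as an added example that is not from the training kit. It covers the SID and ACL comparison described under "Providing Proxy Services", the nested-group design from the Wide World Importers "Applying the Decision" sections (global groups in each domain placed in local groups on the Proxy Server), the Web Proxy and WinSock Proxy permissions listed just above, and the periodic membership audit for the Mexico City office. Users, SIDs, domain and group names are all constructed; Proxy Server 2.0 compares SIDs taken from the access token, modelled here as plain strings.

```python
# Global groups in each domain -> member user SIDs (constructed values).
GLOBAL_GROUPS = {
    "WWI\\IT Staff": {"S-1-5-21-111-1001"},
    "ENG\\IT Staff": {"S-1-5-21-222-1001"},
    "WWI\\Internet Users": {"S-1-5-21-111-1002"},
    "ENG\\Internet Users": {"S-1-5-21-222-1002"},
}

# Local groups in the Proxy Server's SAM -> the global groups nested in them.
LOCAL_GROUPS = {
    "IT Access": {"WWI\\IT Staff", "ENG\\IT Staff"},
    "Internet Access": {"WWI\\Internet Users", "ENG\\Internet Users"},
}

UNLIMITED = "Unlimited Access"  # the WinSock Proxy's all-protocols grant

# Per-protocol ACLs: protocol -> local groups permitted to use it.
WEB_PROXY_ACL = {
    "HTTP": {"Internet Access", "IT Access"},
    "HTTPS": {"Internet Access", "IT Access"},
    "FTP Read": {"Internet Access", "IT Access"},
    "Gopher": set(),                      # nobody granted
}
WINSOCK_ACL = {
    UNLIMITED: {"IT Access"},
    "FTP": {"Internet Access"},
    "NNTP": {"Internet Access"},
}


def effective_groups(user_sid):
    """Groups a user's access token would carry: the global groups the
    SID belongs to plus every local group that nests one of them. An
    unauthenticated (None) user carries no group SIDs at all, which is
    why anonymous access must be disabled for the ACLs to mean anything."""
    if user_sid is None:
        return set()
    global_groups = {g for g, members in GLOBAL_GROUPS.items() if user_sid in members}
    local_groups = {l for l, nested in LOCAL_GROUPS.items() if nested & global_groups}
    return global_groups | local_groups


def is_allowed(acl, protocol, user_sid):
    """Grant only if one of the user's groups appears in the protocol's
    ACL or in the unlimited grant. Protocols with no ACL entry are denied."""
    groups = effective_groups(user_sid)
    if groups & acl.get(UNLIMITED, set()):
        return True
    return bool(groups & acl.get(protocol, set()))


def audit_internet_users(excluded_sids):
    """The periodic check from the text: return SIDs that must not have
    Internet access but appear in an Internet Users global group."""
    members = set().union(*(GLOBAL_GROUPS[g] for g in LOCAL_GROUPS["Internet Access"]))
    return members & set(excluded_sids)


if __name__ == "__main__":
    employee, it_admin = "S-1-5-21-111-1002", "S-1-5-21-222-1001"
    print(is_allowed(WEB_PROXY_ACL, "HTTP", employee))    # True
    print(is_allowed(WINSOCK_ACL, "Telnet", employee))    # False
    print(is_allowed(WINSOCK_ACL, "Telnet", it_admin))    # True via Unlimited Access
    print(is_allowed(WINSOCK_ACL, "FTP", None))           # False: anonymous
```

The audit function is the code form of the "regularly audit membership" note: feed it the SIDs of the Mexico City office and anything it returns is a group membership that has drifted from the policy.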

Lesson Summary

Your organization may need to configure restrictions on the computers, users, or protocols that can access the Internet. Your design must ensure that all computers and users that require access to the Internet can have it without exposing the network to additional risks. Develop your security plan so that it controls which computers and users can access the Internet. For each scenario that you develop, identify the required protocols so that you can restrict access to the correct protocols.

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172