Some organizations restrict Internet access based not only on users and computers, but also on the content of the Internet resources. Restrictions may be required for
If you employ these strategies, you will also require a way to ensure that your employees can't bypass or modify the required settings.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Once you've granted access to a specific protocol, you might wish to restrict access based on the Web site's host. For example, your organization's Internet acceptable use policy may not permit access to an Internet gaming site. You configure Web site restrictions by defining domain filters in Proxy Server 2.0. Domain filters block all access to Web sites and Internet resources that are located within the blocked domains. For example, Figure 15.16 shows a domain filter list that prohibits access to any resources in the hansonbrothers.tld Internet domain.
Figure 15.16 Using domain filters to block access to specific URLs
This domain filter blocks access to any resource within the hansonbrothers.tld domain, including first-level hosts such as www.hansonbrothers.tld/ or hosts in child domains such as mail.east.na.hansonbrothers.tld.
NOTE
All fully qualified domain names (FQDNs) in the domain filter list are converted to IP addresses before they're applied. This ensures that access is prevented to blocked Web sites even if the user attempts to connect to the Web site using the IP address instead of the Universal Resource Locator (URL).
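The matching rule described above, sketched as an added example (it is not Proxy Server 2.0 code, and the product's internals aren't shown on this page). The function names, the sample DNS table, and the addresses in it are constructed for illustration. The sketch shows why a filter must match on whole domain labels and why a request made by IP address must be checked against the addresses of the blocked names.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) so the example runs offline.
SAMPLE_DNS = {
    "hansonbrothers.tld": ["192.0.2.10"],
    "www.hansonbrothers.tld": ["192.0.2.10"],
    "mail.east.na.hansonbrothers.tld": ["192.0.2.25"],
    "www.example.tld": ["198.51.100.7"],
}

def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")

def in_domain(host, domain):
    """True if host is the domain itself or a host in any child domain."""
    host, domain = normalize(host), normalize(domain)
    # Requiring the leading dot stops 'nothansonbrothers.tld' from matching.
    return host == domain or host.endswith("." + domain)

def blocked_addresses(filters, dns):
    """Addresses of every known name that falls inside a filtered domain."""
    return {ipaddress.ip_address(a)
            for name, addrs in dns.items()
            if any(in_domain(name, d) for d in filters)
            for a in addrs}

def is_blocked(target, filters, dns=SAMPLE_DNS):
    """Decide a request whose target is either a host name or an IP literal."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return any(in_domain(target, d) for d in filters)
    return addr in blocked_addresses(filters, dns)
```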
When designing security for private network users accessing the Internet, you can prevent access to specific Web sites by
Wide World Importers must configure a domain filter for nwtraders.tld to prevent the Proxy Server from allowing access to any Web sites for nwtraders.tld. The filter will prevent access to any Web site within nwtraders.tld.
The Internet Explorer Administration Kit (IEAK) allows you to preconfigure Internet Explorer settings before deploying Internet Explorer to the desktops in your organization and to update deployments on an ongoing basis.
NOTE
The IEAK is available for download by going to http://www.microsoft.com and searching for "IEAK."
The IEAK consists of two applications: the Internet Explorer Customization Wizard and the IEAK Profile Manager. The Internet Explorer Customization Wizard allows an administrator to define custom settings for all security settings in Internet Explorer. The IEAK Profile Manager allows modifications to be applied to existing installations by storing the modified configuration settings in a .ins file. Internet Explorer clients will detect the .ins file and apply those settings when Internet Explorer is configured to Automatically Detect Settings.
You can configure the following security related options within the IEAK Customization Wizard:
You must consider the following items when planning consistent security configuration of Internet Explorer within an organization:
Wide World Importers is currently supporting both Internet Explorer and Netscape Navigator. If Wide World Importers moves to a pure Internet Explorer environment, using the IEAK will reduce the cost of deploying the latest version of Internet Explorer and ensure that consistent security settings are deployed to all computers in the organization. The IEAK will work in the Wide World Importers network because the IEAK supports Windows 95, Windows 98, Windows NT, and Windows 2000 installations.
To ensure that modified settings are deployed to the desktop, use the IEAK Profile Manager to create a modified .ins file and post it on an accessible share on the network. If Internet Explorer is configured to autodetect Proxy settings, the .ins file will be read from the network location and used to apply any modifications to the Internet Explorer configuration.
Internet Explorer allows you to use security zones to manage what content can be downloaded from Web sites. Each security zone is configured with a security setting that defines what content can be downloaded from Web sites in the security zone.
The predefined security zones that are included with Internet Explorer are
NOTE
You can't add additional zones to the predefined zones included with Internet Explorer.
For each zone you can define the security settings by associating a security level with each zone. Four security levels are predefined, but you can also define custom settings if the defaults don't meet your organization's security needs. The default security levels include
An organization can ensure that correct settings are applied to all Internet Explorer clients by using a mix of the IEAK and Group Policy. The IEAK allows default security settings to be defined for Internet Explorer and allows settings to be modified from a central location by defining configuration (.ins) files. Group Policy allows Windows 2000–based computers to secure Internet Explorer by preventing the display of configuration property pages. If users can't access the property pages, they won't be able to modify the default settings.
Table 15.7 lists the actions that you must include in your security design to meet common objectives related to preventing harmful Web content from the Internet.
Table 15.7 Designing Content Rules by Internet Zone
To | Do the Following |
---|---|
Allow download of safe content from trusted sites | Add all trusted sites to the Trusted Sites zone. Configure the security settings for the Trusted Sites zone to Medium-Low. |
Allow unrestricted access to content on the private network | Ensure that Internet Explorer is configured to bypass the proxy for local intranet access. Configure the security settings for the Local Intranet zone to either Low or Medium-Low. |
Prevent download of harmful content from all Internet sites | Add sites that may contain harmful content to the Restricted Sites zone by adding the URLs to the list of sites. Configure the security settings for the Restricted Sites zone to High. |
Apply security settings that match the Internet acceptable use policy for your organization | Define custom settings for the security zone where you require the custom settings. |
Ensure consistent security settings on all client computers | For all operating systems running Internet Explorer, define the required settings in the IEAK and ensure that all clients use automatic configuration so that the settings are updated whenever required. For Windows 2000–based computers, define a Group Policy object that restricts access to Internet Explorer's properties to prevent modification of the security settings. |
Wide World Importers wants to place restrictions that make it difficult to download software from the Internet. Configuring the Internet zone to use the High security setting prevents the download of most harmful content from the Internet. Combining the High security settings with a deployment of a security template limits users to creating files in their personal folders and common shared files locations. This makes it difficult for a user to download and install unauthorized software from the Internet.
NOTE
Make sure that the users aren't members of the Power Users group on the local computer, because membership in that group would elevate privileges and allow the users to install software in other locations on the disk.
Many Web sites contain content that isn't appropriate for business purposes. Content that falls into this category can include nudity, sex, language, and violence.
You can block access to Web sites that contain unauthorized content by using plug-ins that allow content scanning at the Proxy Server. If any inappropriate content is discovered, the Proxy Server won't load the materials and instead informs the user that the content is blocked.
NOTE
A list of plug-ins for content scanning is available at http://www.microsoft.com/proxy/.
Another method is to use the Internet Explorer Content Advisor in Internet Explorer. The Content Advisor controls which content can be displayed in the browser window by using the Recreational Software Advisory Council on the Internet (RSACi) rating system. RSACi categorizes Internet content into four categories based on language, nudity, sex, and violence. When the Content Advisor is enabled, Internet Explorer scans the Hypertext Markup Language (HTML) source code for RSACi ratings contained in HTML metatags. If the rating is one that's blocked for access, the Web page won't be loaded in the browser window. You must also define what action to take if a site is unrated. If the Content Advisor doesn't find an RSACi metatag, you can choose to either prevent or grant access to the Web site HTML source code.
NOTE
Deciding whether to block unrated sites is difficult. It isn't compulsory to include RSACi metatags in a Web site. Blocking access to unrated sites may deny access to sites that aren't offensive.
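The rating check and the unrated-site decision described above, as an added example (it is not Internet Explorer's code). It reads an RSACi label from a PICS-Label metatag and applies per-category limits. The sample pages, the policy values, and the choice to block a page whose label omits a category are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# The four RSACi categories, keyed by the letter used inside a label.
CATEGORIES = {"l": "language", "n": "nudity", "s": "sex", "v": "violence"}

class PicsLabelFinder(HTMLParser):
    """Collects the content of <meta http-equiv="PICS-Label"> tags."""
    def __init__(self):
        super().__init__()
        self.labels = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "pics-label":
            self.labels.append(a.get("content") or "")

def parse_rsaci(html):
    """Return {category: level} from the first RSACi label, or None if unrated."""
    finder = PicsLabelFinder()
    finder.feed(html)
    for label in finder.labels:
        m = re.search(r"\br\s*\(([^)]*)\)", label)  # the 'r (...)' ratings group
        if "rsac.org" in label.lower() and m:
            pairs = re.findall(r"\b([lnsv])\s+([0-4])\b", m.group(1))
            return {CATEGORIES[k]: int(v) for k, v in pairs}
    return None

def decide(html, max_levels, allow_unrated=False):
    """Allow the page only if every category is within the configured limit."""
    ratings = parse_rsaci(html)
    if ratings is None:
        return "allow" if allow_unrated else "block"
    for cat, limit in max_levels.items():
        # Assumption: a category missing from the label is blocked (fail closed).
        if ratings.get(cat, 5) > limit:
            return "block"
    return "allow"

# Constructed sample pages and policy for the demonstration.
RATED = ('<html><head><meta http-equiv="PICS-Label" content=\'(PICS-1.1 '
         '"http://www.rsac.org/ratingsv01.html" l gen true '
         'r (n 0 s 0 v 3 l 1))\'></head><body>sample</body></html>')
UNRATED = "<html><head><title>no label</title></head></html>"
POLICY = {"language": 2, "nudity": 0, "sex": 0, "violence": 0}
```

With `POLICY`, the rated sample is blocked on its violence level, and the unrated sample is blocked or allowed according to `allow_unrated`.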
If you use the Content Advisor, you can prevent users from changing the content ratings. You can do this either by locking the Content Advisor settings with a supervisor password or by preventing access to the Content tab in the Internet Explorer Properties dialog box.
Take the following actions when designing a strategy to block specific types of Internet content:
Wide World Importers wants to prevent employees from connecting to sites that contain pornography and violence. Wide World Importers must enable content ratings for all Internet Explorer clients to ensure consistent application of the restrictions. In the Content Advisor, define restrictions to prevent access to sites that contain nudity, sex, and violence. To ensure that the settings aren't modified by employees, configure the settings using the IEAK so that the required settings are configured as the default settings. The IEAK can also ensure that Internet Explorer clients are configured to autoconfigure settings and will download any modified content settings. Finally, configure Group Policy to prevent access to the Content tab of the Internet Explorer Properties dialog box.
Creating restrictions on the content that can be accessed from the Internet ensures that the Internet isn't abused by an organization's employees. You can configure restrictions to block access to specific Web sites or to block access based on a Web site's contents. Additionally, you can use the IEAK to ensure that consistent configuration is applied to all the computers in the organization.
As with most security settings, Group Policy provides added control by restricting user access to certain property pages. By removing the ability to modify configurations, you can ensure that the desired default settings are maintained.