Block web browsing from critical systems such as Windows Domain Controllers

What’s an easy way to block web browsing on mission-critical systems?

Jan De Clercq

August 3, 2015


Q: We want to block web browsing from critical systems such as our Windows Domain Controllers (DCs), because our administrators could, while cruising the web, inadvertently download malware and infect our entire Active Directory (AD) infrastructure. What’s an easy way to do this?

A: A very easy way to block web browsing from your domain controllers is to define AppLocker executable rules and apply them to the DCs through a Group Policy Object (GPO). To block browsing effectively, you need an executable rule for each browser executable that could be used on your DCs. At a minimum, include rules for the most commonly used browsers: Internet Explorer (Iexplore.exe), Google Chrome (chrome.exe), and Mozilla Firefox (firefox.exe).

Microsoft provides an example of how to set this up in the recently released “Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11”. You can also use these settings on older Windows platforms that support AppLocker (AppLocker was introduced in Windows 7 and Windows Server 2008 R2). The download link for the baseline settings for Windows 8.1, Windows Server 2012 R2 and IE 11, along with the associated documentation and tools, is in the following Microsoft TechNet blog post: http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx.
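One way to build such a policy with the built-in AppLocker cmdlets, as an added example that is not taken from the article or from the Microsoft baseline: it generates deny rules for the three browsers named above, adds an allow-all rule so nothing else is blocked, and starts in audit mode. The install paths and the `$GpoLdapPath` parameter are assumptions; supply the LDAP path of your own DC-scoped GPO.

```powershell
# Added example. Run elevated on a machine that has the browsers installed.
param([string]$GpoLdapPath)  # placeholder form: 'LDAP://CN={<GPO-GUID>},CN=Policies,CN=System,DC=example,DC=com'

# Assumed default install locations; only binaries actually present are used.
$browsers = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
) | Where-Object { Test-Path $_ }
if (-not $browsers) { throw 'No browser executables found to build rules from.' }

# New-AppLockerPolicy only emits Allow rules, so generate publisher rules
# (hash rules for unsigned files) and flip them to Deny afterwards.
[xml]$policy = Get-AppLockerFileInformation -Path $browsers |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Block browser' -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
foreach ($rule in @($exe.ChildNodes)) { $rule.SetAttribute('Action', 'Deny') }

# Once a rule collection holds any rule, files that match no Allow rule are blocked.
# An allow-all path rule keeps everything else running; Deny rules still take precedence.
$allow = $policy.CreateElement('FilePathRule')
$allow.SetAttribute('Id', [guid]::NewGuid().ToString())
$allow.SetAttribute('Name', 'Allow all other executables')
$allow.SetAttribute('Description', 'Only the browser deny rules restrict execution')
$allow.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # Everyone
$allow.SetAttribute('Action', 'Allow')
$allow.InnerXml = '<Conditions><FilePathCondition Path="*" /></Conditions>'
[void]$exe.AppendChild($allow)

# Audit first; change to 'Enabled' once the AppLocker event log shows only expected hits.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')
$out = Join-Path $env:TEMP 'dc-block-browsers.xml'
$policy.Save($out)

# Verify the decisions before touching any GPO: browsers Denied, another binary Allowed.
Test-AppLockerPolicy -XmlPolicy $out -Path ($browsers + "$env:SystemRoot\System32\cmd.exe") -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Write the policy into the GPO linked to the Domain Controllers OU.
# Without -Merge this replaces any AppLocker policy already stored in that GPO.
if ($GpoLdapPath) { Set-AppLockerPolicy -XmlPolicy $out -Ldap $GpoLdapPath }
```

AppLocker rules are only evaluated when the Application Identity service (AppIDSvc) is running on the DCs, so set that service to start automatically in the same GPO.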
