DiscussWorldIssues - Socio-Economic Religion and Political Uncensored Debate

Lypepuddyu 05-19-2009 12:13 AM

network guru wanted
 
Here's my situation. I'm an admin at a local high school. We have all the students' computers running on a domain, that way they can log in and have access to shared network files and internet. I have a specific lab that I want to remove the internet privilege from but NOT network access. What would be the best way to do this?

DoctorTOneery 05-19-2009 12:16 AM

Any way to add a filter on the main router to filter/block a certain range of IP addresses?

(just trying to remember back from school when I was learning this stuff)

Lypepuddyu 05-19-2009 12:27 AM

Unfortunately I don't have direct access to the firewall as that is run by our ISP offsite. However that is a good idea.

PZXjoe 05-19-2009 12:32 AM

Possibly an easier way than this, but just change the gateway in a script, have a reverse script running on startup+shutdown to set it back. Apply the script to a group/GPO with those denied access.

Wrencytet 05-19-2009 02:19 AM

Quote:

Possibly an easier way than this, but just change the gateway in a script, have a reverse script running on startup+shutdown to set it back. Apply the script to a group/GPO with those denied access.
What if the domain controller was on a different subnet?

Could you put hardware into the network? If so, there are a ton of solutions for you. Hell, I think even an off-the-shelf Linksys router can disable Internet access for an IP range.

What about firewalling all port 80 traffic on those PCs (though, HTTPS and non-standard port assignment would still work)? Or breaking the DNS address (though, browsing via IP address or updating host files would still work)?

12dargernswearf 05-19-2009 02:26 AM

Without buying any extra hardware you could use a Computer GPO to force Internet Explorer to use a non-existent proxy address. Lock down changing of any settings and you shouldn't have to worry about the students going around it.

They could however use Firefox or another browser from a jump drive and surf to their heart's content.

Do you use any kind of software for monitoring and filtering the Internet? Being a school you absolutely should and if you aren't you are in violation of CIPA (if in the USA) and could lose any funding the district receives for Internet connectivity. Just about any content filtering software allows you to block Internet access based on users and times.

Gymnfacymoota 05-19-2009 06:09 AM

The fake proxy would work. Also if IE is the only browser you could remove all security permission to the mshtml.dll file on the systems which will kill IE real fast.

vulikox 05-19-2009 10:19 AM

Non-existent proxy will work for IE until one of those kids finds out how to get around it then it's pretty useless because everyone will know what to do in about 10 seconds. The only way to actually stop them from accessing the internet is to put in hardware, either a firewall that will bar access from a certain IP range or a transparent proxy. The best solution would be the transparent proxy as it allows monitoring of traffic and restricted access based on IP, user or group. With a transparent proxy there is no way around it as all traffic goes through the box and there are no settings to configure on the clients. Still it might be cheaper and more simple to put a firewall in. Proxy GPO settings are User based so they aren't going to help you in this situation.

N.B. I was also an admin at a high school.

Lypepuddyu 05-19-2009 11:43 AM

Our ISP does all our filtering and monitoring for us (the district admin likes making everything as abstracted from us as possible). I couldn't just use GPO to block them out because when they log in their student profiles auto config their proxy, and I don't really want to hand sort 200+ students and give them special profiles every semester.

vulikox 05-19-2009 12:27 PM

I assume you are using a router to connect to your ISP? If you could put that room on its own IP range you could use your router as a firewall of sorts and just drop all traffic from that range, even a lot of standard DSL modems have this option. Else you could go to your ISP and get them to block that IP range either with their management software or their firewall. The simple fact is that it's easy to change Windows settings or just get around them even without admin or power user permissions.

jyhugikuhih 05-19-2009 01:12 PM

Do you have VLAN capable switches? You could drop those clients into a different VLAN and have a router to block that particular ID.

Xewksghy 05-19-2009 03:45 PM

Remove gateway from network settings and lock down their privileges to amend it?

Lypepuddyu 05-19-2009 07:49 PM

Quote:

I assume you are using a router to connect to your ISP? If you could put that room on its own IP range you could use your router as a firewall of sorts and just drop all traffic from that range, even a lot of standard DSL modems have this option. Else you could go to your ISP and get them to block that IP range either with their management software or their firewall. The simple fact is that it's easy to change Windows settings or just get around them even without admin or power user permissions.
This is what it looks like is going to happen. I managed to get a hold of them today and they should be able to do that for me, as they are also able to open addresses to bypass the filter. Of course they aren't positive and will have to get back to me.

12dargernswearf 05-19-2009 08:20 PM

Quote:

Non-existent proxy will work for IE until one of those kids finds out how to get around it then it's pretty useless because everyone will know what to do in about 10 seconds. The only way to actually stop them from accessing the internet is to put in hardware, either a firewall that will bar access from a certain IP range or a transparent proxy. The best solution would be the transparent proxy as it allows monitoring of traffic and restricted access based on IP, user or group. With a transparent proxy there is no way around it as all traffic goes through the box and there are no settings to configure on the clients. Still it might be cheaper and more simple to put a firewall in. Proxy GPO settings are User based so they aren't going to help you in this situation.

N.B. I was also an admin at a high school.
I was an admin for a high school as well, worst job ever. I didn't mind dealing with the PCs, but the students were horrendous. When I first started, nothing was locked down. The students would install CS on the laptops and game across the wireless network in the building. I locked everything down using GPOs and filtering, even went as far as to only allow certain ports through the wireless network.

Yeah, the students pretty much hated me [thumbup].

vulikox 05-20-2009 07:13 AM

Quote:

I was an admin for a high school as well, worst job ever. I didn't mind dealing with the PCs, but the students were horrendous. When I first started, nothing was locked down. The students would install CS on the laptops and game across the wireless network in the building. I locked everything down using GPOs and filtering, even went as far as to only allow certain ports through the wireless network.

Yeah, the students pretty much hated me [thumbup].
Yeah it's a terrible job. Damn kids always find a way to make life hard for you. LOL

MpbY5dkR 05-20-2009 07:35 AM

Quote:

This is what it looks like is going to happen. I managed to get a hold of them today and they should be able to do that for me, as they are also able to open addresses to bypass the filter. Of course they aren't positive and will have to get back to me.
There are many methods. However, locking it down via IP works, but not always because the client IP can change, resulting in it being outside the blocked IP range. The same goes for MAC addresses, as the user could change the MAC address. Blocking via MAC address can be bypassed too, even if it's a Default Deny policy, as the user could find a valid MAC addy that's got net access, then change the client machine's MAC to match the good one.

Really, the only foolproof method is to have a range of ports on the central switch go to a VLAN that has no internet access. That way no matter what they do to the client, it still won't grant access.

Had a smart user get around this VLAN restriction by bringing in a wireless router, plugging it into the VLAN with internet access, then using a wireless client in the pressroom (pressroom VLAN is static IP only and completely locked down except for company intranet sites). Soon as I saw the unauthorized wireless network I had a wireless signal grapher on my phone and I walked around the building using it like a geiger counter till I found the router. Then I confiscated it. No-one EVER stepped forward to claim the wireless router! I got a WRT54G out of that deal.
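
The IP drift and MAC cloning described in the post above can be checked for from the admin's side. The following is an added example, not part of the original thread: it audits a constructed snapshot of switch-port, MAC and IP data, and the subnet, port names and row layout are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the lab is meant to sit in this range, which the upstream firewall drops.
BLOCKED_LAB_NET = ipaddress.ip_network("10.20.30.0/24")
# Assumption: the switch ports wired to the lab room.
LAB_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"}

# Constructed sample rows: (switch port, MAC, IP), as if a switch MAC table
# had been joined with ARP or DHCP lease data.
SNAPSHOT = [
    ("Gi1/0/1", "00:11:22:33:44:01", "10.20.30.11"),   # lab PC inside the blocked range
    ("Gi1/0/2", "00:11:22:33:44:02", "10.20.40.57"),   # lab PC re-addressed by hand
    ("Gi1/0/3", "00:11:22:33:44:99", "10.20.30.13"),   # lab PC presenting an office MAC
    ("Gi1/0/9", "00:11:22:33:44:99", "10.20.40.20"),   # office PC, the real owner
    ("Gi1/0/10", "00:11:22:33:44:0a", "10.20.40.21"),  # office PC
]

def audit(snapshot, lab_ports=LAB_PORTS, blocked=BLOCKED_LAB_NET):
    """Return findings where an IP- or MAC-based block no longer covers a lab port."""
    findings = []
    ports_by_mac = defaultdict(set)
    for port, mac, ip in snapshot:
        ports_by_mac[mac.lower()].add(port)
        # IP drift: a host on a lab port with an address the firewall rule won't match.
        if port in lab_ports and ipaddress.ip_address(ip) not in blocked:
            findings.append(("ip_outside_block", port, ip))
    for mac, ports in sorted(ports_by_mac.items()):
        # MAC cloning: the same address seen on a lab port and on another port.
        if len(ports) > 1 and ports & lab_ports:
            findings.append(("mac_seen_on_multiple_ports", mac, tuple(sorted(ports))))
    return findings

if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(finding)
```

The audit is keyed on the switch port because that is the one identifier the client machine cannot change, which is the same reason the post prefers a port-based VLAN over IP or MAC rules.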

