Restrictions For One User

Aug 03 07 5:15 am

We've got a server with two NICs running WG. It's configured for Winsock redirector (no proxy) and the clients authenticate via XP or 2000 computers running the WGIC. Active Directory is running on the WG server. The only policies that were active are the system policy, affecting "everyone".
I've noticed in the log files that we occasionally have different entries for WG User and Netbios name.
The system has run for a few years with every user given unrestricted access. Now I want to have an account that will be restricted to a number of sites.
So I've added two policies for the Winsock service, one for most of our users and one for the user that will be restricted. I've changed the policy setting to ignore system policies. Within the advanced tab of the restricted user policy, I've put criteria to allow servers containing the names, for example, google.
The first problem is that I'm having difficulty testing it. Logging out of my regular account and logging into the restricted user account frequently still retains the WG credentials of the regular account (but not the Netbios name). I've noticed that our system policies allow users to be assumed, and the assumed list has never been populated. The restricted user policy requires authentication. I would prefer to not touch this and potentially affect the 200+ users on the system.
The second problem is that only some of my filters work. For example, I make a filter with the criteria that server containing the name "google" and another that a server containing the name "dogswithpants". dogswithpants will work consistently but google will not. Am I missing something in my syntax or usage?
Thanks for any help you can provide. Oh yeah, IE advanced authentication settings have been confirmed as set as mentioned in other posts in the forum.

Aug 06 07 9:07 pm

Logging out of my regular account and logging into the restricted user account frequently still retains the WG credentials of the regular account (but not the Netbios name).


You need to close any active connections to the internet from your computer and then wait 30 seconds for your session to timeout.


I've noticed that our system policies allow users to be assumed, and the assumed list has never been populated.


An authentication level of "User may be assumed" denotes an insecure authentication method which includes "Assumed by ip address", "Assumed by computer name" and the WWW Proxies "BASIC" authentication, whereas "User must be authenticated" denotes a secure authentication method such as NTLM.


The second problem is that only some of my filters work. For example, I make a filter with the criteria that server containing the name "google" and another that a server containing the name "dogswithpants". dogswithpants will work consistently but google will not. Am I missing something in my syntax or usage?


I presume your policies look similar to this if you are making a white list:

Filter 1
This criterion is met if Server name contains Google
Filter 2
This criterion is met if Server name contains dogswithpants

And I presume they look like this if you are making a blacklist:

Filter 1
This criterion is NOT met if Server name contains Google
This criterion is NOT met if Server name contains dogswithpants

*Filters are OR'd and multiple criteria within Filters are AND'd



I envisage your solution based off the details given will look like this:

Winsock Redirector Service --> Policies
Default Rights = Are ignored

Add --> "Full Access Group", User must be authenticated
OK back to Winsock Redirector Service --> Policies.

Add --> "Restricted Access Group", User must be authenticated
Advanced tab:
Filter 1
This criterion is met if Server name contains google
Filter 2
This criterion is met if Server name contains dogswithpants




**If I was setting this up for myself, I would have the Winsock Redirector Service set up to authenticate the user but have the WWW Proxy Server intercept any connection on port 80 and control web access through there - so you would have more criteria available to use, such as "HTTP URL" and "HTTP Resource" etc.




***If you stuff up the policy and people then cannot access the internet again, then just add an "Everyone" User may be unknown, to the service that is having problems - the policy with the most access would override the policy with the least access.



****To back up your WinGate registry you would do the following:
GateKeeper --> Options menu --> Advanced --> Save Registry.
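
The filter logic described in the reply above (filters OR'd, criteria within one filter AND'd), modelled as an added example that is not part of the original posts and is not WinGate code. It assumes a case-insensitive substring match for "Server name contains"; the function names and sample server names are constructed for illustration.

```python
# Toy model of the policy filter logic from the reply: NOT WinGate's own code.
# Assumption: "Server name contains X" is a case-insensitive substring test.

def contains(needle):
    """Criterion: met if the server name contains `needle`."""
    return lambda server: needle.lower() in server.lower()

def not_contains(needle):
    """Criterion: NOT met if the server name contains `needle`."""
    return lambda server: needle.lower() not in server.lower()

def policy_allows(filters, server):
    """Filters are OR'd; the criteria inside one filter are AND'd."""
    return any(all(criterion(server) for criterion in f) for f in filters)

# White list from the reply: two filters, one criterion each.
WHITELIST = [[contains("google")], [contains("dogswithpants")]]

# Blacklist from the reply: ONE filter holding both NOT criteria.
BLACKLIST = [[not_contains("google"), not_contains("dogswithpants")]]

# Variant with the NOT criteria split across two filters. Because filters
# are OR'd, a name only has to lack ONE of the strings, so nothing is blocked.
SPLIT_BLACKLIST = [[not_contains("google")], [not_contains("dogswithpants")]]

# Constructed sample server names.
SAMPLES = [
    "www.google.com",
    "www.dogswithpants.com",
    "www.example.org",
    "google.login.example.net",  # "contains" also matches look-alike names
]

def evaluate(filters):
    """Return {server_name: allowed} for every constructed sample."""
    return {server: policy_allows(filters, server) for server in SAMPLES}

if __name__ == "__main__":
    policies = [("white list", WHITELIST), ("blacklist", BLACKLIST),
                ("split blacklist", SPLIT_BLACKLIST)]
    for label, filters in policies:
        print(label)
        for server, allowed in evaluate(filters).items():
            print("  ALLOW" if allowed else "  DENY ", server)
```

The last sample shows that a "contains" white list also admits any other host whose name happens to include the string, which is one reason an exact criterion can behave more predictably.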

Aug 09 07 5:31 am

Thanks for the response.

Can I force WGIC to drop and re-establish the connection, such as running something in the startup/shutdown scripts in the GPO?

With respect to the permit list technique, I've had better success with "ip address equals" instead of "server name contains". Proxy does look like a better solution; if I can't get the rules worked out within the Winsock Redirector Service I'll consider figuring out why proxy wasn't used.