Hands-On Project 10-5: Denying Access to Specific Sites for Specific Users
Objective: Configure rule parameters to limit user access to Web functions.
Description: Although Internet access has become a necessity for many organizations, this access also presents problems. Employees might abuse their Internet access and hurt productivity by using social networking sites, or they could even endanger the organization by performing illegal acts through Internet access. TMG allows very specific restrictions to be configured. In this project, you create detailed restrictions for a single user.
1. On the Windows Server 2008 domain controller, create a user with the following attributes:
2. In TMG, click Web Access Policy in the left frame. Click Create Access Rule in the right frame.
3. In the welcome window, type Web Abusers in the Access rule name text box, and click Next.
4. In the Rule Action window, verify that Deny is selected, and click Next.
5. In the Protocols window, HTTP and HTTPS are already selected. Click Add, expand All Protocols, select FTP, and click Add. Click Close, and click Next.
6. In the Access Rule Sources window, click Add, expand Networks, select Internal, and click Add. Click Close, and click Next.
7. In the Access Rule Destinations window, click Add, click the New menu, and click Domain Name Set. In the Name text box, type Social Networking Sites. Click Add, rename the New Domain as facebook.com, and click OK. From the Domain Name Sets list, select Social Networking Sites, and click Add. From the New menu, click Address Range. In the Name text box, type Linux Web Server. In both the Start Address text box and the End Address text box, type the IP address of the Linux Web server. Click OK. In the Address Ranges list, select Linux Web Server, and click Add. Click Close. Click Next.
8. In the User Sets window, select All Users, and click Remove. Click Add, and click the New menu. In the welcome window, type Web Abusers in the User set name text box, and click Next. In the Users window, click Add, and click Windows users and groups. In the Select Users or Groups window, click the Locations button. If the Windows Security window appears, enter administrator as the username and Pa$word as the password, and click OK. In the Locations window, expand Entire Directory, select Teamx.net, and click OK. In the Enter the object names to select text box, type cjack, and click Check Names. Captain Jack's name should appear underlined. Click OK, click Next, and click Finish. In the Add Users window, select Web Abusers, click Add, click Close, and click Next. Click Finish. Click Apply. In the Change description text box, type Web Abusers created and enabled. Click Apply, and click OK.
9. From the Windows 7 system, log on to the domain as Captain Jack. Open a Web browser and attempt to access the Linux Web server, as you did in Step 15 of Hands-On Project 10-3. Your attempt should fail. If your systems were connected to the Internet, access to Facebook and FTP sites would also be denied. 10. Log off the Windows 7 system, and log on as another domain user. Attempt to access the Linux Web server again. This attempt should succeed.
10. Log off all computers.