Microsoft KB Archive/300492

= How To Prevent Users from Accessing Unauthorized Web Sites in ISA Server =

Article ID: 300492

Article Last Modified on 1/15/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



This article was previously published under Q300492



IN THIS TASK
SUMMARY
 * How to Permit Users to View Authorized Web Sites
 * How to Block Access to a List of Web Sites
 * How to Make Rule Exceptions



SUMMARY
This article describes how an administrator can prevent users from accessing unauthorized Web sites by using the tools that are built into Internet Security and Acceleration (ISA) Server. Also, this article describes how the administrator can make exceptions to a blocking rule, based on time of day and week, or based on groups.

back to the top

How to Permit Users to View Authorized Web Sites
The Site and Content rules can be applied to users to either enable or deny access to specific Web sites, computers, or ranges of Internet Protocol (IP) numbers. With ISA Server, the administrator can use two different screening methods to manage client computer access to Web sites:
 * The administrator can enable the users to access any and all Web sites with the exception of certain sites that are specifically blocked.
 * The administrator can deny users access to any and all Web sites with the exception of those that are specifically authorized.

To permit users to view authorized Web sites:
 * 1) Click Start, point to Programs, click Microsoft ISA Server, and then click ISA Management. The ISA Management window is displayed.
 * 2) Click the plus sign (+) to expand Servers and Arrays, and then click the plus sign (+) to expand  , and to expand the tree.
 * 3) On the tree, click the plus sign (+) to expand Policy Elements.
 * 4) Right-click the Destination Sets folder, and a submenu is displayed.
 * 5) Click New, and then click Set.

NOTE: To make up a list of the specific Web sites that clients are authorized to access, the administrator has to manually enter a list of permitted Web sites by using either the name of the Web site (for example, www.msn.com) or the IP address of the Web site (for example, 207.46.179.143), or both. (Or, the administrator can use wildcards, such as, *. microsoft.com, or /Testing/* in the Path box).
 * 1) Click the New Destination Set dialog box. Enter a friendly name for your list of permitted Web sites, such as, &quot;Permitted Web Sites&quot;.

NOTE: Also, you can add a helpful comment, such as, the date that the list had been entered.
 * 1) Click Add, and a dialog box is displayed. Click either Add Destination or Edit Destination, whichever is appropriate.

NOTE: Each Web site name or IP address can be entered one at a time. After you have made up a list of permitted Web sites, you must return to &quot;Access Policy&quot; in the console tree.
 * 1) Click the plus sign (+) to expand Access Policy. Right-click Site and Content Rules, click New, click Rule, and the New Site and Content Rule Wizard is displayed.
 * 2) Enter a friendly name, such as, Allowed Web Sites, in the Site and Content Rule Name dialog box, and then click Next. The Rule Action dialog box is displayed.
 * 3) Click Allow, which is listed under the line &quot;Response to client requests for access&quot;, and then click Next. The Rule Configuration dialog box is displayed.
 * 4) Click Allow Access Based on Destination, and then click Next. The Destination Sets dialog box is displayed.
 * 5) In the Apply this Rule To list, click Specified Destination Set. Examine the Name list. You can observe the friendly name of the list that you entered when you made up the list of permitted Web sites (in this example, you named it &quot;Permitted Web Sites&quot;). Click your list of permitted Web sites, and then click Next.
 * 6) A summary screen is displayed, which displays your selections. If the selections are correct, click Finish. The Wizard disappears, and you are returned to the ISA Management window. Your new rule is displayed in the right pane of the window.
 * 7) If there are any other rules that are displayed in the right pane of the ISA Management window, you can disable the rule by pointing to the rule, right-clicking the rule, and then clicking Disable. A disabled rule displays a red arrow beside the name of the rule.

back to the top

How to Block Access to a List of Web Sites
This example demonstrates how the administrator can permit the clients to access any and all Web sites with the exception of certain sites that are specifically blocked. First, you must create a Site and Content rule that permits access to all Web sites. Then, you must block access to certain selected sites:
 * 1) In Site and Content Rules, right-click New, and then click Rule. The New Site and Content Rule Wizard is displayed.
 * 2) Create a friendly name for your rule, such as, Allow Everybody Access to Anything. Enter this name in the Site and Content Rule Name box, and then click Next when you are finished.
 * 3) On the next screen, the Rule Action screen, click Allow, and then click Next.
 * 4) On the next screen, the Rule Configuration screen, click Allow Access Based on Destination, and then click Next.
 * 5) On the next screen, the Destination Sets screen, in the Apply this Rule to list, click All Destinations, and then click Next.
 * 6) After the summary screen is displayed, check your configurations. If the configurations are correct, click Finish. Your new rule &quot;Allow Everybody Access to Anything&quot; is displayed in the right pane of the ISA Management window.

To block access to certain Web sites:
 * 1) Click Start, point to Programs, click Microsoft ISA Server, and then click ISA Management. The ISA Management window is displayed.
 * 2) Click the plus sign (+) to expand Servers and Arrays, and then click the plus sign (+) to expand  , and to expand the tree.
 * 3) On the tree, click the plus sign (+) to expand Policy Elements.
 * 4) Right-click the Destination Sets folder, and a submenu is displayed.
 * 5) Click New, and then click Set.NOTE: As an administrator, you must make up a list of the specific Web sites to which you want to block access. The administrator has to manually enter a list of blocked Web sites by using either the name of the Web site (for example, www.msn.com) or the IP address of the Web site (for example, 207.46.179.143), or both. Or, you can use wildcards, such as, *. microsoft.com., or /testing/* in the Path box.

To create a list of blocked Web sites:
 * 1) Click the New Destination Set dialog box, and then enter a friendly name for your list of denied Web sites, such as, &quot;Blocked Web Sites&quot;. (Also, you can add a helpful comment, such as, the date that the list had been entered.)
 * 2) Click Add. When a dialog box opens, click either Add Destination or Edit Destination, whichever is appropriate.

NOTE: Each Web site name or IP address can be entered one at a time. After you have made up a list of blocked Web sites, you must locate &quot;Access Policy&quot; in the tree.
 * 1) Click the plus sign (+) to expand Access Policy. Right-click Site and Content Rules, click New, and then click Rule. The New Site and Content Rule Wizard is displayed.
 * 2) Enter a friendly name, such as, Blocked Web Sites, in the Site and Content Rule Name box, and then click Next. The Rule Action dialog box is displayed.
 * 3) Click Deny, which is listed under the &quot;Response to client requests for access&quot; line, and then click Next. The Rule Configuration dialog box is displayed.
 * 4) Click Deny Access Based on Destination, and then click Next. The Destination Sets dialog box is displayed.
 * 5) In Apply this Rule To list, click Specified Destination Set. In the Name list, you can observe the friendly name of the list that you entered when you made up the list of permitted sites that had been named &quot;Blocked Web Sites&quot; (in this example). Click your list of blocked Web sites, and then click Next.
 * 6) A summary screen is displayed, which displays your selections. If your selections are correct, click Finish. The wizard disappears, and you are returned to the ISA Management window. Your new rule is displayed in the right pane of the window.
 * 7) If there are any other rules that are displayed in the right pane of the ISA Management window, you can disable the rule by pointing to the rule, right-clicking the rule, and then clicking Disable. A disabled rule displays a red arrow beside the name of the rule.

back to the top

How to Make Rule Exceptions
The administrator can make important refinements to the site access list or to the blocked access list rules that have been made up. The two most important refinements to the Web site rules are the exceptions that are based on time of the day and week, or the exceptions that are made by either the Security Group or the User Group.

How to make a rule exception that is based on the time of day or week:
 * 1) If you want to use the Access or Deny rule only at certain times, right-click the rule that is displayed in the right pane of the ISA Management window, and then click Properties.
 * 2) Click the Schedule tab, click Always, and then click either Work Hours or Weekends as the time that this rule is to be used. When finished, click OK. The default work hours are 8:30 A.M. to 4:30 P.M. from Monday through Friday. This default, however, can be modified.

How to make a rule exception that is based on Security or User groups:
 * 1) The administrator can make exceptions to the site-blocking rule based on groups, such as, Administrators, Managers, Executives, certain users, and so on. To make an exception, the administrator, in the right pane of the ISA Management window, must right-click the Site and Content rule that the administrator wants to make an exception to, and then click Properties.
 * 2) Click the Applies To tab, click Users and Groups Specified Below, and then click Add. The Select Users and Groups dialog box is displayed.
 * 3) The administrator must include in the Applies to Requests Coming From box all of the security groups to which the rule applies. Click Add, and then click OK to return to the Applies To tab. All of the selected groups are displayed in the Applies to Requests Coming From box. When finished, click OK.
 * 4) Click Add, which is next to the Exceptions box, and then open the Select User or Groups box. Select those groups or users that you want exempted from the rule, and then click OK to return to the Applies To tab. All of the selected groups are displayed in the Exceptions box.
 * 5) Click OK, and the wizard disappears. Your Exceptions rule is displayed in the right pane of the ISA Management window.

back to the top

Keywords: kbhowto kbhowtomaster KB300492

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.