Describe how Proxy Server domain filters prevent unauthorized Internet access.
Restricting Outbound Traffic Using Domain Filters
You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters.
Domain filters let you restrict access to Internet content by the DNS names of the destination servers. For example, if users are going to aol.com to check the personal ads, you can place a domain filter for aol.com, and no resources from that domain will be accessible to internal network users.
Why focus on domain filters?
Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. As with packet filters, you can create a combination of domain filters in order to meet the particular security requirements of any organization. Domain filters and packet filters both apply to all Proxy Server services. You cannot selectively apply domain filters to a particular Proxy Server service, and you cannot restrict particular users or groups from accessing specified domains. Again, this is an "all or nothing" situation, as it is with packet filtering.
Windows Server 2022 using Windows Defender Firewall with Advanced Security
To manage Internet access on Windows Server 2022 in a way similar to the domain filters and default behaviors you would have set up in the year 2000, you can use the following tools and features:
Windows Defender Firewall with Advanced Security
Use the firewall's outbound rules to control access to specific domains or IP addresses.
Create a custom rule to deny access to the IP ranges or domains of AOL and allow others by default.
Web Proxy or Reverse Proxy using IIS
Configure Internet Information Services (IIS) as a reverse proxy using the Application Request Routing (ARR) module.
Define rules to block or allow specific domains.
Group Policy (GPO)
Use Group Policy Management to enforce web filtering rules:
Navigate to: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > URL Action Rules.
Configure allowed or blocked websites.
Microsoft Endpoint Manager (Optional)
If your organization uses Microsoft Endpoint Manager or Intune, set up compliance policies to manage which websites can be accessed from company devices.
Third-Party Proxy Software
Install and configure third-party software like Squid Proxy or NGINX Proxy Manager to act as a filtering proxy.
Set up rules to block or allow specific domains based on your requirements.
DNS Filtering Services
Use DNS filtering by configuring the DNS Server role or integrating with services like OpenDNS or Microsoft Defender for DNS:
Block or allow specific domains by adding them to the DNS blacklist or whitelist.
For DNS Server on Windows Server, you can create custom DNS zones and configure policies to redirect or deny access to specific domains like aol.com.
Windows Firewall Rules and App Control
For domain-specific filtering, combine firewall rules with third-party extensions or integrations that allow more granular web filtering capabilities.
Steps for a Simple Proxy Setup (Example: Squid Proxy on Windows)
1. Install Squid Proxy on Windows Server 2022.
2. Configure the squid.conf file to:
   - Allow access to all domains by default.
   - Add acl rules to block specific domains like aol.com.
   Example:
       acl BLOCK_AOL dstdomain .aol.com
       http_access deny BLOCK_AOL
       http_access allow all
3. Restart the Squid service to apply changes.
These tools provide robust options for filtering and managing internet access in a modern server environment.
The Enable checkbox has been selected. This enables the domain filtering mechanism. At this point, access to all Internet sites will be granted. Notice that there are no exceptions in the list at this time. To add an exception, click the Add button.
You see now that all Internet sites are available except aol.com. If a user attempts to go to a resource located on the aol.com domain, the Proxy Report informs them that access has been denied.
As a result, you can specify Proxy Server domain filters to:
Reject packets specified in the criteria of the filter and forward all others
Forward packets specified in the criteria of the filter and reject all others
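The two filter behaviors listed above, including the grant-all-except-aol.com case that the Squid rules on this page express, shown as a small Python model. This is an added example, not code from Proxy Server or Squid; the function names, the whole-label matching rule and the treatment of IP literals are assumptions of the model.

```python
import ipaddress

def _labels(name):
    # Lower-case, drop the trailing root dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")

def matches(host, entry):
    """True if host equals the entry's domain or is a subdomain of it.

    Labels are compared whole, so 'notaol.com' does not match 'aol.com'.
    A leading dot on the entry (Squid style, '.aol.com') is accepted.
    """
    h, e = _labels(host), _labels(entry.lstrip("."))
    return len(h) >= len(e) and h[-len(e):] == e

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def decide(host, exceptions, default_grant=True):
    """Return 'grant' or 'deny' for one destination host.

    default_grant=True : grant every site except the listed domains.
    default_grant=False: deny every site except the listed domains.
    Assumption of this model: a name entry never matches an IP literal,
    so such a request always receives the default action.
    """
    listed = not is_ip_literal(host) and any(matches(host, e) for e in exceptions)
    return "grant" if listed != default_grant else "deny"

# Constructed sample destinations (192.0.2.10 is a documentation address).
SAMPLE_HOSTS = ["aol.com", "mail.AOL.com.", "notaol.com",
                "aol.com.example.net", "www.example.com", "192.0.2.10"]

def audit(exceptions, default_grant):
    return {h: decide(h, exceptions, default_grant) for h in SAMPLE_HOSTS}

if __name__ == "__main__":
    for mode in (True, False):
        print("default grant" if mode else "default deny")
        for host, verdict in audit([".aol.com"], mode).items():
            print(f"  {host:22} {verdict}")
```

Under this model's assumption, a request addressed by IP literal is granted in grant-by-default mode and denied in deny-by-default mode, which is the practical difference between the two designs when a name list is the only control.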
How to define domain-filter criteria
You should define the Proxy Server domain-filter criteria based on the security requirements of the organization.
For example, if an organization wants to restrict access to a specific Web site by name, you should define a Proxy Server domain filter that is based upon the domain name of the Web site.
The following image lists the criteria upon which you can base your Proxy Server domain filter, and when you would specify each criterion in your design.
Your Proxy Server domain filter can be based on only one of the listed criteria.
In the next lesson, you will learn how Proxy Server Web Publishing prevents unauthorized access to Web servers on the private network.