In a server-based computing environment (think Windows Terminal Server or Citrix) you have quite some challenges to restrict or control web access. The following simple solution solves one of them, and it comes without a cost.
In this particular situation, I was looking for a way to restrict web access based on the workstation that a user connected from. The reason for this was that certain workstations were located in areas where browsing was formally not allowed but yet people would need access to their Citrix-based applications. Thus began a long search …
If you look in the Terminal Services Manager, you'll see that username and workstation name are properties of an RDP or ICA session. But I can't do anything with that information because I need to write some kind of script, so I need to retrieve that information from the command line.
net session didn’t turn up anything regarding TS connections, so I ruled that one out.
query user or query session did give me information on the user, but even though the feedback of the tool contained a device column, it didn’t show values for the workstation.
On I went with WMIC, something Ed Skoudis and Paul Asadoorian (amongst others) pointed to in recent publications and podcasts, but I wasn't able to retrieve the information either. Let me tell you I was bummed … I needed one parameter and it wasn't available through the command line?
It turned out I was looking too far, searching for a complex solution while the information was readily available. In the end, this was the solution:
FOR /F "tokens=1" %G in (\\server\share\clients.txt) DO IF /I "%G"=="%CLIENTNAME%" (REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f)
Yes, the environment variable %CLIENTNAME% contains the name of the computer that the user used to connect to the Terminal Server.
A little explanation:
clients.txt is a plaintext file containing the names of the clients from where internet browsing is not allowed. If %CLIENTNAME% matches one of these clients, ProxyEnable is set to 0 and browsing is disabled (assuming you are using a proxy server and direct outgoing web traffic is not allowed). I suggest putting clients.txt on a share as a read-only file for all users.
Please note:
If you run this command from a script (instead of from the command line), change %G to %%G!
Combine this with a GPO restricting access to the proxy settings, so the user cannot enable the setting herself, and you're done. Location-based browsing restrictions are in effect.
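The same check written as a logon script, as an added example that is not part of the original post. It resets ProxyEnable to 1 for clients that are not on the list (HKCU lives in the user's profile, so a 0 written during an earlier session would otherwise persist) and disables browsing when clients.txt cannot be read; both of those choices, and the assumption that a proxy server is already configured for the user, are mine rather than the post's.

```batch
@echo off
rem Added example, not from the original post.
rem LIST is the sample path used in the post; KEY is the key the post writes to.
setlocal EnableExtensions
set "LIST=\\server\share\clients.txt"
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

rem Assumption: browsing is allowed unless the client is listed, so start
rem from ProxyEnable=1 and let a match flip it to 0.
set "PROXY=1"

rem CLIENTNAME is only meaningful in a remote (RDP/ICA) session.
rem If it is unset there is nothing to compare, so skip the lookup.
if not defined CLIENTNAME goto apply

rem Assumption: fail closed. If the list is unreachable, disable browsing
rem rather than silently allowing it from a restricted workstation.
if not exist "%LIST%" (
    set "PROXY=0"
    goto apply
)

rem First token of each line is a workstation name. /I makes the compare
rem case-insensitive; the quotes keep IF valid for empty or odd values.
for /f "usebackq tokens=1" %%G in ("%LIST%") do (
    if /i "%%G"=="%CLIENTNAME%" set "PROXY=0"
)

:apply
reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d %PROXY% /f >nul
endlocal
```

CLIENTNAME is reported by the connecting client, and a logon script does not run again when a user reconnects to a disconnected session from another workstation, so keep the proxy-only egress and the GPO lock on the proxy settings in place alongside this script.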

anonymous surfing has become so important nowadays, especially some people are doing blackhat CPA and making loads of cash from it.