Q: We want to block web browsing from critical systems such as our Windows Domain Controllers (DCs), because our administrators could, while cruising the web, inadvertently download malware and infect our entire Active Directory (AD) infrastructure. What’s an easy way to do this?
A: A very easy way to block web browsing from your domain controllers is to define AppLocker executable rules and apply them to your domain controllers using a Group Policy Object (GPO). To block browsing effectively, you will need to define an executable rule for each browser executable that may be used on your DCs. You must certainly include rules for the most commonly used browsers: Internet Explorer (iexplore.exe), Google Chrome (chrome.exe), and Mozilla Firefox (firefox.exe). Microsoft provides an example of how to set this up in the recently released “Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11”. You can also use these settings on older Windows platforms that include AppLocker support (AppLocker was introduced in Windows 7 and Windows Server 2008 R2). You can find a link to download the security baseline settings for Windows 8.1, Windows Server 2012 R2 and IE 11, along with the associated documentation and tools, in the following Microsoft TechNet blog post: http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx.
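As an added illustration (this script is not part of the original answer, nor is it Microsoft's baseline content), the following PowerShell builds an AppLocker executable rule collection that denies the three browsers named above and imports it into a GPO. It assumes the RSAT Group Policy and Active Directory modules are installed, that a GPO named "DC - Block Browsers" already exists and is linked to the Domain Controllers OU, that the browsers are installed under the default Program Files paths shown, and that it runs as a Domain Admin. The GPO name and browser paths are assumptions, not values from the answer.

```powershell
# Added example, not from the original column or from Microsoft's baseline.
# Builds an AppLocker Exe rule collection that denies iexplore.exe, chrome.exe
# and firefox.exe for Everyone, keeps the three default allow rules so that
# enforcing the collection does not block every other executable, and imports
# the policy into an existing GPO (assumed name below) via its LDAP path.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'DC - Block Browsers'   # assumed GPO name, already linked to the Domain Controllers OU

# Browser executables to deny. In AppLocker, %PROGRAMFILES% expands to both
# "Program Files" and "Program Files (x86)". Install paths are assumed defaults.
$Browsers = @(
    @{ Name = 'Internet Explorer'; Path = '%PROGRAMFILES%\Internet Explorer\iexplore.exe' },
    @{ Name = 'Google Chrome';     Path = '%PROGRAMFILES%\Google\Chrome\Application\chrome.exe' },
    @{ Name = 'Mozilla Firefox';   Path = '%PROGRAMFILES%\Mozilla Firefox\firefox.exe' }
)

# Emits one FilePathRule element in AppLocker's policy XML format.
function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid)
    $id = [guid]::NewGuid()   # rule IDs only need to be unique within the policy
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

$rules = @()
# Default allow rules: without them, an enforced Exe collection blocks everything.
$rules += New-PathRuleXml -Name '(Default Rule) All files located in the Program Files folder' -Path '%PROGRAMFILES%\*' -Action 'Allow' -Sid 'S-1-1-0'
$rules += New-PathRuleXml -Name '(Default Rule) All files located in the Windows folder'       -Path '%WINDIR%\*'       -Action 'Allow' -Sid 'S-1-1-0'
$rules += New-PathRuleXml -Name '(Default Rule) All files'                                     -Path '*'                -Action 'Allow' -Sid 'S-1-5-32-544'
# Deny rules for the browsers. A Deny rule always wins over a matching Allow rule,
# so administrators (S-1-5-32-544) are blocked too despite the "All files" allow.
foreach ($b in $Browsers) {
    $rules += New-PathRuleXml -Name "Block $($b.Name)" -Path $b.Path -Action 'Deny' -Sid 'S-1-1-0'
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'dc-block-browsers.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Dry run before deploying: Test-AppLockerPolicy reports the rule that would
# match each file for the given user. Expect a "Denied" result for the browser.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe" -User Everyone

# Import into the GPO. Set-AppLockerPolicy -Ldap expects the GPO's LDAP path;
# without -Merge it replaces any AppLocker policy already in that GPO.
$gpo    = Get-GPO -Name $GpoName
$domain = Get-ADDomain
$ldap   = "LDAP://$($domain.PDCEmulator)/CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldap
```

Two practical notes. AppLocker rules are only enforced while the Application Identity service (AppIDSvc) is running, so set it to start automatically on the DCs (for example through the same GPO's System Services settings). Path rules are the simplest form but only match the listed locations; a browser copied elsewhere would not be caught. Where that matters, run Get-AppLockerFileInformation against the installed binaries and build FilePublisherRule entries from the returned publisher data instead, which is also what you would verify when a browser update changes its install path. Start with EnforcementMode="AuditOnly" and review the AppLocker event log on the DCs before switching to "Enabled" if you want to confirm nothing unexpected is being blocked.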