Is there any way to stop users from adding any add-ons in Firefox or any web browser through Active Directory policies?
-
Why not block all outbound port 80 and port 443 on the firewall except for the proxies?
Basically block any outbound that you don't specifically allow.
Frankly I don't understand why more firewalls aren't set up that way by default.
-
Do users have local admin?
Can non admins install FF addons?
-
@Dashrender said:
Do users have local admin?
Can non admins install FF addons?
Not all users have local admin; some are using domain user accounts.
My engineers have already set the firewall to block HTTP proxy, but it doesn't work. That's why I just want to know: is there any way to set some policy on AD?
-
This isn't an AD problem though. This is a firewall problem.
At best you might be able to add some Firefox templates to group policy then force FF to use your proxy, but I don't know if that is possible.
As a side note, this is really an HR problem, not a technical one. If management has a policy in place disallowing the use of non-corporate proxies, then those you know who have this software installed should be written up.
Sometimes it is easier to make them enforce those policies instead of trying to put technical limitations in place.
-
@shybrsky said:
@Dashrender said:
Do users have local admin?
Can non admins install FF addons?
Not all users have local admin; some are using domain user accounts.
My engineers have already set the firewall to block HTTP proxy, but it doesn't work.
I'm guessing you're only blocking HTTP proxy, not HTTPS proxy, though that is much harder... Really start by blocking outbound 443, but that is also easily bypassed.
To really stop this you need to stop all outbound traffic that you don't specifically allow.
-
@Dashrender said:
@shybrsky said:
@Dashrender said:
Do users have local admin?
Can non admins install FF addons?
Not all users have local admin; some are using domain user accounts.
My engineers have already set the firewall to block HTTP proxy, but it doesn't work.
I'm guessing you're only blocking HTTP proxy, not HTTPS proxy, though that is much harder... Really start by blocking outbound 443, but that is also easily bypassed.
To really stop this you need to stop all outbound traffic that you don't specifically allow.
If I block 443, some of my web services like MAPI and other web applications also use HTTPS.
-
@shybrsky said:
@Dashrender said:
Do users have local admin?
Can non admins install FF addons?
Not all users have local admin; some are using domain user accounts.
My engineers have already set the firewall to block HTTP proxy, but it doesn't work. That's why I just want to know: is there any way to set some policy on AD?
Sounds like your firewall isn't set up properly. If an add-on can bypass the firewall, the firewall isn't working properly or isn't set up properly. A correctly set up proxy and firewall is literally impossible to bypass. This can only expose a mistake in the setup; it cannot work around a correctly set up system.
-
@shybrsky said:
That's why I just want to know: is there any way to set some policy on AD?
Did you install the version of Firefox that supports Group Policy? If so, yes. If not, no.
-
@scottalanmiller said:
@shybrsky said:
That's why I just want to know: is there any way to set some policy on AD?
Did you install the version of Firefox that supports Group Policy? If so, yes. If not, no.
Just tested, it does not work.
Do I need to log off or restart?
-
@scottalanmiller said:
@shybrsky said:
That's why I just want to know: is there any way to set some policy on AD?
Did you install the version of Firefox that supports Group Policy? If so, yes. If not, no.
I've never needed to do this, I didn't know there were two versions, one for GP and one without.
-
@shybrsky said:
@Dashrender said:
@shybrsky said:
@Dashrender said:
Do users have local admin?
Can non admins install FF addons?
Not all users have local admin; some are using domain user accounts.
My engineers have already set the firewall to block HTTP proxy, but it doesn't work.
I'm guessing you're only blocking HTTP proxy, not HTTPS proxy, though that is much harder... Really start by blocking outbound 443, but that is also easily bypassed.
To really stop this you need to stop all outbound traffic that you don't specifically allow.
If I block 443, some of my web services like MAPI and other web applications also use HTTPS.
As Scott said, a properly set up firewall and proxy setup will allow these things to work. Of course you will have more work in front of you; for example, Outlook won't use a proxy that you don't set up by default. You may have other software that you will have to manually set up, assuming you are not using a transparent proxy.
What kind of proxy server are you using?
-
TMG Forefront
-
@shybrsky said:
@scottalanmiller said:
@shybrsky said:
That's why I just want to know: is there any way to set some policy on AD?
Did you install the version of Firefox that supports Group Policy? If so, yes. If not, no.
Just tested, it does not work.
Do I need to log off or restart?
Just tested what? If you installed the right type of Firefox? You would know if you got the special GP enabled one or if you got the normal one, presumably. You do not need to log off or restart, it is just an application.
-
@Dashrender said:
@scottalanmiller said:
@shybrsky said:
That's why I just want to know: is there any way to set some policy on AD?
Did you install the version of Firefox that supports Group Policy? If so, yes. If not, no.
I've never needed to do this, I didn't know there were two versions, one for GP and one without.
Yup, a normal version for normal users and a business MSI installer with GP built in for businesses.
-
@scottalanmiller said:
@shybrsky said:
TMG Forefront
Do you have it set up as transparent?
Nope.
But now it's OK.
It works with the new firewall.
-
Ah good, that will help. So it is working now? The things that you need to block are now blocked?
-
What did you do to fix it?
-
@Dashrender said:
What did you do to fix it?
My network team and vendors did it. It looks like they block any add-ons, applications, and VPN tunneling from the firewall tools.
-
Ah, so it sounds like the firewall was just not blocking them before?
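
Added example, not part of the thread: Firefox releases with enterprise policy support read the `ExtensionSettings` and `Proxy` policies (delivered by Group Policy or a `policies.json` file), and this Python check reports whether a policy set blocks add-on installs by default and locks the proxy setting, the browser-side half of the control discussed above. Both sample policy documents, the extension ID and the host `proxy.example.internal` are constructed placeholders.

```python
import json

# Constructed sample: proxy is configured but not locked, add-ons unrestricted.
WEAK = '''{"policies": {
  "Proxy": {"Mode": "manual", "HTTPProxy": "proxy.example.internal:8080",
            "Locked": false}}}'''

# Constructed sample: add-on installs blocked by default, proxy pinned and locked.
HARDENED = '''{"policies": {
  "ExtensionSettings": {"*": {"installation_mode": "blocked"}},
  "Proxy": {"Mode": "manual", "HTTPProxy": "proxy.example.internal:8080",
            "UseHTTPProxyForAllProtocols": true, "Locked": true}}}'''


def audit(policy_text):
    """Return a list of findings; an empty list means both controls are in place."""
    policies = json.loads(policy_text).get("policies", {})
    findings = []

    # The "*" entry is the default applied to every extension not listed by ID.
    ext = policies.get("ExtensionSettings", {})
    if ext.get("*", {}).get("installation_mode") != "blocked":
        findings.append("add-ons: default installation_mode is not 'blocked'")
    # Per-ID entries override the default, so each one is an exception to review.
    for ext_id, cfg in sorted(ext.items()):
        if ext_id != "*" and cfg.get("installation_mode") != "blocked":
            findings.append(f"add-ons: exception allows {ext_id}")

    proxy = policies.get("Proxy", {})
    # Only an explicit proxy or a PAC file forces traffic through the corporate proxy.
    if proxy.get("Mode") not in ("manual", "autoConfig"):
        findings.append("proxy: Mode does not force a corporate proxy")
    # Without Locked, the user (or an add-on) can change the proxy preference.
    if proxy.get("Locked") is not True:
        findings.append("proxy: settings are not Locked")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

A clean result here only covers the browser; the default-deny outbound rule on the firewall is still what stops traffic that does not go through the proxy.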