TL;DR
This guide shows you how to block a user from accessing your intranet using firewall rules and/or Active Directory (AD) group membership. We’ll cover checking current access, blocking via the firewall, and managing AD groups.
1. Identify the User & Current Access
- Find the User’s Account: Determine the user’s username or email address.
- Check Firewall Logs: Look in your firewall logs for recent activity from that user’s IP address or device name. This confirms they are trying to access the intranet and shows you which resources they hit. The exact method depends on your firewall (e.g., Cisco, Fortinet, pfSense).
- Check Active Directory: If using AD, see what groups the user is a member of. Access is often granted via group membership. Use Active Directory Users and Computers to find the user’s account and view their group memberships on the ‘Member Of’ tab.
2. Block Access Using Your Firewall
This is the most direct way to prevent access.
- Log into your Firewall: Access the firewall’s web interface or command-line interface (CLI).
- Create a Rule: Add a new rule that blocks traffic from the user’s IP address, MAC address, or device name. The specifics vary greatly depending on your firewall vendor. Here are examples:
- Cisco ASA: access-list BLOCK_USER extended deny ip host [user’s IP address] any (the ACL only takes effect once it is bound to an interface with access-group)
- pfSense: Create a Firewall Rule under ‘Firewall > Rules’ blocking traffic from the user’s source IP to your intranet subnet.
- Specify Intranet Resources: Ensure the rule applies to all relevant internal resources (servers, websites, etc.). You may need multiple rules if access is controlled at a granular level.
- Test the Block: Have the user attempt to access the intranet again. Verify they are blocked and that other users aren’t affected.
3. Manage Active Directory Group Membership (If Applicable)
If your intranet access is controlled by AD groups, removing the user from the appropriate group will revoke their access.
- Open Active Directory Users and Computers: Find the user’s account.
- Remove Group Membership: On the ‘Member Of’ tab, remove the user from any groups that grant intranet access. Right-click the group and select ‘Remove’.
- Force Group Policy Update: To ensure changes take effect quickly, run gpupdate /force on a computer where the user logs in, or restart the computer. Note that group membership is evaluated when the user’s logon token is built, so the removal is not applied to an existing session until the user logs off and back on (or the computer restarts).
- Test Access: Have the user attempt to access the intranet again. Verify they are no longer able to connect.
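The following script is an added example, not part of the original guide: it carries out steps 1 and 3 above with the ActiveDirectory PowerShell module (list the user’s current groups, remove only the intranet-granting ones, re-check membership) and records the change as recommended under ‘Documentation’. The group names, the account ‘jdoe’ and the log path are placeholders you must replace with your own.

```powershell
# Added example (not from the original guide). Assumes the RSAT ActiveDirectory
# module is installed and the caller has rights to modify the listed groups.
Import-Module ActiveDirectory

function Revoke-IntranetAccess {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Placeholder names: replace with the groups that actually grant intranet access.
        [string[]]$IntranetGroups = @('Intranet-Users', 'Intranet-Portal-Access'),
        [Parameter(Mandatory)] [string]$Reason,
        [string]$LogPath = 'C:\AccessChanges\intranet-revocations.csv'   # placeholder path
    )

    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # Step 1: what the 'Member Of' tab shows today.
    $current = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
    Write-Host "Current groups for $($user.SamAccountName): $($current -join ', ')"

    # Step 3: remove only intranet-granting groups the user is actually in.
    $toRemove = $current | Where-Object { $IntranetGroups -contains $_ }
    if (-not $toRemove) {
        Write-Host 'User is not a member of any intranet group; nothing to change.'
        return
    }
    foreach ($group in $toRemove) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false

        # Documentation: who changed what, when, and why.
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            Operator  = "$env:USERDOMAIN\$env:USERNAME"
            User      = $user.SamAccountName
            Group     = $group
            Reason    = $Reason
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }

    # Verify: re-read membership and fail loudly if any intranet group remains.
    $after = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
    $left  = $after | Where-Object { $IntranetGroups -contains $_ }
    if ($left) { throw "Removal incomplete; still a member of: $($left -join ', ')" }
    Write-Host "Removed from: $($toRemove -join ', '). Takes effect at the user's next logon."
}

# Example call with a placeholder account and ticket reference.
Revoke-IntranetAccess -SamAccountName 'jdoe' -Reason 'Ticket [ID]: intranet access revoked pending review'
```

Because group SIDs are baked into the logon token, the script reports success as soon as AD reflects the change, but the user’s open sessions keep their old access until they log off, which is why the ‘Test Access’ step above still matters.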
4. Additional Considerations
- Documentation: Record all changes made, including the reason for blocking and the date/time of the change.
- Temporary Blocks: For temporary blocks, consider using a firewall rule with a limited duration or scheduling it to expire automatically.
- VPN Access: If users access the intranet via VPN, block their VPN account in addition to (or instead of) blocking their IP address.
- Cyber security best practice: Regularly review user access rights and remove unnecessary permissions.