Blocking Staff from Websites - Windows 7 Enterprise

2 Hell and Back

Windows 7 Enterprise

How would I go about blocking users from visiting websites in a company scenario?

I am aware of the parental control option via Windows Live Family Safety; but this doesn`t sound like the right thing to do in a company environment..?

Any other methods that would typically used in a Company environment?

This is for a college assignment and were are told not to use the following methods:

1. Do not use the host file to block the site
2. Do not use the router to block the site.

Thanks for any suggestions

Lelantos

2 Hell and Back wrote: »

Windows 7 Enterprise

How would I go about blocking users from visiting websites in a company scenario?

I am aware of the parental control option via Windows Live Family Safety; but this doesn`t sound like the right thing to do in a company environment..?

Any other methods that would typically used in a Company environment?

This is for a college assignment and were are told not to use the following methods:

1. Do not use the host file to block the site
2. Do not use the router to block the site.

Thanks for any suggestions

Many anti virus programs have net nanny software built in. You can block by specific search words, category or individual websites.

Marcin_diy

proxy connection with set blocked websites, or software calledwebsense. in websense create rules and assign to these rules( categories) security groups in active directory. Then jus set proper ad groups fo each user. websense must be deployed to all machines.

Tazium

Does the assignment specify that you need to use only the built in software?

There's a couple of options that jump out without much consideration.
1. Use Local group policy to disable the browser or prevent access to specific sites.
2. Use Windows Advanced firewall to block outgoing connections using the browser or ports.
3. Rename the browser exe to something not exe and prevent access using acls.

Ensure regular users are not administrators, this would stop them from changing your rules.

2 Hell and Back

Tazium wrote: »

Does the assignment specify that you need to use only the built in software?

There's a couple of options that jump out without much consideration.
1. Use Local group policy to disable the browser or prevent access to specific sites.
2. Use Windows Advanced firewall to block outgoing connections using the browser or ports.
3. Rename the browser exe to something not exe and prevent access using acls.

Ensure regular users are not administrators, this would stop them from changing your rules.

Thanks,

It doesn`t specify to only use built-in software but He did mention not to use the host file or the router. I guess the more options I give will grab me extra marks but I need to nail down the best option!!

We are to block specific websites..I presume options 2 and 3 above are a blanket ban on the web??

demanufactured

Group policy

VictorRomeo

demanufactured wrote: »

Group policy

Not group policy. You'll never manage that. Buy a webfilter appliance with a blacklist service - Barracuda are reasonably cheap. You could build one on Linux as there are a number of 3rd party applications you can use. But, and I'm guessing as you asked, this sort of thing is is unfamilar to you so buy something that's easy to maintain, offers decent reporting, is well supported and will take care of the filtering for you (the blacklist service).

GreenWolfe

This should be handled by a filtering/proxy server - that way every device regardless of operating system or type are covered. Local controls may prove easier to bypass, and group policy may only cover Internet Explorer.

seamus

VictorRomeo wrote: »

Not group policy. You'll never manage that. Buy a webfilter appliance with a blacklist service - Barracuda are reasonably cheap. You could build one on Linux as there are a number of 3rd party applications you can use. But, and I'm guessing as you asked, this sort of thing is is unfamilar to you so buy something that's easy to maintain, offers decent reporting, is well supported and will take care of the filtering for you (the blacklist service).

EarthlyPangaea wrote: »

This should be handled by a filtering/proxy server - that way every device regardless of operating system or type are covered. Local controls may prove easier to bypass, and group policy may only cover Internet Explorer.

The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

Which makes it a ridiculous question because that's what you would do in a real-world scenario.

I suspect the answer they're looking for is to use group policy to:

1. Add the sites to the list of restricted sites in IE
2. Lock down the Internet Options controls to prevent changes
3. Not allow users to install software or change local policy on their own machines.

GreenWolfe

seamus wrote: »

The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

Which makes it a ridiculous question because that's what you would do in a real-world scenario.

I suspect the answer they're looking for is to use group policy to:

1. Add the sites to the list of restricted sites in IE
2. Lock down the Internet Options controls to prevent changes
3. Not allow users to install software or change local policy on their own machines.

I'd add blocking any portable apps from running too, and restricting a whole load of file types from downloading. Staff in that scenario could just put a portable apps launcher and some browsers on a USB stick - either by putting the USB stick into a computer, or just downloading a portable browser directly to a computer.

2 Hell and Back

seamus wrote: »

The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

Which makes it a ridiculous question because that's what you would do in a real-world scenario.

I suspect the answer they're looking for is to use group policy to:

1. Add the sites to the list of restricted sites in IE
2. Lock down the Internet Options controls to prevent changes
3. Not allow users to install software or change local policy on their own machines.

Thanks,

Ill probably go with the group policy, and provide the other options as an alternative.

Should I block the users from accessing the command prompt? Would a tech-savie user be able to override these settings via the command prompt?

seamus

You would need to test it. The settings aren't stored in simple text files, so can't be readily edited. If the user does not have administrative access, then they will be prevented from launching the registry editor or local policy editor, which will prevent 99.99% of users from finding a way around it.
So in the vast majority of cases, having the command prompt is fairly innocuous. Though I would block them from launching powershell or powershell scripts.

This is basically why you use a proxy server. When an end-user has logon access to the OS, if they're determined enough they will find ways around whatever roadblocks you put up. The proxy acts as the only doorway to the internet and the end-user has no OS access, so they cannot find ways around it.

It would be worth asking the professor straight up if "not using the router" also excludes using a proxy server.

homer911

We use Bluecoat http://www.bluecoat.com/ with a proxy server for enterprise wide website control. On some Internet Cafe PCs in breakout areas, which are off the company network, we just use Windows Family Safety

Capt'n Midnight

no hosts
no proxy

http://www.schooner.com/~loverso/no-ads/

all resolved web addresses requests can be sent DIRECT , (to any number of proxies) or to a localhost / null / blackhole proxy

so split between DIRECT and 127.0.0.1



Since it's for college if you use any help from here you must reference it.

homer911

Capt'n Midnight wrote: »

no hosts
no proxy

http://www.schooner.com/~loverso/no-ads/

all resolved web addresses requests can be sent DIRECT , (to any number of proxies) or to a localhost / null / blackhole proxy

so split between DIRECT and 127.0.0.1



Since it's for college if you use any help from here you must reference it.

This looks interesting - I will give it a go on my home PC

Fysh

While I understand that part of the goal is to learn how to lock down Windows 7, any corporate solution that didn't also consider a proxy for the various reasons stated upthread would be a solution designed by a fool. Proxy servers are an excellent solution to this exact problem, and can be elegantly combined with a desktop configuration which is secured via group policy.

McG

if the staff in question aren't too technically proficient you could use set up an opendns account (free) and change their dns entries. Works a treat as long as they don't know how to change their dns (though group policy could ensure that they can't even if they knew how to)

Tazium

Use of proxy can be fuddled by adding another gateway such as a USB midband stick, or mifi router and a static route, or as mentioned already a portable browser.

If you want to restrict any bit of the OS use policies. It's what they are for. You can turn the PC into a locked down machine with access to just notepad and microsoft.com if you are so inclined.

Is the client PC connected to a Windows Domain? That makes central administration of policies more effective.

Fysh

Tazium wrote: »

Use of proxy can be fuddled by adding another gateway such as a USB midband stick, or mifi router and a static route, or as mentioned already a portable browser.

If you want to restrict any bit of the OS use policies. It's what they are for. You can turn the PC into a locked down machine with access to just notepad and microsoft.com if you are so inclined.

Is the client PC connected to a Windows Domain? That makes central administration of policies more effective.

Using a proxy doesn't mean give the end user root, it means forcibly channeling network traffic on certain ports associated with internet access through a proxy server which can be used to enforce network access policies and log access to facilities in a non-intrusive way which is compliant with the DPA.

Group Policies are very useful for locking down a machine, but there's absolutely no sane reason for refusing to let your network administrator install and deploy a proxy server for internet-facing network traffic as an additional safeguard. It also offers other benefits for network administration.

Tazium

^Agreed.

We don't know the exact specifics of the college assignment though. Important things like, network size, bandwidth, device types, designs and methodologies, strategies and budget.

Going on what we do know, the presented options so far meet the criteria.

2 Hell and Back

Just to clear up any confusion,

According to the Assignment the computer is a single machine with multiple users. Now this would not happen in a real computer since each user would have their own machine... but I`m guessing the single machine could be a server machine.

We are using a virtual machine to set up the system.

Still can`t decide whats the best option to block the websites but will do some more research on the options alot of you have provided, thanks for that.