
Blocking Staff from Websites - Windows 7 Enterprise

  • 30-01-2013 9:12am
    #1
    Registered Users, Registered Users 2 Posts: 60 ✭✭


    Windows 7 Enterprise

    How would I go about blocking users from visiting websites in a company scenario?

    I am aware of the parental control option via Windows Live Family Safety; but this doesn't sound like the right thing to do in a company environment..?

    Any other methods that would typically be used in a Company environment?

    This is for a college assignment and we are told not to use the following methods:

    1. Do not use the host file to block the site
    2. Do not use the router to block the site.
    Thanks for any suggestions :)


Comments

  • Closed Accounts Posts: 3,612 ✭✭✭Lelantos


    Windows 7 Enterprise

    How would I go about blocking users from visiting websites in a company scenario?

    I am aware of the parental control option via Windows Live Family Safety; but this doesn't sound like the right thing to do in a company environment..?

    Any other methods that would typically be used in a Company environment?

    This is for a college assignment and we are told not to use the following methods:

    1. Do not use the host file to block the site
    2. Do not use the router to block the site.
    Thanks for any suggestions :)

    Many anti virus programs have net nanny software built in. You can block by specific search words, category or individual websites.


  • Registered Users, Registered Users 2 Posts: 464 ✭✭Marcin_diy


    Proxy connection with set blocked websites, or software called Websense. In Websense create rules and assign to these rules (categories) security groups in Active Directory. Then just set proper AD groups for each user. Websense must be deployed to all machines.


  • Registered Users, Registered Users 2 Posts: 909 ✭✭✭Tazium


    Does the assignment specify that you need to use only the built in software?

    There's a couple of options that jump out without much consideration.
    1. Use Local group policy to disable the browser or prevent access to specific sites.
    2. Use Windows Advanced firewall to block outgoing connections using the browser or ports.
    3. Rename the browser exe to something not exe and prevent access using acls.

    Ensure regular users are not administrators, this would stop them from changing your rules.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭2 Hell and Back


    Tazium wrote: »
    Does the assignment specify that you need to use only the built in software?

    There's a couple of options that jump out without much consideration.
    1. Use Local group policy to disable the browser or prevent access to specific sites.
    2. Use Windows Advanced firewall to block outgoing connections using the browser or ports.
    3. Rename the browser exe to something not exe and prevent access using acls.

    Ensure regular users are not administrators, this would stop them from changing your rules.

    Thanks,

    It doesn't specify to only use built-in software but he did mention not to use the host file or the router. I guess the more options I give will grab me extra marks but I need to nail down the best option!!

    We are to block specific websites..I presume options 2 and 3 above are a blanket ban on the web??


  • Closed Accounts Posts: 5,756 ✭✭✭demanufactured


    Group policy


  • Registered Users, Registered Users 2 Posts: 301 ✭✭VictorRomeo


    Group policy

    Not group policy. You'll never manage that. Buy a webfilter appliance with a blacklist service - Barracuda are reasonably cheap. You could build one on Linux as there are a number of 3rd party applications you can use. But, and I'm guessing as you asked, this sort of thing is unfamiliar to you so buy something that's easy to maintain, offers decent reporting, is well supported and will take care of the filtering for you (the blacklist service).


  • Registered Users, Registered Users 2 Posts: 1,731 ✭✭✭GreenWolfe


    This should be handled by a filtering/proxy server - that way every device regardless of operating system or type is covered. Local controls may prove easier to bypass, and group policy may only cover Internet Explorer.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Not group policy. You'll never manage that. Buy a webfilter appliance with a blacklist service - Barracuda are reasonably cheap. You could build one on Linux as there are a number of 3rd party applications you can use. But, and I'm guessing as you asked, this sort of thing is unfamiliar to you so buy something that's easy to maintain, offers decent reporting, is well supported and will take care of the filtering for you (the blacklist service).

    This should be handled by a filtering/proxy server - that way every device regardless of operating system or type is covered. Local controls may prove easier to bypass, and group policy may only cover Internet Explorer.

    The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

    Which makes it a ridiculous question because that's what you would do in a real-world scenario.

    I suspect the answer they're looking for is to use group policy to:

    1. Add the sites to the list of restricted sites in IE
    2. Lock down the Internet Options controls to prevent changes
    3. Not allow users to install software or change local policy on their own machines.


  • Registered Users, Registered Users 2 Posts: 1,731 ✭✭✭GreenWolfe


    seamus wrote: »
    The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

    Which makes it a ridiculous question because that's what you would do in a real-world scenario.

    I suspect the answer they're looking for is to use group policy to:

    1. Add the sites to the list of restricted sites in IE
    2. Lock down the Internet Options controls to prevent changes
    3. Not allow users to install software or change local policy on their own machines.

    I'd add blocking any portable apps from running too, and restricting a whole load of file types from downloading. Staff in that scenario could just put a portable apps launcher and some browsers on a USB stick - either by putting the USB stick into a computer, or just downloading a portable browser directly to a computer.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭2 Hell and Back


    seamus wrote: »
    The assignment specifically says that a router can't be used to block them, which no doubt includes any kind of proxy server.

    Which makes it a ridiculous question because that's what you would do in a real-world scenario.

    I suspect the answer they're looking for is to use group policy to:

    1. Add the sites to the list of restricted sites in IE
    2. Lock down the Internet Options controls to prevent changes
    3. Not allow users to install software or change local policy on their own machines.

    Thanks,

    I'll probably go with the group policy, and provide the other options as an alternative.

    Should I block the users from accessing the command prompt? Would a tech-savvy user be able to override these settings via the command prompt?


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    You would need to test it. The settings aren't stored in simple text files, so can't be readily edited. If the user does not have administrative access, then they will be prevented from launching the registry editor or local policy editor, which will prevent 99.99% of users from finding a way around it.
    So in the vast majority of cases, having the command prompt is fairly innocuous. Though I would block them from launching powershell or powershell scripts.

    This is basically why you use a proxy server. When an end-user has logon access to the OS, if they're determined enough they will find ways around whatever roadblocks you put up. The proxy acts as the only doorway to the internet and the end-user has no OS access, so they cannot find ways around it.

    It would be worth asking the professor straight up if "not using the router" also excludes using a proxy server.


  • Registered Users, Registered Users 2 Posts: 5,150 ✭✭✭homer911


    We use Bluecoat http://www.bluecoat.com/ with a proxy server for enterprise wide website control. On some Internet Cafe PCs in breakout areas, which are off the company network, we just use Windows Family Safety


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    no hosts
    no proxy

    http://www.schooner.com/~loverso/no-ads/

    all resolved web addresses requests can be sent DIRECT , (to any number of proxies) or to a localhost / null / blackhole proxy

    so split between DIRECT and 127.0.0.1



    Since it's for college if you use any help from here you must reference it. :p
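
The post above points at a proxy auto-config (PAC) file, which answers each request with either DIRECT or a dead local proxy. A minimal version follows as an added example; it is not part of the thread and not the linked no-ads file, and the hostnames and the port 9 blackhole address are assumptions chosen for illustration.

```javascript
// Added illustration of a PAC (proxy auto-config) file; not from the thread.
// Hostnames are constructed placeholders for the sites to be blocked.
var BLOCKED_DOMAINS = ["blocked.example", "games.example.net"];

// Assumed blackhole: a local port with no listener, so the request fails fast.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Lower-case the host and drop trailing dots so "WWW.Blocked.Example."
// is treated the same as "www.blocked.example".
function normaliseHost(host) {
  var h = String(host).toLowerCase();
  while (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// True when host is a blocked domain or a subdomain of one. The match is made
// on a label boundary, so "notblocked.example" does not match "blocked.example".
function isBlocked(host) {
  var h = normaliseHost(host);
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    if (h === d) return true;
    var suffix = "." + d;
    if (h.length > suffix.length &&
        h.slice(h.length - suffix.length) === suffix) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isBlocked(host) ? BLACKHOLE : "DIRECT";
}
```

The browser has to be pointed at this file and that setting locked, for example with the Group Policy lockdown suggested earlier in the thread. It only governs browsers that honour the setting, which is the portable-browser gap other replies raise.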


  • Registered Users, Registered Users 2 Posts: 5,150 ✭✭✭homer911


    no hosts
    no proxy

    http://www.schooner.com/~loverso/no-ads/

    all resolved web addresses requests can be sent DIRECT , (to any number of proxies) or to a localhost / null / blackhole proxy

    so split between DIRECT and 127.0.0.1



    Since it's for college if you use any help from here you must reference it. :p

    This looks interesting - I will give it a go on my home PC


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,107 Mod ✭✭✭✭Fysh


    While I understand that part of the goal is to learn how to lock down Windows 7, any corporate solution that didn't also consider a proxy for the various reasons stated upthread would be a solution designed by a fool. Proxy servers are an excellent solution to this exact problem, and can be elegantly combined with a desktop configuration which is secured via group policy.


  • Registered Users, Registered Users 2 Posts: 1,040 ✭✭✭McG


    If the staff in question aren't too technically proficient you could set up an OpenDNS account (free) and change their DNS entries. Works a treat as long as they don't know how to change their DNS (though group policy could ensure that they can't even if they knew how to)


  • Registered Users, Registered Users 2 Posts: 909 ✭✭✭Tazium


    Use of proxy can be fuddled by adding another gateway such as a USB midband stick, or mifi router and a static route, or as mentioned already a portable browser.

    If you want to restrict any bit of the OS use policies. It's what they are for. You can turn the PC into a locked down machine with access to just notepad and microsoft.com if you are so inclined.

    Is the client PC connected to a Windows Domain? That makes central administration of policies more effective.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,107 Mod ✭✭✭✭Fysh


    Tazium wrote: »
    Use of proxy can be fuddled by adding another gateway such as a USB midband stick, or mifi router and a static route, or as mentioned already a portable browser.

    If you want to restrict any bit of the OS use policies. It's what they are for. You can turn the PC into a locked down machine with access to just notepad and microsoft.com if you are so inclined.

    Is the client PC connected to a Windows Domain? That makes central administration of policies more effective.

    Using a proxy doesn't mean give the end user root, it means forcibly channeling network traffic on certain ports associated with internet access through a proxy server which can be used to enforce network access policies and log access to facilities in a non-intrusive way which is compliant with the DPA.

    Group Policies are very useful for locking down a machine, but there's absolutely no sane reason for refusing to let your network administrator install and deploy a proxy server for internet-facing network traffic as an additional safeguard. It also offers other benefits for network administration.


  • Registered Users, Registered Users 2 Posts: 909 ✭✭✭Tazium


    ^Agreed.

    We don't know the exact specifics of the college assignment though. Important things like, network size, bandwidth, device types, designs and methodologies, strategies and budget.

    Going on what we do know, the presented options so far meet the criteria.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭2 Hell and Back


    Just to clear up any confusion,

    According to the Assignment the computer is a single machine with multiple users. Now this would not happen in a real computer since each user would have their own machine... but I'm guessing the single machine could be a server machine.

    We are using a virtual machine to set up the system.

    Still can't decide what's the best option to block the websites but will do some more research on the options a lot of you have provided, thanks for that. :)

