  1. #1
    New Lounger
    Join Date
    May 2010
    Location
    Northern Illinois
    Posts
    23
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Need SBS 2003 to restrict most of Internet

    Small business server, 10 users. We all need to get antivirus updates and occasionally send email from a yahoo.com account and sometimes google someone's address / phone number.

    The rest of internet for 4 users needs to be blocked totally. Is there a way to create a policy in 2003 server? Or, is there a software package anyone knows of that can do the same thing? Cost is an object - boss doesn't want to invest in something he thinks can be configured for free.

    Thanks.

  3. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    I think you are going to have a hard time achieving that goal cheaply and at the same time exactly as specified.

    The AV stuff should be a given. Install a managed AV suite on the server and push out AV updates to the clients from the server component. Configure the clients correctly so no client needs to access the Internet for its updates - they come from the server.

    However, everyone accessing yahoo.com webmail or googling phone numbers implies internet access on all users' machines. It's going to be difficult then to restrict access to the degree that you wish.

    Consider you look up Joe Blogs phone number on Google from one of the "blocked machines". You are presented with a plethora of sites and links. How are you going to restrict the user from going elsewhere, what about google image searches or other stuff? You could do this on the server, but that would involve whitelisting specific sites; only to find that one set of data you are looking for is on a site not in the whitelist.......

    Instead, perhaps consider a content filtering service such as Open DNS that will restrict access to types of sites, or even blacklist specific sites. It won't lock down the internet to only yahoo and google, but it would be more usable and might get past the boss.

  4. The Following User Says Thank You to Tinto Tech For This Useful Post:

    busterp (2011-06-28)

  5. #3
    Gold Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,463
    Thanks
    7
    Thanked 214 Times in 203 Posts
    If you are using a DSL router you can often configure these to block all sorts of things, but you would probably need to restrict it by IP address, not by user.

    cheers, Paul

  6. The Following User Says Thank You to Paul T For This Useful Post:

    busterp (2011-06-28)

  7. #4
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 63 Times in 51 Posts
    I'm not sure you'll get away with doing this for free. But there are low cost solutions. Unfortunately most of these are home user oriented and don't have "enterprise" type features. SentryPC is one that has some very powerful features. It's also attractively priced. If I'm reading their web site correctly, you can protect all 10 of your PCs for $220 with an online reporting and monitoring feature. That coupled with OpenDNS and I think you'd have a good solution.
    Chuck

  8. #5
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    If you are willing to run another box to do this, www.untangle.com has many or all of the features you need.

    (the software is free but you do need to run it on a dedicated computer)

  9. #6
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Sydney, Australia
    Posts
    254
    Thanks
    0
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by busterp View Post
    Cost is an object - boss doesn't want to invest in something he thinks can be configured for free.
    Aren't management so cliché? Many things including this can be achieved at $0 software cost but what about other costs such as "TIME / LEARNING" costs to implement this "free" solution. This is why there are technical solutions out there that do cost a reasonable amount of money because an unskilled person can have it set up in minimal time and outlay and get the result they want.

    Anyway moving on to the technical side of things: the 4 users can be blocked from the internet easily using an IPSEC GPO which can be forced on any XP Pro and up based Windows workstation. Block everything except the local subnet which will allow you to get to local resources including the SBS server.

    Now for the grey area which some people have addressed with OPEN DNS and I would agree this is generally quite easy to set up but it's not really strict. Another alternative is using something like a Linux based gateway with url filtering which works on the white-listing scheme. IP-Cop for example is quite easy to set up for someone with some technical knowledge with Linux and general networking. Runs on just about any hardware which includes that old Pentium 1 desktop in the corner of the office.

    You have to ask your boss how valuable are you to him? Is he happy for you to dedicate time to this task to implement the "free solution" that may take you 2 weeks to get set up? (I am not questioning your skill set just continuing to make a point). If the business doesn't have the required knowledge in house to get this sorted out then the boss may have to fork out some money to get a solution that works in a reasonable fashion and time manner.
    Last edited by JDB1984; 2011-07-15 at 08:10.
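
    The "block everything except the local subnet" IPsec policy described in post #6, written as a netsh script for the SBS 2003 server (an added example, not part of any poster's reply). The domain name `example.local`, the subnet `192.168.16.0/24` and all policy, filter list and rule names are constructed placeholders; save it as a file and run it with `netsh -f <file>`.

```netsh
# Added example: build an IPsec policy in the Active Directory policy store.
# Assumptions (constructed): domain example.local, LAN 192.168.16.0/24.
ipsec static set store location=domain domain=example.local

# Empty policy; it is not assigned here, the GPO link does that.
ipsec static add policy name="Restricted-LAN-Only" description="Permit local subnet, block all other IP traffic" assign=no

# Filter list 1: this computer <-> any address (mirrored also covers replies).
ipsec static add filterlist name="All-Traffic"
ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes description="me <-> any"

# Filter list 2: this computer <-> local subnet (DNS, file shares, the SBS server).
ipsec static add filterlist name="Local-Subnet"
ipsec static add filter filterlist="Local-Subnet" srcaddr=me dstaddr=192.168.16.0 dstmask=255.255.255.0 protocol=any mirrored=yes description="me <-> LAN"

# Two plain actions; no negotiation or encryption is involved.
ipsec static add filteraction name="Block" action=block
ipsec static add filteraction name="Permit" action=permit

# The more specific filter (local subnet) wins over the general one (any).
ipsec static add rule name="Block-All" policy="Restricted-LAN-Only" filterlist="All-Traffic" filteraction="Block"
ipsec static add rule name="Permit-LAN" policy="Restricted-LAN-Only" filterlist="Local-Subnet" filteraction="Permit"

# Review the result before linking it to anything.
ipsec static show policy name="Restricted-LAN-Only" level=verbose
```

    Assign the policy only in a GPO linked to an OU that contains the four restricted workstations, never at the domain level, since it cuts off all traffic outside the subnet for every computer that receives it. IPsec policy applies per computer rather than per user, and this policy blocks Google and Yahoo webmail as well, so those would need to be reached some other way.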

  10. #7
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Just back from vacation this weekend and thought I'd chip in again on this thread.

    The OP wants every user to have access to the Internet to occasionally search google for things. He also wants every user to have access to a yahoo.com webmail account. He then wants a subset of 4 users to be locked down to only that, while the others have free access to anywhere.

    As I noted at the top, that is a hard implementation to achieve: given every user can have access to Google something, they can pretty much go anywhere unless a whitelist implementation is deployed as per JDB1984 and others. Even then, if the OP uses a whitelist, what then when the restricted users find something in Google they need that isn't on the whitelist? It's difficult to predict using a whitelist what the restricted users might be looking for, and I suspect the Boss would be annoyed if users can't do their jobs.

    I feel the solution to this is to formulate a developed internet security policy within the IT team (even if that is only one person) and constructively present a business case for that. The key is to develop a policy and present it in a way that tells the Boss you have listened and understood his concerns and wishes; that you have technical issues with meeting those goals precisely as described, but that there may be better, more elegant solutions. If the Boss says "no, do it my way", I would record my concerns and accept the situation.

    At the end of the day, the Boss is the Boss........
