Q: How to block hotmail, yahoo website and messenger services on windows 2k domain ( No Answer,   9 Comments )
Question  
Subject: How to block hotmail, yahoo website and messenger services on windows 2k domain
Category: Computers > Operating Systems
Asked by: rajan99-ga
List Price: $20.00
Posted: 23 Jun 2003 10:29 PDT
Expires: 23 Jul 2003 10:29 PDT
Question ID: 220774
Hi ,
We have a network of 20 computers under one domain. The operating systems are
W2K Server and W2K Pro. We have one T1 line coming in through some
kind of router (I don't have access to this router; the ISP maintains it),
and all of the computers are connected to the router through a switch
with 25 ports.

Recently my manager asked me to block the 'hotmail' and 'yahoo' websites.
He doesn't want anyone to use any kind of messenger (yahoo, MSN, ICQ,
AOL) service either. He also wants me to configure one computer on the
network which can be used to access all of the blocked websites
(hotmail and yahoo) and messenger services.

What would be the best way to handle this? We don't want to spend any
money buying new software or hardware to accomplish this task. We just
want to use our existing software (Win 2000 Advanced Server and Windows
2000 Pro) to achieve this goal.

I already started a discussion thread regarding this issue, and the following
is the link to the site.

http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/19/pid/96/qid/583565


Thank you,
RS

Request for Question Clarification by techtor-ga on 24 Jun 2003 00:15 PDT
I once handled a question wherein someone was looking for software
that can allow the administrator to spy on users in his company's
computer network and block certain sites. Would you consider using
third-party software as a solution?

Clarification of Question by rajan99-ga on 24 Jun 2003 05:47 PDT
Hi techtor, 

Thank you for showing your interest in my question. Unfortunately, my
company is not willing to spend any extra money on this. Somehow, my
manager believes Windows 2000 Advanced Server should be enough to
handle these kinds of issues. We have Windows 2000 Advanced Server with
Active Directory.

RS

Request for Question Clarification by techtor-ga on 24 Jun 2003 09:24 PDT
Would the manager allow blocking total Internet access for any one or
few computers on the network? That would mean any sort of site could
not be accessed, and messenger programs will not connect.

Perhaps the manager can have you uninstall messenger programs on all
the computers of the network, and the manager can enact a rule to
prohibit the use of such software. It wouldn't work for web-based
email though.

Request for Question Clarification by techtor-ga on 24 Jun 2003 09:29 PDT
By the way, how does the Internet for the network go in? Is it used
through a broadband router?

Request for Question Clarification by shiva777-ga on 24 Jun 2003 15:56 PDT
It is fairly easy to block certain web sites with Internet Explorer.
Simply go to Tools->Options->Content->Approved Sites. You can add
sites that are not allowed and password protect the blocking. You
would have to do this on each machine and of course it will not work
if employees use Mozilla, Opera or other browser.

Blocking different messenger systems is trickier. There is a third
party software called TerminatorX, but to do it yourself I could only
find this guide:
http://nscsysop.hypermart.net/no_chat.html
I can't say as I could follow it, but perhaps you can. 
If this is acceptable as an answer let me know and I will post it as
such.
Thanks. -shiva777

Clarification of Question by rajan99-ga on 25 Jun 2003 10:44 PDT
Hi All, 

Thank you again for showing your constant interest in my post.
'techtor-ga', we don't want to restrict the entire internet. We just want
to block all kinds of chat services and the yahoo and hotmail websites.
Our ISP is Cbeyond Communication. We have a T1 line coming from a Cisco
router, but we don't have any access to the router.

'Shiva777', the solution that you came up with is a good solution, but it
does not work in every case. It blocks internet sites based on domain
name only. After blocking www.hotmail.com, you can still go to the hotmail
inbox by going through www.msn.com. After 30 minutes of testing I
found a couple of other ways of breaking this level of security. I
also went to the link for blocking Messenger, but it did not work
either (the new version of hotmail and yahoo is significantly different
from the one discussed in that article). Thanks for your help though.

I think it is not possible to achieve this goal using W2K server
only. I have to convince my manager of this.

Thank You, 
RS

Request for Question Clarification by sycophant-ga on 09 Jul 2003 02:23 PDT
What are the network settings of each of the client PCs? Do they use
the router as a gateway, or the Win2K Server?

If they all go through the router directly then the only point at
which you can block them is the router. However if they use the Win2K
server as a gateway, which then in turn routes traffic through the
router, then there are probably a few ways you can block access.

Or, if they use the Win2K machine as a DNS server, then you can create
local DNS entries that resolve addresses like hotmail.com to
localhost, or perhaps the server.

But as someone else said, your boss may be overestimating the power
of Win2K Advanced Server - it isn't really routing or network control
software.

Perhaps you could ask your ISP if they will add blocking rules to your
router for you.

Anyhow, if you can answer the question about the network settings,
maybe I or another researcher can work something out.

Regards,
Sycophant-ga
Answer  
There is no answer at this time.

Comments  
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: pokerpro-ga on 24 Jun 2003 08:49 PDT
 
I think your manager is overestimating the capabilities of Windows
2000 Advanced Server.  I would try to convince him to purchase a
Sonicwall Firewall appliance.  It will allow you to block the
aforementioned services, and will allow a computer of your choice to
access these services.  I think the increase in productivity of the
employees will warrant the cost of purchasing additional hardware.
Good luck.
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: arimathea-ga on 24 Jun 2003 10:20 PDT
 
I'd just like to echo Pokerpro-ga's comments.  I do network
engineering for a living; your best bet is to purchase a firewall or
to block these items on the router.  Doing this using Windows boxes is
certainly possible, but I'm not sure how effective it would be for
Instant Messenger/Hotmail style traffic - and an important point is
that you don't usually look to Windows solutions to do comprehensive
networking solutions.  Linux, on the other hand, could be configured
in this type of environment.

arimathea-ga
Researcher
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: _l2oot_-ga on 25 Jun 2003 01:27 PDT
 
Hi Rajan

Well I do have some solutions for you without buying anything.

1. Use file security settings; either block access to the file, which I
tried and it works nicely,
and they can't run it or get online since they don't have access to
run the file, and since you have a domain I think you can set it up for
only the user accounts or guest account to have no access to it. You can
still run it on the other 2000 boxes as an administrator or whatever
account you want; just restrict access only to one main account and add
that account to the rights of the user, like David (guest), Mike
(administrator), since they have a name profile in Active Directory.

2. For the web page issue... I would go with what you have, "the router";
yes, a router is a very powerful tool that lets you put in any site you want
and block access to connect to it. Since you have a domain IP setup (I
hope) or a router's gateway IP that can work with the router and give
all those sites you don't want access to the gateway's IP or the DHCP
server's IP as the main one that restricts access to the other IPs of
the 20 PCs, you don't need to go and configure every PC with a
different IP or anything like that; it will all be done by the router.

3. On the router, put the IP of the PC you want to have access to every site, not
blocked, on that list. It's very simple. If you can't get access to the router
I would try http://192.168.1.1 and the pass admin, since it's a default
thing for routers that are not set up. Again, this IP could change, since
I have a Linksys router and I do use a switch with it, so my router
becomes the DHCP for it and I set everything up on the private IPs
192.168.1.2 and .3 and so on, on my small network with the switch.

Now the problem with messenger programs is that you don't know what else
is out there, but here is like the top ten I found that you can start
blocking access to on the router. It's very hard to shut them all down;
any search engine can find you a copy of a messenger to download, even
if it's not from where the maker has the download link to it. So this
will take you some time to master and block, but it's free. I think it works; you
just need a good Windows 2000 book. Also you can't block only messenger
from running in the services settings and disable it to run, if that
helps too, and in the local security policy settings there could be
something you can use in there to block access to some stuff.

If u need help let me know.

Good luck

John
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k do
From: arimathea-ga on 25 Jun 2003 11:10 PDT
 
Keep in mind that _|2oot-ga_'s will only work for certain ports and
hosts, which you must identify.  Instant messenger services these days
are getting more agile and this may not be a complete solution; you
really need something that will statefully block all instant messenger
traffic.  I do agree, however, that his solution for preventing users
from installing programs on these machines may be helpful - you could
then just remove all instant messaging software and prevent new
installations.
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: _l2oot_-ga on 25 Jun 2003 14:11 PDT
 
Arimathea_ga, what will port blocking do, if anything?

Like I'm saying: if you don't have access to a file, what good is port
blocking in this case?

I've never heard of an application that would run from an open port when you
have file security settings on a domain network. If you close one port
it can shut down a complete network.

I'll tell you why... If messenger is sending information on port 80,
don't you think shutting down port 80 would do damage to a complete network
just by doing it by port blocking, arimathea?

kris

Another thing: if anyone gets access to the messenger online and
downloads the file, just put a restriction on the server so that your
workers' server accounts can't run installs.

Reason: let's say one of your workers downloaded "yahoo". Instead of me
blocking and downloading every messenger on the planet on the server
and having to store all the space on messengers, I would rather let
you or the network admin only have access to installing on the
machines. It cuts down time, and you can configure any computer to have
access to whatever you want it to do, since you need a PC that can be
able to do some of these things. Just set a computer account to have
rights as the administrator, or you don't need to give them that much
rights; you can give them a user account and set the level from your
Active Directory.

Good luck

John
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k do
From: nathanrice-ga on 26 Jun 2003 10:26 PDT
 
You need MS Proxy and a server with 2 NICs. That is the only Microsoft-only
solution that is out there. Sorry to break it to ya.
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: _l2oot_-ga on 26 Jun 2003 12:51 PDT
 
nathanrice-ga

Read the question again; here, I'll do it for you...

"Operating systems are W2K Server and W2K Pro ( Win 2000 Advance
Server and Windows 2000 Pro)"

"network of 20 computer under one domain"

"We don't want to spend any 
money buying new software or hardware to accomplish this task. We just
want to use our existing software"

I think the 2 NICs would be out of the question, since he does have a
"server". And what does this have to do with file
restrictions and security as free? Why do you need an MS Proxy? Explain
yourself better, man; it would sure help a lot.

Oh, and MS Proxy has been "discontinued",
just to keep in mind! You probably mean an "ISA Server".

what is an ISA Server?

ISA Server is an ICSA Certified enterprise firewall and secure
application gateway designed to protect the enterprise network from
hacker intrusion and malicious worms through application-level
filtering. ISA Server provides packet filtering and stateful packet
inspections, application-level filtering, an advanced proxy
architecture, and more.

Price: Windows 2000 Advanced Server(with 25 CALs) $3,999 US per
server.

thanx

l2oot
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k do
From: nathanrice-ga on 30 Jun 2003 07:00 PDT
 
Something that you might try that would be easier and relatively
cheap compared to ISA/Proxy server would be a broadband router. One
like this:

http://www.etw.com/ProductInfo.asp?v=F8&idProduct=12683900

You can configure it to restrict users' access to the internet and use
it as a firewall. Just plug it inline between the T-line and your
switch. And then configure it how you need it. For only $36 it might
be the right solution for you without spending thousands of dollars.
I have used these before and they are pretty reliable and work rather
efficiently. Let me know if this helps.
Subject: Re: How to block hotmail, yahoo website and messenger services on windows 2k domain
From: andredoles-ga on 08 Jul 2003 19:18 PDT
 
You are trying to do something at the PC level that wasn't meant to
be.  Routers and firewalls at the gateway are the devices that allow
you to control services from the outside to in, and inside to out.  If
you had access to the router that your ISP manages, simply adding
several lines of configuration would do what you are trying to do. 
Also, normally, you start from the other direction... you block
*everything* except what you want them to have access to.  That way,
they are less likely to sneak things past you!  For example, on my
Cisco router, I have the following access list:

access-list 101 remark Allow ANYthing from my home computer
access-list 101 permit ip host 12.240.128.145 any log
access-list 101 remark 
access-list 101 remark Allow SSH to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 22 log
access-list 101 remark 
access-list 101 remark Allow SMTP mail to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq smtp log
access-list 101 remark 
access-list 101 remark Allow DNS queries to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq domain log
access-list 101 permit udp any 64.62.173.128 0.0.0.127 eq domain log
access-list 101 remark 
access-list 101 remark Allow TFTP access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 69 log
access-list 101 permit udp any 64.62.173.128 0.0.0.127 eq tftp log
access-list 101 remark 
access-list 101 remark Allow HTTP access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq www log
access-list 101 remark 
access-list 101 remark Allow POP3 http access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq pop3 log
access-list 101 remark 
access-list 101 remark Allow HTTPS access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 443 log
access-list 101 remark 
access-list 101 remark Allow WEBTRENDS access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 1000 log
access-list 101 remark 
access-list 101 remark Allow Visual Chat access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 5150 log
access-list 101 remark 
access-list 101 remark Allow Visual Chat access to any host from any host
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 5555 log
access-list 101 remark 
access-list 101 remark Allow ICMP access to any host from any host
access-list 101 permit icmp any 64.62.173.128 0.0.0.127 log
access-list 101 remark 
access-list 101 remark Deny everything else and log it
access-list 101 deny   ip any any log
access-list 101 remark 
access-list 101 remark Allow any inbound SSH sessions, to anywhere 
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 22 established log

Something like this would allow you to maintain a permission level for
each host on your network.  That's what packet/port filtering is, and
that is what you are trying to do.  So, the answer is, either get your
ISP to "manage" your router properly, or find somebody else who will. 
You can not do what you are trying to do at the host level with ease. 
It was never meant to do so.  That is the purpose of routers and
firewalls.  I hope this helps...
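
The top-down, first-match evaluation behind the access list in the comment above, as an added example that is not the commenter's code or Cisco's implementation: it parses a constructed subset of those rules, decides which rule a packet hits, and lists rules that an earlier entry already covers. The function names and the sample packets in the note below are assumptions made for the illustration, and the parser handles only the syntax that appears in the quoted list.

```python
import ipaddress

PORTS = {"smtp": 25, "domain": 53, "tftp": 69, "www": 80, "pop3": 110}  # IOS port keywords
# Constructed subset of the access list quoted above (same order); helper names are illustrative.
ACL = """\
access-list 101 permit ip host 12.240.128.145 any log
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 22 log
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq www log
access-list 101 deny   ip any any log
access-list 101 permit tcp any 64.62.173.128 0.0.0.127 eq 22 established log
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def addr_spec(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from tok; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return (to_int(tok.pop(0)), 0) if first == "host" else (to_int(first), to_int(tok.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            rest = tok[4:]
            rule = {"action": tok[2], "proto": tok[3], "src": addr_spec(rest), "dst": addr_spec(rest)}
            rule["port"] = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            rule["established"] = "established" in rest
            rules.append(rule)
    return rules

def covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    return b[1] & ~a[1] == 0 and (a[0] | a[1]) == (b[0] | a[1])

def subsumes(e, r):
    """True if rule e matches everything that rule (or packet) r describes."""
    return (e["proto"] in ("ip", r["proto"]) and e["port"] in (None, r["port"])
            and covers(e["src"], r["src"]) and covers(e["dst"], r["dst"])
            and (r["established"] or not e["established"]))

def decide(rules, proto, src, dst, dport=None, established=False):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    pkt = dict(proto=proto, src=(to_int(src), 0), dst=(to_int(dst), 0), port=dport, established=established)
    hit = next((i for i, r in enumerate(rules) if subsumes(r, pkt)), None)
    return (rules[hit]["action"], hit) if hit is not None else ("deny", None)

def shadowed(rules):
    """(later, earlier) index pairs where an earlier rule already matches all of the later one."""
    hits = ((j, next((i for i in range(j) if subsumes(rules[i], r)), None)) for j, r in enumerate(rules))
    return [(j, i) for j, i in hits if i is not None]
```

With the constructed packet `decide(parse(ACL), "tcp", "203.0.113.9", "64.62.173.130", 5190)` the result is `("deny", 3)`, while the same packet from the exempt host 12.240.128.145 is permitted by rule 0. `shadowed(parse(ACL))` returns `[(4, 1)]`: the trailing `established` entry is never reached because the earlier SSH permit already matches it.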
