9

In my office there are approximately 25 systems connected through a network, all having internet access. But some people are misusing these facilities, like downloading films from torrent websites and accessing Facebook during work time. So I want to block websites like Facebook, Twitter and torrent websites on the client systems. On our server we are also using Windows 7 Ultimate 64-bit.

Would you please tell me a solution for this and tell me how to block websites?

Ali Ahmad
shibinlal

8 Answers

15

Don't waste time with complex technical measures: make clear to the employees what your policy is, then simply fire the next person who torrents a film.

Graham Hill
13

This is a bandage for a much larger issue...

When I set up networks for small offices (50 clients or less) I'll use a business-class (entry-level) wired router such as a Fortinet Fortigate 40C or a Cisco RV042. You can block traffic based on:

  • IP - Addresses and Ranges
  • FQDN - Fully Qualified Domain Names
  • Geography - You can block access to countries if you wish (Fortinet)

You can also do load balancing and you can even restrict bandwidth so employees can't take up all of your resources.

Also the Fortinets have a subscription service you can use to get AntiVirus updates and Antispam filtering as well (although be careful with these as they do have false positives).

From a managerial point of view

Blocking things like Facebook, Twitter, LinkedIn, and other social media may have their benefits from an IT standpoint, but it's much more of a managerial problem. If there is an issue with employees not working, they should be reprimanded. Since SEO on the internet is largely social, preventing your team from promoting your site through these channels sounds like a bad idea.

With many of the routers you can set aside a time-frame where the employees can do things like check their personal email and go onto their social networks. In my experience when you block these things on the network to try and get back the lost employee time, you're still going to have employees that text all day and use their cell phones for the social media. If you address the performance issue (or disregard for corporate policy) directly with the employees, they'll be much more understanding in terms of the needs of the company. If you set aside a time where they can access things they find interesting they will schedule their breaks around those times and you can see performance both in the employees and on the network itself increase.

AbsoluteƵERØ
  • To digress with some more managerial / non-ITSEC advice; I'd add this to AbsoluteZero's advice: Other than educating the staff about the high risk aspects (such as copyright liability and trojans), simply accept it as the cost of doing business with a computer literate workforce. Any chronic slackers will cost the company *far more* than the torrent bandwidth or direct time spent on Facebook; and can be easily identified through assessment of their productivity by their peers. – LateralFractal Oct 26 '13 at 10:24
2

The first thing I would take a look at is your firewall.

Why is the common port used by torrents open for instance? Probably because your firewall has an implicit allow. You need to change this to an implicit deny and white list what you would like your users to do.

For example, you could say only this proxy server may connect out to the internet over ports 80 and 443. Then you would set up your clients to use that proxy server and set policies on that proxy for your users (blocking this or that website). If they tried to set their proxy settings to something else they wouldn't be able to access the internet. Why? The implicit deny.

k to the z
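The difference between implicit allow and implicit deny described in the answer above, as an added example that is not part of the original answer. The LAN range, proxy address, destination addresses and port numbers are constructed assumptions for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not from the answer):
# office LAN 192.168.1.0/24, internal proxy at 192.168.1.10.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_network("192.168.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule: (action, source net, destination net, protocol, destination ports)
# Weak policy: block the usual BitTorrent ports, allow everything else.
BLACKLIST_RULES = [("deny", LAN, ANY, "tcp", set(range(6881, 6890)))]
# Corrected policy: only the proxy may go out, only on 80/443.
WHITELIST_RULES = [("allow", PROXY, ANY, "tcp", {80, 443})]


def evaluate(flow, rules, default):
    """First matching rule wins; `default` is the implicit action."""
    src, dst, proto, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_proto, ports in rules:
        if (src_ip in src_net and dst_ip in dst_net
                and proto == rule_proto and dport in ports):
            return action
    return default


def compare(flows):
    """Return {flow: (weak verdict, corrected verdict)} for each flow."""
    return {
        f: (evaluate(f, BLACKLIST_RULES, "allow"),
            evaluate(f, WHITELIST_RULES, "deny"))
        for f in flows
    }


# Constructed outbound connection attempts.
FLOWS = [
    ("192.168.1.10", "203.0.113.5", "tcp", 443),     # proxy fetching a page
    ("192.168.1.23", "203.0.113.5", "tcp", 443),     # client going direct
    ("192.168.1.23", "198.51.100.7", "tcp", 8080),   # client set to an outside proxy
    ("192.168.1.23", "198.51.100.9", "tcp", 6881),   # torrent client, usual port
    ("192.168.1.23", "198.51.100.9", "tcp", 51413),  # torrent client, other port
]

if __name__ == "__main__":
    for flow, (weak, strict) in compare(FLOWS).items():
        print(flow, "implicit allow:", weak, "| implicit deny:", strict)
```

Under the implicit-allow policy only the flow on the listed torrent port is stopped; under implicit deny everything except the proxy's own web traffic is dropped.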
2

I would suggest that you use a free UTM such as the one from SOPHOS. It will sit in the place of your firewall, has all-in-one features for a small office and is free. It will give you the ability to block and monitor the website categories you want. Also, it can protect against malicious downloads.

AdnanG
2

I think that you can make use of one of these possible solutions:

  1. You can use third-party software other than MS, like ISA Server or the Kerio firewall program, which is a good option depending on your needs. You will have to create a set of rules for blocking ports; mostly all p2p programs use a determined bunch of port numbers.

  2. You can use the service of sites like noip.com or similar to block ports and determined sites or domains like fb or twtr. No cost, no need to install any program (search for more info on the web related to this topic).

  3. There are plenty of Linux distributions that will offer you a myriad of tools to control internet access and bandwidth usage, like Karoshi, very easy to install and deploy; as I said, there are plenty of distros. People think that Linux has to be scary and difficult to use, but it is not. Groups of developers have thought of changing this way of thinking. Linux servers are much more secure and solid than Windows-based servers. No virus threats or blue screens of death. But if you don't want to deal with Linux-based programs, well, there is still one good valid option: Mac OS X Server edition software. It runs flawlessly on a Mac mini. All setup is guided and easy to manage. No virus threats or blue screens of death.

If you say Microsoft, that means virus threat alerts, constant and endless updates, blue screens of death, and antivirus updates to prevent any possible attack.

  4. If you use a wireless router or a managed router with more than 12 LAN ports to distribute the internet among the facility, you will surely be interested in this. Most of these devices come with some tools like access control rules for internet usage, like banning determined sites such as Facebook or any similar site; you can make use of the tools that these devices come with.
    I suggest TP-Link, with bandwidth control, series wr741nd, very nice and completely inexpensive. Most routers have just a basic function, which is to share an internet connection, but just a few come with this feature, bandwidth control. Consider that you have to control not only the usage but also the bandwidth. If you cannot control this scenario at all, at least you will have a chance to control bandwidth. An unequal distribution of bandwidth can produce so many problems that you will end up shutting down the server to start all over again, because a few users will literally eat the whole bandwidth, leaving the rest of the users with no internet connection at all. And one last thing: if you can fight them join them.
Simon
zorlak
1

You can use any application-layer firewall on your network to block these sites. A good open source firewall that I have previously used for managing a very small home computer setup is Untangle.

void_in
0

Apart from using GPO, you could use deep packet inspection appliances to automatically block this type of internet traffic. There are numerous products which can do this for you. One product which seems to be deployed quite often is http://www.bluecoat.com/.

Lucas Kauffman
0

A low cost solution would be to implement a Blackhole DNS server. Only allow clients to use internal DNS by blocking all outgoing TCP53 and UDP53 (except for your internal DNS server). Then update your DNS server to not resolve the domains you wish to block. There are lots of tutorials available by searching "blackhole dns".

If you don't have an internal DNS server, OpenDNS could be used with the same approach. Block all DNS traffic at the perimeter except to the OpenDNS servers.

As everyone has suggested, layer-7 inspection is the ideal solution. My example of leveraging DNS could be easily bypassed via online proxies. However, some small businesses don't have the technical or monetary means to reach layer-7 inspection, thus DNS could be a great alternative.

user2320464
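The two halves of the blackhole DNS approach in the answer above, as an added example that is not part of the original answer: deciding which names the internal resolver refuses, and checking perimeter flow records for clients still sending DNS elsewhere. The blocked zones, sinkhole address, resolver address and flow records are constructed assumptions.

```python
# Constructed values (assumptions, not from the answer).
BLOCKED_ZONES = {"facebook.com", "twitter.com"}
SINKHOLE = "0.0.0.0"
APPROVED_RESOLVERS = {"192.168.1.2"}  # the internal DNS server


def is_blocked(qname, zones=BLOCKED_ZONES):
    """True if qname is a blocked zone or a subdomain of one.

    Matching is done on whole labels, so www.facebook.com is blocked
    but notfacebook.com and facebook.com.example.org are not.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def answer(qname, upstream):
    """Sinkhole blocked names; pass everything else to the upstream lookup."""
    return SINKHOLE if is_blocked(qname) else upstream(qname)


def dns_bypass(flows, approved=APPROVED_RESOLVERS):
    """List (client, resolver) pairs doing DNS without an approved resolver.

    A flow is fine if it goes to the internal resolver or comes from it
    (the resolver's own upstream queries); anything else on port 53 is
    what the perimeter rule in the answer is meant to block.
    """
    hits = set()
    for src, dst, proto, dport in flows:
        if dport == 53 and proto in ("tcp", "udp"):
            if src not in approved and dst not in approved:
                hits.add((src, dst))
    return sorted(hits)


# Constructed perimeter flow records: (source, destination, protocol, port).
FLOWS = [
    ("192.168.1.23", "192.168.1.2", "udp", 53),    # client -> internal DNS
    ("192.168.1.2", "203.0.113.53", "udp", 53),    # internal DNS -> upstream
    ("192.168.1.31", "198.51.100.53", "udp", 53),  # client -> outside resolver
    ("192.168.1.31", "198.51.100.53", "tcp", 53),  # same client over TCP
    ("192.168.1.31", "203.0.113.5", "tcp", 443),   # not DNS, ignored
]

if __name__ == "__main__":
    print(dns_bypass(FLOWS))
```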