12

We have a few users here who are using Facebook during working hours and their productivity is through the floor. As a temporary measure I have remotely edited their hosts files to point facebook.com and its various subdomains to the loopback address, and then manually comment the entries out at lunch time so they can use it.

This is obviously a bit tiresome doing this for a number of users every day.

I am looking at trying to find something that can do this blocking automatically on schedule.

I was thinking of some kind of proxy server which I can add to the proxy settings on their browser via group policy.

Does anyone know of any free or cheapish software solution for windows that will do this? Or maybe something standalone I can install on a PC/VM?

I guess I could always write and schedule some batch files to switch a blocked hosts file with a non blocked one.

Network is a Windows 2003 SBS server, Windows XP SP3 workstations, a single interface on the server, and a Netgear DG834 router which, whilst it does have some scheduling, only allows a single block window - for example 9-5pm - but I would want to open it in the middle.

splattne
Ben Gillam
    This honestly sounds like a management problem, not a technical one. Maybe it's time to write up an acceptable use policy? – DanBig Apr 14 '11 at 15:37
  • That is very true, but policy or not users will still do it; it's whether they get caught or not. I could write one but the management and users would ignore it :/ - Though the management do want me to do something to prevent it – Ben Gillam Apr 14 '11 at 15:40
  • @Ben - Tell management that if they don't want to fire people, then people will continue to do whatever they want. If they're management, they should already know that. – MDMarra Apr 14 '11 at 15:44
  • If they can't be trusted to behave, and use the internet like responsible adults, then perhaps their contract should be terminated, rather than their TCP connections. – Tom O'Connor Apr 14 '11 at 15:45
  • Is your environment managed using Active Directory? If so you could try deploying GPO to add sites to IE's blocked list and a distribute changes to DNS. – Ishmael Apr 14 '11 at 15:47
  • Ishmael, please post that as an answer! Best one here (next to squillman) – Ziplin Apr 14 '11 at 22:35
  • Thanks Ishmael, that is an option, but as per the original question it looks like it's an on or off thing, not something I can time switch. - I appreciate all the comments with regards to a Usage Policy. That can and will be done, but it won't stop those who stray, and without constant monitoring they won't be caught – Ben Gillam Apr 15 '11 at 12:23

10 Answers

26

As someone who used to be responsible for the proxies, firewalls, and web filters I very much agree with @DanBig's comment and urge you to politely tell management "I don't care" and let them deal with it. Babysitting is a management / HR issue and should not be left to working level IT. If you have resource contention to the point where someone's Facebook activities are causing performance issues on your network and you don't already have filtering software in place, block their switch port or something and get management involved. Then work with management / HR on an acceptable use policy, which could also include a proxy / web filter to help enforce said policy. IT can help to define the policy, but HR should be the owner of the policy.

You do NOT want to get in the middle of legal battles or other conflicts with disgruntled [former] employees if / when they start coming down the pipe. It's not a long decline from exuberant Facebook usage to other questionable uses of the Internet.

squillman
  • +1, Management issue all the way. Let employees do whatever they want; if they aren't producing get rid of them; if they face-space all day and *still get the job done* then who cares. – Chris S Apr 14 '11 at 15:54
  • Totally agree. Management issue all the way. Now I myself have no problem with the use of technology to *support* management but blocking sites without management support/enforcement turns this into a game and, to paraphrase WarGames, the only way to win that particular game is not to play. – Rob Moir Apr 14 '11 at 18:15
  • I personally have no issue with a blanket ban on Facebook at work. It's not work related (unless your company has a Facebook page?) so nobody should be using it. I've worked for organisations where all web based mail sites are blocked, eBay, carsales, realestate, Facebook, etc. Seems harsh, but I could still do my job. – xXhRQ8sD2L7Z Apr 15 '11 at 01:34
  • While I totally agree that it's primarily a management issue, for those of us working in small companies the borders and rules are a bit more fluid. As the OP uses SBS I'm guessing it's a very small company. In such cases the IT person is rarely just an IT person and has greater responsibility for the human side of things. In simple terms, some of us can't just dump it back on management and have to deal with it as best we can. – John Gardeniers Apr 15 '11 at 04:50
  • @John I totally respect where you're coming from re: the small business aspect, don't get me wrong. I admittedly have not worked full time for a small business, I've only done consulting for them, but given my experience with this I would still be loathe to implement something without the owner's (or whoever has a big stake in things) partnership in the deal. I would also push for that person calling the shots. Personally for me, I wouldn't have it any other way. The phone calls I received from former employees simply were not worth it. – squillman Apr 15 '11 at 13:27
  • @squillman, the boss/owner should certainly be the one to make the final decision but what normally happens is that we describe the problem and he/she/they simply state something along the lines of "just fix it". From that point on it's our (IT's) problem. As an aside, I do block Facebook and similar sites. – John Gardeniers Apr 15 '11 at 22:14
11

If what you're doing right now is working but the issue is that it's taking too much of your time, then scheduled tasks are your friend :)

Pop the two versions of the hosts file on the network somewhere (With FB enabled/disabled), and then set up a scheduled task, pushed out by GPO.

At lunch time (say, 11:30) it copies the "FB Enabled" hosts file, and then after lunch (say, 13:30) it copies the "FB Disabled" hosts file.

Price: $free
Difficulty: Easy
Effectiveness: Good
Management Overhead: Medium

For the record, squillman's answer is the one I would prefer as a sysadmin, but we all know that's not the way it works in real life

Mark Henderson
  • Thanks, have marked this as the answer for now; it will be quickest to implement and only needs to be run for certain users – Ben Gillam Apr 15 '11 at 12:34
  • +1 But for me, that's the way it's going to work in real life. People knew me as the Internet / Firewall guy and when they got slapped around for their poor browsing decisions that came back to me on a personal level. That crap doesn't fly for me at the working level where I'm not the one making the disciplinary calls. One of the key terms in my answer is "working level IT". If you have more than a working level IT responsibility then yes, things do get more involved. Also, see my comment response to John's comment on my answer. – squillman Apr 15 '11 at 13:33
7

Another alternative would be to block Facebook et al from people's work machines from 9-5 but set up an "Internet Cafe" in a communal area where they can have access to the internet for personal browsing at lunchtime.

These machines could be locked for most of the day but only open from 11 am till 2 pm (for example).

As these machines are effectively "public" people would then have to learn to log off when they've finished.

This would also help clearly delineate private and work usage of the internet.

ChrisF
  • Thanks, this would indeed be a good idea; sadly we don't have any spare hardware, but it's worth considering if and when we upgrade the systems here and retire the old hardware – Ben Gillam Apr 15 '11 at 12:29
3

Wow, that is definitely the hard way.

There are a multitude of web filtering solutions out there that will do what you need. Squidguard is probably the popular/simple choice, but there is no shortage of free/cheap options (as well as ridiculously expensive ones); Untangle, DansGuardian, the free versions of some of the unified threat management appliances out there like Astaro would do the trick..

Shane Madden
3

While I agree with most here that this is a management issue and in an ideal world it would end with a new policy, in the world in which we live an enforcement arm is required in addition to policy.

Others have mentioned several packages you could purchase; I think what you've done is fine -- what you need is a way to automate it. I think a simple PowerShell script and a pair of scheduled tasks would work just fine.

Nate
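Both Mark Henderson's answer (swap two hosts files from a GPO-pushed scheduled task) and Nate's answer (a PowerShell script plus a pair of scheduled tasks) describe the same procedure without showing it. The script below is an added example and is not code from either answer or from the original poster. Rather than keeping two whole copies of the hosts file, it keeps the managed entries between two marker comments and rewrites only that block, so anything else in the file (other local overrides, the `localhost` line) survives and running it twice is harmless. The hostnames, the script path, the task names and the times are assumptions, and it assumes PowerShell 2.0 has been installed on the XP SP3 workstations (XP does not ship with it).

```powershell
# Set-FacebookBlock.ps1  (added example; not from the original thread)
# Run with no arguments to block, with -Unblock to allow. Safe to run
# repeatedly: the managed entries live between two marker comments and are
# replaced rather than appended, so the rest of the hosts file is untouched.
param(
    [switch]$Unblock,
    # Assumed default location; override if hosts lives elsewhere.
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
)

# Assumed list. A hosts file cannot wildcard, so every subdomain the site
# actually uses has to be listed; check the address bar or a proxy log for
# names you have missed.
$BlockedHosts = @(
    'facebook.com', 'www.facebook.com', 'm.facebook.com',
    'login.facebook.com', 'apps.facebook.com', 'static.ak.fbcdn.net'
)
$BeginMarker = '# BEGIN scheduled-block (managed by Set-FacebookBlock.ps1)'
$EndMarker   = '# END scheduled-block'

function Update-HostsLines {
    param([string[]]$Lines, [bool]$Block)
    # Drop any previously managed block; keep every other line verbatim.
    $kept = @()
    $inside = $false
    foreach ($line in $Lines) {
        if ($line -eq $BeginMarker) { $inside = $true;  continue }
        if ($line -eq $EndMarker)   { $inside = $false; continue }
        if (-not $inside) { $kept += $line }
    }
    if ($Block) {
        $kept += $BeginMarker
        foreach ($name in $BlockedHosts) { $kept += "127.0.0.1`t$name" }
        $kept += $EndMarker
    }
    # The leading comma stops PowerShell unrolling an empty/one-element array.
    return ,$kept
}

$current = @()
if (Test-Path $HostsPath) { $current = Get-Content $HostsPath }
$updated = Update-HostsLines -Lines $current -Block (-not $Unblock)

# Write ASCII with no byte-order mark: the Windows resolver does not expect a
# BOM and would misread the first line of the file if one were written.
[System.IO.File]::WriteAllLines($HostsPath, [string[]]$updated,
                                [System.Text.Encoding]::ASCII)

# The DNS Client service caches hosts entries; flush so the change takes
# effect now rather than when the cached answers expire.
ipconfig /flushdns | Out-Null

# Scheduling (run once per workstation as an administrator, or push the
# equivalent via GPO). Task names, script path and times are assumptions;
# the weekday list keeps the tasks from firing at the weekend.
#   schtasks /create /tn "FB-Allow" /sc weekly /d MON,TUE,WED,THU,FRI /st 11:30 /ru SYSTEM ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-FacebookBlock.ps1 -Unblock"
#   schtasks /create /tn "FB-Block" /sc weekly /d MON,TUE,WED,THU,FRI /st 13:30 /ru SYSTEM ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-FacebookBlock.ps1"
```

Two caveats a practitioner would want stated. The hosts file is per machine, not per user, so deploy the tasks only to the affected users' workstations. And a user who is a local administrator (common on XP) can simply edit the file back, so this stops the casual case only; a proxy or gateway filter, as other answers suggest, is what enforces the rule for everyone.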
1

We had 3 machines with open internet access in a public area with blocked access to questionable sites through OpenDNS and sectioned off from the rest of the network. The rest of the production floor did not have internet access. Served a site with 50+ users rather well, but our business is not very web-access heavy.

Bryan Lott
1

The easiest(*) is to install Ubuntu on a PC with 2 network cards, configure iptables + Squid + Dansguardian and block users by IP. The proxy will be transparent, so there is no need to configure users' browsers. In Dansguardian you will be able to create user groups and assign different sets of rules to each of them. Dansguardian supports scheduling.

Besides blocking, I would recommend implementing reporting. Reports are very important: people are much more responsible when they know that they are accountable. We used SARG, which published daily reports on a local website so everyone, including management, could see the statistics.

I prefer agreements rather than policies and reports to the management. So, we agreed that social networking will be available during lunch time and after working hours and that is enough for 98% of staff.

* Easiest because:

  • all the required resources are an old PC and $15 for a network card - no need to ask for a budget;
  • all the packages mentioned are available from the Ubuntu repository, no need to recompile anything; customization is minor, with many manuals and articles available;
  • the solution is centralized;
  • the rules will work for ALL the computers on the network, even if a PC does not belong to your AD;
  • this interim solution is good enough to become the permanent solution, so no effort will be wasted...
alexm
  • +1 for dansguardian. You'd set up cron jobs to swap out the block list at various times throughout the day. –  Apr 14 '11 at 20:37
  • This is the _easiest_ way you can think of? How about a Windows scheduled task to edit their hosts file? (lame, yes). Or a store-bought proxy solution? – Ziplin Apr 14 '11 at 22:32
  • I agree with @Ziplin, how on earth is this *easy*? I didn't see this comment till just now, but I've posted Scheduled Tasks as an answer which I came to independently. – Mark Henderson Apr 15 '11 at 01:07
  • @Ziplin @Mark Henderson - it sounds complicated but *is* easy because whatever is required for implementation is under your control. I do not think that editing hosts files will last for long: users will 1) find anonymizers or 2) bring notebooks from home or 3) change the timezone on the PC. – alexm Apr 15 '11 at 02:37
  • @Ziplin: purchase of ready solution is good option subject to budget available... – alexm Apr 15 '11 at 02:42
  • Thanks, will take a look at this option. With the two network card setup, presumably the Ubuntu box would then become a socks4/5 firewall through which people connect? And then our router would just sit on a different IP range and be hooked up to the 2nd interface on the Ubuntu box? – Ben Gillam Apr 15 '11 at 12:32
  • @Ben Gillam: I use transparent proxy, not socks 4/5. And yes, router shall be on different IP range. – alexm Apr 15 '11 at 12:42
1

We have a similar situation at my workplace. We solved it by putting the problem users all on the same subdomain and blocking that subdomain's access to Facebook, etc. through the firewall. If your firewall doesn't accept hostnames there will be some maintenance associated with changing DNS records but this seems like an acceptable solution compared to your current solution.

You could also enable time-based restrictions depending on your firewall software.

jamesbtate
1

I'm in general agreement with what alexm wrote but would tackle it slightly differently. Rather than build a system from scratch I suggest using one of the very easy to use firewall distros. I personally favour Smoothwall but there are a number of others to choose from. In addition to allowing you much more flexibility for filtering than you currently have, you will also gain the benefits of having a decent gateway firewall.

Most firewall distros have very good community support, so it's quite possible someone has already created an add-on to suit you. Otherwise, while the settings you are after may not be available in the normal management console, they're easily implemented via squid and cron. With very little scripting you can have as much granularity and control as you desire.

John Gardeniers
0

Take a look at FortiGate firewalls. They have application level blocking.