Blocking social networking facilities

[Philip Herlihy]

I've been asked to block access to a range of social networking websites
like facebook, MySpace, bebo, etc, and also to prevent users running
Windows Messenger, MSN Messenger and Windows Live Messenger.

I'm finding this hard! The firewall I'm using (Netgear FVS338) will
block keywords but not URLs (so a mention of facebook on an otherwise
respectable site will mean it's blocked). Otherwise I have to block
individual IP addresses, and some of these sites have quite a few
(according to nslookup, anyway). I suspect these IP addresses will be
subject to change.

I've looked at using registry keys eg: DisallowRun in
HKLM\Software\Policies\Microsoft\Messenger\Client\
... but I can't find a definitive account of this, and some of the PCs
are running XP Home, which may make it difficult perhaps. Ideally, I'd
want a scripted solution.

Time to ask for advice! Any suggestions?

Phil, London

Nb cross-posted, as I wasn't sure which group to ask. Followups to
microsoft.public.win2000.networking.

 

[Meinolf Weber]

Hello Philip,

Do you talk about a single computer or a workgroup with more machines or
a domain?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Philip Herlihy]

Hello Philip,

Do you talk about a single computer or a workgroup with more machines or
a domain?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi Meinolf - yes, I should have said that these are a group of
standalone PCs, mostly running XP Home, and loosely networked peer-peer
using ad-hoc shared folders in a single workgroup.

Phil

 

[Phillip Windell]

This is not something that you can "just do" because someone asked for it.

The people who want it done need to be willing the spend $$$$ on the
products that it takes to accomplish it.

I use MS ISA Server 2006. But even with a solid indepth product such as ISA
Server it may still require more third-party "add-ons" ($$$$) for ISA
depending how detailed and how "carried away" with the idea you want to get.

You are not asking for some "simple thing" and you are not going to
accomplish it very well with "home-user" products like Netgear.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

 

[Philip Herlihy]

Thanks for the comment. I note what you say, although the device I'm
using is sold as a business router - I can't imagine why a domestic user
might want 50 VPN tunnels, for example.

From my experiments I've certainly learned that it isn't easy.
However, by looking up the IP addresses associated with (eg)
www.facebook.com and blocking those (laborious as it was) then I've
managed to block the three main sites. I wouldn't expect this to be
proof against a well-informed attempt to circumvent these provisions but
the environment doesn't have any technically savvy people. Similarly,
I've managed to block Windows Live Messenger from running through the
use of gpedit.msc on an XP Pro machine, although this isn't available on
the XP Home machines (but see this:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm)

Phil H

 

[Phil Cartwright]

I've been asked to block access to a range of social networking websites
like facebook, MySpace, bebo, etc, and also to prevent users running
Windows Messenger, MSN Messenger and Windows Live Messenger.

I'm finding this hard! The firewall I'm using (Netgear FVS338) will
block keywords but not URLs (so a mention of facebook on an otherwise
respectable site will mean it's blocked). Otherwise I have to block
individual IP addresses, and some of these sites have quite a few
(according to nslookup, anyway). I suspect these IP addresses will be
subject to change.

I've looked at using registry keys eg: DisallowRun in
HKLM\Software\Policies\Microsoft\Messenger\Client\
.. but I can't find a definitive account of this, and some of the PCs
are running XP Home, which may make it difficult perhaps. Ideally, I'd
want a scripted solution.

Time to ask for advice! Any suggestions?

Stop being a net nazi?

 

[Philip Herlihy]

Stop being a net nazi?

My advice was to appraise people's work based on what they achieved, and
if they were pulling their weight,turn a blind eye to what else they
might be doing at odd moments. However, this office has several young
workers who seem unable to resist these facilities and despite
discussion and eventually warnings continue to fall behind in their
work. Your comment suggest you may be content to be a drone in an
organisation too large to care, but this is a very small family business
and it matters, not least to the people concerned who might end up
losing their jobs if a solution isn't found.

Meanwhile, the Party knows where you live, and you can expect a visit
very early one morning for your "re-education". This may involve
extended travel, so have a toothbrush ready.

PH

 

[Bob I]

Stop being a net nazi?

Wasn't his decision

 

[f/fgeorge]

My advice was to appraise people's work based on what they achieved, and
if they were pulling their weight,turn a blind eye to what else they
might be doing at odd moments. However, this office has several young
workers who seem unable to resist these facilities and despite
discussion and eventually warnings continue to fall behind in their
work. Your comment suggest you may be content to be a drone in an
organisation too large to care, but this is a very small family business
and it matters, not least to the people concerned who might end up
losing their jobs if a solution isn't found.

Meanwhile, the Party knows where you live, and you can expect a visit
very early one morning for your "re-education". This may involve
extended travel, so have a toothbrush ready.

PH

My 'company' has almost 30,000 users and we have similar problems.
There is almost one pc per worker, some have several pc's some have
none. But what we do is the same thing as you do but have also added
the ability to remote control desktops. That means they can also
record that users desktop remotely. In a couple of instances they have
done that and the user has changed their ways. In a couple of
instances the user was fired because of how little work they were
actually doing. It only took a few times before EVERYONE was aware of
what was possible, the old "big brother is watching" scenario and most
people now do what they were hired to do. In ALL cases the person was
reported, and warned, before the IT people setup the recording. One
person actually had a blog on his work computer and thought that it
was 'cool' to do that all day instead of work. He is gone! He actually
said "you can't fire me because it doesn't specifically say I can't
host a blog". As I said he was fired for doing non work related stuff
at work and the list of things prohibited at work was expanded to say
no blogging at work allowed. We also block all streaming websites as
they are found. Streaming, even radio sites, consumes a huge amount of
bandwidth and as such slows down the people trying to work. Skype is
another thing you may want to block. It loads wherever it can, no
amount of admin rights can stop it, and uses huge amounts of
bandwidth. We blocked the skype website itself and that seems to have
stopped it. We are also progressively blocking all the internet sex
sites as we find them. That seems to be another huge time waster for
some people.

 

[Phillip Windell]

Thanks for the comment. I note what you say, although the device I'm
using is sold as a business router - I can't imagine why a domestic user
might want 50 VPN tunnels, for example.

There are "middle ground" devices that are just slightly more than home user
boxes. Generally they are around the $400-$500 dollar range. There is too
much variety in that area for me to comment on.

From my experiments I've certainly learned that it isn't easy. However,
by looking up the IP addresses associated with (eg) www.facebook.com and
blocking those (laborious as it was) then I've managed to block the three
main sites.

That is fine. You can do a lookup on their domain name to find the subnet
they own and block the whole subnet, as long as your firewall device can
identify by subnet.

I wouldn't expect this to be proof against a well-informed attempt to
circumvent these provisions but

There isn't much way around blocking the IP#s,...well informed or not.
It pretty much stops it dead in its tracks as long as the destination
doesn't change their IP#s. That isn't the problem,...the problem is the
labor that goes into maintaining your restrictions over long periods of
time.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

[Philip Herlihy]

My 'company' has almost 30,000 users and we have similar problems.
There is almost one pc per worker, some have several pc's some have
none. But what we do is the same thing as you do but have also added
the ability to remote control desktops. That means they can also
record that users desktop remotely. In a couple of instances they have
done that and the user has changed their ways. In a couple of
instances the user was fired because of how little work they were
actually doing. It only took a few times before EVERYONE was aware of
what was possible, the old "big brother is watching" scenario and most
people now do what they were hired to do. In ALL cases the person was
reported, and warned, before the IT people setup the recording. One
person actually had a blog on his work computer and thought that it
was 'cool' to do that all day instead of work. He is gone! He actually
said "you can't fire me because it doesn't specifically say I can't
host a blog". As I said he was fired for doing non work related stuff
at work and the list of things prohibited at work was expanded to say
no blogging at work allowed. We also block all streaming websites as
they are found. Streaming, even radio sites, consumes a huge amount of
bandwidth and as such slows down the people trying to work. Skype is
another thing you may want to block. It loads wherever it can, no
amount of admin rights can stop it, and uses huge amounts of
bandwidth. We blocked the skype website itself and that seems to have
stopped it. We are also progressively blocking all the internet sex
sites as we find them. That seems to be another huge time waster for
some people.

It's just too easy to look as if you're working! We have RealVNC on
most machines, but I don't think that has the capacity to record -
interesting idea. In a similar vein I'm investigating the logging
capabilities of the firewall - a smaller one (FVS114, rather
underpowered) would log every site visited, whereas its big brother
doesn't (obviously) do this. Even then, if we can block the
distractions we may be able to steer people away from being in trouble
in the first place.

Sounds like you have to invest a great deal of effort in this. :-(

Phil

 

[Philip Herlihy]

There are "middle ground" devices that are just slightly more than home user
boxes. Generally they are around the $400-$500 dollar range. There is too
much variety in that area for me to comment on.


That is fine. You can do a lookup on their domain name to find the subnet
they own and block the whole subnet, as long as your firewall device can
identify by subnet.


There isn't much way around blocking the IP#s,...well informed or not.
It pretty much stops it dead in its tracks as long as the destination
doesn't change their IP#s. That isn't the problem,...the problem is the
labor that goes into maintaining your restrictions over long periods of
time.

The firewall we use (just bought!) will block a range of addresses but
not a subnet, so if the apparently random collection of IP addresses
returned by nslookup for www.bebo.com COULD be expressed as a complex
subnet mask I'd still have to enter them one by one :-(

Where could I find definitive information on the subnet an organisation
owns?

Blocking use of Windows Messenger and its variants is proving tricky, as
they revert to port 80. You can use gpedit on XP Pro, or Doug Knox's
utility (see earlier post) on XP Home to block the executable, but a
savvy user could copy and rename the executable and evade the
restriction that way (subject to permissions to do that, of course).
There is an option to allow only listed applications, but that's going
to be hard work for yours truly, and you can also use this firewall to
allow only named IP addresses, but how many sites are all served by one IP?

I've wondered whether NTFS permissions might be an option? You can use
the cacls utility to grant or deny permissions even on XP Home (or boot
in Safe Mode and use the familiar security dialogue windows).

It is bizarre how some people regard a job as an attendance centre. I
worked in a very genteel place once where one chap spent all day on the
phone to Turkey sorting out supplies for his brother's restaurant. When
the (vast) phone bill was finally noticed, and his telephone was blocked
from making external calls (not needed for his job) he simply started
using his neighbour's phone. It was over a year before they finally
sacked him, and I don't think he'd done a stroke the whole time. (Nice
work if you can get it...).

Phil

 

[f/fgeorge]

The firewall we use (just bought!) will block a range of addresses but
not a subnet, so if the apparently random collection of IP addresses
returned by nslookup for www.bebo.com COULD be expressed as a complex
subnet mask I'd still have to enter them one by one :-(

Where could I find definitive information on the subnet an organisation
owns?

Thsi website www.samspade.org will give you that, but here is the
bebo.com info:
http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y

 

[Philip Herlihy]

On Tue, 22 Apr 2008 17:52:16 +0100, Philip Herlihy

[snip]

Where could I find definitive information on the subnet an organisation
owns?

Thsi website www.samspade.org will give you that, but here is the
bebo.com info:
http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y

Don't see anything there on the subnet, and when I use nslookup (command
line) it suggests there are loads of possible IP addresses, although
results vary, and the current two aren't the same as the one suggested
by samspade.

Confused of London....

 

[f/fgeorge]

On Tue, 22 Apr 2008 17:52:16 +0100, Philip Herlihy

[snip]

Where could I find definitive information on the subnet an organisation
owns?

Thsi website www.samspade.org will give you that, but here is the
bebo.com info:
http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y

Don't see anything there on the subnet, and when I use nslookup (command
line) it suggests there are loads of possible IP addresses, although
results vary, and the current two aren't the same as the one suggested
by samspade.

Confused of London....

Many, many companies have LOADS of ip addresses to let more people on
at the same time. Comcast, for instance, has hundreds of thousands!

 

[Philip Herlihy]

On Tue, 22 Apr 2008 17:52:16 +0100, Philip Herlihy

[snip]
Where could I find definitive information on the subnet an organisation
owns?

Thsi website www.samspade.org will give you that, but here is the
bebo.com info:
http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y

Don't see anything there on the subnet, and when I use nslookup (command
line) it suggests there are loads of possible IP addresses, although
results vary, and the current two aren't the same as the one suggested
by samspade.

Confused of London....

Many, many companies have LOADS of ip addresses to let more people on
at the same time. Comcast, for instance, has hundreds of thousands!

Just so. What would be nice would be a way of figuring out the minimum
set to block!

Phil

 

[George Smith]

However, this office has several young
workers who seem unable to resist these facilities and despite
discussion and eventually warnings continue to fall behind in their
work.

How about denying such access by a particular employee for a week or
whatever as a punishment for that employee falling behind in work?
Doesn't affect anyone who avoids falling behind that way, and provides a
milder initial consequence than being fired for those who do.
(Continuing to make a habit of it would obviously have to lead to more
severe penalties, and eventually job loss.)

Consider also that some employees may simply prove not to be cut out for
the work. One that lacks self-discipline may just find other
distractions, and may never perform well.

Also, do try to determine the actual cause of the employee's behavior.
There are at least two explanations, and of those only one involves the
employee needing more self-discipline.

That explanation is, of course, that the employee is prone to
distractions and non-work activities at the expense of getting work done
on time.

An alternative is if the employee's work keeps getting stalled by
external factors, and they amuse themselves in various ways while
waiting to be able to proceed with their work again. This can happen if
their tasks sometimes have to wait for something else to have been
finished by someone else -- a coworker to have completed something, or a
supplier to have shipped something, for instance. If a shipment is late
in arriving and some work can't proceed until the stuff arrives, for
instance, depriving the employees of net access won't do much good.
Finding a better supplier might be more effective in that case.

Of course, since you haven't given many details about the jobs in
question, it's not clear whether that's even possible in this particular
case, or whether you've already determined that that isn't what's happening.

 

[Philip Herlihy]

How about denying such access by a particular employee for a week or
whatever as a punishment for that employee falling behind in work?
Doesn't affect anyone who avoids falling behind that way, and provides a
milder initial consequence than being fired for those who do.
(Continuing to make a habit of it would obviously have to lead to more
severe penalties, and eventually job loss.)

Consider also that some employees may simply prove not to be cut out for
the work. One that lacks self-discipline may just find other
distractions, and may never perform well.

Also, do try to determine the actual cause of the employee's behavior.
There are at least two explanations, and of those only one involves the
employee needing more self-discipline.

That explanation is, of course, that the employee is prone to
distractions and non-work activities at the expense of getting work done
on time.

An alternative is if the employee's work keeps getting stalled by
external factors, and they amuse themselves in various ways while
waiting to be able to proceed with their work again. This can happen if
their tasks sometimes have to wait for something else to have been
finished by someone else -- a coworker to have completed something, or a
supplier to have shipped something, for instance. If a shipment is late
in arriving and some work can't proceed until the stuff arrives, for
instance, depriving the employees of net access won't do much good.
Finding a better supplier might be more effective in that case.

Of course, since you haven't given many details about the jobs in
question, it's not clear whether that's even possible in this particular
case, or whether you've already determined that that isn't what's
happening.

Very much my own approach, as it happens - I've argued that they need to
find a way to assess whether someone is performing well, and that
involves issues such as job design, training, and connecting processes,
as you say. However, the employer concerned (an estate agent) has lost
patience with one or two of the younger staff (one of whom got fired
recently) and wants to prevent this distraction from being available.

I've now set up a (long) list of firewall rules, and will be analysing
firewall logs for signs of larking around. I hope to get the chance to
warn informally individuals so highlighted myself before passing the
information on, and have discussed this with the relevant manager.

I'll be using NTFS file permissions to deny access to Windows (live)
Messenger on a machine by machine basis, using a simple script based on
cacls.

Phil