Hello Everyone,
I am an network admin for a high school, and we have a serious problem with Kazaa and other types of applications being downloaded and installed by students. Does anyone know of a way to block the downloading of certain file types, like .exe, .mp3, .zip within IE, or through a croup policy? I thought I found a way to do it, but cannot remember where I saw it, or if it was something all together different. I run a windows NT domain, but I am migrating to AD this summer. Currently we have Microsoft Proxy Server 2, and we won't be upgrading to ISA server. Any help would be appreciated.
Thanks,
Justin
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
censor the ports. discipline the students. a privilege is not a right, abuse it and lose it.
Depending on needs, why let them have write access at all? (Why let them download at all?) Workaround - give them only a little space to write in, if they use it up, abuse it, then they are out (at least of space)
For port censorship, you should first block all ports, then only enable the exact ones you know you need, such as port 80 for html/web
Ok, so I can set up IE to disaloow downloads, but still allow access to the internet based on group membership, or based on a profile?
Using Microsoft Proxy Server 2 (2 actually, one on my site and one in the parent domain), also behind a Pix firewall (I believe) that I have no access to.
Thanks guys, any help is hugely appreciated, as I am swamped and don't get a lot of time to research this type of stuff as much as I would like.
Justin
SunBow's comment about discipline is right on. YOU are responsible for the activities on your network. Disable the account for a month. Kick out of school, whatever. Be merciless and stick to it. YOU can go to jail. Use logs to find the culprits. Make them write 5000 words essay on why piracy is wrong.
Sorry but you touched a sensitive spot. They're playing with the food on your table, don't forget that.
Thanks everyone,
I cannot describe to you how difficult it is to be in my position, because I cannot set policy, i can only inforce it. You have to remember that this is a high school, not a corporation, and I have 130 to 140 teachers, who all think they are the most important person, or that they teach the most important class, and 2600 students.
There is too much work for one person, but unfortunately, I'm all they can afford. I have made great strides already, but with huge resistance from the powers that be (politics and teachers).
I cannot approach it from the perspective that Sunbow mentions, I've tried that (accountability, restrict access), but this is public school, so if a kid needs a pencil, we have to supply it, and if a kid is in a class that requires PC access, he/she gets it. It also really sucks that a lot of the teachers don't manage the PCs that are in their rooms. In any event, we are covering ground that is already covered. I told a teacher that I foind downloaded games on his machines, his answer: "They are easy to uninstal". Missing the point entirely...
All ports are blocked except 80 for http. I am not that familiar with Proxy server, and the person who was here before me was good with PCs, but horrible at network administration, so things are pretty screwed up.
I appreciate the assistance, maybe this gives you a clearer picture about where I am.
Thanks,
Justin
If you have a PIX firewall, shutting down Kazaa is fairly simple, just block TCP port 1214 both directions. Same with Gnutella, just block the ports.
Preventing .zip, .exe downloads from web sites is extremely difficult without some type of content filter. I don't think Proxy server will do this for you. If you can get the funding, Websense is really the way to go. It works hand-in-hand with your PIX firewall.
See me answer this article http://www.experts-exchang
>some teachers have made a case for downloading uncopywritten material from the net
These teachers are setting a fine example for their young charges. This is the most ridiculous excuse I've seen for keeping the Kazaa ports open, when this is the only application that uses this particular port.
>it isn't worth the fight
If you can't beat them, join them.
You could ask if they have a legal defense fund? because it seems that according to this artical ...... that may be something they might look at setting up.
http://sg.news.yahoo.com/0
So when the school gets its legal notice :) you can wave that artical around ;)
> .. want to prevent the downloading and installation of any exe, and the
> downloading of any type of file, except .pdf, and other such
> documents.
simple answer: impossible, except you block writing to any device
and it's even worth than that: if the browser is IE, then it wastes bandwidth with downloading the files 'til it (IE) realizes that it cannot write to anywhere
I know this comment is more than a day late and more than a dollar short, but for whatever it's worth... :-)
What OS are the individual workstations running? If it is NT, or 2000, or XP Pro, you can set up the user policies so that installing new software is prohibited.
Users who are part of your "power users" group (or higher authority) could still be permitted to install software.
If you can accomplish this, you'll still have to go from machine to machine and clean off KaZaa and other offending items.
Of course, even if you can do this, you still have to have someone in your organization backing you up with policy.
If you have nothing backing you up (policy, or an authority figure who is your "sponsor"), then you should seriously consider dusting off the old resume and beginning a job search in your off-time. Expert 'esmogen' is right: you can end up being held responsible for the irresponsibility of others. Don't allow others to put you in an untenable position. (But -- in this economy -- don't leap off the ship until you have a solid offer to go to!)
Maybe a principled departure will cause the others to wake up?
Oh, hey, I *did* think of one other possibility...
Where is the PIX firewall located? You said you don't have access to it, and I assumed this meant "logical access."
If it is NOT located onsite (i.e. maybe you have someplace where several schools have their networking concentrated before being passed onto the internet), then you *might* try the following tactic:
Get a cheap appliance firewall and put it at your school's access/egress point! (Or, if you can't get the $400-600 but you have a spare PC, then build out an OpenBSD box and run an Open Source firewall.)
(Once again assuming the PIX is not onsite and protects more than just YOUR school...) Your justification to your local school's administration is that you need to guard against malicious hackers with access from other schools.
Now, you'd have a firewall YOU control (inside the PIX firewall's boundaries). And you could set your little internal firewall to be able to block the ports YOU want to, and to filter or strip whatever you desire.
Hope this helps!!
I've never seen a policy which can restrict downloading and running software on any M$ mashine, except disabling write-access.
Ok, the policy can setup to allow only some executables. The question is if somebody still have got it working with such restrictions.
I also can't imagine of a firewall which prevents downloading. If you want something like that it's a adaptive, or application level, firewall which needs to parse the traffic completetly, even the encrypted one (on port 443). And most people even know how to use anonymous https proxies ...
As I was envisioning it, the policy could be set up to disallow most of the automatic installers, but you're right, you cannot totally prevent the user from transferring an .EXE onto the machine and executing it.
I can certainly envision something more elaborate that would get a litter closer... for example, if all workstations are using NTFS, then only allowing programs to be executed from certain directories where you have disabled write access (if I am remembering NTFS permissions correctly, that is). But "more elaborate" also would mean "more time consuming to administrate." :-( So such a scheme might not be practical.
I can't think of a way to *really* prevent someone from using an offsite anon proxy. Last time I checked, HS kids didn't know about those; guess the kids have now outrun us?
And yes, adaptive application level packet filtering was part of what I had in mind. Besides the obvious of blocking things like the KaZaa ports. Guess I'll have to dig out my old Microsoft Proxy Server 2 documentation to see what's possible there and how to do it.
I went back and re-read the thread, and noticed that I had really mentally glossed over the part about preventing ANYTHING from being downloaded.... nope, cannot imagine how to lock it down THAT tightly. So you're absolutely right, he's stuck.
I'm a comsultant to a number of public libraries. We have a ver similar desire to stop the patrons from downloading, etc.
My suggestion is to investigate the Opera Browser instead of IE. In version 6.05 you can set up a kiosk mode and with command line switches you can stop all downloading. It also can be set to refuse pop-ups, prevent tinkering with the settings, delete all history, etc.
Version 7 of Opera is now available but it doesn't have the kiosk features yet.
Bill
P.S. Opera's original claim to fame was that it is faster than IE or any other browser for that matter. It still is!
hmm, Opera, Mozilla can stop download and popups and much more ...
but how if the .exe is "hidden" as a .html? or the content-type is *not* "text/html" but any kind of "stream", then you get the .EXE in your browser and simply save it.
There're infinite ways to get it, if you know how.
Restrict write to disk/floppy, or you're lost in nowhere ..
The last few comments were a slight help, but unfortunaltely, the school district cannot buy hardware, we're in a deficit-to the point where they are closing schools and laying people off left and right. I'm migrating all the PCs to either XP (less than 20) or Windows 2000 (460 PCs), and need a centrally administatable browser. I've been told that I cannot block floppy/CD drive access. I can use ghost to get an image out to all the PCs, but I need it to be flixible, because so many different classes require access to different things. For example, I have a yearbook, web design, and student government group that require special access. That does'nt even include the teachers who have been there for 25 years, and think that their way is the only way. The only option I can see, is to give people enough rope to hang themselves. Meaning, If they want less restrictive access, then they'll have to deal with the crashed, slow PCs.I won't have time. We'll see how it goes. I may have to take a crash course in Linux and build a really simple box to run a Linux based firewall.
Thanks,
Justin
> The only option I can see, is to give people enough rope to hang themselves.
> Meaning, If they want less restrictive access, then they'll have to deal with the crashed, slow PCs.
Managed correctly (maintaining a paper trail so that you cover your "6 o'clock"), this can be very effective.
> I may have to take a crash course in Linux and build a
> really simple box to run a Linux based firewall.
If you're going to do the crash course and build an OpenSource firewall, consider using OpenBSD or FreeBSD. IMHO, they are more stable and more secure than any of the Linux distributions.
ahoffman,
when you buy a PC, it comes with an OS, we have 500 PCs, some of them wer purchased a year or so ago. A lot of PCs are donated. Microsoft has a "fresh start" program that gives out free licenses for donated PCs, 2 months ago, I got 100 licenses. WHen I say i am migrating the PCs over I mean I am getting rid of slow PCs, and retaining the licenses, which i can move to other machines, as well as the licenses we have for donated Pcs. I am not buying anything. I'll look into Opera...
Justin
Business Accounts
Answer for Membership
by: lrmoorePosted on 2003-04-28 at 14:41:05ID: 8415714
You could shut down the kazaa ports on the proxy server, TCP port 1214, GNUtella, UDP/TCP port 6346, etc..
Perhaps on the Proxy server you can strip downloads with .zip, .exe, .mp3 file extensions, but I'm not the expert on that. Maybe another expert can chime in on this point..
A product such as Websense will enforce that for you, but it is expensive: http://www.websense.com