GrayStrickland
Restricting Users' Access to Outside Email (via POP, SMTP, IMAP or Webmail) and Tracking Web Browsing

I have the following goals:

  1. Deny users on my lan the ability to receive email from any pop mail server other than our local mailserver.

  2. Deny users on my lan the ability to send email to any smtp mail server other than our local mail server.

  3. Deny users on my lan the ability to access any webmail, such as hotmail.com, mail.yahoo.com, etc.

  4. Track and provide statistical reporting on the websites which employees visit.

  5. Deny users on my lan the ability to visit certain websites.

I want to be able to achieve these goals in a way which does not require setting up restrictions on the individual workstations. I'm happy to give users administrative privileges to his/her own workstation and don't want to stop doing that. I need to implement these restrictions at the bottleneck (server level). I give each user two mail accounts: one for work and one for personal use, but I also ask that each user limit his/her personal email activity to a reasonable level (say... a half dozen or so a day to/from your mother, college roommate, spouse, etc.). I'm trying to deal with the employees who can't seem to resist the temptation to send/receive 40-50 personal emails a day -- every day. These are good employees whom I don't want to fire. However, if I let them all know that I can see their usage patterns, then they'll just start using outside email to circumvent. That's why I want to plug the alternative holes before I start laying down the law. As for web addresses visited, I don't care if someone spends a reasonable amount of time at landsend.com, etc., but I need to know if they're spending 30 min a day surfing porn, playing games, etc.

We are running a Win2000 Adv. Server. We do not have a proxy server. Our router is a Netopia running Network Address Translation using a dynamic IP aDSL connection. If I have to install something (proxy, firewall ?), I would lean to a linux based solution.

If you need more information to make a recommendation, let me know.
TroutOz

You would need to block outbound ports 109, 110 & 995 for POP2, POP3 and POP3S respectively, and port 25 for SMTP.

That would stop the mail applications.

The web-based mailers are a bit harder. You would need to force the browsers to use a proxy like ISA or Squid. On top of that you would need to tell the proxy the addresses you want to block, and that's the hard part.

I worked for a finance company where we would only allow email websites and internet banking between 12pm and 2pm as a compromise. The way we achieved this was with a Microsoft Proxy add-on from Trend. It also checked websites for malicious code and viruses. Try their website www.trend.com.

The product is InterScan Web Manager.
http://www.trendmicro.com/en/products/gateway/iswm/evaluate/overview.htm

I'm sure there are other products out there. This one uses the Cyber Patrol list to ban sites and was pretty effective. You can also evaluate it before you buy it.

Hope it helps

D.
Just an addition to my previous post: it used to produce some nifty reports and it even emails them to you.

It was a while back when I used it, but I think you could set trigger levels that would let you know when someone was starting to abuse their privileges.

D.
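The port blocking described in this answer, as an added example that is not part of the thread: an iptables ruleset for a Linux gateway sitting between the LAN and the Netopia router, built in the "block everything, then allow what you need" order. The addresses, interface names and DMZ layout are assumptions; by default the script only prints the commands so they can be reviewed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: LAN 192.168.1.0/24 on
# eth1, a small DMZ 10.0.2.0/24 on eth2 holding the local mail server
# (10.0.2.10) and a Squid proxy (10.0.2.5:3128), Internet on eth0.
LAN_IF="${LAN_IF:-eth1}";  LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_IF="${DMZ_IF:-eth2}";  DMZ_NET="${DMZ_NET:-10.0.2.0/24}"
MAIL_SRV="${MAIL_SRV:-10.0.2.10}"       # the only mail server workstations may use
PROXY="${PROXY:-10.0.2.5}"              # the only way out to the web
DNS_SRV="${DNS_SRV:-192.168.1.2}"       # the Win2000 DC/DNS server on the LAN (assumed)
MAIL_PORTS="25 109 110 995"             # SMTP, POP2, POP3, POP3S (the ports named above)
IPT="${IPT:-echo iptables}"             # dry run by default; IPT=iptables applies them

gen_rules() {
    # Default deny for everything crossing the gateway, then the exceptions below
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Goals 1 and 2: mail clients may talk only to the local mail server...
    for p in $MAIL_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$MAIL_SRV" -p tcp --dport "$p" -j ACCEPT
    done
    # ...and any other mail connection leaving the LAN is logged, then dropped
    for p in $MAIL_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j LOG --log-prefix "MAIL-EGRESS: "
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j DROP
    done

    # Goals 3-5 are enforced on the proxy; direct 80/443 from the LAN hits the DROP policy
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$PROXY" -p tcp --dport 3128 -j ACCEPT
    # Only the proxy, the mail server and the DNS server get out to the Internet
    $IPT -A FORWARD -i "$DMZ_IF" -s "$PROXY" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -s "$MAIL_SRV" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$DNS_SRV" -p udp --dport 53 -j ACCEPT
    # Log what the LAN still tries so the attempts show up in the usage reports
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j LOG --log-prefix "LAN-EGRESS-DENIED: "
}

gen_rules
```

Review the printed commands first; the ACCEPT rules for the local mail server must appear before the per-port DROP rules, because iptables takes the first match.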
Numbers 1 and 2 are done at the firewall.

Numbers 3 and 5 are done through a web proxy.

Number 4 can be done using Webtrends and a proxy server.
Come to think of it, this is a networking question, not security or eMail:
https://www.experts-exchange.com/Networking/
https://www.experts-exchange.com/Networking/WinNT_Networking/
https://www.experts-exchange.com/Security/Firewalls/

Your "deny" requests all involve blocking of addresses, ports, protocols using network devices (unless you really want to gumshoe to each and every terminal). Better, I think, to reduce the points to ask more individual questions IMO.

The number one blocker for a network is the firewall.

> If I have to install something (proxy, firewall ?), I would lean to a linux based solution

Yes, these are essential. Do firewall prior to all else before connecting to any network. Begin by blocking ALL ports, then enable the ones you require.

> 1. Deny users on my lan the ability to receive email from any pop mail server other than our local mailserver.

Ans: Block ports.

> 2. Deny users on my lan the ability to send email to any smtp mail server other than our local mail server.

Ans: block ports

> 3. Deny users on my lan the ability to access any webmail, such as hotmail.com, mail.yahoo.com, etc.

Ans: Block addresses

> 4. Track and provide statistical reporting on the the websites which employees visit.

Ans: get robust firewall or better, proxy solution that maintains records (and address to employee mappings)

> 5. Deny users on my lan the ability to visit certain websites.

Ans: Block addresses

> I'm happy to give users administrative privileges to his/her own workstation and don't want to stop doing that

Excellent!

>  I need to implement these restrictions at the bottle neck (server level).

Rather, the firewall should be the neck of the bottle.

> I give each user two mail accounts: one for work and one for personal use

OK. Also deal with permission levels, and user authentication (beware of relays and spoofs)

>  but I also ask that each user limit his/her personal email activity to a reasonable level (say... a half dozen or so a day to/from your mother, college roommate, spouse, etc.).

Oops, you just shot self in foot, it being easier to be either open system or closed, not some intuitive inclusions of each. Supposing that all users get to access internet for both web and eMail, may I suggest increasing the complexity of hardware? Since you'll distinguish between corporate use and personal, one way to isolate this is using separate eMail servers, one for each class. Business usage has to be more professional in appearance, and therefore more regulated. The personal end is more flexible and vulnerable, and in need of a higher degree of isolation.

Also, since you are willing to spend lots of important points, in a security topic, I suggest two other approaches. First, while spending more on hardware, do not neglect to spend well also for talent in security area. Maybe not top dollar salary until you learn more about security (lest you be conned) but we recognize that security is often given short-shrift in business, leading to great increases in vulnerabilities being exposed to, far worse than simple abuse of hitting porn sites frequently. Get staff of similar philosophy with a work ethic you can check on, and be free with service rewards. Consider increasing education on network topologies, I think a look at DMZ is in order (see networking links above, consider search engine as well).

For firewall, the hardware solution provides the better security, but for reporting, I think your linux idea would pan out better. Proprietary reporting systems may provide a lot of info, but leave a lot to be desired concerning their usefulness to you. With a SW solution, you get benefit of tweaking an existing reporting system, or writing your own. The volume of data is unmanageable, and filters are essential and must suit your needs. Some sites (such as porn) may have numerous addresses, and change addresses, so monitoring can be difficult if you do not embed flexibility.

> These are good employees whom I don't want to fire. However, if let them all know that I can see their usage patterns

I applaud that. Better to fire for not performing their regular duties. An employee who hits on porn 7 of 8 hours can still be more productive than one who never hits on porn. Doing their expected job is paramount. The dangers lie more in the vulnerabilities they may expose the corporation to when abusing privileges. Many companies do not bother to show lists of network access, they just tell their people that they are subject to monitoring, and that monitoring is in place.

A real good step would be to be very clear, in writing, what the policies are, the definitions that will be used concerning abuse. As long as employees believe they are being treated fairly, they will be likely to accommodate your policies.
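The "proxy solution that maintains records" and the "writing your own" reporting mentioned above, as an added example that is not part of the thread: a small awk report over Squid's native access.log that sums requests and bytes per user and domain and counts the requests the proxy refused (the webmail and blocked-site hits from goals 3 and 5). The log lines are constructed, and the script assumes Squid is logging the authenticated username in the ident field and falls back to the client IP when it is "-".

```shell
#!/bin/sh
# Added example (not from the thread). Constructed Squid native-format lines:
# time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG='1035123456.101 120 192.168.1.23 TCP_MISS/200 4523 GET http://www.landsend.com/catalog jsmith DIRECT/203.0.113.5 text/html
1035123460.202 15 192.168.1.23 TCP_DENIED/403 1250 GET http://mail.yahoo.com/login jsmith NONE/- text/html
1035123470.303 90 192.168.1.23 TCP_MISS/200 88231 GET http://www.landsend.com/img/1.jpg jsmith DIRECT/203.0.113.5 image/jpeg
1035123480.404 10 192.168.1.45 TCP_DENIED/403 1250 CONNECT www.hotmail.com:443 - NONE/- -
1035123490.505 200 192.168.1.45 TCP_MISS/200 20000 GET http://games.example.com/play - DIRECT/203.0.113.9 text/html
1035123500.606 30 192.168.1.45 TCP_MISS/200 5000 GET http://games.example.com/level2 - DIRECT/203.0.113.9 text/html'

# Reads access.log on stdin; prints "user domain requests bytes denied", biggest first
usage_report() {
    awk '{
        user = ($8 == "-") ? $3 : $8            # authenticated user, else the client IP
        host = $7
        sub("^[a-z]+://", "", host)             # strip the scheme...
        sub("[/:].*", "", host)                 # ...and the path or port, keeping the domain
        key = user SUBSEP host
        req[key]++
        bytes[key] += $5
        if ($4 ~ /^TCP_DENIED/) denied[key]++   # refused by an ACL (webmail, banned sites)
    }
    END {
        for (k in req) {
            split(k, p, SUBSEP)
            printf "%s %s %d %d %d\n", p[1], p[2], req[k], bytes[k], denied[k] + 0
        }
    }' | sort -k4,4nr
}

# Bytes one user pulled from one domain (0 if none)
bytes_for() { usage_report | awk -v u="$1" -v h="$2" '$1 == u && $2 == h { print $4; f = 1 } END { if (!f) print 0 }'; }

# How many of a user'"'"'s requests the proxy refused
denied_for() { usage_report | awk -v u="$1" '$1 == u { d += $5 } END { print d + 0 }'; }

# Demo on the constructed log; on the proxy use: usage_report < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | usage_report
```

Unauthenticated clients show up by IP, so the address-to-employee mapping the thread mentions needs either proxy authentication or a DHCP reservation list.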
ASKER CERTIFIED SOLUTION
Les Moore
Consider comments in this one, not too dissimilar:
Title: Outside e-mail restriction
https://www.experts-exchange.com/questions/20376654/Outside-e-mail-restriction.html
"Is there a way to restrict outside e-mail traffic for certain users with exchange?  The boss only wants certain employees using the e-mail externally, but wants everyone to be able to use e-mail internally.  Not sure if this is possible.  Thanks in advance "
Oh, done? Well... Good Luck