Need Info on Firewall or Internet Security Program

Posted on 2004-11-19
Last Modified: 2013-12-04

I work in a small company with 25 to 30 computers. We have a Windows 2000 single-domain network with one Exchange server and one file server. We use an integrated T1 line for the phone system and Internet connection. The T1 line comes out of a router that is maintained by the ISP. We use Norton Anti-Virus Enterprise Edition for protection against viruses.

For the last few months I have been spending more and more time supporting desktops. Even though all of the users in the organization have restricted access, every day a bunch of spyware gets installed on these desktops. I also noticed that every employee uses either Windows Media Player or RealPlayer to listen to live music, which takes up a lot of bandwidth.

Is there any program or hardware firewall that can take care of spyware, viruses and spam all together?

If we have to buy a separate solution for each task (virus, spyware and spam), then which programs do you recommend?

My company won't spend a lot of money, but I can convince our management team to spend 2 to 3 thousand dollars. What would be the best solution that can fit our budget?

I appreciate your help regarding this issue.


Question by: rajan99

    Accepted Solution

    Does the T1 connection connect to a single server or is it directly into a LAN switch that all clients/servers are connected to?

    Preferred solution would be:

    T1------------>ISA Server computer------>Switch---->>>clients

    ISA Server can be installed on an existing Windows 2000 Server. It can be used to prevent access or control bandwidth for the multimedia players and you can specify which Domain users and groups can do what and when.

    You can use Group Policy to remotely install a standard anti-spyware scanner and use login scripts to make sure it's run every time a user logs in or out.

    You can also use it to tighten the security permissions on the registry key that lists Browser Helper Objects, which are the mechanism by which many spyware programs silently link themselves into Internet Explorer.

    I highly recommend BHO Daemon v2 for identifying and disabling spyware that plugs into Internet Explorer.

    Before you tighten permissions make sure you've scanned and cleaned all the workstations and have their BHOs set as you want.

    The key is

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    and you should change the permissions so that only Domain Admins have write permissions, everyone else just read-execute permissions. As long as your users don't have Domain Administration permissions on their local workstations that will prevent malicious installs of BHOs.

    See my response to this question for how to add a registry key into the Group Policy.

    But instead of setting the value, in Group Policy Editor you would navigate instead to

    Computer Configuration>Windows Settings>Security Settings>Registry

    then right-click "Registry" and choose "Add key..." from the context menu.

    Navigate the registry keys until you've selected the key you want to enforce the permissions for then press the OK button.

    In the "Database Security" dialog change the default settings for "Everyone" to Allow Read, Execute and Deny Write, Delete.

    Add the Domain Admins group to the security with full permissions.

    Press "Add..." and then select "Domain Admins", press OK. Set permissions to Allow Full Control.

    Press the OK button and in the "Template Security Policy Setting" dialog

    select "Configure this key"
    select "Propagate inheritable permissions to subkeys"

    Press the OK button.

    Next time the group policy is updated your users will be a little safer.
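
A read-only check that the policy described in the answer above actually took effect on a workstation, added here as an example and not part of the original answer. It assumes Windows PowerShell 3.0 or later on the workstation; the allow-list of writers and the `EXAMPLE` domain name are placeholders to adjust.

```powershell
# Added example: audit the Browser Helper Objects key after the GPO applies.
# Read-only; it changes nothing on the machine.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Assumption: identities that are expected to hold write access to the key.
$allowedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'EXAMPLE\Domain Admins'    # placeholder domain name
)

# Rights that let an account add, change or remove a BHO registration.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Some ACEs carry generic bits instead: GENERIC_WRITE and GENERIC_ALL.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

if (-not (Test-Path -LiteralPath $bhoKey)) {
    Write-Output 'BHO key not present on this machine.'
    return
}

# 1. Which Allow entries grant write access to an identity outside the allow-list?
$acl = Get-Acl -Path $bhoKey
$unexpected = foreach ($ace in $acl.Access) {
    $canWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
    $isAllow  = $ace.AccessControlType -eq 'Allow'
    $known    = $allowedWriters -contains $ace.IdentityReference.Value
    if ($isAllow -and $canWrite -and -not $known) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# 2. Which BHOs are registered, and which DLL does each CLSID load?
$bhos = foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
    $clsid  = $sub.PSChildName
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll    = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
}

$bhos | Format-Table -AutoSize
$unexpected | Format-Table -AutoSize
if ($unexpected) { Write-Warning 'Write access beyond the allow-list: review the GPO.' }
```

Running it before and after the policy refresh gives a baseline of the registered BHOs and shows whether any non-admin identity still holds write access.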

    Expert Comment

    I meant to add that using Symantec Norton Antivirus Corporate Edition, especially with the Exchange Server protection, is quite sufficient. If you set up your own internal Live Update server and configure the local server to distribute virus definitions you'll have an optimum configuration.

    Set the server on a schedule to get its own live updates every night and just keep an eye on the reports from the server and network.

    In the SAV for Exchange Mail Server you can also configure some basic anti-spam rules but we've had a lot of success with two other products that are plugged into Exchange itself.

    The first is an Open Relay Blocker called ORF Enterprise.

    The second is an anti-spam filter called Block & Tackle.

    See my response to this question for more details.

    Author Comment

    Thank you TJWorld for your suggestions. I appreciate it. My last question regarding this topic.

    Some of my friends are advising me to get a hardware firewall (WatchGuard, Nokia, etc.), so I am a little confused.

    In your opinion, which firewall is the better option:

    Windows ISA or a hardware-based firewall?

    Please let me know.



    Expert Comment

    For your scenario I really don't see why. Introduce another piece of hardware with its own way of being configured, especially in a small organisation, and you add to the administrative burden without significant performance or usability benefits.

    In fact you'll often make the network less responsive to users' needs because the other device is less easy to understand and manage.

    You might as well use all that spare processing power on the server too. No point investing in the hardware for the server and then having it spend most of its time idling! ISA Server will give it something to do :-)

    You wouldn't have major corporations deploying ISA Server to protect their Enterprises if it weren't secure.

    Author Comment

    Thanks TJWorld,

    I agree with you. No point in spending money on hardware when you can use your existing infrastructure.

