[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Need Info on Firewall or Internet Security Program

Posted on 2004-11-19
Medium Priority
Last Modified: 2013-12-04

I work in a small company with 25 to 30 computers. We have windows 2000 single domain network with one exchange server and one file server. We use Integrated T1 line for phone system and Internet connection. T1 line comes out of router that is maintained by ISP. We use Norton Anti-Virus Enterprise Edition for protection against viruses.

Since last few months I have been spending more and more time in supporting desktop. Even though all of the users in organization have restricted access, everyday bunch of spyware get installed on these desktops. I also noticed that every employees uses either windows media player or RealPlayer to listen to live music that takes up lot of bandwidth.

Is there any program or hardware firewall that can take care of Spyware, Viruses and Spam all together?  


If we have to buy separate solution for each task (Virus, Spyware and Spam) than which programs do you recommend?

My company wont spend lot of money but I can convince our management team to spend 2 to 3 thousands dollars. What would be the best solution that can fit our budget?

I appreciate your help regarding this issue.


Question by:rajan99
  • 3
  • 2

Accepted Solution

TJworld earned 2000 total points
ID: 12633612
Does the T1 connection connect to a single server or is it directly into a LAN switch that all clients/servers are connected to?

Preferred solution would be:

T1------------>ISA Server computer------>Switch---->>>clients

ISA Server can be installed on an existing Windows 2000 Server. It can be used to prevent access or control bandwidth for the multimedia players and you can specify which Domain users and groups can do what and when.

You can use Group Policy to remotely install a standard anti-spyware scanner and use login scripts to make sure it's run every time a user logs in or out.

You can also use it to tighten the security permissions on the registry key that lists Browser Helper Objects that are the mechanism that many spyware programs link themselves silently into Internet Explorer.

I highly recommend BHO Daemon v2 for identifying and disabling spyware that plugs into Internet Explorer.


Before you tighten permissions make sure you'e scanned and cleaned all the workstations and have their BHOs set as you want.

The key is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and you should change the permissions so that only Domain Admins have write permissions, everyone else just read-execute permissions. As long as your users don't have Domain Administration permissions on their local workstations that will prevent malicious installs of BHOs.

See my response to this question for how to add a registry key into the Group Policy.


But instead of setting the value, in Group Policy Editor you would navigate instead to

Computer Configuration>Windows Settings>Security Settings>Registry

then right-click "Registry" and choose "Add key..." from the context menu.

Navigate the registry keys until you've selected the key you want to enforce the permissions for then press the OK button.

In the "Database Security" dialog change the default settings for "Everyone" to Allow Read, Execute and Deny  Write, Delete.

Add the Domain Admins group to the security with full permissions.

Press "Add..." and then select "Domain Admins", press OK. Set permissions to Allow Full Control.

Press the OK button and in the "Template Security Policy Setting" dialog

select "Configure this key"
select "Propagate inheritable permissions to subkeys"

Press the OK button.

Next time the group policy is updated your users will be a little safer.

Expert Comment

ID: 12633653
I meant to add that using Symantec Norton Antirus Corporate Editions especially with the Exchange Server protection is quite sufficient. If you set up your only internal Live Update server and configure the local server to distribute virus definitions you'll have an optimum configuration.

Set the server on a schedule to get its own live updates every night and just keep an eye on the reports from the server and network.

In the SAV for Exchange Mail Server you can also configure some basic anti-spam rules but we've had a lot of success with two other products that are plugged into Exchange itself.

The first is an Open Relay Blocker called ORF Enterprise.

The second is an anti-spam filter called Block & Tackle.

See my response to this question for more details.


Author Comment

ID: 12656074
Thank you TJWorld for your suggestions. I appreciate it. My last question regarding this topic.

Some of my friends are advising me for Hardware Firewall (Wachgurd, Nokia, etc...) . So I am little confuse.

In your opinion, which firewall is better option.

Windows ISA or Hardware based firewall?

Please let me know.



Expert Comment

ID: 12656486
For your scenario I really don't see why. Introduce another piece of hardware with it's own way of being configured, especially in a small organisation, and you add to the administrative burden without significant performance or usability benefits.

I fact you'll often make the network less responsive to Users needs because the other device is less easy to understand and manage.

You might as well use all that spare processing power on the server too. No point investing in the hardware for the server and then having it spend most of its time idling! ISA Server will give it something to do :-)

You wouldn't have major corporations delpoying ISA Server to protect their Enterprises if it weren't secure.

Author Comment

ID: 12656551
Thanks TJWorld,

I agree with you. No point in spending money on hardware when you can use your existing infrastructure.


Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses
Course of the Month18 days, 15 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question