Need Info on Firewall or Internet Security Program


I work in a small company with 25 to 30 computers. We have a Windows 2000 single domain network with one Exchange server and one file server. We use an integrated T1 line for the phone system and Internet connection. The T1 line comes out of a router that is maintained by the ISP. We use Norton Anti-Virus Enterprise Edition for protection against viruses.

For the last few months I have been spending more and more time supporting desktops. Even though all of the users in the organization have restricted access, every day a bunch of spyware gets installed on these desktops. I also noticed that every employee uses either Windows Media Player or RealPlayer to listen to live music, which takes up a lot of bandwidth.

Is there any program or hardware firewall that can take care of spyware, viruses and spam all together?


If we have to buy a separate solution for each task (virus, spyware and spam), then which programs do you recommend?

My company won't spend a lot of money, but I can convince our management team to spend 2 to 3 thousand dollars. What would be the best solution that fits our budget?

I appreciate your help regarding this issue.



Does the T1 connection connect to a single server or is it directly into a LAN switch that all clients/servers are connected to?

Preferred solution would be:

T1------------>ISA Server computer------>Switch---->>>clients

ISA Server can be installed on an existing Windows 2000 Server. It can be used to prevent access or control bandwidth for the multimedia players and you can specify which Domain users and groups can do what and when.

You can use Group Policy to remotely install a standard anti-spyware scanner and use login scripts to make sure it's run every time a user logs in or out.

You can also use it to tighten the security permissions on the registry key that lists Browser Helper Objects, the mechanism by which many spyware programs link themselves silently into Internet Explorer.

I highly recommend BHO Daemon v2 for identifying and disabling spyware that plugs into Internet Explorer.

Before you tighten permissions make sure you've scanned and cleaned all the workstations and have their BHOs set as you want.

The key is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and you should change the permissions so that only Domain Admins have write permissions, everyone else just read-execute permissions. As long as your users don't have Domain Administration permissions on their local workstations that will prevent malicious installs of BHOs.

See my response to this question for how to add a registry key into the Group Policy.

But instead of setting the value, in Group Policy Editor you would navigate instead to

Computer Configuration>Windows Settings>Security Settings>Registry

then right-click "Registry" and choose "Add key..." from the context menu.

Navigate the registry keys until you've selected the key you want to enforce the permissions for then press the OK button.

In the "Database Security" dialog change the default settings for "Everyone" to Allow Read, Execute and Deny Write, Delete.

Add the Domain Admins group to the security with full permissions.

Press "Add..." and then select "Domain Admins", press OK. Set permissions to Allow Full Control.

Press the OK button and in the "Template Security Policy Setting" dialog

select "Configure this key"
select "Propagate inheritable permissions to subkeys"

Press the OK button.

Next time the group policy is updated your users will be a little safer.
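The same lockdown done by hand on one workstation, as an added example that is not part of TJWorld's answer: it lists the BHOs currently registered (so the machine can be cleaned first), shows the key's current ACL, and applies read-only for Everyone with full control for SYSTEM and the admin group. It assumes Windows PowerShell 5.1 in an elevated session and uses a placeholder group name, EXAMPLE\Domain Admins, that must be replaced with the real one; it grants with Allow entries only, since a Deny on Everyone would also catch the admins.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1 in an
# elevated session on the workstation; 'EXAMPLE\Domain Admins' is a placeholder.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# List every registered BHO with the DLL it loads, so the machine can be cleaned
# before the permissions are locked down.
function Get-RegisteredBho {
    Get-ChildItem -Path $BhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        [PSCustomObject]@{
            CLSID = $clsid
            Dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

# Show the current ACL of the key in a compact form for audit.
function Get-BhoKeyAcl {
    (Get-Acl -Path $BhoKey).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Lock the key down: Everyone read-only, SYSTEM and the admin group full control.
function Set-BhoKeyAcl {
    param([string]$AdminGroup = 'EXAMPLE\Domain Admins')  # placeholder group name
    $acl = Get-Acl -Path $BhoKey
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
        @('Everyone',            'ReadKey'),
        @('NT AUTHORITY\SYSTEM', 'FullControl'),
        @($AdminGroup,           'FullControl'))) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $entry[0], $entry[1], $inh, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $BhoKey -AclObject $acl
}

Get-RegisteredBho | Format-Table -AutoSize
Get-BhoKeyAcl     | Format-Table -AutoSize
# Set-BhoKeyAcl -AdminGroup 'EXAMPLE\Domain Admins'   # run once the machine is clean
```

Running Get-BhoKeyAcl again after the Group Policy refresh is a quick way to confirm the policy actually reached a workstation.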

I meant to add that using Symantec Norton AntiVirus Corporate Edition, especially with the Exchange Server protection, is quite sufficient. If you set up your own internal LiveUpdate server and configure the local server to distribute virus definitions you'll have an optimum configuration.

Set the server on a schedule to get its own live updates every night and just keep an eye on the reports from the server and network.

In the SAV for Exchange Mail Server you can also configure some basic anti-spam rules but we've had a lot of success with two other products that are plugged into Exchange itself.

The first is an Open Relay Blocker called ORF Enterprise.

The second is an anti-spam filter called Block & Tackle.

See my response to this question for more details.
rajan99Author Commented:
Thank you TJWorld for your suggestions. I appreciate it. My last question regarding this topic.

Some of my friends are advising me to get a hardware firewall (Watchguard, Nokia, etc.), so I am a little confused.

In your opinion, which firewall is the better option?

Windows ISA or Hardware based firewall?

Please let me know.


For your scenario I really don't see why. Introduce another piece of hardware with its own way of being configured, especially in a small organisation, and you add to the administrative burden without significant performance or usability benefits.

In fact you'll often make the network less responsive to users' needs because the other device is less easy to understand and manage.

You might as well use all that spare processing power on the server too. No point investing in the hardware for the server and then having it spend most of its time idling! ISA Server will give it something to do :-)

You wouldn't have major corporations deploying ISA Server to protect their enterprises if it weren't secure.
rajan99Author Commented:
Thanks TJWorld,

I agree with you. No point in spending money on hardware when you can use your existing infrastructure.
