cgru2
asked on
Application and Web Access Control over a network
Hi,
I am looking for a product to offer me Application Control and Web Access Control over a network of 40-50 users.
I am currently running Windows Server 2003 SBS with MS Exchange.
I am also currently using Sophos Anti-virus and Client Firewall on all machines. Unfortunately the Sophos Firewall does not allow me to block certain apps or http access or certain ports.
Basically what I'm looking to block is MSN Messenger, Skype, Yahoo Messenger. Also block access to websites like myspace.com, etc.
Any ideas?
Thanks
I would look at a router that will let you block all that stuff... You could block URLs of websites, protocols (block msn always), and IP ranges/domains (of the protocol servers). Go to D-Link and select a random router and look at its emulator... you'll see all those types of filters available. Similarly for Linksys and other companies.
You should already be able to do some of this with your existing router if you have one. For instance a DI-604 is ancient (and cheapo) but it filters URLs, Protocols, and Domains easier/better than newer ones...
http://support.dlink.com/emulators/di604_reve/adv_filters.html
Your router may be similar.
Rather than modifying the hosts files on individual hosts, I would just configure the addresses in the local DNS server and create bogus domains, killing *.myspace.com, webmessenger.msn.com and any number of other URLs network-wide really simply. You can even go into DNS and look at the DNS cache to see what people are using to figure out what to create (oh, lots of stuff there; no, better to go to an individual machine, run ipconfig /flushdns, then start Messenger or Yahoo and use ipconfig /displaydns to see what domains they use).
AD group policies can be used to restrict some programs and ports on machines too by configuring the Windows Firewall and software policies.
ASKER
Well I've got a CISCO 878 router for our internet access
ASKER
Phadke_hemant, I've tested your solution on a workstation and it works fine. But the only issue is that I need to do that on each workstation. And every time a new computer arrives in the offices, I will have to modify its hosts file.
Is there any way I can do this via the domain controller, using AD or even a logon script to check or modify the hosts file entry?
Yes, you have to replace the hosts file on all machines.
You can use a logon script also.
Do you have ISA Server? It's the best way to block content on the internet, including programs, websites, messengers, ports etc.
Like I said, rather than modifying the hosts files, you can just create entries in your AD's DNS server, which all the machines should be using... as long as they don't use any other DNS servers it would be equivalent to putting it in the hosts files... in fact it's even better because you do have the option of using wildcards and blocking entire domains and subdomains....
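Added example, not part of any post in this thread: a Python sketch of the workflow suggested above, reading `ipconfig /displaydns` output, matching cached names against a block list, and emitting `dnscmd` commands for one local zone per blocked domain with root and wildcard A records. The sample output, the block list, the `.dns` zone file names and the availability of `dnscmd` on the DNS server are assumptions; 127.0.0.1 is the address used in the hosts-file suggestion.

```python
import re

# Constructed sample of `ipconfig /displaydns` output (not from a real host).
SAMPLE = """\
Windows IP Configuration

    www.myspace.com
    ----------------------------------------
    Record Name . . . . . : www.myspace.com
    A (Host) Record . . . : 192.0.2.10

    webmessenger.msn.com
    ----------------------------------------
    Record Name . . . . . : webmessenger.msn.com
    A (Host) Record . . . : 192.0.2.20

    server01.corp.example
    ----------------------------------------
    Record Name . . . . . : server01.corp.example
    A (Host) Record . . . : 192.0.2.30
"""
RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", re.M)

def cached_names(text):
    """Sorted, lower-cased names found in a resolver cache dump."""
    return sorted({n.lower().rstrip(".") for n in RECORD_NAME.findall(text)})

def matched_zones(names, block_list):
    """Map each blocked zone to the cached names equal to it or under it."""
    hits = {}
    for zone in (z.lower() for z in block_list):
        under = [n for n in names if n == zone or n.endswith("." + zone)]
        if under:
            hits[zone] = under
    return hits

def dnscmd_lines(zone, sink="127.0.0.1"):
    """Commands for a local zone that answers the zone root and all subdomains."""
    return [f"dnscmd /ZoneAdd {zone} /Primary /file {zone}.dns",  # assumed file name
            f"dnscmd /RecordAdd {zone} @ A {sink}",   # the bare domain
            f"dnscmd /RecordAdd {zone} * A {sink}"]   # wildcard for subdomains

if __name__ == "__main__":
    hits = matched_zones(cached_names(SAMPLE), ["myspace.com", "webmessenger.msn.com"])
    for zone, seen in hits.items():
        print(f"rem {zone} seen as: {', '.join(seen)}")
        print("\n".join(dnscmd_lines(zone)))
```

A zone created for `webmessenger.msn.com` overrides only that name and leaves the rest of `msn.com` resolving normally, while a zone for `myspace.com` covers the domain and every subdomain. Either only takes effect for clients that resolve through this DNS server.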
ASKER
OK that sounds like a good idea. So how do I go about actually doing this? I'm a newbie to AD
ASKER
I went to Start-Administrative Tools-DNS
Then in the DNS tree I opened my domain controller, then went to Forward Lookup Zones and selected my domain.
There is a list with all the computer names on my network of Type Host(A) and their IP addresses.
ASKER CERTIFIED SOLUTION
ASKER
Thanks for that. Works great!
Add the following entry to your hosts files on all client machines:
127.0.0.1 myspace.com
You'll find the hosts file here:
c:\windows\system32\driver
If you are using Win 2000, the windows directory will be replaced by winnt.
Does your firewall allow port blocking? If yes, you can block messengers using the port numbers they are using.