Solved

Application and Web Access Control over a network

Posted on 2007-04-01
398 Views
Last Modified: 2010-05-18
Hi,

I am looking for a product to offer me Application Control and Web Access Control over a network of 40-50 users.

I am currently running Windows Server 2003 SBS with MS Exchange.

I am also currently using Sophos Anti-virus and Client Firewall on all machines. Unfortunately, the Sophos Firewall does not allow me to block certain apps, HTTP access or certain ports.

Basically what I'm looking to block is MSN Messenger, Skype, Yahoo Messenger. Also block access to websites like myspace.com, etc.

Any ideas?

Thanks
Question by:cgru2
10 Comments
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 18834266
Use the hosts file to block myspace.com.
Add the following entry to the hosts file on all client machines:
127.0.0.1  myspace.com
You'll find the hosts file here:
c:\windows\system32\drivers\etc
If you are using Win 2000, the windows directory will be replaced by winnt.

Does your firewall allow port blocking? If yes, you can block the messengers using the port numbers they use.
 
LVL 7

Expert Comment

by:tymes
ID: 18846240
I would look at a router that will let you block all that stuff... You could block URLs of websites, protocols (block MSN always), and IP ranges/domains (of the protocol servers). Go to D-Link and select a random router and look at its emulator; you'll see all those types of filters available. Similarly for Linksys and other companies.

You should already be able to do some of this with your existing router if you have one. For instance, a DI-604 is ancient (and cheap) but it filters URLs, protocols, and domains easier/better than newer ones...
http://support.dlink.com/emulators/di604_reve/adv_filters.html
Your router may be similar.

Rather than modifying individual hosts files, I would just configure the addresses in the local DNS server and create bogus domains. Killing *.myspace.com, webmessenger.msn.com and any number of other URLs network-wide is really simple. You can even go into DNS and look at the DNS cache to see what people are using, to work out what to create (oh, lots of stuff there; no, better to go to an individual machine, run ipconfig /flushdns, then start Messenger or Yahoo and use ipconfig /displaydns to see what domains they use).

AD group policies can be used to restrict some programs and ports on machines too, by configuring the Windows Firewall and software policies.
 

Author Comment

by:cgru2
ID: 18847718
Well I've got a CISCO 878 router for our internet access
 

Author Comment

by:cgru2
ID: 18847939
Phadke_hemant, I've tested your solution on a workstation and it works fine. But the only issue is that I need to do that on each workstation, and every time a new computer arrives in the office, I will have to modify its hosts file.

Is there any way I can do this via the domain controller, using AD or even a logon script to check or modify the hosts file entry?

 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 18848195
Yes, you have to replace the hosts file on all machines.
You can use a logon script also.
Do you have ISA Server? It's the best way to block content on the internet, including programs, websites, messengers, ports, etc.
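The "logon script" route suggested above, written out as an added example (not code from the thread or from either participant). It is a PowerShell script meant to run as a Group Policy computer startup script, because a startup script runs as SYSTEM and can write to drivers\etc, whereas an ordinary user's logon script normally cannot. The blocked names, the marker comments and the file layout are assumptions for illustration; the script re-writes only its own marked section, so it can run at every boot without duplicating lines or clobbering entries an administrator added by hand.

```powershell
# Added example, not from the original thread. Run as a GPO computer startup
# script (SYSTEM), since users cannot normally write to drivers\etc.
$HostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# Assumed list. The hosts file has no wildcard support, so every host name
# that must be blocked (www., m., etc.) needs its own line.
$BlockedNames = @(
    'myspace.com',
    'www.myspace.com',
    'messenger.hotmail.com'
)
$BeginMarker = '# BEGIN managed block list (do not edit by hand)'
$EndMarker   = '# END managed block list'

# Keep every line outside our markers, so re-running is idempotent and
# entries an administrator added manually survive.
$kept = @()
$inManaged = $false
if (Test-Path $HostsPath) {
    foreach ($line in (Get-Content $HostsPath)) {
        if ($line -eq $BeginMarker) { $inManaged = $true;  continue }
        if ($line -eq $EndMarker)   { $inManaged = $false; continue }
        if (-not $inManaged) { $kept += $line }
    }
}

# Rebuild the managed section from the current list.
$managed = @($BeginMarker)
foreach ($name in $BlockedNames) { $managed += "127.0.0.1`t$name" }
$managed += $EndMarker

# Write as ASCII: a UTF-8 byte-order mark in front of line 1 would make the
# resolver misparse that line.
Set-Content -Path $HostsPath -Value ($kept + $managed) -Encoding ASCII

# Drop cached answers so the new entries take effect immediately.
ipconfig /flushdns | Out-Null
```

Because a hosts file matches exact names only, every subdomain has to be listed separately, and a user with local administrator rights can simply edit the file back. Both limitations are why the DNS-zone approach discussed later in this thread scales better for a domain.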
 
LVL 7

Expert Comment

by:tymes
ID: 18850120
Like I said, rather than modifying the hosts files, you can just create entries in your AD's DNS server, which all the machines should be using... As long as they don't use any other DNS servers, it would be equivalent to putting it in the hosts files. In fact it's even better, because you do have the option of using wildcards to block entire domains and subdomains....
 

Author Comment

by:cgru2
ID: 18854491
OK, that sounds like a good idea. So how do I go about actually doing this? I'm a newbie to AD.
 

Author Comment

by:cgru2
ID: 18854555
I went to Start > Administrative Tools > DNS.

Then in the DNS tree I opened my domain controller, then went to Forward Lookup Zones and selected my domain.

There is a list with all the computer names on my network of type Host (A) and their IP addresses.
 
LVL 7

Accepted Solution

by: tymes (earned 500 total points)
ID: 18860626
No, start the DNS console. Forward Lookup Zones, then start creating new zones (that are empty and not configured, so they don't point to the correct internet addresses). Don't touch your own domain, and you don't need to look at all your computers.

So, a list of NEW zones to create to block messenger...

You may click on View > Advanced and browse through all the names in the cache to find sites you want to block: look at Cached Lookups > (root) > com > yahoo > msg etc., and ...com > hotmail > messenger, and ...com > msn etc., looking for suspects.

Or, to learn what names an application uses, I go to a client machine and flush the DNS:
ipconfig /flushdns
start the application and log in, then type:
ipconfig /displaydns |more
and it will list all the recent addresses.... Scan the list for obvious ones... Using this method I quickly found for MSN Messenger:
- messenger.hotmail.com
- by2.omega.contacts.msn.com
- echo.edge.messenger.live.com
- login.live.com (maybe don't block this one, as other things may use it).
Now there may be different aliases and other things; using AD, creating a new domain messenger.live.com will block echo.edge.messenger.live.com and all other subdomains...

So back to the list of zones to block... Start by creating new zones:
messenger.hotmail.com
messenger.live.com
webmessenger.msn.com
contacts.msn.com
messengerfx.com
ebuddy.com
msn2go.com
messaging.aol.com
oscar.aol.com
msg.yahoo.com
...etc.

So for each of those, create a New Zone, make it a Primary Zone and store it in AD on all the DNS servers in your domain so they all start faking them too.
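The accepted answer above, and tymes' earlier suggestion to "create bogus domains" in the AD DNS server, describe a two-step procedure: find the names an application resolves, then create empty AD-integrated zones for them. The following PowerShell is an added example (not code from the thread or from its participants) that scripts both steps with the tools present on Windows Server 2003: `ipconfig /displaydns` on a client and `dnscmd` on the domain controller. Part 1 parses the `Record Name` lines of `ipconfig /displaydns`; Part 2 creates each zone from the accepted answer's list with `dnscmd /ZoneAdd ... /DsPrimary` (an AD-integrated primary zone) and leaves it empty, so any name beneath it gets a negative answer. The keyword filter in Part 1 and the exact zone list are assumptions to adjust for your own network.

```powershell
# Added example, not from the original thread. Part 1 runs on a client,
# Part 2 on a DC running DNS (as a domain admin), Part 3 on any client.

# ---------- Part 1: discover the names an application resolves (client) ----------
# First run: ipconfig /flushdns, then start the messenger and log in.
function Get-RecentlyResolvedNames {
    # 'ipconfig /displaydns' prints lines such as:
    #     Record Name . . . . . : login.live.com
    $names = ipconfig /displaydns | ForEach-Object {
        if ($_ -match '^\s*Record Name[\s.]*:\s*(\S+)') { $Matches[1].ToLower() }
    }
    $names | Sort-Object -Unique
}
# Assumed keyword filter; widen or narrow it to what your cache shows.
Get-RecentlyResolvedNames | Where-Object { $_ -match 'msn|messenger|live|yahoo|aol' }

# ---------- Part 2: create empty sinkhole zones (DNS server / DC) ----------
# Zone names from the accepted answer; verify each with Part 1 before adding it.
$ZonesToBlock = @(
    'messenger.hotmail.com', 'messenger.live.com', 'webmessenger.msn.com',
    'contacts.msn.com',      'messengerfx.com',    'ebuddy.com',
    'msn2go.com',            'messaging.aol.com',  'oscar.aol.com',
    'msg.yahoo.com'
)
$existingZones = dnscmd . /EnumZones          # "." = the local DNS server
foreach ($zone in $ZonesToBlock) {
    # EnumZones lists one zone per line, name first; skip zones already present.
    if ($existingZones -match ('^\s*' + [regex]::Escape($zone) + '\s')) {
        Write-Host "skip: $zone already exists"
        continue
    }
    # /DsPrimary = AD-integrated primary zone, replicated to every DC running DNS.
    # The zone is deliberately left empty: every name under it answers NXDOMAIN.
    dnscmd . /ZoneAdd $zone /DsPrimary | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "failed to create zone $zone" }
    else { Write-Host "created: $zone" }
}

# ---------- Part 3: verify from a domain-joined client ----------
# Expect "Non-existent domain" instead of a real address.
nslookup echo.edge.messenger.live.com
```

Two practical caveats. The sinkhole only catches queries that go through the AD DNS server, which is the condition tymes states above; on the Cisco 878 in front of this network, allowing outbound UDP/TCP port 53 only from the domain controller stops a user from pointing a workstation at a public resolver to get around it. And do not add the zone for a name other software shares, such as the login.live.com example in the answer, since the empty zone blocks everything beneath it, not just the messenger.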
 

Author Comment

by:cgru2
ID: 18886475
Thanks for that. Works great!
