
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 305

STOPPING PROGRAM INSTALLS AND BLOCKING CERTAIN SITES

Ok guys, here is my issue...

I have 3 computers running Windows XP that I have in my business (T-Mobile phone store). My employees are on those computers on a regular basis and pretty much do all their work online. I'm not at the location most of the day so I can't monitor what sites are being visited and what programs are being installed but there is a strict policy against that. Of course since I am not at the location most of the day, plus I don't really have the time, I can't figure out what sites were visited or what programs were installed and which employee caused the issue.

I do know that when I do my regular anti-virus check up once a week, I do find tons of tracing cookies and adware/viruses here and there. I do know that the performance of the PC usually slows down and I believe this is because of the viruses.

Instead of trying to go back and forth and trying to figure this out, I need a way in Windows XP where I can stop my employees from downloading and installing all the programs (bear share, lime wire, poker stars and god knows what else) that are going to keep them from their work and introduce security threats to the business computers. I also need to block certain sites like myspace.com and facebook.com from the browsers as well.

I was told that creating a "limited" status account in XP should be able to stop this but I tried and it still lets me install programs without any issues.

Please give me your best advice on the situation above.

Thanks much in advance guys. I hope you guys can help me with a solution to this problem as it has become a serious time/money consuming issue.

Good luck and take care
Jamal
0
jshussain
Asked:
3 Solutions
 
TolomirAdministratorCommented:
You could use Zonealarm Internet Suite

After you have configured what can go out and what not, set a password to fix the settings. So p2p would be dead.
It also allows you to block certain websites (after a list like: gaming, social sites etc...) to keep your employees busy.

All it requires is to change their possible administrator accounts back into restricted user accounts. Otherwise they can easily unload zonealarm, as any security software, with Administrator rights.


List of features:
http://www.zonealarm.com/store/content/catalog/products/sku_list.jsp?dc=12bms

Here is the 15 days trial (1 full version is valid for 3 computers btw.)
http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp

Tolomir




0
 
TolomirAdministratorCommented:
Btw. for a full system scan of all these affected computers either Zonealarm will do the job, but you might also find

prevx useful:

PREVX 2.0 is the most powerful security solution in the World. It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.

http://www.prevx.com/

I use it besides zonealarm as a second opinion on programs I download from the internet, before they can start it checks them against an internet database for being possible malware, then quarantining that troublemaker.



0
 
benhansonCommented:
I'm assuming this is XP Pro, as XP Home doesn't have all of the fine grained controls in place. If it is XP Pro then you can modify the local security policy: Software Restriction Policy to only allow specific apps to run. Then to block sites, you can modify c:\windows\system32\drivers\etc\hosts to point www.myspace.com to 127.0.0.1, then change permissions on the hosts file so that no one else can modify it.

Ideally, you would push out a restriction policy via Group Policy, but if you just have a few systems you can do it at each one. You would basically be doing a 'disallow all' then defining allowed applications. If you don't start with disallowing all apps not explicitly allowed, it is way too easy to get around these kinds of restrictions.

Using Software Restriction policy to block apps from being run:

http://technet.microsoft.com/en-us/library/bb457006.aspx

If you do have Active Directory set up, you can do it a bit differently using group policy.


0
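As an added example (not part of the thread or any poster's code), here is a Python check that a hosts file really sends each blocked site to 127.0.0.1, as the answer above suggests. hosts entries match exact host names only, so an entry for www.myspace.com alone leaves myspace.com reachable; the sample hosts text and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hosts file following the advice above literally,
# plus one stray entry that an audit of the block list should flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.myspace.com        # blocked per store policy
127.0.0.1       facebook.com www.facebook.com
203.0.113.10    WWW.FACEBOOK.COM       # second, non-loopback mapping
"""

def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text (names lower-cased)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                              # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: ignore
        for name in fields[1:]:                   # one line may list aliases
            table.setdefault(name.lower(), []).append(ip)
    return table

def audit_blocklist(text, domains):
    """Report names the hosts file does not reliably point at loopback.

    Each domain is checked both bare and with the www. prefix, because
    the hosts file has no wildcard or subdomain matching.
    """
    table = parse_hosts(text)
    findings = {}
    for domain in domains:
        for name in (domain.lower(), "www." + domain.lower()):
            ips = table.get(name, [])
            if not ips:
                findings[name] = "missing"
            elif not all(ip.is_loopback for ip in ips):
                findings[name] = "not-loopback"
    return findings

if __name__ == "__main__":
    result = audit_blocklist(SAMPLE_HOSTS, ["myspace.com", "facebook.com"])
    for name, problem in result.items():
        print(f"{name}: {problem}")
```

Run it against a copy of each PC's hosts file after editing; an empty result means every listed name and its www. form resolves to loopback.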
 
myin68Commented:
You could create a "Guest Account" for the employees to use. I use this setup at home to ensure no one can install programs on the PC. They'll be able to download a file/application, but won't be able to install unless they can "Run As" with Administrator privilege. The "Guest Account" doesn't have the privilege/permissions needed to install applications. This will prevent applications, viruses and malware from installing on the PC.

To control what sites they surf to you could use a filter like BsafeOnline http://www.bsafehome.com/
This filter blocks adult sites, chat, and others.  I use this at home also and it's very effective.
0
 
jshussainAuthor Commented:
Hey guys, thanks for all your help.

Tolomir: - I already got zone alarm and will try it out. Also the PREVX 2.0 program.

benhanson - Do you think you can supply me with some links that have easier instructions than the Microsoft link? That one is way too complex and confusing for someone with my computer knowledge.

myin68: - I found this def stopped the program install. Thanks, going to try zone alarm for stopping the sites. Thanks
0
 
benhansonCommented:
Would you be trying to apply a group policy via active directory, or trying to create a Software Restriction Policy on each PC?
0
 
jshussainAuthor Commented:
"Would you be trying to apply a group policy via active directory, or trying to create a Software Restriction Policy on each PC?"

I don't really have any programs that I use under admin that I don't want my employees using so I don't really need software restriction.

I'm not sure what you mean by group policy via active directory, but I'm assuming that's what I need.

I basically have two accounts... an admin account and employee account and the employee account is a limited account under Windows XP. I want the employee account to not be able to go to certain sites (myspace.com) but I don't want it to be blocked in the admin account. I would also like it if the employee account could not install any programs.

Let me know what you think is best. Thanks.
0
 
benhansonCommented:
It's the last statement that you made, "I would also like it if the employee account could not install any programs", that I keep keying in on.  Generally a restricted account can still execute any application that doesn't:
1. modify system files
2. modify registry keys outside of HKEY_CURRENT_USER
3. modify other files it doesn't have permission to.

So to keep people from downloading standalone apps that don't violate the above rules, you have to actively block everything, then specifically allow the apps you want to run. It should be noted that many developers take special care to make sure their apps will still run under restricted user accounts, specifically because it is becoming more and more recommended that users not run as admin.
0
 
jshussainAuthor Commented:
Ben, I know exactly what you mean now.

Instead of having a restricted account and going through the trouble of disabling all and then only allowing a few programs, do you think it's better I just have a guest account for the employee? From what I was told about the guest account, it stops ANY and ALL installs.

Let me know what you think please.
Thanks
0
 
jshussainAuthor Commented:
any thoughts on my last comment ben?
0
 
TolomirAdministratorCommented:
You have to test if they are still able to create & save documents... (I mean it depends on their work)
0
