Solved

How can I block URLs with SBS 2003 if I do not have ISA installed?

Posted on 2011-02-24
Last Modified: 2012-05-11
I would like to block some of these social websites from the users.
How can I block it on the network with SBS 2003 without using ISA?
I used to have ISA but it was unstable, so I had to re-install SBS because when I uninstalled ISA I ran into many problems.  Anyways.
Also, can I allow only certain users to access those sites or just restrict certain users?
Question by:j_rameses
13 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 34972847
ISA should not be unstable and would be the answer to your problems - you need some form of proxy server to accomplish what you want and as you already have ISA, that would seem the obvious solution
0
 

Author Comment

by:j_rameses
ID: 34972869
Is there any other way to at least just block the sites entirely?
0
 

Author Comment

by:j_rameses
ID: 34972876
Without ISA.
I read somewhere it can be done in DNS but they don't say how.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 34972907
You can enter 'dummy records' in DNS - i.e. a name that points to an invalid IP - but it is not selective - it will apply to all users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34972917
It would be hard to call ISA unstable but it is not for everyone. You either know how to configure and use it or you don't.
As you say... Anyways.....

Without ISA to do the job for you through GUIs and applications, you will need to do it manually. It becomes much more admin-intensive if you want to do it by user.
To do it centrally you could have a hosts file on the server but to do it by user you would need to have a hosts file on each user's workstation.

The alternative is to:

a) Buy an alternative to ISA that you might find easier to administrate or even use Squid on a small Linux box.
b) Use a hosted or Cloud-based service to host the service and you can admin it locally.
c) Put ISA back in and use the products you have already paid for but with a good administration book.

Keith
0
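Added example, not part of the original thread: one way to maintain the hosts-file entries mentioned in the post above without duplicating lines or overriding an existing mapping. The function names, the `.example` hostnames and the use of `127.0.0.1` as the dead-end address are assumptions made for illustration.

```python
SINKHOLE = "127.0.0.1"  # assumption: loopback serves as the dead-end address

def parse_hosts(text):
    """Map each active hostname (lower-cased) to its address; comments ignored."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                entries.setdefault(name.lower(), fields[0])  # keep first occurrence
    return entries

def merge_blocklist(text, hostnames, sinkhole=SINKHOLE):
    """Append missing block entries; never override an existing mapping.

    Returns (new_text, added, conflicts). hosts files have no wildcards,
    so every name (site, www.site, m.site ...) must be listed explicitly.
    """
    existing = parse_hosts(text)
    added, conflicts = [], []
    for raw in hostnames:
        name = raw.strip().lower().rstrip(".")
        if not name or name in added:
            continue
        current = existing.get(name)
        if current is None:
            added.append(name)
        elif current != sinkhole:
            conflicts.append((name, current))  # left for the admin to resolve
    lines = text.rstrip("\n").split("\n") if text.strip() else []
    lines += [f"{sinkhole}\t{n}" for n in added]
    return "\n".join(lines) + "\n", added, conflicts

# Constructed sample input; names use the reserved .example TLD.
SAMPLE_HOSTS = """\
# workstation hosts file (constructed sample)
127.0.0.1    localhost
192.168.16.2 intranet.example   # internal server
127.0.0.1    www.social.example
"""
BLOCKLIST = ["social.example", "www.social.example", "Video.Example.",
             "intranet.example"]

if __name__ == "__main__":
    new_text, added, conflicts = merge_blocklist(SAMPLE_HOSTS, BLOCKLIST)
    print(new_text)
    print("added:", added, "conflicts:", conflicts)
```

On Windows the file is `%SystemRoot%\System32\drivers\etc\hosts`, and its entries apply to every account that logs on to that machine.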
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 34973567
The only way to *EFFECTIVELY* block sites is to do so at the edge. Attempting to use DNS is a work-around (a bad one) and easily circumvented. Whether your edge is ISA, a 3rd party such as untangle, or a feature built into your edge device (a UTM router such as a sonicwall, watchguard, etc) is up to you, but if you don't have a good edge device already, you should. I consider this a *necessary* business tool.

-Cliff
0

 

Author Comment

by:j_rameses
ID: 34973615
Sorry for the late response had to pick up some lunch.

The users here do not know anything about computers, so if I use a DNS method I do not have to worry about them trying to make changes or getting around it. We are upgrading our hardware/software in a couple of months but some of our users are spending too much time on those sites.
How do I do it in DNS?
Please provide details.
0
 

Author Comment

by:j_rameses
ID: 34973630
keith_alabaster, how do I do it for user and server for hosts files?
Please explain.
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 34973667
Honestly, it isn't about users trying to get around it. It is trying to implement security by obscurity. It'd be a business buying Macs to avoid the cost of antivirus software. It's like using dial-up modems to avoid an always-on connection. It just isn't the right way to address the problem.

More importantly, if you don't have an edge device capable of doing this already then you have bigger security concerns. Your network *needs* to be protected at the edge, and *every* edge device capable of providing network protection is also capable of performing URL filtering. I haven't seen one in 8 years that can't. If you can't do URL filtering then it usually means your network is behind whatever router your cable/DSL/ISP gave you and is wide open to any hacker that decides to start probing for open ports. This is far worse than users inside your network going to youtube without permission.

I realize it isn't a direct answer to your new question about fixing this via DNS, but DNS isn't a fix to your larger issue...it just hides it. Bad news.

-Cliff
0
 

Author Comment

by:j_rameses
ID: 34973734
We have a Cisco firewall installed.  But the GUI for it got glitchy.  We are getting new firewalls in a couple of months.  When you refer to an "edge" are you referring to a firewall?  I am wondering if my router acts as an "edge".  You mentioned that some routers act as an "edge".
What exactly is an "edge", this is the first time I heard of it.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 34973824
It is a common network terminology term. Any connection between your LAN(s) and another network, whether that other network is a private one, a public one, or the internet, is considered the edge of your network. To properly communicate with another network, you need something at the edge, hence an "edge device."

That can be a router, a so-called firewall, or any number of hybrid devices, "unified threat management" (UTM) devices, or similar. It is one of those things that people get picky about and argue whether it is a firewall or a UTM, so I (and many others) have started using the generic "edge device" as a catch-all to avoid any confusion.

But yes, your internet connection should be protected by some sort of advanced security device (firewall, UTM, etc) and as I said, all of the ones I've seen in the market that I'd trust to protect any business are also capable of URL filtering.

-Cliff
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34973927
Not much point - now I have been corrected by 'a true expert' with obviously more skills and knowledge than someone such as myself who cannot possibly know anything in the areas of networking, DNS and firewalls. Would hate to carry on with a 'bad idea'.
0
 

Author Comment

by:j_rameses
ID: 34974033
cqaliher,

I guess I should just wait till we upgrade to our new system so I can start blocking URLs.
Unless I go through the manuals to see how to do it from the "edge device".  New term to my vocabulary.  Maybe I should start using it.

Others,  thank you for your responses.
0
