Company Needs to stop employees surfing and gettin

[bashy]

Company I work with was contacted today with email stating

The logs are indicating

SUBSTANTIALLY malicious activity originating from your network. You'll need

to get this cleared up ASAP as it is a cause of network congestion at our

level and is potentially compromising company/client information at your

end.

Company system consists of 20+ xp workstations running with one PDC Windows 2000 server, . No Virus protection at network or client level what so ever. There is ALSO a MUST need to stop access to porn, sports etc.. sites as much as possible. I have advised Norton Corp Antivirus which can be deployed via the Server to every client on the network.

I have also advised them of setting up a firewall (application level) to prevent activity, but I'm now wondering about the best solution to prevent access based on site content. Along with everything else I will be setting up User policies as there are NONE right now on the server. I've read of some nice commercial policy applications that can assist me in that filed, so any input on that would also be great. For now i will be handling cleaning the network via public tools and others but prevention is what im not up to date on. Any Input would help

[agent_smudge]

Hi bashy,

There's lots of ways I suppose you could go about this, depending on how your network is set up to access the Internet.

Are your PCs set up to access via a single router/gateway or are they all on seperate links? I know of a few routers that have keyword/URL filtering that would achieve parts of what you are after.

Are you looking at changing that configuration at all to route it through some form of proxy? Maybe ISA might be beneficial in this case?

A quick fix (if yr users aren't too Windows savvy, and you know which sites they are visiting), is to place entries in the 'hosts' file to block access to those specific sites.

Sorry if I went a bit off target there, but hopefully that might give you some ideas.

Smudge

[bashy]

Right Now the network runs off a Catalyst 2100 Switch as the WAN access everything else is based behind the Switch.

[agent_smudge]

I think your best bet in this case then is to use some form of proxy. This will cover yr 'dodgy' websites. Personally I'm a fan of ISA, although I'm sure there's people here who will give you details of many others which will do as good if not better job.

Smudge

[agent_smudge]

Oh, and I nearly forgot the one that our 'sister company' uses, which is a suite of products bundled together from Webwasher. (www.webwasher.com)

They include the URL filter, Antivirus, Content Protection and Content Reporter. I think they have also recently implemented Instant Message Filter.

Regards

Smudge

P.S. Sorry, don't know pricing on these. I'm tech, not fiscal

[neosapience]

Don't take this the wrong way but, I don't think you're going to get the help you need from an internet forum. Hire yourself a security specialist and have them lock down your network.

I'm sure you're a quite capable tech, but if you don't know exactly what you're doing, it's very easy to leave a nice big security hole that almost anyone can get through.

[agent_smudge]

it's very easy to leave a nice big security hole that almost anyone can get through.

I totally agree with you there, part of my job is locking down workstations and setting security policies for network machines, and there are so many places to look and things to set that it's incredibly easy to miss something.

I'm presuming that you are running Windows 2000 environment, so if I could suggest a little 'light reading', the Microsoft guide to securing Windows 2000 server should be of some assistance, more from a security point of view than from 'big brother' content filtering one.

And if you've got the money, and if you can find one, maybe you could hire........the security consultants!!!!!

Smudge

[neosapience]

part of my job is locking down workstations and setting security policies for network machines, and there are so many places to look and things to set that it's incredibly easy to miss something.

This is why it's imperative to have a good written security policy. Keeping track of all the security patches, tweaks, programs, settings, etc... can be a huge task, but it's well worth it in the long run.

bashy -

If you don't have any alternatives and need to secure your network yourself, I'd suggest you start by heading over to Labmice.net and reading their security guides (particularly this one and this one.)

[psyko]

Right Now the network runs off a Catalyst 2100 Switch as the WAN access everything else is based behind the Switch.

You can write an ACL, which could deny certain hosts or whole networks from being able to access other hosts, or even the Internet. If you want help writing an ACL, PM me. I'm a CCNA and I could surely assist you with it.

[qlclarke]

I'm pretty sure that the text of that email msg you quote indicates that there is a trojan payload attached

[oioldman]

I'd have to agree with agent_smudge, in that a proxy server will do pretty much everything in way of blocking people accessing unwanted sites and also if configured well can stop most trojans and the like getting through.

I can't believe you have NO anti-virus installed as this will certainly open you up to kinds of problems. There are numerous about and most also now contain ad-aware equivalents in them.

If all this is to much, (don't mean to offend as no idea of your technical skills), then best thing is to get the consultants in.

You could also implement an Acceptable User Policy, that employees sign saying about if you misuse the PC or Net we have right to discipline you etc...

[prathapml]

A written set of policies, which all employees are required to adhere to, failing which they are liable to action - that's got to help to _some_ distance atleast.

[GeneralMandible]

I would add a hardware firewall at your internet gateway. On that, you could set all the excluded sites. I believe with some firewalls you can get a default list, and then add to it. As far as antivirus, I recommend using TrendMicro's solution. ServerProtect on every server, and OfficeScan 6.5 on every workstation. The new 6.5 version is great. It has antivirus, firewall, and a repair tool that removes malware and malicious code. The firewall is policy based. You can create several policies, and give people different access.

As far as free tools, Spybot use the Immunize feature. That should help a little. They also recommend Spyware Blaster, which prevents a lot of Spyware from getting on your machine.

Another thing to look at is email policies (if you use Outlook, GroupWise, etc.). I would filter out executables and attachments that could contain malicious code.

The biggest danger on a network is an uneducated user.