Blocking Specific Sites on the Network

owensdj

What's a good way to prevent users from accessing specific sites? This is an AD domain with about 20 desktop machines. I thought about using the Web Content Filtering option in OpenDNS, but it appears they've removed that feature from Basic accounts. Also, anybody know how much an OpenDNS Enterprise account costs?
 

Fardringle

HOSTS file is easy to use, but also very easy to bypass.

What type of router/firewall are you using on the network? Most firewalls have the ability to block access to specific sites. Users won't be able to get around the restrictions and you only have to update the restricted/allowed list in one location instead of on each computer individually.

OpenDNS or something similar would also work well. You'll have to contact their sales department to find out what an Enterprise account will cost since I believe that the cost varies depending on how many clients you have and what services you use.
 

owensdj

Fardringle, the network has a Trendnet WG-BRF114 router. It has a URL Blocking feature, but it doesn't work because it doesn't know about any of the PCs on the network. I think this is because the router isn't being used as the DHCP server on the network.
 

jlazzaro

> Fardringle, the network has a Trendnet WG-BRF114 router. It has a URL Blocking feature, but it doesn't work because it doesn't know about any of the PCs on the network. I think this is because the router isn't being used as the DHCP server on the network.

DHCP has nothing to do with blocking HTTP requests, 2 separate processes...is the trendnet the default gateway of your PCs?

check for the newest firmware version and look through the User Guide, p55
http://www.trendnet.com/downloads/list_subcategory.asp?SUBTYPE_ID=1173
 

Fardringle

> Well yeah if users have administrator rights........... Everyone sets up all users in AD as administrators.................. right o_O

Small businesses frequently do set up everyone as administrators on their local machines. Not necessarily a good idea but it happens a lot. It's also possible to edit the HOSTS file even without admin rights from the domain if the person knows what they are doing.

I'm not saying that you are wrong. Using the HOSTS file can work for this, particularly if the users aren't savvy and don't know how to modify the file (or even know what/where it is). There are just better ways to do it such as on the router/proxy server where control is centralized so it's easy to make changes and users can't bypass the restrictions.
 

xSauronx

> Small businesses frequently do set up everyone as administrators on their local machines. Not necessarily a good idea but it happens a lot. It's also possible to edit the HOSTS file even without admin rights from the domain if the person knows what they are doing.
>
> I'm not saying that you are wrong. Using the HOSTS file can work for this, particularly if the users aren't savvy and don't know how to modify the file (or even know what/where it is). There are just better ways to do it such as on the router/proxy server where control is centralized so it's easy to make changes and users can't bypass the restrictions.

seriously. changing a hosts file on 3 pcs in a small office is one thing, doing it on 20 is not the way to handle this.

opendns should have prices on their website, or a way to get a quote for X number of users/machines/whatever

as for setting users as admins... i've seen a couple of places set all users to be admins. a community college i went to was like that, and so is the hospital i work at. it's unbelievable.
 

MtnMan

> Small businesses frequently do set up everyone as administrators on their local machines. Not necessarily a good idea but it happens a lot. It's also possible to edit the HOSTS file even without admin rights from the domain if the person knows what they are doing.

Ding...ding... Ding.... we have a winner, we are talking about security and assuming that users have admin rights............:eek: my head hurts now

And they could also bring in a copy of ophcrack live cd.
 

Fardringle

Nice try, MtnMan. Picking out the most irrelevant piece of information to move the topic away from a resolution. I suppose you'll call me a troll now and delete all of your posts because I disagree with you? ;)

It's perfectly possible for users to have admin rights on their computers but still have limitations on what they are allowed to do with the computers (i.e. web page restrictions). I'm not saying I would do it that way, or that it SHOULD be done, but you implied that nobody ever sets up users on a domain with admin rights. I simply said that it can and does happen.


Back on topic, whether or not users have admin rights, or can use security cracking software, or just know how to use a boot disk and a command prompt to edit/change anything they want to on the PC, the point is that centralized management tools are always better when they are available. The router that owensdj is using is capable of web page blocking and content filtering, therefore he should do it there (or on OpenDNS if he prefers) and not in the HOSTS file. It's easier to set up for his 20 computers, easier to update, and when set up properly cannot be bypassed by the users even if they are computer literate.
 

MtnMan

> Nice try, MtnMan. Picking out the most irrelevant piece of information to move the topic away from a resolution. I suppose you'll call me a troll now and delete all of your posts because I disagree with you? ;)
>
> It's perfectly possible for users to have admin rights on their computers but still have limitations on what they are allowed to do with the computers (i.e. web page restrictions). I'm not saying I would do it that way, or that it SHOULD be done, but you implied that nobody ever sets up users on a domain with admin rights. I simply said that it can and does happen.
>
> Back on topic, whether or not users have admin rights, or can use security cracking software, or just know how to use a boot disk and a command prompt to edit/change anything they want to on the PC, the point is that centralized management tools are always better when they are available. The router that owensdj is using is capable of web page blocking and content filtering, therefore he should do it there (or on OpenDNS if he prefers) and not in the HOSTS file. It's easier to set up for his 20 computers, easier to update, and when set up properly cannot be bypassed by the users even if they are computer literate.

Thus based on your obviously hurt feelings I can assume that you condone making the average joe user the local admin, free to download and install any damn thing they want?

You go on about the ease of subverting the hosts file, changing the DNS is even easier....... ah but that too would require the rights to do so.....
 

owensdj

jlazzaro, I tried setting up the TrendNet router to do URL Filtering, but it's not working. It's the default gateway for the network, but it's not the DHCP server for it. A Windows Server does that. I don't know if that's the reason why it's not working.

I may have to look at buying a new router that has good URL/domain filtering. That seems to be a better way to go than paying for OpenDNS Enterprise. Any recommendations? Ideally the router would let us block those sites on specific machines, and would still do it even if we don't use the router as the DHCP or DNS server.
 

bobdole369

I'm supposing you are looking to "keep the honest, honest". Else you would have something more than an internet gateway device in place. So pretty much any socks proxy, or https requests are not going to be filtered. Using DNS to achieve this is a way to go, but you are right on when it comes to changing the router. However it still suffers the same fate - IP address isn't filtered, neither is anything via a proxy that is let through or ssh tunneled.

If you have a spare machine with a couple nics you can set up untangle, or ESXi and set up untangle as a host under it, and use the machine for other stuff too. It has a very very versatile and comprehensive layer 7 filter and firewall and protocol filter.
 

Modelworks

Another way to do it that works if you only want to let people access specific sites is to not provide a dns server to the pc. Instead you put the allowed sites in the hosts file with their ip. Done sometimes with businesses that need to allow users to access specific sites but not just any site. If a user wants to get to a site there really is nothing you can do about it if they want to bad enough. There are so many ways to proxy to another site that it is near impossible to block 100%.

For example a user could set up a server on their home pc that can be accessed from work. The home server can fetch and display pages for the work user inside a java based app and the work environment would not notice it.
 

bruceb

One of the easiest is to set up a Proxy Server. Then set the browser to use that server. Lock down the browser so changes to its options cannot be made. The proxy server then controls who can get to what sites.
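
The coverage difference between the controls discussed in this thread (HOSTS entries, DNS filtering, a proxy), as an added example that is not part of any post. The blocked domains are constructed placeholders, and refusing bare-IP requests at the proxy is an assumed policy choice.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy; these domains are placeholders, not from the thread.
BLOCKED_DOMAINS = {"blocked.example", "games.example.net"}


def host_of(url):
    """Return the lowercased request host, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_domain(host):
    """True if host is a blocked domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def hosts_file_blocks(url):
    """HOSTS-style control: exact hostname entries only, no wildcards."""
    return host_of(url) in BLOCKED_DOMAINS


def dns_filter_blocks(url):
    """DNS-filter-style control: only sees names that are actually resolved."""
    host = host_of(url)
    if is_ip_literal(host):
        return False  # no DNS lookup happens, so the filter is never consulted
    return matches_domain(host)


def proxy_blocks(url, allow_ip_literals=False):
    """Proxy-style control: sees the host of every request sent through it."""
    host = host_of(url)
    if is_ip_literal(host):
        return not allow_ip_literals  # assumed policy: refuse bare-IP requests
    return matches_domain(host)


def coverage(urls):
    """Map each URL to (hosts_file, dns_filter, proxy) block decisions."""
    return {u: (hosts_file_blocks(u), dns_filter_blocks(u), proxy_blocks(u))
            for u in urls}
```

The proxy result only holds when clients cannot reach the internet except through the proxy, for example by allowing outbound web traffic at the gateway from the proxy's address only.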
 

owensdj

bruceb, I've never worked with a Proxy Server. Do you have any recommendations for one that works on Windows Server 2008, or does Server have a built-in proxy service? Thanks.

Modelworks, good idea, but it wouldn't work in this situation. This is an Active Directory domain, so all computers must use the Windows Server DNS or it will break AD.