in message : We have been asked to restrict access to certain internet sites (porn
: etc). What is the best way to do this with our internal DNS servers?
: Is DNS the best way to accomplish this goal?
No.
You need five things to keep people off the porn, sports, gambling,
auctions, ebay, religious, personal web-based email, horoscopes, lotto,
recipes, etc. lollygagging sites.
1. Establish what is accepted use of the Internet. It is easier than saying
what they cannot do. Anything not allowed is forbidden. Pretty simple.
Write it down, put it in your Policies and Procedures handbook and have
everyone in the company sign AND date that they have HAD THE OPPORTUNITY to
review it and ACCEPT the terms of the AGREEMENT. The law does not say that
they have to have read it. It says they have to have been afforded the
opportunity to have read it. In other words, you made it available.
Contracts, which this is, are based upon ACCEPTANCE and using the term
AGREEMENT is crystal clear, unlike sexual relations not being something
sexual.
It must also state what MAY happen for violations:
a. verbal/written notice
b. verbal/written notice 2nd offense - perhaps punishments i.e. bonus
loss/reduction, demotion, restrictions from Internet use
c. verbal/written notice and possible termination
The reason you use the word MAY is that it gives the company control over the
situation so they can apply each one differently so long as they do not
discriminate. Forcing the issue of no exceptions to the rules ever means that
if someone has their kid in their office on "Bring your brat to work day",
and the kid gets on the computer and violates the rules, that person
just got a mark, perhaps their last.
You can also include possible legal troubles and suits being filed against
them for doing anything illegal which may cause harm to the company or
others there, i.e. sexual content, kiddie porn, etc. This should also cover
non-acceptance of any foreign software/hardware being introduced onto the
network or anything being removed from the network, not just for loss
prevention but for the security implications of shutting off their RTAV (Real
Time AntiVirus) and/or host-based IDS, so they can play that new network
game they brought to work.
2. Monitor or monitor/filter. I look at this from two angles:
[1] Monitor only - Track what's done. This provides better evidence and
eliminates the excuse, "I accidentally went there," when the log will show they
were all over the site for an hour and a half.
[2] Monitor/filter - You can usually show enough evidence that they
attempted to access known restricted sites and this will also keep the
bandwidth usage down.
This will help:
http://www.surfcontrol.com/products/web/default.aspx?origin=schp - You can
sign up for an annual service where they will provide filters for you, so
you do not have to maintain them yourself but they are customizable. You
will NEVER, I repeat, NEVER be able to block EVERYTHING but you can get
closer with the subscription. If this product got any easier, it'd sort
everything out for you in almost every way possible and write the reports so
you don't have to and notify you when there are violations. Oh wait, it
already does! (O:=
3. Put notices on ALL computers, including servers, so that users are aware that
they are being monitored and they agree to the terms EACH AND EVERY TIME
THEY LOGON. This also gets you past the privacy issues and the "I didn't
know" or "I'm only a contractor", etc. You may have people come into your
organization and use a computer on your system. You should have group
policies set on the network and you can easily create a new account and add
them to the group(s) they need access to and when they logon, it will
restrict their logon since they're using their own and will eliminate the
argument, "This was not my logon and someone logged me on. I never actually
agreed!" Been there, done that, kicked the guy out!
4. For this and more for security reasons, never allow any unknown computer
on your network for any reason no matter who asks or demands without an OK
from HR and only under protest. There should be a document that if some
bigwig wants to let some unknown on the system and has the power to do so,
then they should be required to sign a document stating they allowed the
violation of policy and will take responsibility for doing so. You will see
a lot of people speak out against this but your P&P is worthless if you
discriminate. At that point, you might as well not even have one because
forcing it on someone and not on another will cost you dearly in court.
5. Follow through. Too many times I see drastic failures in the security
infrastructure mainly because nobody enforced the policies. Your policies
and procedures are only as good as the level of enforcement you apply to
them.
Beyond this, only threats, intimidation and possibly torture can help...and
as someone mentioned to me last week or so, company sponsored beatings on
the front lawn. You gotta love their enthusiasm and motivation!
Good luck!
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
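The "monitor only" angle in point 2 turns on what the log can show: one stray lookup versus an hour and a half on the site. The following is an added example (not code from the post or from any product it names) that aggregates constructed DNS query log lines per client against a small category blocklist and reports how many queries each client made and the span between the first and last; the log format, domain names and addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed blocklist: domain (and any subdomain of it) -> policy category.
BLOCKLIST = {
    "example-gambling.test": "gambling",
    "example-auction.test": "auctions",
}

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2024-03-04T09:00:02 10.0.0.5 www.example-gambling.test
2024-03-04T09:03:10 10.0.0.5 bets.example-gambling.test
2024-03-04T10:31:45 10.0.0.5 www.example-gambling.test
2024-03-04T09:15:00 10.0.0.7 www.example-auction.test
2024-03-04T09:16:30 10.0.0.7 intranet.corp.test
"""


def categorize(name):
    """Return the blocked category for a queried name, or None if not listed."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name to the registrable suffix so subdomains match too.
    for i in range(len(labels)):
        cat = BLOCKLIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def summarize(log_text):
    """Per (client, category): query count and minutes from first to last hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the report
        ts, client, name = parts
        cat = categorize(name)
        if cat:
            hits[(client, cat)].append(datetime.fromisoformat(ts))
    report = {}
    for key, times in hits.items():
        span = (max(times) - min(times)).total_seconds() / 60
        report[key] = {"queries": len(times), "span_minutes": round(span, 1)}
    return report


if __name__ == "__main__":
    for (client, cat), r in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client} {cat}: {r['queries']} queries over {r['span_minutes']} min")
```

A real resolver log would need its own line parser in place of the three-field split, but the per-client aggregation is the part that produces the evidence.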