
Securing a workstation

Discussion in 'Tech Talk' started by havensal, Jul 10, 2006.

  1. havensal

    havensal Nozzle Jockey CLM

    I need to secure a workstation. It is going to be used by our shipping/receiving. I need to find a good way to allow some websites but not the rest. I also need other ideas of what to protect from. I have everything I can think of either uninstalled or the shortcuts removed. Thanks. :beer:
     
  2. fastvfr

    fastvfr Ancient Tech

    Need more info.

    Is this WS tied into the main servers, or is it a standalone that logs on a couple times a day to upload data?

    Is there a firewall/router between it and the servers, or between it and the Web?

    Any 'NetNanny'-type of app can block all but a select group of URLs. That may work if the purpose is to block staff from surfing pr0n on the company's time...

    For more security other steps will be needed also. For one thing, you could install a keystroke logger to document all inputs made on the workstation.
     

  3. havensal

    havensal Nozzle Jockey CLM

    This workstation is connected to the server (win 2000). No firewall/router between PC and Server. We have a PIX/Firewall on the T1 coming in, but that is all. I will look into the NetNanny thing. I will have to see if I can get a keylogger past our AV/Firewall (Symantec client security). I am looking into a VNC that will allow me to anonymously view the WS, not control. Any suggestions? Thanks. :beer:
     
  4. greenlead

    greenlead

    Software can be bypassed. I would go with a firewall solution. I believe there is an add-on for the free IPCop firewall called BlockOutTraffic that can do this.
     
  5. Glock Bob

    Glock Bob Snack Attack!!!

    We use RealVNC at work and it's free. You can view what someone else is doing by:

    1. Logging in and authenticating
    2. Not touching the mouse or the keyboard (it will give away that something is amiss)
    3. Press Ctrl+ESC to bring up the Start menu on YOUR computer. That will take focus off of the VNC window and allow you to close it without them knowing (using the Start key will bring up their Start menu, as well).

    A little white/green/blue/red icon shows up by the clock on the workstation that says "VNC". It turns black when someone is logged onto the system. If the workstation is XP you can hide the icon so they won't notice it. However, be sure to hide the white one, then log on from the server and hide the black one as they are technically two different icons and XP sees them as such.

    I can email you the installer or you can download the latest version here. Beware, though, that the newest version has some security issues I believe.
     
  6. fastvfr

    fastvfr Ancient Tech

    SmoothWall has similar functionality. Since that requires a separate server box for its proper implementation, I didn't mention it.

    Most people will not be able to defeat the site-blocking apps, and those that do try will leave log files telling you when the attempt took place. Correlated with timecards, those are a damning bit of evidence.

    NN apps will keep most people from surfing on it, especially after one of the 'smarter ones' gets grilled or demoted for breaching company policy...

    If this box has to go through the server to hit the Web, then a software blocker is the better option.

    But that's -only- if there is a local HDD in that machine.

    If it is on a net-boot setup, your only recourse is to firewall its connection to the server in order to block all but a few select ports and to disallow its surfing, except to chosen sites.

    At that point, IPCop or SmoothWall become attractive options.

    Otherwise, if you set the restrictions in the server itself you might find that NO ONE can surf to any but those selected sites. And that may work better for you; I don't know what your shop's policy is on that stuff, of course.

    Good luck!
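
The default-deny allowlist discussed in the posts above (a few chosen sites and a few select ports, everything else blocked), as an added example that is not part of the thread and not taken from IPCop, SmoothWall or any filtering product. The domain names, port set and sample requests are constructed; the point is the host matching, which has to happen on label boundaries so that lookalike hostnames do not slip through.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hypothetical carrier and supplier sites for a shipping desk.
ALLOWED_DOMAINS = {"carrier.example", "supplier.example"}
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample requests, including common ways a naive substring match is fooled.
SAMPLE_REQUESTS = [
    "https://carrier.example/track?id=123",
    "HTTPS://Track.Carrier.Example./status",      # case and trailing dot
    "http://carrier.example.evil.test/",          # allowed name used as a prefix
    "http://notcarrier.example/",                 # allowed name used as a suffix
    "http://carrier.example@evil.test/",          # allowed name in the userinfo part
    "http://supplier.example:8080/admin",         # allowed host, unapproved port
    "ftp://supplier.example/pricelist.csv",       # unapproved scheme
    "http://192.0.2.10/",                         # bare IP address
]


def is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Return (decision, reason) for one URL; anything not matched is denied."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    except ValueError:
        return False, "malformed URL"
    if scheme not in DEFAULT_PORTS:
        return False, "scheme not permitted"
    if port not in ALLOWED_PORTS:
        return False, "port not permitted"
    # urlsplit lower-cases the hostname and drops any user:pass@ prefix.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    for domain in sorted(allowed):
        # Exact match, or a subdomain ending at a label boundary (".domain").
        if host == domain or host.endswith("." + domain):
            return True, "matches " + domain
    return False, "not on allowlist"


def decide_all(urls=SAMPLE_REQUESTS):
    """Map each requested URL to its (allowed, reason) decision."""
    return {url: is_allowed(url) for url in urls}
```

Denied requests and their reasons are what a filter would write to its log for later review.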
     
  7. HVAC-TEK

    HVAC-TEK

    You say you’re using Windows Server 2000. Then you should be using 'groups' and 'group policy' to limit employee access to important files and folders.

    The problem is that you need to determine what network access you want to approve. And also what network and file access you need to limit. Then create a group with those limitations and add the employees to that group.

    The thing is that there are a ton of advanced settings that you will never find on your own. Like removing the run command from the start menu, or recording access to important files.

    Whatever you do, don’t buy anything! Your network most likely has a firewall that will give you the ability to completely deny internet access to whichever computer you choose. Or like some SonicWALLs, it may include an internet filter that you’re not using because you didn’t know it was there.

    You really need to have a network technician look at it. There are things that can be done, but it all depends on your hardware and your particular setup.

    If money is an issue because you’re a small company....
    Call a local technical school and ask to talk to the networking instructor. He will be able to recommend a sharp student willing to help you. Usually a student he trusts and also close to graduating.

    There are students like me who would be happy to drop by and configure your system. They usually work for cheap, or even free. Some students ask only that they use you as a reference for their resume. (that’s how I got several references :cool: )

    It’s done here in central Florida quite a bit. We have a lot of small businesses who can’t afford an IT person.

    K