Controlling Web Access in the Workplace

Posted by admin on Oct 13, 2008 in Image Development, Information Security, Remote Support

When I took my current position, part of my mandate was to find a way to stop the field users from accessing web sites that could be the source of malware or viruses. (By the way, it should be virii, but what the heck.)

I found a way to do that by creating a white list in Internet Explorer. What I did was point all connections to a proxy server of 127.0.0.1 with the exception of the domain names and IP addresses of sites that the user needed to perform their duties. It worked.

But it wasn’t ideal. If a site changed any of the URLs or IPs then that also had to be changed on each and every field computer and had to be done hands-on by me. You can see the problem with that.

My methodology turned from one of whitelisting on the computer, to blacklisting on the server. Instead of the connections being set to use the home IP of 127.0.0.1, I changed that to our server’s IP. Then, on that server I installed a proxy server application. From there I used regular expressions to create rules to filter out unacceptable web sites. From there I realized that just wasn’t going to work since there are about 4 billion web sites in the world. But I had it half right. The proxy server was a good idea.

The particular proxy server I installed had a little-known, little-documented whitelist feature. Yay! I spent a fair bit of time researching it and now have it tuned so that the user actually has some flexibility in what sites they can access, I have central control to add, remove or edit the sites and everybody seems to be pretty happy. Especially me.

So, now you’re thinking, what’s to stop the user from circumventing the proxy by changing those settings? Well, if you’re not scared of working in the registry, there are keys you can alter to lock out users from accessing or changing the Internet Connection options.

But couldn’t they just import a new registry setting to overwrite that?

Assuming they got that far in the thought process, no. Because I also set the default action for .reg files to edit as well as locked out any registry editing tools available to the user. So if they try to merge a .reg file, all that it will do is open up as a text file in Notepad.

But couldn’t they just throw in a U3 drive and use another browser like Firefox or TorPark or something? No, you see I also found a way to prevent users from running .msi and .exe files from removable media. See my post Restrict running programs from a USB Drive.

Is this method infallible? No, I don’t believe any security is infallible. Locks only keep out honest people. The more locks you have though, the more honest people you keep out.

I’d like to document the full process for you, but it’s a bit of a trade secret. But I’ll break it down a bit further for you as to what I did:

  1. Installed Proxy Server on server.
  2. Created whitelist of acceptable sites.
  3. Manipulated Internet Connections to all point to the Proxy Server.
  4. Locked out access to the connections and as many ways of changing the connections that I could find.
  5. Locked out access to as many USB-borne applications that could circumvent the Proxy as I could find.
  6. Let users know if there is a site that is of particular use or interest to them to e-mail me the site. I’ll check it out and if it conforms to our IAUP, I’ll add it and call them back when it is done.
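
For step 2, here is a sketch of the default-deny host check a whitelisting proxy performs. It is an added example, not the configuration of the proxy described in this post, which is not disclosed. The function names and every allowlist entry are constructed for illustration. It matches wildcard domains on a label boundary, which is where hand-written regular expression rules tend to be too loose.

```python
import ipaddress

# Constructed allowlist: exact hosts, "*." wildcard domains, and IP networks.
ALLOWLIST = ["intranet.example.com", "*.hotels.example", "203.0.113.0/24"]


def normalize_host(host):
    """Lower-case, drop a trailing dot and any :port (IPv6 must be bracketed)."""
    host = host.strip().lower()
    if host.startswith("["):               # [2001:db8::1]:443 -> 2001:db8::1
        return host[1:].split("]", 1)[0]
    if host.count(":") == 1:               # host:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def is_allowed(host, allowlist=ALLOWLIST):
    """Return True only if host matches an entry; anything else is denied."""
    host = normalize_host(host)
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                        # not an IP literal: treat as a name
    for entry in allowlist:
        entry = entry.lower()
        if addr is not None:
            # IP literals are only compared against network entries.
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass
            continue
        if entry.startswith("*."):
            # Match on a label boundary: the domain itself or a subdomain,
            # never a host that merely ends with the same characters.
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False
```

Because the list lives in one place on the server, a request approved under step 6 becomes a single new entry rather than a change on every field computer.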

I’ve had quite a few calls for things like adding a hotel finding site, or a brokerage site. These are definitely acceptable in our company’s line of business, since a user can be in the field for weeks. So I added them. I’ve also added special community sites since some of our employees also have other seasonal jobs, like raising bulls or rodeo. If the site isn’t a haven for malware, why not add it? It keeps the users happy and keeps the computers safe. That’s all I care about.

Copyright © 2009 Guy McDowell All rights reserved.