How do I block a website like "facebook" on select PCs using SBS without blocking other PCs?

    Question

  • I need to block facebook.com on select PCs on our network without blocking Facebook on other PCs.  Our boss wants our sales staff to stay focused during working hours without blocking our AV gear (Samsung, Google TV, Sony Smart TV) from accessing the site.  Also, we have a business profile that our sales manager needs to use to update our activities on his PC.  I was told that redirecting PCs to a loopback (127.0.0.1) would work, but how?  Thanks, JC
    Saturday, April 23, 2011 7:12 PM

Answers

  • A common solution for blocking web sites is to use services by http://www.opendns.com/ 

    You can set up a free account and then use their DNS servers as forwarders in SBS. Within the service you can restrict access to various sites, however this blocks access for all users. Though I haven't tried it, I understand the paid service will allow you granular control by user, and also provides reporting. 


    Rob Williams
    Sunday, April 24, 2011 4:22 AM
  • The IP change of what you are talking about I would not recommend.
    (Mostly because of Administration issues, if you forget you've done this it's a nightmare)

    The Redirect that you mention is Editing of the "HOSTS" file located on EACH PC.
    The HOSTS File is  located on each PC
    C:\Windows\System32\drivers\etc\HOSTS

    (You can edit this file with Notepad.exe and save it with "NO" extension.)

    If you open this file you will find.
    ----------------------------------------------------------------------------------------
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1       localhost
    # ::1             localhost
    -----------------------------------------------------------------------------------------------------

    If you add
    127.0.0.1               www.facebook.com
    127.0.0.1               facebook.com

    To the end of the file, that computer will not be able to access Facebook via DNS name
    (Most people won't type the IP in)

    Like I said, I would "NOT" recommend that. (It can bite you in the butt later.)

    An Easier Solution would be to use a Product Like "Trend Micro Worry Free Business Security Advanced"
    on the SBS server and PC's it will cover all PC's and Server with AV and have the ability to Manage What type of sites a PC can Connect to.

    And even the times they can do it. Example: Facebook is OK before and after work and during lunch, but not during work.
    (This is great for those that like to spend all day on eBay...)

    There is a 30 Day trial on Trend WFBSA and most of us here are Resellers, and it's pretty easy to set up.

    I hope this helps
    Russ

    Russell Grover - SBITS.Biz [SBS-MVP] MCP, MCPS, MCNPS, SBSC
    Remote Small Business Server/Computer Support - www.SBITS.Biz
    Redirect to Microsoft's SBS Public Forum - www.SBSrepair.com
    Redirect to Microsoft's SBS Essentials Support - www.SBSErepair.com

    Sunday, April 24, 2011 4:39 AM
    Moderator
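
To keep track of which PCs carry such entries (the administration problem raised in the answer above), the following PowerShell lists the active entries in a HOSTS file and marks host names pointed at a loopback or null address. It is an added example, not part of the original post; the function name Get-HostsOverride and the sample lines are constructed for illustration.

```powershell
# Added example: report active HOSTS entries and flag names sunk to loopback.
# Get-HostsOverride is a hypothetical helper name, not a built-in cmdlet.
function Get-HostsOverride {
    param([string[]]$Lines)

    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Drop anything after '#', then surrounding whitespace.
        $text = ($line -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }

        # First column is the address, the remaining columns are host names.
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # A non-localhost name mapped to 127.x, 0.0.0.0 or ::1 is a block entry.
            $sunk = ($address -match '^(127\.|0\.0\.0\.0$|::1$)') -and ($name -ne 'localhost')
            New-Object PSObject -Property @{
                Line = $lineNo; Address = $address; HostName = $name.ToLower(); Blocked = $sunk
            }
        }
    }
}

# Constructed sample in the layout of the HOSTS file shown above.
$sample = @'
# localhost name resolution is handled within DNS itself.
# 127.0.0.1       localhost
127.0.0.1               www.facebook.com
127.0.0.1               facebook.com    # added for sales PCs
102.54.94.97     rhino.acme.com          # source server
'@ -split '\r?\n'

Get-HostsOverride -Lines $sample |
    Select-Object Line, Address, HostName, Blocked |
    Format-Table -AutoSize

# To audit the real file on a PC instead of the sample:
# Get-HostsOverride -Lines (Get-Content 'C:\Windows\System32\drivers\etc\hosts')
```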

All replies

  • Hi:

    Um, John... you got a minute?  Come into the office for a second please.

    John, we have a policy here that asks the staff to abide by the company rules, such as:  Come to work on time, don't take too long breaks, and don't spend company time on personal business... that is what lunch and breaks are for.  Now, I hate to put it to you like this, but we must insist that you follow the rules, just like everyone else.  I hope that was clear... can I have your word on this?  Thanks.

    Sally, you got a minute?  Come into the office for a second please......

    About a week later, circulate the company computer usage policy manual with a cover sheet for each employee to sign. 

    Not every staff issue has, or should have, a techie solution.

    BTW, it is possible to do this with AD aware firewalls, such as the better WatchGuards, Calyptix Access Enforcer and such.  But it should not be necessary.

     


    Larry Struckmeyer

    Please post the resolution to your issue so that everyone can benefit

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Saturday, April 23, 2011 9:51 PM
    Moderator
  • That would work if we had a boss that would tell them they are in the wrong.  He would be much happier not to deal with them directly and just make the changes forcing them to either say they can't get on and reveal their usage or not bother him at all.

     

    JC.

    Saturday, April 23, 2011 11:40 PM
  • Trying to block things by messing with DNS is an ineffectual way to prohibit access to content on the internet. Since DNS just resolves to an IP address, if the user makes the request to the IP address without going through the DNS system, they can still retrieve content. The proper way to block web sites would be at the company firewall at the router and block things by IP address rather than domain name. (Some sites, such as Facebook, appear to redirect to a domain name when requested by IP address, so DNS blocking will work on some sites some of the time.)

    Even blocking by IP address isn't going to stop someone who goes through an external proxy server. You can put in some technological blocks, but it then becomes a cat and mouse game with technically savvy users. Even if you could completely block them from facebook on the company network, how are you going to stop them using their smart phone to get there. So company policy, as Larry suggested, is the right approach.

    Sunday, May 15, 2011 9:50 AM
  • For the most part however, people who are in sales are not there because of their 'technical savvy'. OpenDNS works fine for all of our clients - obviously the boss has to expect a certain amount of responsibility from his workers. Anyone who spends time figuring out how to get around OpenDNS as opposed to just saying 'well I'm obviously not supposed to be here' and going back to work should probably be fired. To suggest that block by IP isn't good enough either because of a proxy server is just ludicrous because of the same thing. Anyone who spends the time figuring out how to configure a proxy, and spends the time finding (or paying!?) for a proxy just to get around company policy has become more useless than useful in my book and gets let go. OpenDNS is great however because if we're working on a machine and we need to bypass it for whatever reason it's simple to do and takes less than 15 seconds. I'm with Rob and Russ (although I agree the hosts file will cause a massive headache down the road).
    Sunday, May 15, 2011 1:41 PM
  • Try installing an Untangle gateway; it works great filtering all kinds of content.
    Thursday, March 29, 2012 3:00 AM