Questions on Content Filtering and Management.

  • Question

  • Hello,

    My name is Terry and I am a new IT manager for a small company that has some unique needs. We run a Tax Server and have around 100 offices spread across 4 states. Each office has between 2 and 10 computers, many of which are over 5 years old. The company has had several previous Techs and there has never been real uniformity to how things were done. I am working hard to correct this.

    My question is regarding methods for content filtering. I have a lot of computers spread over a large distance. I need to allow access to a small range of websites and block the rest. I am looking for a software solution that will allow me to control website access from a central location rather than setting each computer individually. The previous IT managers used software called K9 web protection but I have found this software to be very easy to bypass. Are there any better options out there?

    I hope I have posted this question in the right place. Thank you for whatever information you can provide.

    • Edited by Coyabbit Saturday, January 15, 2011 5:31 AM Spelling Error
    Saturday, January 15, 2011 5:15 AM

Answers

  • Save yourself a ton of hassle and cash by using the free version of opendns.com.  Content filtering via dns redirection is SO MUCH EASIER than even using the filter on a firewall or client-side apps.  Just ensure you set up a firewall that only allows DNS queries out to 2 opendns IP addresses and then they can't bypass you by changing their dns to 8.8.8.8.

    Once you set up all of your sites you can have either a single policy that manages all sites or individual policies.  If you need to include a single URL it's as easy as adding it and checking the add to all sites box.

    So long as you only need to block the websites that people have access to, there's really no reason to use anything other than opendns.

    Saturday, January 15, 2011 10:23 PM

All replies

  • That might work. It will take some time to implement on each of the systems but once it is set I shouldn't have any issues. My one concern is people figuring it out and changing their DNS servers. You mentioned using a firewall that will only allow the two OpenDNS addresses. Many of my locations have basic DSL service and use standard off the shelf broadband routers. I might be able to set their firewalls to only allow OpenDNS but I am not sure, D-Link and Linksys don't have the greatest variety of options. Then there is the issue of all the locations having dynamic addresses...

    Are there other ways of preventing users from changing their DNS settings?


    Terry, IT Manager for CK Ventures Inc.
    Sunday, January 16, 2011 4:19 AM
  • Hey, I apologize for missing your additional question.  Another way to prevent users from changing their DNS setting is to simply not give them Administrator privileges on their workstations.  If you issue IP addresses with DHCP, then you could put the DNS setting in the DHCP scope and have it apply automatically.  Most users won't even think to set up a static IP and static DNS.  Or, you could set up a login script that sets their IP information every time they log in.  If they ever change it, it will change itself back.  Don't tell them about the login script.  DNS settings are ultimately stored in the registry.  I've never tried it, but you could change the permissions level on that location in the registry.  Where it lives in the registry depends on how the settings are applied: System\CurrentControlSet\Services\TCPip\parameters\Interfaces\guid or HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSclient or similar.

    Monday, February 14, 2011 1:33 AM
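
    The "sets it back if they change it" script described in the reply above, as an added example that is not part of the original thread. It assumes Windows 8 / Server 2012 or later (for the DnsClient and NetAdapter cmdlets), an elevated context such as a startup script or a scheduled task running as SYSTEM, and the two OpenDNS public resolver addresses; the log path is a hypothetical placeholder.

```powershell
# Added example: detect and undo DNS drift on every active adapter.
# Assumptions: Windows 8 / Server 2012 or later, run elevated
# (startup script or scheduled task as SYSTEM). IPv4 only; if IPv6 is
# enabled on the workstation, its resolver list needs the same treatment.

$Approved = @('208.67.222.222', '208.67.220.220')    # OpenDNS public resolvers
$LogFile  = 'C:\ProgramData\DnsEnforce\drift.log'    # hypothetical path

# Make sure the log directory exists before the first write.
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {

    # Resolvers currently in effect on this interface (static or from DHCP).
    $current = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                    -AddressFamily IPv4).ServerAddresses)

    # Compare as ordered lists so an extra or reordered resolver counts as drift.
    if (($current -join ',') -eq ($Approved -join ',')) { continue }

    # Record what was found before changing it, so repeated drift on one
    # machine shows up in the log and can be followed up.
    $stamp = Get-Date -Format 's'
    $line  = "$stamp $env:COMPUTERNAME '$($adapter.Name)' had [$($current -join ', ')]; resetting"
    Add-Content -Path $LogFile -Value $line

    # Put the approved resolvers back and drop answers cached from the old ones.
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $Approved
    Clear-DnsClientCache
}
```

    The drift log is the useful part for a central administrator: a machine that keeps appearing in it is one where the firewall rule from the first answer matters most.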
  • Thank you for the extra info. I figured this post had gotten lost for good. The answers you gave me will be helpful. As I may have mentioned, I inherited this network from previous people that really didn't know what they were doing. Right now everyone has admin access and that is something I need to change. The problem is the company software requires admin access to run correctly. Because we are in our peak season right now I don't have time to test other configurations to make sure they will be stable....

    Sorry, didn't mean to blather on. Thank you again for the help!


    Terry, IT Manager for CK Ventures Inc.
    Monday, February 14, 2011 5:03 PM