I have two Windows 2003 Enterprise servers. One is front-end DNS, front-end Exchange, and IIS. The other is a DHCP, back-end DNS, back-end Exchange and local resource share server.
My goal is to block certain sites to keep employees' children from coming to the office and killing bandwidth with P2P downloaders and blogging sites.
I wish to do all this using no third-party software. I did this at home using nothing more than DNS and IIS, but with Windows 2003 they have hardened security and moved things around from when I did it on Windows 2000 Advanced Server.
Thanks for all the help!
If you know the names of the sites you want to block then you can do it with a simple hosts file. You can push a new hosts file to people at login time to maintain it.
If you want to block specific P2P apps then you can use a firewall rule to block the ports needed.
The biggest thing here though is that you seem to have a BIG lack of physical security and policy. If you have to worry about what your employees' kids do then you have a management issue. Put a hard policy in place that makes the employee accountable for what gets done on their PCs and I bet you fix the 'issue' real fast. No matter what, the employees' kids should not have free use of the work PCs.
Actually, management in my company couldn't be much better. I'm not taking offence although I need to explain my company. My company is a home building company. I encourage my employees to bring their kids to work as it promotes my company. My office is actually themed as a house to match the company.
With the websites, I just wish to block the ones that require high bandwidth. Picture sites, video sites, and one example is myspace.com.
Above you said I have a lack of security and policy. Policy was referencing the employees bringing their kids, which I have explained as allowed. Security scares me though; I worked for Microsoft for 10 years and have a deep-seated understanding of computers. I was the Head of the Exchange Center of Excellence and even spoke to Bill Gates himself, only once sadly. But as far as I know the only security I lack is an ISA server. Do you see something else?
The only way to speed up a Macintosh computer is at 9.8 m/sec/sec.
ExpertComing wrote: With the websites, I just wish to block the ones that require high bandwidth. Picture sites, video sites, and one example is myspace.com.
Then again you can do this by simply administering a hosts file that routes these sites to 127.0.0.1 and your problem is gone.
With respect to your situation, I fully understand the way you are running the company (giving it a home-type feeling) and I like that. No worries there.
My only concern is that just allowing the children at the work place does not mean that you have to allow them access to machines that are used for work. If you want something slightly more manageable then why not supply a set of PCs just for the kids when they are there and manage them more tightly.
ISA would be a good idea but I have not found a simple way to block access to specific sites without buying some kind of add-on product. I run ISA in my house (SBS2000 system) and this is what I do. Weekly I run through the ISA web logs and take a look at the sites my kid is going to. I then decide what is OK and what is a no-no. I take the no-no sites and add them to a hosts file stored on the server. His log-in script is set to pull that file down when he logs on and from that point forward that site is blocked.
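The "no-no list to hosts file" step above is easy to get wrong by hand (a stray line or a Unicode BOM can make Windows ignore the whole file). The following PowerShell script is an added example, not code from either poster: it reads a plain-text blocklist, keeps only lines that look like hostnames, and merges them into a hosts file between marker comments so that the entries you maintain by hand survive each regeneration. The blocklist path, the share name and the sinkhole address are assumptions; run it against the copy of the hosts file kept on the server, and let the existing login script copy that file down.

```powershell
# Added example (not from the thread): build a managed block of hosts-file
# entries from a plain-text blocklist and merge it into an existing hosts file,
# leaving everything outside the BEGIN/END markers untouched.
# The blocklist path, share name and sinkhole address below are assumptions.

param(
    [string]$BlockList = "\\server\LS\blocked-sites.txt",                # one domain per line, '#' comments (assumed path)
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",  # or the copy kept on the server share
    [string]$Sink      = "127.0.0.1"                                     # where blocked names are sent
)

$begin = "# BEGIN managed block (do not edit by hand)"
$end   = "# END managed block"

# Read the blocklist, drop comments and blank lines, and reject anything that
# is not a plausible hostname so a stray line cannot corrupt the hosts file.
$hostPattern = '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
$domains = Get-Content $BlockList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith("#") } |
    Where-Object { $_ -match $hostPattern } |
    Sort-Object -Unique

# Each domain gets the bare name and the www. form, since browsers use both.
$managed = @($begin)
foreach ($d in $domains) {
    $managed += "$Sink`t$d"
    if (-not $d.StartsWith("www.")) { $managed += "$Sink`twww.$d" }
}
$managed += $end

# Keep every line of the current hosts file that lies outside a previous managed block.
$kept   = @()
$inside = $false
if (Test-Path $HostsPath) {
    foreach ($line in (Get-Content $HostsPath)) {
        if ($line -eq $begin) { $inside = $true;  continue }
        if ($line -eq $end)   { $inside = $false; continue }
        if (-not $inside)     { $kept += $line }
    }
}

# Write the new file beside the old one, then swap it in with a single move.
# ASCII encoding avoids the UTF-8 BOM that Notepad adds, which breaks the first entry.
$tmp = "$HostsPath.new"
Set-Content -Path $tmp -Value ($kept + $managed) -Encoding ASCII
Move-Item -Path $tmp -Destination $HostsPath -Force
Write-Host ("hosts updated: {0} managed entries" -f ($managed.Count - 2))
```

The markers make the operation repeatable: running the script again with a shorter blocklist unblocks the removed names instead of leaving stale entries behind. Because the hosts file only affects the machine it is on, this does nothing for a laptop that is not running the login script, which is the limitation the later replies in this thread point out.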
I forgot to mention that the computers the kids play on are theirs, or their parents' personal, self-owned laptops. My problem isn't that the kids are online using the web; just certain web sites kill bandwidth. I have plenty, it is just I want to keep it that way.
Also, a lot of it is just I want to learn how...
The only way to speed up a Macintosh computer is at 9.8 m/sec/sec.
Since those laptops don't belong to you, it's not a good idea to modify them. Your only other (and best) option is a firewall, and block those sites and ports.
Dave Kreskowiak
Microsoft MVP - Visual Basic
ExpertComing wrote: the computers the kids play on are theirs, or their parents' personal, self-owned laptops.
In that case you really shouldn't be letting them onto the same LAN as your machines. Get a separate network for people with their own machines.
I don't want to modify those laptops; there is a way to do it on my server. I have done it before on my Windows 2000 Advanced Server just using DNS, but it isn't that simple in Windows 2003. I don't want to modify the hosts files either. DNS is the way to do it, the right way at least. I think I figured it out thinking more deeply about how DNS and the whole picture works. Give me a while to try it.
The only way to speed up a Macintosh computer is at 9.8 m/sec/sec.
I figured it out. This is what I did (and what I thought I did the first time):
1. Create a forward DNS zone for the domain you are blocking.
2. Create just a CNAME for your server.
3. OPTIONAL: Create an IIS entry to say some sort of blocked page message.
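The three steps above can be scripted with dnscmd, the command-line DNS administration tool that ships in the Windows Server 2003 support tools. The PowerShell script below is an added example, not the poster's own procedure: it creates the sinkhole zone, adds apex and wildcard A records pointing at the internal web server that hosts the blocked-page message (the poster used a CNAME; A records are used here so nothing has to sit at the zone apex as a CNAME), and checks the result with nslookup. The domain, sinkhole address and DNS server name are assumptions.

```powershell
# Added example (not from the thread): create a "sinkhole" primary zone for a
# domain to block on a Windows Server 2003 DNS server, point its apex and a
# wildcard at the internal web server that shows the blocked-page message, and
# verify with nslookup. Domain, sinkhole IP and server name are assumptions.

param(
    [string]$Domain    = "blocked.example",    # the site to block (assumption)
    [string]$SinkIP    = "10.0.0.5",           # internal IIS host with the block page (assumption)
    [string]$DnsServer = $env:COMPUTERNAME     # DNS server to manage; here the local machine
)

# Never create a sinkhole for a name this server is already authoritative for
# (your own AD domain, for instance): that would silently replace real records.
$zones = & dnscmd $DnsServer /EnumZones
if ($zones | Where-Object { $_ -match ("^\s*" + [regex]::Escape($Domain) + "\s") }) {
    Write-Host "Zone $Domain already exists on $DnsServer; not touching it."
    exit 1
}

# Step 1: a file-backed forward primary zone for the domain being blocked.
& dnscmd $DnsServer /ZoneAdd $Domain /Primary /file "$Domain.dns"
if ($LASTEXITCODE -ne 0) { throw "ZoneAdd failed for $Domain" }

# Step 2: apex and wildcard A records, so both blocked.example and
# anything.blocked.example resolve to the sinkhole web server.
& dnscmd $DnsServer /RecordAdd $Domain "@" A $SinkIP
& dnscmd $DnsServer /RecordAdd $Domain "*" A $SinkIP

# Step 3 check: ask this server directly and print the address it hands out.
foreach ($name in @($Domain, "www.$Domain")) {
    $answer = & nslookup $name 127.0.0.1 2>&1 | Select-String "Address" | Select-Object -Last 1
    Write-Host "$name -> $answer"
}
```

Two practical notes. The zone only affects clients that resolve through this server; a laptop configured with an outside resolver, or a P2P client that connects by IP address, is not touched, which is the gap the next reply in the thread describes. And because the zone is file-backed, removing the block is a single `dnscmd <server> /ZoneDelete <domain> /f`, which is worth recording somewhere so the sinkhole does not outlive its purpose.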
The only way to speed up a Macintosh computer is at 9.8 m/sec/sec.
ExpertComing wrote: DNS is the way to do it, the right way at least.
No, it's not. Your internal DNS should not care about any addresses that it's not an authority for. You're turning your DNS server into a poor firewall that's difficult to maintain.
The "right way" is a firewall that can respond to blocking sites by both IP address or domain and other methods such as content ratings, keywords, ...
Dave Kreskowiak
Microsoft MVP - Visual Basic
I am unsure if this is the correct forum, and I am not much of a scripter.
I am trying to script changing the XP LPT port number from LPT1 to LPT3. I have been able to do this in a VBScript by changing the port details in the PNP0401 registry component. This is not a fail-safe solution as some systems such as VMs use PNP0400 instead.
I have another script where I am trying to use WMI components to change the device, but I am having no luck.
The script is either to run as a Windows startup script or to be included as part of an MSI installation.
Does anyone have any information on how best to control system devices, typically changes you can make manually in the Device Manager? I can't find any information on the internet.
Cheers
Darren Kimber
Why do you need to do this?
The registry entries are really more up to what the PNP detection system put in place when it ran and detected the ports. Personally I would not mess around with them.
Maybe if we know why you need this we could point out a better way.
Sorry I should have mentioned that.
We have an old DOS program, Hiport (yes, it still exists in a big way in a finance company), whose typical reports have to print to LPT1. We have removed admin rights from users (bad legacy environment we are trying to clean up) and they can no longer assign LPT1 to a net use printer. If I change the physical parallel port to LPT3 then users are able to assign network printers to LPT1. I could disable the parallel port altogether, but of course there are users with local printers.
Regards
Darren
I have a requirement to find which Bluetooth stack is present (currently active) on the system (Windows XP). Can anyone help me?
I have one web site under Linux hosting. I write an ASP.NET page but I can view it in the browser. Please help me.
Socheat
ASP.NET is a server-side technology. Does your Linux host have the ability to serve up ASP.NET pages? Probably not...
Dave Kreskowiak
Microsoft MVP - Visual Basic
Hi all,
I have 10 computers. 3 of them have Windows 2003 Server and the rest are XP Pro.
Now I set up a server domain and joined the 10 computers to that domain,
but when joining the domain with the 3 computers that have "Win 2003 Server" I get the error "Domain is N/A".
Somebody help me.
Can you send me an ebook on Windows Server 2003?
When creating an Active Directory domain it is critical that all workstations and member servers have DNS configured to point to, and only to, DNS servers that contain the domain's DNS zone. I'd take a guess that you've got the correct settings in your DHCP server configuration, that the XP workstations are set to use DHCP and therefore are getting the correct DNS settings, but that you've set static IP addresses for your member servers and have not configured DNS correctly.
You should install the support tools from the Windows Server 2003 CD-ROM on the member servers that you can't connect to the domain, and run dcdiag with the /s switch to confirm that you've got connectivity to a domain controller and that it's functioning correctly, and netdiag to confirm that other networking facilities are working correctly.
AnhTin wrote: but when joining the domain with the 3 computers that have "Win 2003 Server" I get the error "Domain is N/A"
How about your Windows XP computers? Did they join the domain successfully or not? If you could join them successfully, try to check your Windows XP settings and find the reason why you can't join your Windows 2003 to the domain controller. As I suggest, try to check the DNS settings on your domain controller and your client.
Thanks.
The computers with Windows XP Pro join the domain successfully, and the Windows Server 2003 SP1 computer now joins the domain successfully too, but
when I create a user for the computer with Windows Server 2003 SP1,
I don't give that user admin permission on that Windows Server 2003 SP1 computer; login is successful but it doesn't have admin permission.
When I log in to "that computer" it loads all the users on the server except the user logging in, so I don't have permission for this user.
I tried creating a user with the same account as the user on the server; after that the permission is admin,
but when logging in with that user it still doesn't have admin.
Somebody help me.
Hi, what is the difference between Local Security Policy and Group Policy in windows XP?
I believe the two snap-ins affect the same settings, but that the settings from Group Policy will override any settings made locally. Only if all of the Group Policy Objects have '(not set)' as the value for a setting will the local setting take effect.
Mike Dimmick wrote: I believe the two snap-ins affect the same settings
Yes, I already checked the group policies and local security settings one by one. I found that the local security settings are part of the group policies, in the section Computer Configuration -> Windows Settings -> Security Settings.
Mike Dimmick wrote: but that the settings from Group Policy will override any settings made locally. Only if all of the Group Policy Objects
Maybe I need to test it first, because I found that when I configure the auditing policy settings in local security settings, the setting in group policies also changes.
Thank you for your comment.
Hi, I have some problem with assigning a logon script in Windows XP. Please read my activities below and suggest to me if you find any error:
1. My computer name is Net1. I log on as a local administrator account.
2. I create a user account named User1 with a blank password.
3. Create a folder named Welcome and create some files in it. Then make a network share with "Welcome" as the share name and define permissions for the Everyone group in the Share tab as Full Control and for the Everyone group in the Security tab as Read, Read and Execute, and List Folder Contents.
4. Log off the Administrator account and log on with the User1 account.
5. Log off the User1 account and log on as the Administrator account again. (I do this because I want User1 to have its own profile.)
6. In administrative mode, I create a folder named Logon Script in the root of drive C: and share it with LS as the share name. I define the permissions for both the Share tab and the Security tab as in step 3.
7. I create a batch file named MappedNetworkDrive.bat, and the content of the file maps the network drive for the Welcome folder. The content of the file is:
net use y: \\net1\welcome
8. I assign the logon script to User1 in Computer Management and put the path below in the Logon script text box: LS\MappedNetworkDrive.bat
9. I try to log off the Administrator account and log on as the User1 account, but I couldn't see the mapped network drive appear in Windows Explorer. I tried to log off and log on many times but the network drive didn't map for me. But when I am still in User1 mode and double-click on the batch file directly, the drive is mapped successfully, but I don't want to do that. I want it mapped automatically.
Does anyone see any problem with my above activities?
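When a logon script appears to do nothing, the first question is whether it was launched at all, and the second is whether the `net use` inside it failed. The PowerShell logon script below is an added example, not the poster's batch file: it maps the same share but writes a timestamped line to a log file for every step, including the exit code and output of `net use`, so the two cases can be told apart after the next logon. It assumes the share name from the post, drive Y:, and a log file in the user's temp directory; PowerShell must be installed on the XP machine for it to run as the logon script.

```powershell
# Added example (not from the thread): a logon script that maps the share and
# logs every step, so "the script never ran" can be told apart from "net use
# failed". Share, drive letter and log path are assumptions.

$Share   = "\\net1\welcome"                         # share from the post
$Drive   = "Y:"
$LogFile = Join-Path $env:TEMP "logon-script.log"   # assumed log location

function Log([string]$msg) {
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $LogFile -Value "$stamp [$env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME] $msg"
}

# If this line never shows up in the log, the account's logon-script path is
# not resolving to this file, and no amount of editing the script will help.
Log "logon script started (script path: $($MyInvocation.MyCommand.Path))"

# A stale mapping from an earlier session makes net use fail with
# "the local device name is already in use", so drop it first.
if (Test-Path $Drive) {
    Log "$Drive already mapped; removing stale mapping"
    & net use $Drive /delete /y | Out-Null
}

# /persistent:no so the mapping is recreated by the script at each logon rather
# than lingering in the profile; the exit code says whether the mapping worked.
$output = & net use $Drive $Share /persistent:no 2>&1
if ($LASTEXITCODE -eq 0) {
    Log "mapped $Drive to $Share"
} else {
    Log ("net use failed with code {0}: {1}" -f $LASTEXITCODE, ($output -join " "))
}
```

Reading the log after a logon gives a clear next step: no log file means the script is not being started for that account, so the path entered in the Logon script box is what to check; a log file with a `net use` error means the script runs but the share name or permissions are the problem, which the permission settings in steps 3 and 6 of the post are the place to look.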