Internet access for all employees 8

[thegirlofsteel]

I am having problems with SPAM - I mean tons of spam. Our GFI mail essentials report says out of all the emails daily 75% are spam!! Anyway, I know the culprit has to be because we give all our staff free access to the internet. I have been on a campaign for over 10 years to go to a standardized desktop to no avail (we're a union shop).

Well, now with the SPAM and virus problems, I am just going to do it. Is there someone out there that has gone through the same type of change. I know I am going to get a back lash from the union but are there any laws that I can use in my favor to do this. Also, is there a way to only grant certain people internet access to certain sites??

Thank You!

 

[sleipnir214]

Also, is there a way to only grant certain people internet access to certain sites??

It sounds like you need a content filter. There are a number to chose from -- take a look around and see what suits your needs.

but are there any laws that I can use in my favor to do this

Insufficient data for a meaningful answer. Where are you?

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[jrbarnett]

Legally, it will depend on:
1. The geographical area you are based in.
2. Any email and web acceptable usage policies in place that employees agreed to as part of their terms and conditions of employment when they joined your organisation.

With answers to these two, perhaps we can help more. Whatever the case, you will need to sell your reasonings for the implementation of such a policy to senior management so that you (or other IT staff) can legitimately say it was not just IT that implemented it. Such reasons could be the extra email server capacity required by these junk emails, CPU usage in running background virus scans on incoming email slowing it down etc.

Depending on how your network is configured, it is possible to only allow certain people to access external websites. Probably the easiest way is to use a NAT proxy server tied into a windows domain, and only allow external access to members of a certain security group. How this fits into your network configuration I've no idea though and is more suitable for the technical fora here relating to your server operating systems.

John

 

[thegirlofsteel]

Hi,

Thank you for the responses. We are in the State of California. Our policies are that of any other agency where Internet access is granted for only work related purposes. Unfortunately the locked desktop approach may cause a rukus at our company since the onset of internet usage was that everyone can have it. We only had a few computers then. Now everyone has access to the internet over 200 of us. Everyone is downloading spywear programs without knowing and its driving us nuts!!! So thus the need for a locked desktop.

TGOS

 

[fredericofonseca]

A locked desktop does not mean that Internet access is restricted.

If your existing policies (which should follow all legal requirements there, both in terms of content and of how/when employees took knowledge of them) say that Internet usage is only for Business usage, and that all other usage is either not allowed, or should be occasional, then you can do pretty much what you need.

These would be
1- Locked desktop. This has nothing to do with internet access. Should be done regardless, as it will prevent some of the spyware from installing in the first place.

2- Internet access
Proper firewall inplace, with site blocking active, with rules that can be set from common "restricted" places and others based on content. (e.g. no gaming related, no sex, and so on.).


Neither of the above will prevent your users from accessing the internet, neither from using their computer. it may create some issues with people that wish to change certain computer settings, but this can normally be worked around.

If a user complains that he can not access a particular website, then see if access should be granted on a CASE BY CASE basis.

All type of internet browser settings should also be locked down, and activeX and other stuff be blocked whenever possible.

Plenty of stuff you can do.


Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[lionelhill]

... just the usual warning (I'm sure you don't need it)...

Be careful of assuming that because someone gets a lot of spam they've obviously been using the internet for a purpose connected with the subject of the spam. I never used to get much spam until my name appeared, in the course of proper work, on my employer's website (and it wasn't even me that put it there!). Thereafter the whole world seemed to think I want to enlarge different parts of my body. Curiously there's little consensus on my gender. I certainly didn't ask for this spam and wouldn't consider myself a 'culprit', even though I'm pretty sure 75% of my mail is probably spam now, too.

 

[lgarner]

Being a union shop isn't relevant; restrincting Internet access to work-related sites is fine. I can't see how anyone would object to that unless they're wasting a lot of time on personal business.

A content filter is a good idea. We use Websense and it works pretty well. There are certainly a lot of others.

My usual approach to email is to block all email traffic between all workstations and the Internet, and allow only the Exchange server to send & receive. This cuts down on personal email use by a lot. Common web-based mail services are usually included in the content filter.

 

[svanels]

Union shop?? Free access to internet?? I do not see the link with spam.

Spammers send to who-ever they want (automatically). I gues they already received tons of earth-spam in a galaxy far away
You know that posting a question on tek-tips years ago made you vulnerable to spam? That is why e-mail adresses are not allowed anymore...

But I am interested in the Union case, Do the inmates run the asylum?

Steven

 

[thegirlofsteel]

Our problem lies in all the computers having free reign to the internet where they visit sites that either give them a virus and/or load programs such as SaveNow or Weatherbug that put the darn spywear on their machine. Then with that, you know your email gets out to the world. I am well aware that spam can't be stopped but at least it can be minimized.

The correlation to union shop vs. spam. They will not allow me to restrict access and/or lock their desktop so they can't download these programs. Reason being - WE ARE A UNION SHOP. Everytime I try to implement these types of restrictions, I get slack from the union and it gets lifted again. In a way, the prisoners are running the asylum. I am in management but our directors won't back me up on this.

 

[fredericofonseca]

They will not allow me to restrict access and/or lock their desktop so they can't download these programs. Reason being - WE ARE A UNION SHOP.

that is b***t.


There are ways of locking the desktop and web access restrictions that even on a place where no policies are in-force, you would still be able to do them without facing any legal "constraint".

being a unionshop you will most probably have a legal adviser team/person. Ask them about this.




Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[lgarner]

I agree, but I sympathize with you. If higher management won't back up basic security measures, I'd be very worried.

My point about the union is that I highly doubt that their contract includes being able to view porn and install spyware. But it takes a moderately strong manager to implement unpopular security policies, with or without a union.

 

[strongm]

> If higher management won't back up basic security measures

It is interesting how often higher management feels that it should be exempt from such security measures ...

 

[svanels]

If higher management won't back you up in preventing that their assets are attacked by some outside lunatic with a virus, causing damage to their business, they get what they deserve!!

We also have a union, a very strong one, but the union will be the first one to jump when it comes to continuity of the business.

It takes guts to implement unpopular counter measures, but I would love to work at your place . It must be a workers paradise, does the boss also brings coffee for everyone?
I would start a net Doom tournament in boss's time.

Steven

 

[zarkon4]

We use Surfcontrol to keep users out of various websites.
It is updated weekly and rates sites. Occasionally a site will be rated incorrectly. We also have a Internet usage document that everyone signs upon employment. Individuals are given their lunch time and 30 min. to view websites that are not business related. We do get a lot of backlash when they are blocked. It also tracks usage and maintains a history of websites that have been visited.
As far as SPAM goes, we have implemented a Barracuda Spam Firewall and it is working great! I have not had more than 5 spam emails since we installed it over a year ago!

 

[phuzzy42]

The correlation to union shop vs. spam. They will not allow me to restrict access and/or lock their desktop so they can't download these programs. Reason being - WE ARE A UNION SHOP. Everytime I try to implement these types of restrictions, I get slack from the union and it gets lifted again. In a way, the prisoners are running the asylum. I am in management but our directors won't back me up on this.

Word to the wise - make management put their directive to you about giving everyone free rein in writing. I will guarantee you that when (not if) your network is trashed because of all the crap you're being forced to allow, you will be blamed for it, not management, or even the users.

Even if they won't put it in writing, you can send them emails, interoffice memos, etc. You do this in a very non-confrontational way, spelling out the standard "best practices" of the industry and asking them for "clarification" on their directives (quote them if possible) that are different from the standard so you don't "inadvertently" go against their wishes. This is an out-and-out CYA, and management knows it too, but it's a lot harder for them to dump the blame on you when the business grinds to a halt because all the computers are infected. Management might or might not reply to you, but you've got dated emails, memos, whatever showing you were duly dilligent in performing your duties. And keep copies of everything.

You should also attack this from the other direction - user "education". Put out a helpful interoffice memo (and date it) warning people about the viruses, spyware, and other "bad guys" out there and telling what the users can do to avoid being infected. You're just doing your job, trying to help the users, right? But it's in writing now - CYA.

Again, being non-confrontational, you can mention to the Internet offenders what a shame it would be if their computer got infected with the xyz (make up a suitable name) virus since the only way to get rid of it is to completely wipe the computer. You sure wouldn't want to have to do that because of all the work they'd lose, but you'd have no choice because it would infect all the other computers - the person might lose their job, union or not. It's for sure they'd have to redo a lot of work.

And when PC's get infected with viruses or malware, document the heck out of it and report it to management (in writing), including your diagnosis on what caused it. Your message to them (without saying it in so many words) is:

1) You're doing a super job even with your hands tied by their bonehead policy;
2) The company is losing money right now because of downtime and work that has to be redone and will probably lose a whole lot more if management doesn't get their collective crania out of their rectal cavities;
3) The miscreant must have intentionally tried to screw the company because he/she was shown how to "surf safe" and deliberately did the opposite - if he/she is made an example of, other miscreants will get the message too;
4) I told you so,

and anything else you can think of. Throughout, you've acted in the best interests of the company while trying your best to follow management's directives, even though they clearly were wrong. CYA 100% and who knows, it might even help change things.

 

[Dollie]

Where's your firewall? Where's your server? Where's your virus protection? Why aren't you doing something on them instead of worrying about your desktops? Why do your users have the ability to install?

If you have over 200 users, and don't have a computer usage policy in place, you're really looking for trouble. A policy should be there to tell them what is and is not allowed. Policies usually cover the $Company/Employer, to not have one is a liability. What would happen if an employee blogged about the $Company and gave away all the trade secrets in a little post. With no policies protecting the company because the union said they couldn't have the policy, would the union be responsible for the losses?

And on your topic...if you are running your own mail server, you should be implementing some type of filtering software or utilizing blocklists. If the union says that those aren't allowed either, I would strongly encourage the union to realize that it is 2006, not 1906. Union workers are behind terminals and not in production lines.

Spyware isn't spam. I can't repeat that enough. Spyware isn't spam and it doesn't run out and subscribe people to spammy lists. Some spyware has the ability to SEND spam. Did it turn your mail server into a trojaned spam operation?

Spam occurs when you do many things online such as subscribing to newsletters, making an online purchase, posting to boards like this and using your real e-mail address, etc. It happens in lots of different ways, and preventing your users from browsing sites is not going to help your spam problem. You should probably read up on preventative measures that can be used against spam instead of worrying about spyware as a source of spam. (The spyware should be handled, but as a separate issue.)

Educating your users about spam and viruses is a good place to start. All my users get the basic "this is an example of spam, this is an example of a virus, this is what you don't need to do with them" speech when they start. They also receive e-mail updates from me when a new virus is making the rounds. I'm proud to have a great group of people working with me, we've been (knock on wood) virus and spyware free for almost 8 years.

I just can't see how a union can control how an administrator would run their system. I feel for you, but for the $Company to be protected, their computers must be protected.

 

[zarkon4]

If you are unable to get anything done after all of the good posts and feedback on this issue....quit.

Joking..(maybe). I look at it this way, the equipment is owned by the company and not the union.

 

[SF0751]

You don't mention what union your organization is affiliated with, but have you considered that your problems are not with "the union" but perhaps the individual local union steward that is at your organization? Explain to your directors and the union representative(s) what you need to do and WHY it needs to be done. And put it in writing, and back it up with facts & figures, if possible. There's a ton of great advise given in this thread for you to use to make your case.

Susan
"A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort."
- Herm Albright (1876 - 1944)

 

[thegirlofsteel]

Thank you all for your posts! I am going to begin a CYA campaign. In fact I sent an informative email to all staff on how to help prevent and combat spam.

I was just told today at my management meeting with my immediate director - which I wrote down in writing - that I was going to try out our accounting dept with a demo of surf control. My response was - let me talk to our CEO since it may become a union issue. ARRRGGG!!!

BTW! In light of what I have to deal with and having hypertension - I am going to be taking a transcendental meditation class! I feel my BP going up already

 

[langleymass]

This is an important issue. I worked in an office where many people signed up for anything. The result was tons of spam. There are some web sites that people should not be going to.