In a large enterprise environment, there are apt to be sophisticated (and expensive) controls in place to prevent misuse or abuse of your company's computers and network by users. But small and mid-sized organizations may not have the budget or the IT expertise to implement such controls. Nonetheless, it's just as important for you to get a handle on what your users are doing. In fact, it may be more important for the SMB, who is less likely to have protections such as liability insurance to cover damage that might be done by a wayward user.
Your user access policies exist to protect the best interests of the company. But in today's connected business world, violation of those policies can result in much more than just the lost productivity of an employee wasting company time. Going to unauthorized Web sites, using prohibited software (such as chat programs or peer-to-peer file sharing programs), installing games and other such activities can expose your entire network to significant security risks. And if such security breaches result in unauthorized persons gaining access to, or disseminating, client/customer data, the organization could be put at risk of lawsuits or even--if your business belongs to a regulated industry such as health care or financial services--governmental scrutiny or criminal charges.
It’s not enough just to "lay down the law" about what employees are and aren’t allowed to do with their company-owned computers (or, for that matter, their own laptops, handhelds or home computers when connected to the company network either on-site or via remote access). It’s important to also have a mechanism for technological enforcement of those rules. Let’s take a look at some solutions SMBs can use to keep users on the straight and narrow.
Monitoring and controlling Web access
The World Wide Web is a wonderful source of information that can be useful to employees in doing their jobs. But it also has the potential to be a big source of trouble when employees visit the wrong sites from company computers. Some of the possibilities are obvious:
- If pornographic sites are displayed on company computers or the images are downloaded and subsequently viewed by other employees, the company could be subjected to a sexual harassment lawsuit under Title VII of the Civil Rights Act of 1964 for creating a "hostile work environment."
- If child pornography is viewed or downloaded to company computers, this could result in a criminal investigation and seizure of the computers in question, as well as arrest of one or more persons and negative news media attention for the company.
- Many questionable sites, including porn sites, music download sites, hacker sites and "warez" (illegal software) sites, contain active content that can download viruses or other malicious software to the user's computer without his/her knowledge. Viruses that are downloaded this way can spread throughout the company network or even beyond it, and the infected system can become an entry point for attacks on the network or be taken over to act as a "zombie" used in attacks on other networks.
These are only a few of the dangers presented by uncontrolled access to the Web. But how can you address the problem without taking away Web access completely? Here are some solutions:
- Many firewalls have the capability of monitoring users’ Web access, so that you can see who visited what sites, and when.
- Web content filtering software, such as Websense (www.websense.com) and SurfControl (www.surfcontrol.com) can block Web sites based on lists of reported offensive sites in many categories, by IP address/domain name, or by keywords.
- Browsers can be configured not to allow download of executables and to block ActiveX, Java and other active technologies, to help prevent "drive-by downloads" from sites that may not be blocked by filtering software. Administrators can use Group Policy on Windows machines to apply browser security settings and prevent users from changing those settings.
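One way to apply the browser lockdown described above on a single Windows machine, as an added example that is not part of the original article: the script writes the Internet Explorer Internet-zone settings into the machine policy hive, which is the same place the Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone stores them, so users see the controls greyed out. The numeric value names are Internet Explorer's documented zone action IDs; zone 3 is the Internet zone. Run it from an elevated PowerShell prompt.

```powershell
# Added example: lock down the Internet zone (zone 3) via the policy hive.
# 0 = enable, 1 = prompt, 3 = disable for the 1xxx/18xx actions;
# for 1C00 (Java permissions) the value 0 means "disable Java".
$zonePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$settings = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1803' = 3   # File download (blocks executables and other downloads)
    '1C00' = 0   # Java permissions: disable Java
}

# Create the policy key if no zone policy has been applied on this machine yet
if (-not (Test-Path $zonePolicy)) {
    New-Item -Path $zonePolicy -Force | Out-Null
}

# -Force overwrites any value already present so the script is safe to re-run
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $zonePolicy -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# Read the values back so the change can be confirmed before rolling it out
Get-ItemProperty -Path $zonePolicy |
    Select-Object -Property ($settings.Keys | Sort-Object)
```

In a domain, set the same values through Group Policy instead of running the script on each machine; the policy hive values take precedence over whatever the user chooses in the browser's own Security tab.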
Keeping e-mail "clean"
Malware is also brought into the LAN (and sent out) via e-mail attachments. Administrators can configure the mail server and/or client software to prohibit attachments of certain file types, attachments over a certain file size, or even all attachments. Exchange Server doesn't do this natively, but there are third-party add-ons available, such as Mail Essentials for Exchange, that will give you this capability. Outlook and Outlook Web Access support attachment blocking, which can be configured by editing the registry.
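The Outlook registry setting mentioned above, as an added example that is not from the original article: Outlook already blocks a built-in list of "Level 1" attachment types, and the Level1Add value extends that list. The script assumes the Office version key 12.0 (Outlook 2007) and the per-user policy path that the Outlook Group Policy templates write to; substitute the version installed on your desktops, and use HKCU:\Software\Microsoft\Office\<version>\Outlook\Security if you are not deploying it as a policy. The extension list is a constructed sample.

```powershell
# Added example: add extra attachment extensions to Outlook's Level 1 block list.
# Level1Add is a semicolon-separated list of extensions, each with its leading period.
param(
    [string]$OfficeVersion = '12.0',                               # assumption: Outlook 2007
    [string[]]$ExtraBlocked = @('.zip', '.rar', '.iso', '.js', '.wsf') # constructed sample
)

$securityKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security"

if (-not (Test-Path $securityKey)) {
    New-Item -Path $securityKey -Force | Out-Null
}

# Merge with anything already present so a second run does not discard
# extensions that were added earlier by hand or by another script
$existing = (Get-ItemProperty -Path $securityKey -Name Level1Add `
    -ErrorAction SilentlyContinue).Level1Add

$merged = @()
if ($existing) { $merged += $existing -split ';' }
$merged += $ExtraBlocked
$merged = $merged |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim().ToLower() } |
    Sort-Object -Unique

New-ItemProperty -Path $securityKey -Name Level1Add -PropertyType String `
    -Value ($merged -join ';') -Force | Out-Null

# Show the resulting list; Outlook reads this key at startup, so it must be restarted
Get-ItemProperty -Path $securityKey -Name Level1Add
```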
Anti-virus software (server and/or client based) can help protect against viruses that make it onto the network.
It’s not just viruses and attachments that you have to worry about with e-mail. Problems can also be caused by employees sending or receiving improper messages or divulging company information. In this case, Mail Essentials and other solutions can block e-mail messages with specific words or phrases in the subject line or body of the message.
Preventing installation or use of prohibited software
On a Windows network, administrators can prevent users from installing or running specific software programs (or limit them to running only specified programs). This can be done via Group Policy or by editing the registry.
Windows Server 2003 and Windows XP/Vista include a feature called Software Restriction Policies by which administrators can control the ability of installed programs to run.
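An added example of a Software Restriction Policies rule, not code from the original article: it adds a "Disallowed" path rule through the same registry keys that the Local Security Policy console (secpol.msc) writes. It assumes that Software Restriction Policies have already been created once from secpol.msc on the machine (that first step writes the baseline values the engine needs, such as the executable-type list and the default level), and the program path is a constructed placeholder to be replaced with the software you want to prohibit. Run it from an elevated prompt.

```powershell
# Added example: add a Software Restriction Policies path rule at the
# "Disallowed" security level. Rules for that level live under subkey 0,
# one GUID-named key per rule.
$blockedPath = 'C:\Program Files\ExampleP2PClient\*'   # placeholder path
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Refuse to run if SRP was never initialised; creating the whole policy by
# hand is error-prone, so do that once in secpol.msc first
if (-not (Get-ItemProperty -Path $safer -Name DefaultLevel -ErrorAction SilentlyContinue)) {
    throw "No Software Restriction Policy found under $safer; create one in secpol.msc first."
}

$disallowedPaths = "$safer\0\Paths"
if (-not (Test-Path $disallowedPaths)) {
    New-Item -Path $disallowedPaths -Force | Out-Null
}

# Each rule is a new key named with a GUID in braces, as the console does
$ruleKey = Join-Path $disallowedPaths ([guid]::NewGuid().ToString('B'))
New-Item -Path $ruleKey -Force | Out-Null

# ItemData is the path pattern (expandable so %ProgramFiles% style values work);
# SaferFlags 0 and LastModified (FILETIME) mirror what the console records.
New-ItemProperty -Path $ruleKey -Name ItemData -PropertyType ExpandString `
    -Value $blockedPath -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name SaferFlags -PropertyType DWord `
    -Value 0 -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name Description -PropertyType String `
    -Value 'Block unauthorized file sharing client' -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
    -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null

# Check: list every Disallowed path rule now recorded on this machine
Get-ChildItem -Path $disallowedPaths | ForEach-Object {
    (Get-ItemProperty -Path $_.PSPath).ItemData
}
```

The rule applies to processes started after the change; confirm it in secpol.msc under Software Restriction Policies > Additional Rules, and in a domain push the same rule through Group Policy rather than editing each machine.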
Creating user access policies to control what users can and can’t do on your network is essential in an Internet-connected business world. You shouldn’t rely on users to comply with the rules, though--instead, you should use technological enforcement mechanisms when possible. Preventing users from surfing to frivolous or even dangerous Web sites, sending and receiving e-mail with inappropriate content or dangerous attachments, and installing or running unauthorized software can protect your company from civil liability, criminal investigations and a negative impact on the bottom line due to time wasted on non-business-related activities.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.