How SMBs can enforce user access policies

It's not enough to have a comprehensive written policy governing employees' access to your network. You also need a way to enforce the rules. You can use features built into Windows, as well as third party products, to keep unauthorized user activities from putting your network at risk.

In a large enterprise environment, there are apt to be sophisticated (and expensive) controls in place to prevent misuse or abuse of the company's computers and network by users. Small and mid-sized organizations may not have the budget or the IT expertise to implement such controls. Nonetheless, it's just as important for you to get a handle on what your users are doing. In fact, it may be more important for the SMB, which is less likely to have protections such as liability insurance to cover damage that might be done by a wayward user.

Your user access policies exist to protect the best interests of the company. But in today's connected business world, violation of those policies can result in much more than the lost productivity of an employee wasting company time. Going to unauthorized Web sites, using prohibited software (such as chat programs or peer-to-peer file sharing programs), installing games and other such activities can expose your entire network to significant security risks. And if such security breaches result in unauthorized persons gaining access to client/customer data, or in that data being disseminated, the organization could be put at risk of lawsuits or even--if your business belongs to a regulated industry such as health care or financial services--governmental scrutiny or criminal charges.


It’s not enough just to "lay down the law" about what employees are and aren’t allowed to do with their company-owned computers (or, for that matter, their own laptops, handhelds or home computers when connected to the company network either on-site or via remote access). It’s important to also have a mechanism for technological enforcement of those rules. Let’s take a look at some solutions SMBs can use to keep users on the straight and narrow.

Monitoring and controlling Web access

The World Wide Web is a wonderful source of information that can be useful to employees in doing their jobs. But it also has the potential to be a big source of trouble when employees visit the wrong sites from company computers. Some of the possibilities are obvious:

  • If pornographic sites are displayed on company computers or the images are downloaded and subsequently viewed by other employees, the company could be subjected to a sexual harassment lawsuit under Title VII of the Civil Rights Act of 1964 for creating a "hostile work environment."
  • If child pornography is viewed or downloaded to company computers, this could result in a criminal investigation and seizure of the computers in question, as well as arrest of one or more persons and negative news media attention for the company.
  • Many questionable sites, including porn sites, music download sites, hacker sites and "warez" (pirated software) sites, contain active content that can download viruses or other malicious software to the user's computer without his/her knowledge. Malware that arrives this way can spread throughout the company network or even beyond the local network, or the infected system can become an entry point for attacks on the network or be taken over to act as a "zombie" in attacks on other networks.

These are only a few of the dangers presented by uncontrolled access to the Web. But how can you address the problem without taking away Web access completely? Here are some solutions:

  • Many firewalls have the capability of logging users' Web access, so that you can see who visited what sites, and when.
  • Web content filtering software, such as Websense and SurfControl, can block Web sites based on vendor-maintained lists of reported offensive sites in many categories, by IP address/domain name, or by keywords.
  • Browsers can be configured not to allow download of executables and to block ActiveX, Java and other active technologies, which helps prevent "drive-by downloads" from sites that the filtering software does not block. Administrators can use Group Policy on Windows machines to apply browser security settings and prevent users from changing those settings.
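The following PowerShell script is an added example, not code from the article: it writes the Internet Explorer "Internet zone" restrictions described above into the machine-wide policy hive, so that the settings take precedence over anything a user changes in Internet Options. The registry locations and the value names (1001, 1004, 1200, 1803, 1C00) are the documented IE security-zone entries; the choice of which settings to disable is this example's own, and it must be run from an elevated session.

```powershell
# Added example (not from the article): lock down Internet Explorer's Internet
# zone (zone 3) through the machine-wide policy hive so users cannot undo it.
# Value names are the documented IE zone registry entries:
#   1001 = download signed ActiveX, 1004 = download unsigned ActiveX,
#   1200 = run ActiveX controls and plug-ins, 1803 = file download,
#   1C00 = Java permissions.  3 = Disable for the 1xxx values; 0 = Disable Java.
# Requires an elevated PowerShell session.

$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonePath   = Join-Path $PolicyRoot 'Zones\3'

# Desired Internet-zone settings (value name => value); this list is the example's choice.
$Lockdown = @{
    '1001' = 3   # Download signed ActiveX controls: Disable
    '1004' = 3   # Download unsigned ActiveX controls: Disable
    '1200' = 3   # Run ActiveX controls and plug-ins: Disable
    '1803' = 3   # File download: Disable (note: blocks ALL downloads in this zone, not only .exe)
    '1C00' = 0   # Java permissions: Disable Java
}

function Set-IeInternetZoneLockdown {
    # Create the policy keys if absent, then write each value as REG_DWORD.
    foreach ($path in @($PolicyRoot, $ZonePath)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # "Security Zones: Use only machine settings": HKLM wins over HKCU, so a
    # user cannot relax the zone from Internet Options.
    New-ItemProperty -Path $PolicyRoot -Name 'Security_HKLM_only' -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($name in $Lockdown.Keys) {
        New-ItemProperty -Path $ZonePath -Name $name -PropertyType DWord -Value $Lockdown[$name] -Force | Out-Null
    }
}

function Test-IeInternetZoneLockdown {
    # Read the values back and return the names that are missing or wrong,
    # so the same script doubles as a compliance check on existing machines.
    $drift = @()
    if (-not (Test-Path $ZonePath)) { return @($Lockdown.Keys) }
    $current = Get-ItemProperty -Path $ZonePath
    foreach ($name in $Lockdown.Keys) {
        if ($current.$name -ne $Lockdown[$name]) { $drift += $name }
    }
    return $drift
}

Set-IeInternetZoneLockdown
$bad = Test-IeInternetZoneLockdown
if ($bad.Count -eq 0) { 'Internet zone lockdown verified.' }
else { "Settings not applied: $($bad -join ', ')" }
```

In a domain, the same values are what the Group Policy "Internet Control Panel > Security Page > Internet Zone" templates write, so a GPO is the better delivery mechanism; the script is useful for workgroup machines and for auditing that the policy actually landed. Disabling 1803 blocks every download in the zone, so pair it with a Trusted Sites list for the business sites users must download from.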

Keeping e-mail "clean"

Malware is also brought into the LAN (and sent out) via e-mail attachments. Administrators can configure the mail server and/or client software to prohibit attachments of certain file types, attachments over a certain size, or even all attachments. Exchange Server doesn't do this natively, but third-party add-ons such as Mail Essentials for Exchange will give you this capability. Outlook and Outlook Web Access support attachment blocking, and the list of blocked file types can be extended by editing the registry.
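As an added example (not from the article), the PowerShell function below extends Outlook's built-in "Level 1" attachment block list, which is the registry mechanism the paragraph refers to: Outlook reads a semicolon-separated list of extra extensions from the `Level1Add` value under `HKCU\Software\Microsoft\Office\<version>\Outlook\Security`. The Office version number and the extensions added are this example's assumptions; the merge logic makes the change safe to re-run.

```powershell
# Added example (not from the article): extend Outlook's "Level 1" attachment
# block list so users can neither open nor save the listed file types.
# Outlook reads Level1Add / Level1Remove (REG_SZ, ".ext;.ext" format) from
# HKCU\Software\Microsoft\Office\<version>\Outlook\Security.
# 12.0 = Outlook 2007, 11.0 = Outlook 2003 (assumed default here).

function Add-OutlookLevel1Extensions {
    param(
        [string[]] $Extensions,
        [string]   $OfficeVersion = '12.0'
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Merge with whatever is already there, normalising to ".ext" lower-case
    # and removing duplicates, so repeated runs never grow the list.
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Level1Add
    $merged = @()
    if ($existing) { $merged += $existing -split ';' }
    $merged += $Extensions
    $merged = $merged |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ } |
        ForEach-Object { if ($_.StartsWith('.')) { $_ } else { ".$_" } } |
        Select-Object -Unique

    $value = $merged -join ';'
    New-ItemProperty -Path $key -Name 'Level1Add' -PropertyType String -Value $value -Force | Out-Null
    return $value   # e.g. ".zip;.rar;.docm;.xlsm" on a machine with no prior Level1Add
}

# Example choice: block archive containers and macro-enabled Office files,
# which Outlook does not block by default.
Add-OutlookLevel1Extensions -Extensions 'zip', 'rar', '.docm', 'xlsm'

# Level1Remove works the same way in the other direction: an extension listed
# there is treated as Level 2 (the user must save it to disk before opening).
```

Because the value lives under HKCU, it has to be applied per user, typically through a logon script or a Group Policy registry preference. Note that client-side blocking only protects Outlook; a user who reads the same mailbox through OWA or a POP client is covered only if the server or gateway filters the attachment as well, which is why the article recommends filtering on the server.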

Anti-virus software (server and/or client based) can help protect against viruses that make it onto the network.

It’s not just viruses and attachments that you have to worry about with e-mail. Problems can also be caused by employees sending or receiving improper messages or divulging company information. In this case, Mail Essentials and other solutions can block e-mail messages with specific words or phrases in the subject line or body of the message.

Preventing installation or use of prohibited software

On a Windows network, administrators can prevent users from installing or running specific software programs (or limit them to running only specified programs). This can be done via Group Policy or by editing the registry.

Windows Server 2003 and Windows XP/Vista also include a feature called Software Restriction Policies, which lets administrators control which programs are allowed to run. Programs can be identified by path, by file hash, by the certificate they are signed with, or by the Internet zone they were downloaded from, and the policy can be set to block everything that is not explicitly allowed.
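The PowerShell below is an added example, not code from the article. It sets the registry values behind two of the Group Policy settings the paragraph refers to ("Don't run specified Windows applications" and "Run only specified Windows applications", under User Configuration > Administrative Templates > System) and the machine policy that turns off Windows Installer for user-initiated installs. The registry locations are the documented ones; the program names and the chosen installer level are this example's own.

```powershell
# Added example (not from the article): registry values behind the Explorer
# policies DisallowRun (blocklist) and RestrictRun (allowlist), plus the
# Windows Installer policy DisableMSI.  Program names below are illustrative.

$ExplorerPolicy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$InstallerPolicy = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'

function Set-ExplorerRunPolicy {
    # $Mode 'DisallowRun' = listed programs are blocked, everything else runs.
    # $Mode 'RestrictRun' = ONLY the listed programs run. Test this on one
    # account first: omit explorer.exe or your admin tools and you lock yourself out.
    param(
        [ValidateSet('DisallowRun','RestrictRun')] [string] $Mode,
        [string[]] $Programs   # executable file names, e.g. 'utorrent.exe'
    )
    $listKey = Join-Path $ExplorerPolicy $Mode
    # Start from a clean list so programs removed from $Programs do not linger.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    # Switch the policy on ...
    New-ItemProperty -Path $ExplorerPolicy -Name $Mode -PropertyType DWord -Value 1 -Force | Out-Null
    # ... and enumerate the programs as REG_SZ values named "1", "2", ...
    $i = 1
    foreach ($exe in $Programs) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $exe -Force | Out-Null
        $i++
    }
}

function Disable-WindowsInstaller {
    # DisableMSI: 0 = always enabled, 1 = disabled for non-managed (user-initiated)
    # installs only, 2 = always disabled.  Level 1 still allows MSIs assigned
    # through Group Policy, which is usually what an SMB wants.
    param([ValidateSet(0,1,2)] [int] $Level = 1)
    if (-not (Test-Path $InstallerPolicy)) { New-Item -Path $InstallerPolicy -Force | Out-Null }
    New-ItemProperty -Path $InstallerPolicy -Name 'DisableMSI' -PropertyType DWord -Value $Level -Force | Out-Null
}

# Blocklist the chat and peer-to-peer clients the written policy prohibits.
Set-ExplorerRunPolicy -Mode DisallowRun -Programs 'utorrent.exe', 'limewire.exe', 'msnmsgr.exe'
Disable-WindowsInstaller -Level 1
```

The caveat a practitioner needs: DisallowRun and RestrictRun are enforced by the Explorer shell, and only by file name. A user who renames utorrent.exe, launches it from a command prompt or a script, or runs an installer that does not use Windows Installer is not stopped. That is the gap Software Restriction Policies close, because a hash or certificate rule follows the file regardless of its name or how it was started, and a default-deny path rule stops unknown executables in user-writable locations such as the profile and Temp folders.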


Creating user access policies to control what users can and can’t do on your network is essential in an Internet-connected business world. You shouldn’t rely on users to comply with the rules, though--instead, you should use technological enforcement mechanisms when possible. Preventing users from surfing to frivolous or even dangerous Web sites, sending and receiving e-mail with inappropriate content or dangerous attachments, and installing or running unauthorized software can protect your company from civil liability, criminal investigations and a negative impact on the bottom line due to time wasted on non-business-related activities.


Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...


I managed IT for a smaller business (50 million revenue, 200 employees) and had similar technical needs for addressing problems. This company was a subsidiary of a Fortune 500 company and subject to SOX, etc. For web filtering we used Squid with DansGuardian on Linux in a transparent proxy setup. All browsing was forced via the filter. I set up an interface for HR via a limited Webmin interface so they could adjust URLs, keywords, etc. as necessary. DansGuardian included Spanish language keywords - bonus. Low impact to budget, big impact to compliance and business benefit. We also put Snort on the same system for real time alerting of really bad activities. For email filtering we used Postfix/SpamAssassin/amavis in the DMZ. We found open source more flexible than most vendor products that we evaluated. No impact to budget, big impact to compliance and business benefit. We used GPO to limit users' ability to do things on desktops. An excellent tool for limiting damage - Active Directory shines in this area. I'll go with the results of a GPO over user education any day. It is unfortunate that the typical user is one click away from a botnet. As the internet has turned more dangerous to businesses many employees fail to see the correlation. Our overall goal was robust solutions that didn't require constant babysitting or funding. We found these 3 solutions worked great for our environment. Thankfully we had a mixed skill set and weren't chained to one platform.


An SMB may not survive downtime, loss of reputation and/or sensitive data and customer confidence, while a larger enterprise can probably weather a hit. So it is ultimately critical for SMBs to enforce security policies. The dearth of internal controls on systems and networks generally makes this difficult and labor intensive. I am part of an R&D lab that has produced a security product that does exactly this. It can start on one box and scales to the full enterprise. This product enforces security policies, rather than just monitoring after infractions. Help is on the way. Cheers.


Programs like Pop Peeper (disclaimer: I am not employed by nor am I receiving any compensation ... I just like the program) allow a workstation to view mail using user-administered rules, such as 'To' and 'From' addresses (if the mail is 'To' Jane and there is no Jane in your organization, pretty much bet it's spam), Subject, size and others without downloading the entire email. You can delete the message(s) off the email server without downloading onto the workstation, and you can open email in plain-text form at first and then allow HTML if the mail is deemed safe. You can also 'Reply' from there (opens your email program). Users still need to be trained in what to open and what not to, but it's a handy program. Lando


Maybe even e-mail rooms. I don't think that you'd want the boss or even the secretary to catch you surfing the web for your own pleasure while on the job in the workplace.


Interesting. Web surfing, just like any other activity, has to be carried out responsibly and with the right attitude. My experience is that, as network administrators/decision makers, we have to take difficult decisions due to the actions of some of our colleagues; it is all in the attitude.
