Web Development

Five tips for managing employee Internet access

When it comes to Internet usage, you don't want to be too restrictive -- but you may need to exercise some level of control over your users' activities. These suggestions can help you find a balance that suits your organization's needs.

There's a fine line between being Big Brother and keeping employees from wasting too much time on the Internet. And as we all know, there are plenty of ways to waste time on the 'net: Facebook, Twitter, chatting, shopping, scores... you name it. But how do you manage control of your employees -- and what type of control do you extend over them? Everything gets even more complicated if your business also depends upon the type of PR and marketing to be had from the likes of Facebook and Twitter. As more and more companies and businesses resort to these outlets for free advertising, different levels of control must be put into place.

Here are a few suggestions for tools you can use to manage this control, policies to implement, and ways to keep your employees from revolting.

1: Try Packetfence

Packetfence is one of the most powerful network access control tools available. It's an open source tool that can easily be installed and administered on either Red Hat Enterprise Linux or CentOS. You can also install on Ubuntu or Debian, but it's not nearly as easy. With this tool, you can manage who has access to what, what time they have access, and how much they have access to. Packetfence helps keep unwanted users/devices from accessing your network, too. If you are serious about controlling your network, this tool should be at the top of the list of those you want to test.

2: Try OpenDNS

OpenDNS is an industry-leading Web content/security/DNS tool that is completely Web based. With OpenDNS, you can filter content, prevent phishing, block page bypass (Enterprise only), protect against malware (Enterprise only), delegate administration (Enterprise only), and much more. You will have detailed daily reports as well as archived logs and statistics. With content filtering, you can select from more than 50 categories and prevent the use of proxies for bypassing filters. There are different plans, ranging from Free to Enterprise. Pricing can be found on the OpenDNS Web site.

3: Monitor network usage

If you are less inclined to do a catch-all prevention of certain Web traffic, you might want to look into tools that will monitor network usage. With tools of this nature, you can keep tabs on what your users are viewing online and then act accordingly. This is a much less Big Brother approach to managing what your employees are viewing. By handling this task this way, you are more inclined to have a lower attrition rate from employees not wanting to work in a controlling environment. A tool like Net Spy Pro allows you to monitor employee Web usage from a single desktop. This particular tool even allows the administrator to view employee bookmarks and favorites. Although some think this a better approach than implementing policies and preventing access to certain (or all) Web sites, many people view this quite the opposite. As I said earlier, it's a very fine line.

4: Make sure you have a clear access policy

Instead of employing controlling software, it might better suit your environment and employees to have clear policies in place that prevent the usage of certain Web sites during work hours. This method does call upon the honor system (unless you are using a monitoring tool), which gives your work environment a more relaxed feel. The problem with this method arises when you discover an employee abusing the policies and you do not react. If you lay out a clear policy and do not punish those ignoring it, you may as well throw that policy out the door and forget about having any control whatsoever.

5: Give a little now and then

Along with having clear policies, you have to be willing to offer some flexibility. During the holiday season, employees are going to shop online. During March Madness, employees are going to check basketball scores. You must be willing to give or you will find yourself with some upset employees. If you are never willing to bend on your policies, the attrition rate may rise during certain times of the year or with certain cross sections of employees. (Older employees may be less apt to take issue with such policies than younger employees.)

Finding the balance

The saying "Everything is relative" applies here -- as does "Everything in moderation." The real problem with employees surfing the Web happens when it interferes with actual work. This could be too much browsing or browsing to unsafe or inappropriate sites. You, as an employer (or manager) must tread that fine line between too much and too little control over what employees can do with their Web browsing.

Take our poll

What measures does your organization rely on to manage employee Internet activity? If your approach isn't one of the options, explain your strategy in the discussion below.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

35 comments
sandiemill
sandiemill

I was reading through the thread and I could somehow relate with the fact that I also want to monitor my employees who are working from home. That is because the tendency to become more unproductive is high since they are working at their own time and pace. Maybe you also need something like this one mentioned in this review: http://reorg.co/timedoctor-review-2012-04/ I think that was designed for this setup. I think I would also start using it for my remote employees.

cer4
cer4

I heard ActyMac DutyWatch ( www.actymac.com ) is a good monitoring software, anybody used it?

sue
sue

BrowseControl has been very effective for managing Internet access at our workplace. Easy to install, then define the Allowed List (White List). Can also block chat or other applications. Also use BrowseReporter for monitoring Internet browsing on users systems.

chaz15
chaz15

to say older employees will accept control of browsing more than younger employees. I am approaching 60 and I find restrictive Internet access VERY interferential and a most unnecessary restrictive regime. PLEASE avoid further AGIST comments.

cloakedrun2001
cloakedrun2001

A while back we had an "issue" with one employee's accessing the internet. After a little Googling, I found, and downloaded the open source IP Cop, and a few of the add-ins. I built an additional "router" which I configured to work behind our outbound router / firewall. The analogy here is basically that of a railroad siding. I simply modified the users machine's DHCP reservation so that his machine's gateway was the IP Cop box. Voila! Worked like a charm. Now, using DHCP from our Active Directory I can route the traffic of any given machine I want through the "filtering" aforded by IP Cop - all for virtually no cost. It does not interefere with "trusted" users, it does not affect the attack surface privided by our hardware firewall, it was a snap to install and set up, and is totally flexible! I really am warming up to linux / open source these days! (fed up with pouring money into the black hole of ongoing license fees!). :)

pmolina
pmolina

Checking Scores for March Madness might be bad, but.. One of the most addicting events I have found on the internet is the Tour de France. The coverage of it at LeTour.fr is very good. I am not a bike race fan. At all. But I have to tip my hat to these guys, they make the internet work for them. I'll go out on a limb and say that what tv is for football, the internet COULD (note the qualifier please) be for bicycle racing.

ndveitch
ndveitch

I have a different situation to most network admins. When I took over the network where I'm working, I got strict instructions from a few of the Directors that should any employee not be able to get onto facebook or youtube I would have to find myself other work. It sounds great, but here in South Africa where we have limits on our bandwidth usage. It gets kind of tricky trying to explain to the bosses that the more they watch youtube and other online videos, the more bandwidth they use and the more it will cost. The other thing is trying to get them to understand that if everyone is on youtube then the connection is going to be a lot slower than they want it to be. Oh well, just thought I would throw that in.

mail2ri
mail2ri

I have not seen any CIO brave enough to tackle this issue head-on. While most of them are happy policing their own staff in IT Depts, most CIOs develop cold feet when it comes to imposing restrictions on end-users. CIOs only provide lip-service to their carefully drafted corporate Internet Usage Policy, but rarely resort to imposing the sanctions mentioned therein. If a corporate has well-defined Internet access & usage policy, there is no reason why lower-level staff should grapple with such back-room manoeuvres.

chris_thamm
chris_thamm

We've solved our Internet (ab)use problem by blocking all UDP traffic that attempts traverse our firewall. Our firewall forwards DNS requests/responses to/from our ISP's DNS servers. So far, no enmployee has come up with a valid reason for needing UDP for work-related Internet access. If they want to surf, we let them. It will be obvious if they're wasting working hours on the Internet by the amount of work that gets done. Those that waste too many working hours, lose Internet entirely.

paul
paul

In a real world Windows based environment ... right... Someone needs to wake up and smell the roses...

alistair.k
alistair.k

Is to set meaningful goals for the staff who report to you and mange them against those goals and objectives. This has the added benefit of managing their smoke breaks, chats with coworkers, long-lunches, newspaper reading, etc. etc. I'm not advocating giving your staff so much to do they are buckling under with it, but if you have a well managed work force they won't have time to be slacking off. Any downtime they have when meeting expected targets is just part of the natural eb and flow of working patterns. None of us get through the day without chatting to a friendly coworker, checking the scores, whatever it is we are interested in. If you have a company where a significant % of your staff are slacking off routinely then you have a badly managed workforce. The problem is not internet access, facebook, monitoring tools, etc. it is the management of the business. Even if you ban it right off your network people can use smartphones, iPads, whatever to access Facebook, Twitter, LinkedIn, WebMail, IM, etc. without you ever tracking that. other than lead lining the walls of your office you can't stop it either. OK, there is a different take on this if you are talking about the security of your network and risks through malware, data leakage, all that which may be percieved via social networking et al. That is where the IT part of this comes it. Managing workforce productivity is the job of business unit managers.

ElTel
ElTel

..which I implement internally and at one of my customers is Untangle server. It is by far and away the best solution for managing who can do what on the internet. Best of all, it's open source and for the most part free.

Tony Hopkinson
Tony Hopkinson

Don't have a lot of time for it personally, but they seem to think it helps. Sites are blocked on types of content, but the bulk of the "management" is employing responsible professionals... When it gets down to it, particularly if your people ae techs, it's the only viable solution. The policies are clear and strong, but the main thrust is try and shield employees from ending up on a high risk sites through some hidden or misleading link, or javascript twiddle.

Daniel Breslauer
Daniel Breslauer

How would the others here restrict internet access on laptops for home workers? This is my big problem... I support some 35 analysts who are only allowed access to specific sites (that may change infrequently). Previously we used Group Policy (proxy set to 127.0.0.1, Internet Options Connection tab disabled, exceptions listed in GP Proxy Settings). Now I actually use a free software that was made for a quite different public - Windows Live Family Safety. (Together with Windows Live Mesh for remote access.) It allows me to add and remove websites for viewing for all users in two clicks, to make exceptions for specific employees - anything I want, fast and without even needing to remotely access their laptop. Any thoughts?

ariyano
ariyano

Well, I let my users use the net, it's all open for them, But they can only download stuff and surf, they are restricted to Upload any kind of attachments, weather it's via their email, upload sharing sites or AIM. I also have restricted download to a max size of 2mb and all extensions like .exe/.rar/.zip are on the blacklist. Aj.

TheShawnThomas
TheShawnThomas

I've setup IPCop and have it working fine but have yet figured out the monitoring addins. I tried: Banish- but it only seems to block IP's, not domains as a whole (how do I block something like sirius radio which has several IP's? many time I don't want to block a whole range as there might be other site hosted in that space.) Who Is Online- no clue Extra Graphs- no clue Any suggestions?

WiseITOne
WiseITOne

I wonder how much longer your company will be in business. Personally, I do not find the need to monitor and hand hold employees. Open the floodgates with two exceptions: 1. Traffic is effected by end users high bandwidth useage. 2. End users cause network disruption/attacks due to their internet useage habbits. Other than that. I agree with the above posts. It is up to management to monitor their employee and provide sufficient work for them to do. If an employee has time to surf then it is the manager who has failed to set goals and objectives or the company just doesn't have the workload - if this continues long term then I would question the longevity of the company or business unit. If someone has copious amounts of time to web surf they shouold look into finding another job. Some people enjoy not having work...they are called lazy workers. Seriously, the amount of resources and money used to MONITOR and TRACK from IT is stupid and a waste. Management needs to own up and start doing their job. Employees need to be their own agents, if they want to surf let them surf safely. Some days we all need a little break. Honestly, I get bored web surfing after a few minutes...sad I know. I think it is information overload. Too many sites to go to.

william.byrd
william.byrd

There is a company called eTelemetry that makes an appliance that can monitor your internet gateway and report on how much time your employees are spending doing what and at which sites, but also allows you to prioritize bandwidth usage by the person... That timewaster can get internet access but only at 56k and only to approved sites while the CEO gets full speed and can see anything he/she wants. http://www.etelemetry.com/products/metron.aspx

mfcoder-hh
mfcoder-hh

Completely agree, and I've been banging on the same drum for years, but to deaf ears. Last year my company banned access to any 'football' sites during the World Cup. Of course, rather than help productivity it hindered it, as people spent ages hunting for non-blocked sites (Top Tip: go to a 'fusball' site and get Google to translate for you). It's the easy answer - rather than correctly manage those who abuse access, try a blanket block for all (apart from the CEO of course - let him do what he likes). I feel you don't work for one large company in Nottingham with this attitude. To your credit.

bblackmoor
bblackmoor

Amen. All of this site blocking and monitoring nonsense is just a burden on the business and winds up making employees *less* productive. How many of us have had to jump through ridiculous hoops to get access to a web site that was necessary to do the job we were being paid to do? Most of us, I am certain. If you want to keep the work force productive, stop micro-managing their down time and start setting meaningful goals and objectives. This whole "monitoring internet usage" is nothing but an expensive red herring. Good post, Alistair K. Well done.

DBozym
DBozym

I couldn't agree more with your statement.

Fionnmaccumhailus
Fionnmaccumhailus

This it what I've been telling one of my customers for years (they completely restrict Internet access) and have yet to get them to see the light. This is also the same argument I use with people that don't like about having remote workers or home office workers. Managing goals, managing productivity, and mentoring obviates any need to control all aspects of an employee's day.

jasonemmg
jasonemmg

Where on the network would my 'Untangle" box sit? Does it go between my Firewall and 2003 Server or my T1 router and firewall? Thanks!

jamey123
jamey123

I have been using untangle since before version 6. It is a truly great product using a combination of os offerings, runs on debian, and is scalable. I would recommend the bare metal install though.

chaz15
chaz15

Microsoft Live Family Safety while helpful in young family situations, is pervasive to adults and applied in the way you do DICTATORIAL. If you are Jewish, shouldn't you detest ALL forms of dictatorship?

AnsuGisalas
AnsuGisalas

add the link, and I'll get to work :D

four49
four49

Why exactly do you need to control what sites people visit while working at home?

jasonemmg
jasonemmg

Your employer is paying you for work production not to sit at your PC/MAC,etc. and watch soccer, hockey, baseball or any other live sporting event... There is a difference between popping on a site to check a score and streaming a live event using the companies bandwidth. We do not always block sites at first but if we notice employees doing more score watching than work we will block the site(s) from their PC first off then take it from there in the future.

Daniel Breslauer
Daniel Breslauer

They have access to documnets via a specific application on their desktop, which our client does not want us to allow them to be able to send outside in any way. For the same reason, USB and DVD write access are disabled. If they had internet access they could send anything outside via any sort of website... Now since the content we're talking about is *public domain* legal records, I don't really understand (and personally, strongly disagree with) the website blocking also, but if that's what they want, that's what we'll have to do...

AnsuGisalas
AnsuGisalas

Why not use HOSTS? The users don't have administrative privs for the laptops, I assume - and even then editing Hosts is sorta difficult.

Editor's Picks