
Yes, I am the Web surfing police


One of the duties that long ago fell upon me as the IT Manager in a small company is the responsibility to monitor and report on the Web surfing activities of my co-workers. Yes, I am the Web surfing police in my company. It is not a job that I relish. It sometimes causes friction between me and the other employees, even if in jest, because they know that I know all about their web surfing habits, at least at work.

My first experience with surf monitoring

When I first was asked by management to report on Web sites that employees were visiting, I evaluated a few choices like SurfControl and WebSense. Of course, WebSense has now acquired SurfControl. Websense was still new so I chose SurfControl in the earlier company, put it on a server and on a hub so I could see all the traffic in the enterprise and began the monitoring process. I loved the awesome reporting features of SurfControl.

My boss, the CFO, did not tell his boss, the CEO that he had asked me to start monitoring and reporting on Web surfing activities of everyone in the company. I was a little shocked one day when summarizing my weekly report to discover visits by the CEO to Web sites that were against the company policy. I discreetly advised my boss. He asked me to print the reports, seal them up, give them to him but continue the monitoring process.

I should not have been, but a few months later, I was surprised when the CEO was removed from his position by the board of directors. I knew the real reason for what had happened. I also knew how it had happened that someone in such a position of power like that could be toppled by a lowly IT Manager and CFO. I did not intend to be the cause of his demise and of course, I wasn't. He shot himself in the foot by his indiscriminate Web surfing.

Some Web monitoring software is spyware

When I came to my present company and was again asked to implement employee Web activity monitoring software, I recommended WebSense. The CEO balked at the price so we came up with an alternative from a little company that you have probably never heard of. It is called Track4Win from Sepama Software. It is a great product and has worked well for us. Symantec calls it Spyware, so I had to exclude it from my AV system.

I suppose it can be considered Spyware. In the professional version, the client is installed on each workstation, disguises itself with some innocuous sounding name, and promptly hides itself from the task manager upon startup. It not only tracks every web site visited, but also reports on which programs the employee uses and which files are opened locally or on a server. It has some bugs but for the most part it is a great little product.

Since the request had come directly from the CEO, I did not tell anyone that I had installed the client software, not even my immediate supervisor. He was sharp enough to figure it out and promptly removed it. Nobody else in the company is tech savvy enough to know how to monitor programs in the startup section of the registry let alone know how to remove them. However, everyone in the company knows that it is there.

I have had very few occasions where I have had to advise a supervisor of inappropriate Web surfing by members of their department. I think it has happened once or twice in the past year. The offense is usually committed by a new employee who did not read the employee handbook or believe that anybody could possibly know what web sites they were visiting, especially late at night when nobody else is around.

Monitoring of Web surfing is a volatile topic

I know this is a volatile topic which incites strong reactions. Nobody likes to be spied upon and there have been several lawsuits about employer monitoring of Web site visits by employees. The monitoring and enforcement protect the employer from sexual harassment lawsuits. I can't tell you how many times I have gone to work on a user's computer and found porn stashed away or even openly displayed in a minimized browser or history.

This is not a comment about porn. Alright, maybe it is. As an IT Manager I hate porn Web sites because so many of them are filled with malicious Trojans and other nasties. It is such a waste of time for me to have to clean up after my road warriors bring in their laptops and sheepishly say that something has infected it.

I used to tell employees that if they wanted to surf porn to do it on their home computers. I don't say that anymore because so many of them now connect to our network via a VPN and Remote Desktop. I am responsible for the security of my network and I don't want any crap getting in from their home computers.

37 comments
reportguy

You are not alone. This is becoming less and less taboo, and widely accepted practice. Especially with today's economy and the need to gain visibility into productivity. Many of my friends in IT positions use less invasive tools that can access and report by utilizing devices already in place like firewalls with products like www.webspy.com

catseverywhere

You say: "Nobody else in the company is tech savvy enough to know how to monitor programs in the startup section of the registry let alone know how to remove them." Pray tell, how? I have never had to hide something running on a machine. I've also not had occasion to figure out if something is running behind the scenes on a Windows machine, though it'd probably be a good idea to know how. What were you specifically thinking when you wrote this? As for the browsers in the lunchroom, you should set up a minimal Linux distribution on them. With all the different hands there'd be on a "public" machine, not to mention the potential to hit a dangerous site, Linux will prevent anyone from breaking the OS. Not that the goal would be to allow "illegal" browsing...

pblasi

I used to do it using watchguard firewall with web blocker, but now I set up an MPLS network at the new office and everything is done by the ISP. I have a block of IPs that are unblocked assigned to the office top tier and the rest is only opened for normal use (email, google, etc). If a particular website is blocked and an employee needs access then they have to submit a request, get it approved by Office Manager then fwd to ISP to whitelist. We open the firewall for all during lunch hours, it is pretty silly to see all these companies treating their employees as slaves instead of realizing that the money they get in is because of them. We have pool tables, HD tv, happy hour, etc at our office. Keep them happy, they will work better hence they will get more money in...

BALTHOR

And have them on the Internet. You'll avoid "Does anybody know why the system crashed"? You could also warn them that surfing for iPorn will freeze up your system. Using your company work computer to iSurf is disdain.

alex.a

>> I did not tell anyone that I had installed the client software, not even my immediate supervisor. He was sharp enough to figure it out and promptly removed it.

The Listed 'G MAN'

I set up and configure the system - the actual policing happens when others read the reports. My surfing habits along with everybody else is reported on. What I use: I take a modified ipcop install, with additions to create a proxy server installed on a VM within the LAN. All web requests go through the proxy and hence blocking / logging / scanning happens. There is another ipcop proxy on the DMZ that requests are passed to, configured to report on a different set of stats & blocks and has the firewall section turned on. Why two? Snort on the DMZ Servers are not configured for LAN proxy (SMTP reasons), only DMZ. Cost was around 0. Wow - every post I read has you in some debacle or another, normally due to somebody telling you to do something and you blindly following (or that is how it comes over). Now that you are in a position of power, do you expect others to blindly follow you, or not? Is it a case of 'stop talking and resume the lima bean harvest' around your place of work?

AV .

And the email police. It's a dirty job, Tim, but someone has to do it. It really should fall more under the HR umbrella though, in my opinion. I used Websense and thought it was very good as far as enforcing policies, but the administrator module was complicated to configure and the reports misleading unless you really customized them. I would still recommend it as an excellent product, but you need to spend time with it. The company I worked for, a law firm, had a very detailed policy in place for the use of Internet, email, computers and other electronic devices. People had to read and sign that they received the policy and understood it. What your boss did is really unethical because he did it stealthily. It sounds like your boss really wanted the CEO out, probably knew about his activities already and needed proof. You became an unwitting part of his sting operation. Did they have a policy in place at that company that would legally protect YOU as the web police? Thanks for the Track4Win link. I tried to get Websense too, but it's cost prohibitive right now where I work. Web monitoring is always controversial, but the bottom line is that there is a limit to what you should do online at work. AV

tech.hirak

Yes, I am the web surfing police

tmalonemcse

Part of my job is to monitor and report on the web sites visited by my co-workers. Management is trying to avoid lawsuits and improve productivity. It is not a part of my job that I enjoy. Read the original post: http://blogs.techrepublic.com.com/techofalltrades/?p=136 There are several items there that you might enjoy discussing. 1) Is it OK for employers to monitor the web sites you and other employees visit? 2) Do you monitor web surfing in your organization? What software do you use? 3) Does your job require you to monitor and report on your co-workers in this way?

tmalonemcse

There are three or four areas to look when you want to know what is running in the background on Windows:

1. The Processes tab in the Task Manager. Be sure to click on "show processes from all users." If you don't recognize something running in there, Google it. Beware of all the stupid people trying to tell you that it is spyware and you need to buy their software to remove it.
2. Services under Administrative Tools. The same thing applies here. If you are not familiar with the common and usual services that run on your workstation, you should be. This is a great way to find hidden spyware.
3. The Startup tab on MSconfig. You run that from Start->Run. This shows all the stuff that is in the Run section of the registry, which I erroneously labeled "Startup" in my post. Be careful disabling stuff here.
4. The "Run" key in the registry. Use "regedit". The location in Windows XP is: My Computer\HKEY_LOCAL_MACHINE\ Microsoft\Windows\CurrentVersion\Run

The application I referred to in my post is very ingenious in that you cannot see it running in the task manager. The only way you can tell it is there is if you look in the Run section of the registry. It renames itself as a different name on each computer. Edited to correct dyslexic word.
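
The Run key and Services checks from the reply above can be done in one pass from PowerShell. This is an added example, not code from the post or the thread; it assumes PowerShell 3.0 or later, and the baseline names in it are constructed placeholders.

```powershell
# Added example (not from the thread): list what the Run keys and auto-start
# services launch, and flag entries that need a human look.

# Assumption: value names you have reviewed and approved on your standard build.
# Both names are constructed placeholders.
$Baseline = @('ExampleApprovedAgent', 'ExampleVpnClient')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-CommandPath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\App\app.exe" /background
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"?(.+?\.exe)') { return $Matches[1] }
    return $null   # e.g. a script or a bare DLL reference
}

function Get-SignatureStatus {
    # Authenticode status of the file on disk, or a marker if it cannot be found.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'FileNotResolved'
    }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

# Run keys: a value name outside the baseline is the signal, because the client
# described in the post uses a different name on each computer.
$runEntries = foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        [pscustomobject]@{
            Source    = $key
            Name      = $name
            Command   = $command
            Signature = Get-SignatureStatus (Resolve-CommandPath $command)
            Review    = $Baseline -notcontains $name
        }
    }
}

# Services: there are too many to baseline by name here, so flag any auto-start
# service whose binary does not carry a valid signature.
$services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" |
    ForEach-Object {
        $status = Get-SignatureStatus (Resolve-CommandPath $_.PathName)
        [pscustomobject]@{
            Source    = 'Service'
            Name      = $_.Name
            Command   = $_.PathName
            Signature = $status
            Review    = $status -ne 'Valid'
        }
    }

@($runEntries) + @($services) |
    Where-Object { $_.Review } |
    Sort-Object Source, Name |
    Format-List Source, Name, Command, Signature
```

A flagged entry is a prompt to look, not a verdict. As a later reply in the thread points out, none of these views would show a rootkit loading.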

tmalonemcse

Hey! I like it. We have ping-pong tables, old broken TVs and bottled water. You open the firewall for all during lunch hour? You mean unlimited port 80 only, right? Glad to hear that MPLS is working for you. We have been considering it. Company web access policy allows personal banking, web email and other basics like that. It's rare that anybody hits the no-no list. Yes, we are slaves, but not unhappy slaves, just well-monitored.

tmalonemcse

And you know what? That's a great suggestion about the Internet surfing computers in the lunchroom. Warning people that iSurfing for iPorn causes iCrashes is also a good iDea.

Forum Surfer

I have several people that previous management granted "admin" rights to. They even had it in writing that they were required to be local admins. Works for me! I simply locked down the policy to the point where local admins still had the same rights as standard users. To actually work on the box you had to log on as a domain admin or a member of a group I have dedicated for pc techs.

tmalonemcse

The boss used to be the sysadmin before I came on board. There's no way he was going to let me limit his local privileges to user or power user. I also ran into too many problems with poorly written applications that threw up without explicit but unidentified folder permissions. It was easier to just make the domain user a local admin for the sake of productivity. I know, it's not a best practice and probably very easy to remedy but solved the problem in the short run. It has bitten me several times as users have installed crap that they should not have been able to do.

Dumphrey

But use a standard Debian System with Squid and webmin installed. I am less concerned with the blocking of websites than I am with the bandwidth reporting. As small as our company is, it quickly becomes apparent if someone is not working to our needs.

CharlieSpencer

1) Is it okay to monitor employee web use? Yes. The company is paying for the Internet connection and the computers. These are company resources and should be monitored the same as any other company asset (cars, apartments, tools, etc.) 2) Do you monitor web surfing? Depends on how you define 'monitor'. We record web activity but don't look at the logs in detail or on a regular basis unless... 3) Does your job require you to monitor and report? We respond to requests from supervisors to report Internet activity for individual employees. The request is first discussed in a brief meeting with the supervisor and the Human Resources manager. I actively police e-mail. Don't call me and ask for more e-mail storage space without expecting me to first delete everything you have that isn't directly work-related. Let's see how much space you have after I've blown away all the jokes, pictures, videos, etc.

tom.marsh

Does this scream "power-play" to anybody but me? Likely the CFO knew of his activities, and had you implement a monitoring solution (in secret) to help eliminate this office competitor. Did that CFO end up in the CEO post?

tom.marsh

...Includes disclosure to ALL employees that they are being actively monitored. What employees hate about these technologies isn't that they exist, or even that they're used, but that some petty managers want to deploy them in secret, with little or no supporting corporate policy, to "eliminate" certain people. A better use of the technology is as a deterrent, rather than a bludgeon to kill your team's morale. It's not enough to say "We have the right to monitor these sorts of things"--we specifically enumerate WHAT we're monitoring, WHEN, and WHY. None of us just casually peruse the surfing logs, and I find doing so to be voyeuristic. We only pull logs in response to specific requests by managers--it simply isn't our job to dictate how much web-surfing is "too much"--that is for the business to decide. We block certain categories of websites, and allow others. Other than that, IS really has a minimal role in this process. We just sort of act as the report gatherers... Certainly we have the right to monitor, and we do with Barracuda Web-Filter (just dumped SurfControl,) but as a professional, I've tried to strike a balance between the need to detect inappropriate use and the privacy of the 99% of employees who aren't misusing the internet service.

Tig2

On MY personal network that I pay for and maintain, I can do whatever I please. On my employer's network that I neither maintain nor pay for, I may only do those things that the employer deems acceptable. Period. I have signed off on enough "Terms of Acceptable Use" to know that anything I do on my employer's network is subject to review. Anything that I do that violates the Acceptable Use policy will get me fired. Most employers have no issue with people making the odd phone call or reading CNN on their lunch break. But productivity killers are not what they are paying you for and shouldn't be tolerated.

erikc_pcc

1) It is ok for employers to monitor and block specific sites of employees. Some may not care what sites are visited, but if certain ones are blocked then we know that we can help contain any malware that may get in. 2) We monitor and block websites at my organization. We use the R300IR from 8e6. It is a 1U server that sits on the network and gets information from a mirrored port on my Cisco switch. This way if it goes down it does not take down the network. We use a managed VOIP service so we just monitor the PC IP addresses. We can even give individual managers the right to look at their own employees so that they can take control in their own hand. 3) I look at websites and if I see anything that may be of an issue I report them to the VP that is over them. They can then look and then decide what they want to do. I would rather implement something that would give the power to the business. I am here to help, but it should not be my full responsibility for how the business is run. I give tools that will help the business and let them empower themselves.

battlestartardis

To answer your questions, 1) YES, it is acceptable, and needed. The employees are doing this on company property and time. If they are out on myspace or xtube when they should be doing reports or taking phone calls, or whatever their job entails, they should be working, and if WE have to monitor them to make sure they are being productive, then so be it. It is also important to know what is coming into your networks, there are a FEW nasties out there (trojans, bots, viruses, etc.), and I personally like to know where they are coming from. 2) We absolutely monitor the web surfing and general network activity. In fact, at all times we have Wireshark on, as well as Websense. Two amazing products! 3) The IT Department implemented this as a SOP, and it is reported when needed to the Department Supervisors or Executive Management. P.S... this is my opinion and a general practice that I have personally set in place.

catseverywhere

Number 4 was the missing link. Thanks. Of course none of these would show a rootkit loading. :(

Dumphrey

or has Apple not copyrighted and trademarked it yet?

jdclyde

does it HAVE to be in-line, or can it sit off a switch and "sniff"? I am getting desperate for a way to monitor TYPES of traffic (by protocol), who is using it, and total bandwidth. If someone is running something that is sucking up my bandwidth, I want to know. If someone is infected with a MM worm, I want to know. Wasting time? It is their manager's job to supervise their employees, not mine. Mine is to keep the network flowing with work related flow.

Neon Samurai

I still get "out of space" messages in outlook but for the most part, autosorting my mail into eleven PST files seems to keep my exchange server allotment clear. (not that it relates in any way other than to be a solution from the user perspective)

tmalonemcse

I know it looks that way, but I think the CFO was genuinely shocked to see the report. Did he take advantage of it? Oh, absolutely. I know he did not like the arrogant CEO. Did he take his spot? No, he didn't want it. A new president was later brought on board.

tmalonemcse

I like it. Even though the computer use policy is posted on the company intranet, nobody reads it. It is clearly spelled out in there that monitoring, recording and reporting of web site visits is taking place. I agree with your point that it is best to be upfront with the employees and tell them when it is being put into place. I did not like the secretive way my boss asked me to do it. It was a morale problem engendering distrust. Thanks for the insight, Tom.

catseverywhere

I'm a 100% open source guy, for my own use anyway. Wireshark shows all traffic on a segment, the source and destination, ports, what protocol etc. I assume this app you mention is similar? There's a really nifty graphic mapper called etherape, but it's less useful ultimately because you can't save any of its output. The real conversation piece is driftnet. Sit in a wifi hot spot and sniff images out of the traffic, you literally see the images other people are seeing in their browsers. (certain file formats anyway) I strike up conversations with folk at wifi hot spots about their computers and security. When I show them pictures (on MY screen) that they were just looking at on theirs they have a tendency to listen. =) Not sure if there are win32 versions. I think there may be, and I'd guess they'd be open source also.

Mr_Fen

if you want to check out who is looking at what on your network get an application called from ipanematech.com, you can see who is looking at what site and which application is eating up your bandwidth. When we trialed it on our network we discovered one of the senior management was running a file share client from his work desktop over the weekends.

Dumphrey

http://www.ntop.org/demo/ntop/win32/ Download option 1, it's a self-contained binary, libpcap and ntop all in one. The second version is for installing on a u2 cruizer micro flash drive. The option to register to rid yourself of the pesky 1000 capture limit, http://www.ntop.org/support.html Link is embedded in page, but was not a different color from regular text in FF2.... No need to compile yourself =) And registration is free.

jdclyde

but have yet to figure out how to install on a windoze system..... printed some of the text files, and off to start reading. Do you know WHICH file has the windows install instructions? I have to compile this for windows? ~sigh~

Dumphrey

I think it's much better and simpler for what you're after than IPCop. And yes it would become the gateway in most cases.

jdclyde

Right now, all PCs point to the router as the gateway off the network. I assume this would have to be changed to the IP address of the proxy? Got netflow working, but just to do the snapshot which isn't ENOUGH (damnitallanyways!). That could be just what I am looking for! Of course, I think BOTH would be the better solution! B-)

Dumphrey

it can read cisco netflow traffic once that is configed on the router/switch. It may be the option you are looking for, as well as me... http://www.ntop.org/overview.html And a transparent proxy CAN just be a pass through, or it can be a filtering proxy that is used by default because there is no other way to leave the network, you don't see it...it's just there.. MWAAAAHAHAHAHAH!

jdclyde

Looks like new toys for Me! B-) Transparent proxy, that would do a complete passthrough of all traffic without ANY filtering, right? I could drop that between the router and the switch just for traffic analysis if it didn't interfere with the flow. Thanks! Will probably take a week to get the gear together, but I would run a discussion paralleling the project, even though I WANTED to focus on playing with the Ciscos more.... :( Anyone know of a package that will take output from a 2801? :D

Dumphrey

off a switch port and "sniff" though to be honest I have always used it as an In/out single card proxy (not transparent) or as a transparent proxy. Not having tried what you are asking, I really can not say, but it will install on a P2, so any old box you have will work as a test box, and the iso is maybe 300Mbs to download... sounds like play time to me. Some resources: http://articles.techrepublic.com.com/5100-6350_11-5187742.html http://ipcop.org/index.php?module=pnWikka&tag=IPCopAddons But if you are after detailed types of traffic you may have better luck with MRTG http://oss.oetiker.ch/mrtg/3party.en.html EDIT: Found this JD http://demo.opennms.org/opennms/element/node.jsp?node=14 Had to dig a bit but it will monitor traffic TYPE by interface... Opensource community model and paid subscription model. http://www.opennms.org/index.php/Main_Page

ruby.otero

I presume that you have an exchange server in the office. Why is it that you get "out of space"? Is it the quota set in the exchange?