I was asked to help out with an issue that one of the local companies owned by a friend is having.
They have 58 computers linked to a partial T1.
They are connected to an ancient DNS server that is doing nothing for them.
This is what they are asking me to help them with.
Their netowrk is currently an open door. They want me to close it and make them secure from intrusions as they getting hacked on regular basis.
Their people are downloading all kinds of movies, games and such and in turn downloading trojans and other viruses. According to their attorney they cannot force people not to do all the things they are doing.
Can I build them a server that they can all link to the internet through and in turn control all incoming and outgoing traffic. They have no use for a file server.
They have asked me to go into all the machines and limit their access to any sites but those the owner wish them to access. Would it not be better to do such security lock from a server they all connect to?
I am not sure if I am explaining what I want accomlished, I am open to all suggestions.
The budget to get this done is about $7000

Hi,

So what you want is a basic server with Windows Server 2003, and you want to be able to limit access to certain sites, Disable program usage, and installing games?

When you say 58 Computers, is there 58 users, because CAL (Client Access Licenses) cost alot of money?

Do you want them to connect through the network (not logging on to the local machine)?

You can make user permissions vary to the user, So an admin can; go to the blocked sites, use all programs, install programs, and make system wide changes. While a user cannot.

YukonMaster

I don't think they want to buy 58 CALs they are rediculously expensive. Can't a DNS server control traffice without having to spend all that money on CALs?

You don't have to buy 58 CALs ex. you can buy Server 2003 with 5 or 25 CALs and just make 1 Admin account and 1 User account and make the rest for people who need special privileges.
You did say you wanted a server right? If you just want to block the sites and stop the spam you could get a hardware firewall ie. FreeGuard 100 Network Firewall.

Look into something like a Sonicwall firewall appliance. It's really a grown up router with all kinds of filtering and maintenance options. You install it in between your T1 adapter and your switches.

If you want to go cheap either/or a squid proxy server on Linux and something like pfSense for the firewall. Force all the clients through the proxy. Between the two, you should be able to filter and control what you need.

They also need to put an acceptable use policy in place for their employees reguarding internet usage.

I totally agree with great one. Though I wouldn't recommend it for an enterprise situation as opposed to a simple home network, IPCop with a few mods could accomplish all that you want. This capability comes from running the Squid proxy. You might want to look into the products offered by that Astro company, or the paid versions of Smoothwall.

Hi there,

I've had to restrict access on Cybercafe PCs for the charitu I work at (both adults and young folks use the facility so we've had all sorts of child-protection issues to deal with).

We have a Windows 2000 Server network but as the admin part of the building deals with some quite sensitive information, I decided that the public PCs shouldn't even be on the same domain.

So, the public PCs are on a Peer-2-Peer setup; out broadband connection has a built-in firewall so we're okay there.... to handle the content we purchased a copy of CCProxy (I guess in US dollars it's about $70) configured it on an old P4 and installed 2 Network Cards - one for internal and one for external. The public PCs simply see the Internal card in their gateway settings and the external card points to the router.

The software is highly custimisable and you can block content using words, block file types (eg. *wmv; *avi) and configure your own "Access Denied" screen for those naughty employees!!

I hope this makes sense, it's a simple setup but works fine for our purposes. To test security, try gbc's leaktest also....

Good luck,

Akira.