A recent posting in Spiceworks caught my attention. It seems that this admin was asked to generate an Internet usage report on a fellow employee. The next thing he knows, the employee was let go. Of course he felt somewhat guilty about it. Another poster was talking about a fellow user who has been surfing porn while at work. Since management was watching, what should he do since he considered the colleague a friend? Well, in both instances, the solution to the problem lies on both sides of the equation – the HR side and the IT side.
First, HR has to establish a strong Internet usage policy. Often these rules are buried in the user’s welcome package. I’d advocate an actual form that they have to read, understand and sign; this becomes part of their employee packet. This would spell out exactly what you can and cannot do, and what the penalties for violations are. So the warning starts at the top. And speaking of the top, you cannot have a boss who gives this lip service and is guilty of violating it. I worked in a place once where we had a few employees surfing porn. Since this was becoming a problem, the boss looked to IT for a solution. “Not a problem,” I said. “We buy a license for the firewall, install it, and then we can do a little more filtering to include porn.”
“Does that block everyone from reaching a porn site?” he asked.
“Of course,” I answered, “I can make some exceptions, but that might cause issues with the team if one person does something and the others can’t.”
“Well, that won’t work,” he said after a moment. He nixed the idea pretty quickly while continuing to let people go.
The majority of modern-day firewalls will allow you to block websites of certain kinds. Most have keywords programmed into them, and the firewall acts on these keywords whenever someone tries to reach a matching site. Instead of the screen they expected, users get a rather generic-looking, semi-official web page telling them that the site has been blocked by the company due to inappropriate content. Exceptions can be made, but they need to be treated on a case-by-case basis. You can also, in most cases, limit that access to only certain users and still deny everyone else. In this way, everyone knows that there are reasons to grant access to certain sites, that there is a process, and that the access has been approved.
Another step admins might want to consider is what amounts to a more or less daily reminder: configure a policy setting so that when a person logs on, he gets a pop-up banner that contains the warning. The user must acknowledge it by clicking an “OK” button. This is done through a GPO in Active Directory and goes to every server and workstation attached to it. It is very simple to do; just follow these few steps:
Step 1 – Open Group Policy Management
Step 2 – Right click on the Default Domain Policy under Group Policy Objects, click Edit
Step 3 – Go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options, Interactive logon
Step 4 – Double click the “Interactive logon: Message title for users attempting to log on”, enter the title message
Step 5 – Double click the “Interactive logon: Message text for users attempting to log on”, enter the notice message
Step 6 – Close Group Policy Management
Step 7 – Run “gpupdate /force” on other machines to force the group policy update, or just wait for it to replicate.
One thing about the banner: this is a legal document, so don’t play cute with it. Indeed, whatever you come up with should be approved by management. Don’t mention names or post phone numbers; if someone is doing a little hacking of the site, you just gave them a bit more information to help them do what they want to do. What needs to be mentioned is that this is a private system, that it is monitored, and that usage of your domain and network is for authorized users and usage only. You might also want to mention that unauthorized usage is in violation of the company Internet usage policy and can result in termination, criminal charges, and/or civil actions.
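To confirm that a machine actually received the banner from the steps above, and that its text follows the guidance just given, here is a PowerShell check added as an example (it is not part of the original post). The two "Interactive logon" settings are stored in the `LegalNoticeCaption` and `LegalNoticeText` registry values; the function name and the wording patterns are assumptions to adapt to your approved text.

```powershell
# Added example: audit the logon banner that the GPO steps above deploy.
# The two "Interactive logon: Message ..." settings land in these registry values.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-LogonBanner {
    param([string]$Title, [string]$Text)

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Title)) { $findings += 'Message title is empty' }
    if ([string]::IsNullOrWhiteSpace($Text))  { $findings += 'Message text is empty' }

    # Assumed wording checks: the banner should state that the system is private,
    # monitored, and for authorized use only. Adjust to your approved text.
    $required = [ordered]@{
        'private system' = 'private'
        'monitoring'     = 'monitor'
        'authorized use' = 'authori[sz]ed'
    }
    foreach ($item in $required.GetEnumerator()) {
        if ($Text -notmatch $item.Value) { $findings += "No mention of $($item.Key)" }
    }

    # The banner should not hand out contact details: flag phone-like digit runs.
    if ($Text -match '(\+?\d[\d\s().-]{7,}\d)') {
        $findings += "Possible phone number in banner: $($Matches[1])"
    }
    return ,$findings   # leading comma keeps an empty result an array
}

# Read what this machine received from Group Policy.
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
# The text value may come back as a string array (multi-line), so join it.
$text   = @($policy.LegalNoticeText) -join "`n"
$issues = Test-LogonBanner -Title "$($policy.LegalNoticeCaption)" -Text $text

if ($issues.Count -eq 0) {
    Write-Output "${env:COMPUTERNAME}: logon banner present and complete"
} else {
    $issues | ForEach-Object { Write-Output "${env:COMPUTERNAME}: $_" }
}
```

Run it on a workstation after “gpupdate /force” has completed; any output other than the "present and complete" line points to a missing setting or to wording that management should review.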
A lot of companies also run their employees through a yearly Internet usage and training course so they’re reminded of usage policies and better network protection (which implies an active anti-spam campaign).
Between the training, the warning banner, and the firewall, we can consider the user warned! And a violation means their indiscretion is on their own head.