Blocking Web Proxy Servers and SSH Tunnels to the Internet

Block Web Proxy Servers - Ben Lancaster
Windows system administrators have to be diligent to make sure their users are not bypassing any web filtering software via web proxy servers or tunnels.

One of the tasks that many system administrators have is to control access to the Internet. In many cases, management wishes to prohibit access to websites that are counterproductive to the organization such as Facebook, online games, and hacking information.

Content control software, also known as web filtering software, such as SurfControl and Websense, is often installed to control the Internet activities of users. However, many users can be especially persistent in their attempts to bypass these filters. If the following steps are followed, it will be nearly impossible for users to bypass Internet access restrictions.

Disabling Proxy Settings in Windows

The first thing to do in networks with Windows-based computer systems is to disable the configuration of proxy settings. With a proxy server, users can configure the web browser to access the proxy server as an intermediary instead of accessing the prohibited website directly.

In Internet Explorer and some other web browsers such as Google Chrome and Safari, the proxy settings are derived from the operating system. A policy can be set up to prevent users from configuring or changing the proxy settings. Disabling this operating system setting is not foolproof because users can install Mozilla Firefox or Opera to bypass it, since those web browsers don't use Windows to configure the proxy server settings.

Disable Installation of Programs in Windows

Another good way to frustrate users attempting to bypass Internet access restrictions is to prohibit the installation of programs on the computer. There are many programs on the web that are designed to bypass filtering by Websense, SurfControl, or other Internet filtering software. The easiest way to enforce this on Windows-based computers is to set up a Group Policy in Active Directory that disallows the installation of programs. In particular, the installation of Firefox and Opera web browsers could be used to bypass web proxy server restrictions since they don't use Windows to configure the web proxy server settings.

Not all programs require installation to run. In those cases, prohibiting the use of USB flash drives may be necessary.

SSH Tunneling and VPN Tunneling

The most sophisticated users will use a technique called SSH tunneling to bypass the filters. The way it works is that one computer initiates an encrypted SSH connection to another. The remote computer has a proxy server installed. All web browser traffic is then configured to go through the encrypted SSH tunnel, thus bypassing all Internet filters.

The best way to stop this traffic is to have the network administrator disallow all outbound traffic to the Internet other than HTTP (port 80) and HTTPS (port 443). Hopefully, the software that is being used to filter web traffic will be able to detect when port 80 and port 443 are being used to initiate SSH connections. Keep in mind that blocking VPN and SSH may interfere with legitimate traffic that isn't trying to bypass Internet access filtering.
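The check described above, detecting SSH being initiated on port 80 or 443, can be sketched as follows. This is an added example, not code from the original article or from any filtering product; it inspects only the first client payload of each flow for the plain SSH identification string defined in RFC 4253, and the flow tuples, addresses and function names are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: an SSH client opens with "SSH-protoversion-softwareversion".
SSH_BANNER = re.compile(rb"^SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
# Protocol each permitted outbound port is expected to carry.
EXPECTED = {80: {"http"}, 443: {"tls"}}


def classify(payload: bytes) -> str:
    """Label the first client payload of a TCP flow."""
    if SSH_BANNER.match(payload):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def review(flows):
    """Return (source, port, protocol) for flows that do not match their port."""
    findings = []
    for src, dport, payload in flows:
        proto = classify(payload)
        if proto not in EXPECTED.get(dport, set()):
            findings.append((src, dport, proto))
    return findings


# Constructed sample flows: (client address, destination port, first payload).
SAMPLE_FLOWS = [
    ("10.0.0.21", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 8),
    ("10.0.0.22", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.23", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.24", 80, b"SSH-2.0-PuTTY_Release_0.80\r\n"),
]

if __name__ == "__main__":
    for src, dport, proto in review(SAMPLE_FLOWS):
        print(f"{src} -> port {dport}: unexpected protocol '{proto}'")
```

Flows labelled "unknown" on either port are reported as well, since they match neither HTTP nor a TLS ClientHello.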

If Internet access and the network are properly configured from the beginning, users will be more quickly frustrated in their attempts to bypass any Internet filters and will get back to studying or work. It is best to do it right the first time by anticipating what users will try in order to bypass Internet access filters.

John Wu

John Wu - John Wu is an IT system architect for a government agency. He holds a BA degree from UC Berkeley and certifications from Red Hat and ...
