Blocking social networking facilities

I've been asked to block access to a range of social networking websites
like facebook, MySpace, bebo, etc, and also to prevent users running
Windows Messenger, MSN Messenger and Windows Live Messenger.

I'm finding this hard! The firewall I'm using (Netgear FVS338) will
block keywords but not URLs (so a mention of facebook on an otherwise
respectable site will mean it's blocked). Otherwise I have to block
individual IP addresses, and some of these sites have quite a few
(according to nslookup, anyway). I suspect these IP addresses will be
subject to change.

I've looked at using registry keys eg: DisallowRun in
HKLM\Software\Policies\Microsoft\Messenger\Client\
.. but I can't find a definitive account of this, and some of the PCs
are running XP Home, which may make it difficult perhaps. Ideally, I'd
want a scripted solution.

Time to ask for advice! Any suggestions?

Phil, London

Nb cross-posted, as I wasn't sure which group to ask. Followups to
microsoft.public.win2000.networking.

Meinolf
Sun Apr 20 12:09:15 PDT 2008

Hello Philip,

Do you talk about a single computer or a workgroup with more machines or
a domain?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I've been asked to block access to a range of social networking
> websites like facebook, MySpace, bebo, etc, and also to prevent users
> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>
> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
> block keywords but not URLs (so a mention of facebook on an otherwise
> respectable site will mean it's blocked). Otherwise I have to block
> individual IP addresses, and some of these sites have quite a few
> (according to nslookup, anyway). I suspect these IP addresses will be
> subject to change.
>
> I've looked at using registry keys eg: DisallowRun in
> HKLM\Software\Policies\Microsoft\Messenger\Client\
> .. but I can't find a definitive account of this, and some of the PCs
> are running XP Home, which may make it difficult perhaps. Ideally,
> I'd
> want a scripted solution.
> Time to ask for advice! Any suggestions?
>
> Phil, London
>
> Nb cross-posted, as I wasn't sure which group to ask. Followups to
> microsoft.public.win2000.networking.
>

Philip
Mon Apr 21 01:38:08 PDT 2008

Meinolf Weber wrote:
> Hello Philip,
>
> Do you talk about a single computer or a workgroup with more machines or
> a domain?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I've been asked to block access to a range of social networking
>> websites like facebook, MySpace, bebo, etc, and also to prevent users
>> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>>
>> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
>> block keywords but not URLs (so a mention of facebook on an otherwise
>> respectable site will mean it's blocked). Otherwise I have to block
>> individual IP addresses, and some of these sites have quite a few
>> (according to nslookup, anyway). I suspect these IP addresses will be
>> subject to change.
>>
>> I've looked at using registry keys eg: DisallowRun in
>> HKLM\Software\Policies\Microsoft\Messenger\Client\
>> .. but I can't find a definitive account of this, and some of the PCs
>> are running XP Home, which may make it difficult perhaps. Ideally,
>> I'd
>> want a scripted solution.
>> Time to ask for advice! Any suggestions?
>>
>> Phil, London
>>
>> Nb cross-posted, as I wasn't sure which group to ask. Followups to
>> microsoft.public.win2000.networking.
>>
>
>

Hi Meinolf - yes, I should have said that these are a group of
standalone PCs, mostly running XP Home, and loosely networked peer-peer
using ad-hoc shared folders in a single workgroup.

Phil

Phillip
Mon Apr 21 07:47:21 PDT 2008

This is not something that you can "just do" because someone asked for it.

The people who want it done need to be willing the spend $$$$ on the
products that it takes to accomplish it.

I use MS ISA Server 2006. But even with a solid indepth product such as ISA
Server it may still require more third-party "add-ons" ($$$$) for ISA
depending how detailed and how "carried away" with the idea you want to get.

You are not asking for some "simple thing" and you are not going to
accomplish it very well with "home-user" products like Netgear.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------


"Philip Herlihy" <thiswillbounceback@you.com> wrote in message
news:fuhjo4$hhf$1$8300dec7@news.demon.co.uk...
> Meinolf Weber wrote:
>> Hello Philip,
>>
>> Do you talk about a single computer or a workgroup with more machines or
>> a domain?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> I've been asked to block access to a range of social networking
>>> websites like facebook, MySpace, bebo, etc, and also to prevent users
>>> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>>>
>>> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
>>> block keywords but not URLs (so a mention of facebook on an otherwise
>>> respectable site will mean it's blocked). Otherwise I have to block
>>> individual IP addresses, and some of these sites have quite a few
>>> (according to nslookup, anyway). I suspect these IP addresses will be
>>> subject to change.
>>>
>>> I've looked at using registry keys eg: DisallowRun in
>>> HKLM\Software\Policies\Microsoft\Messenger\Client\
>>> .. but I can't find a definitive account of this, and some of the PCs
>>> are running XP Home, which may make it difficult perhaps. Ideally,
>>> I'd
>>> want a scripted solution.
>>> Time to ask for advice! Any suggestions?
>>>
>>> Phil, London
>>>
>>> Nb cross-posted, as I wasn't sure which group to ask. Followups to
>>> microsoft.public.win2000.networking.
>>>
>>
>>
>
> Hi Meinolf - yes, I should have said that these are a group of standalone
> PCs, mostly running XP Home, and loosely networked peer-peer using ad-hoc
> shared folders in a single workgroup.
>
> Phil

Philip
Mon Apr 21 14:25:59 PDT 2008

Thanks for the comment. I note what you say, although the device I'm
using is sold as a business router - I can't imagine why a domestic user
might want 50 VPN tunnels, for example.

From my experiments I've certainly learned that it isn't easy.
However, by looking up the IP addresses associated with (eg)
www.facebook.com and blocking those (laborious as it was) then I've
managed to block the three main sites. I wouldn't expect this to be
proof against a well-informed attempt to circumvent these provisions but
the environment doesn't have any technically savvy people. Similarly,
I've managed to block Windows Live Messenger from running through the
use of gpedit.msc on an XP Pro machine, although this isn't available on
the XP Home machines (but see this:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm)

Phil H

Phillip Windell wrote:
> This is not something that you can "just do" because someone asked for it.
>
> The people who want it done need to be willing the spend $$$$ on the
> products that it takes to accomplish it.
>
> I use MS ISA Server 2006. But even with a solid indepth product such as ISA
> Server it may still require more third-party "add-ons" ($$$$) for ISA
> depending how detailed and how "carried away" with the idea you want to get.
>
> You are not asking for some "simple thing" and you are not going to
> accomplish it very well with "home-user" products like Netgear.
>
>

Phil
Mon Apr 21 15:00:09 PDT 2008

Philip Herlihy wrote:
> I've been asked to block access to a range of social networking websites
> like facebook, MySpace, bebo, etc, and also to prevent users running
> Windows Messenger, MSN Messenger and Windows Live Messenger.
>
> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
> block keywords but not URLs (so a mention of facebook on an otherwise
> respectable site will mean it's blocked). Otherwise I have to block
> individual IP addresses, and some of these sites have quite a few
> (according to nslookup, anyway). I suspect these IP addresses will be
> subject to change.
>
> I've looked at using registry keys eg: DisallowRun in
> HKLM\Software\Policies\Microsoft\Messenger\Client\
> .. but I can't find a definitive account of this, and some of the PCs
> are running XP Home, which may make it difficult perhaps. Ideally, I'd
> want a scripted solution.
>
> Time to ask for advice! Any suggestions?

Stop being a net nazi? :)

--
There's only four things you can be certain of: taxes, change, spam, and
death.

Philip
Tue Apr 22 02:30:26 PDT 2008

Phil Cartwright wrote:
> Philip Herlihy wrote:
>> I've been asked to block access to a range of social networking
>> websites like facebook, MySpace, bebo, etc, and also to prevent users
>> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>>
>> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
>> block keywords but not URLs (so a mention of facebook on an otherwise
>> respectable site will mean it's blocked). Otherwise I have to block
>> individual IP addresses, and some of these sites have quite a few
>> (according to nslookup, anyway). I suspect these IP addresses will be
>> subject to change.
>>
>> I've looked at using registry keys eg: DisallowRun in
>> HKLM\Software\Policies\Microsoft\Messenger\Client\
>> .. but I can't find a definitive account of this, and some of the PCs
>> are running XP Home, which may make it difficult perhaps. Ideally,
>> I'd want a scripted solution.
>>
>> Time to ask for advice! Any suggestions?
>
> Stop being a net nazi? :)
>

My advice was to appraise people's work based on what they achieved, and
if they were pulling their weight,turn a blind eye to what else they
might be doing at odd moments. However, this office has several young
workers who seem unable to resist these facilities and despite
discussion and eventually warnings continue to fall behind in their
work. Your comment suggest you may be content to be a drone in an
organisation too large to care, but this is a very small family business
and it matters, not least to the people concerned who might end up
losing their jobs if a solution isn't found.

Meanwhile, the Party knows where you live, and you can expect a visit
very early one morning for your "re-education". This may involve
extended travel, so have a toothbrush ready.

PH

Bob
Tue Apr 22 05:13:29 PDT 2008



Phil Cartwright wrote:

> Philip Herlihy wrote:
>
>> I've been asked to block access to a range of social networking
>> websites like facebook, MySpace, bebo, etc, and also to prevent users
>> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>>
>> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
>> block keywords but not URLs (so a mention of facebook on an otherwise
>> respectable site will mean it's blocked). Otherwise I have to block
>> individual IP addresses, and some of these sites have quite a few
>> (according to nslookup, anyway). I suspect these IP addresses will be
>> subject to change.
>>
>> I've looked at using registry keys eg: DisallowRun in
>> HKLM\Software\Policies\Microsoft\Messenger\Client\
>> .. but I can't find a definitive account of this, and some of the PCs
>> are running XP Home, which may make it difficult perhaps. Ideally,
>> I'd want a scripted solution.
>>
>> Time to ask for advice! Any suggestions?
>
>
> Stop being a net nazi? :)
>

Wasn't his decision

Phillip
Tue Apr 22 08:14:24 PDT 2008

"Philip Herlihy" <thiswillbounceback@you.com> wrote in message
news:fuj0ns$ehq$1$8300dec7@news.demon.co.uk...
> Thanks for the comment. I note what you say, although the device I'm
> using is sold as a business router - I can't imagine why a domestic user
> might want 50 VPN tunnels, for example.

There are "middle ground" devices that are just slightly more than home user
boxes. Generally they are around the $400-$500 dollar range. There is too
much variety in that area for me to comment on.

>
> From my experiments I've certainly learned that it isn't easy. However,
> by looking up the IP addresses associated with (eg) www.facebook.com and
> blocking those (laborious as it was) then I've managed to block the three
> main sites.

That is fine. You can do a lookup on their domain name to find the subnet
they own and block the whole subnet, as long as your firewall device can
identify by subnet.

> I wouldn't expect this to be proof against a well-informed attempt to
> circumvent these provisions but

There isn't much way around blocking the IP#s,...well informed or not.
It pretty much stops it dead in its tracks as long as the destination
doesn't change their IP#s. That isn't the problem,...the problem is the
labor that goes into maintaining your restrictions over long periods of
time.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Philip
Tue Apr 22 09:37:28 PDT 2008

f/fgeorge wrote:
> On Tue, 22 Apr 2008 10:30:26 +0100, Philip Herlihy
> <thiswillbounceback@you.com> wrote:
>
>> Phil Cartwright wrote:
>>> Philip Herlihy wrote:
>>>> I've been asked to block access to a range of social networking
>>>> websites like facebook, MySpace, bebo, etc, and also to prevent users
>>>> running Windows Messenger, MSN Messenger and Windows Live Messenger.
>>>>
>>>> I'm finding this hard! The firewall I'm using (Netgear FVS338) will
>>>> block keywords but not URLs (so a mention of facebook on an otherwise
>>>> respectable site will mean it's blocked). Otherwise I have to block
>>>> individual IP addresses, and some of these sites have quite a few
>>>> (according to nslookup, anyway). I suspect these IP addresses will be
>>>> subject to change.
>>>>
>>>> I've looked at using registry keys eg: DisallowRun in
>>>> HKLM\Software\Policies\Microsoft\Messenger\Client\
>>>> .. but I can't find a definitive account of this, and some of the PCs
>>>> are running XP Home, which may make it difficult perhaps. Ideally,
>>>> I'd want a scripted solution.
>>>>
>>>> Time to ask for advice! Any suggestions?
>>> Stop being a net nazi? :)
>>>
>> My advice was to appraise people's work based on what they achieved, and
>> if they were pulling their weight,turn a blind eye to what else they
>> might be doing at odd moments. However, this office has several young
>> workers who seem unable to resist these facilities and despite
>> discussion and eventually warnings continue to fall behind in their
>> work. Your comment suggest you may be content to be a drone in an
>> organisation too large to care, but this is a very small family business
>> and it matters, not least to the people concerned who might end up
>> losing their jobs if a solution isn't found.
>>
>> Meanwhile, the Party knows where you live, and you can expect a visit
>> very early one morning for your "re-education". This may involve
>> extended travel, so have a toothbrush ready.
>>
>> PH
> My 'company' has almost 30,000 users and we have similar problems.
> There is almost one pc per worker, some have several pc's some have
> none. But what we do is the same thing as you do but have also added
> the ability to remote control desktops. That means they can also
> record that users desktop remotely. In a couple of instances they have
> done that and the user has changed their ways. In a couple of
> instances the user was fired because of how little work they were
> actually doing. It only took a few times before EVERYONE was aware of
> what was possible, the old "big brother is watching" scenario and most
> people now do what they were hired to do. In ALL cases the person was
> reported, and warned, before the IT people setup the recording. One
> person actually had a blog on his work computer and thought that it
> was 'cool' to do that all day instead of work. He is gone! He actually
> said "you can't fire me because it doesn't specifically say I can't
> host a blog". As I said he was fired for doing non work related stuff
> at work and the list of things prohibited at work was expanded to say
> no blogging at work allowed. We also block all streaming websites as
> they are found. Streaming, even radio sites, consumes a huge amount of
> bandwidth and as such slows down the people trying to work. Skype is
> another thing you may want to block. It loads wherever it can, no
> amount of admin rights can stop it, and uses huge amounts of
> bandwidth. We blocked the skype website itself and that seems to have
> stopped it. We are also progressively blocking all the internet sex
> sites as we find them. That seems to be another huge time waster for
> some people.


It's just too easy to look as if you're working! We have RealVNC on
most machines, but I don't think that has the capacity to record -
interesting idea. In a similar vein I'm investigating the logging
capabilities of the firewall - a smaller one (FVS114, rather
underpowered) would log every site visited, whereas its big brother
doesn't (obviously) do this. Even then, if we can block the
distractions we may be able to steer people away from being in trouble
in the first place.

Sounds like you have to invest a great deal of effort in this. :-(

Phil

Philip
Tue Apr 22 09:52:16 PDT 2008

Phillip Windell wrote:
> "Philip Herlihy" <thiswillbounceback@you.com> wrote in message
> news:fuj0ns$ehq$1$8300dec7@news.demon.co.uk...
>> Thanks for the comment. I note what you say, although the device I'm
>> using is sold as a business router - I can't imagine why a domestic user
>> might want 50 VPN tunnels, for example.
>
> There are "middle ground" devices that are just slightly more than home user
> boxes. Generally they are around the $400-$500 dollar range. There is too
> much variety in that area for me to comment on.
>
>> From my experiments I've certainly learned that it isn't easy. However,
>> by looking up the IP addresses associated with (eg) www.facebook.com and
>> blocking those (laborious as it was) then I've managed to block the three
>> main sites.
>
> That is fine. You can do a lookup on their domain name to find the subnet
> they own and block the whole subnet, as long as your firewall device can
> identify by subnet.
>
>> I wouldn't expect this to be proof against a well-informed attempt to
>> circumvent these provisions but
>
> There isn't much way around blocking the IP#s,...well informed or not.
> It pretty much stops it dead in its tracks as long as the destination
> doesn't change their IP#s. That isn't the problem,...the problem is the
> labor that goes into maintaining your restrictions over long periods of
> time.
>

The firewall we use (just bought!) will block a range of addresses but
not a subnet, so if the apparently random collection of IP addresses
returned by nslookup for www.bebo.com COULD be expressed as a complex
subnet mask I'd still have to enter them one by one :-(

Where could I find definitive information on the subnet an organisation
owns?

Blocking use of Windows Messenger and its variants is proving tricky, as
they revert to port 80. You can use gpedit on XP Pro, or Doug Knox's
utility (see earlier post) on XP Home to block the executable, but a
savvy user could copy and rename the executable and evade the
restriction that way (subject to permissions to do that, of course).
There is an option to allow only listed applications, but that's going
to be hard work for yours truly, and you can also use this firewall to
allow only named IP addresses, but how many sites are all served by one IP?

I've wondered whether NTFS permissions might be an option? You can use
the cacls utility to grant or deny permissions even on XP Home (or boot
in Safe Mode and use the familiar security dialogue windows).

It is bizarre how some people regard a job as an attendance centre. I
worked in a very genteel place once where one chap spent all day on the
phone to Turkey sorting out supplies for his brother's restaurant. When
the (vast) phone bill was finally noticed, and his telephone was blocked
from making external calls (not needed for his job) he simply started
using his neighbour's phone. It was over a year before they finally
sacked him, and I don't think he'd done a stroke the whole time. (Nice
work if you can get it...).

Phil

Philip
Tue Apr 22 13:08:33 PDT 2008

f/fgeorge wrote:
> On Tue, 22 Apr 2008 17:52:16 +0100, Philip Herlihy
> <thiswillbounceback@you.com> wrote:
>
>
[snip]
>> Where could I find definitive information on the subnet an organisation
>> owns?
>>
> Thsi website www.samspade.org will give you that, but here is the
> bebo.com info:
> http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y
>

Don't see anything there on the subnet, and when I use nslookup (command
line) it suggests there are loads of possible IP addresses, although
results vary, and the current two aren't the same as the one suggested
by samspade.

Confused of London....

Philip
Wed Apr 23 02:22:14 PDT 2008

f/fgeorge wrote:
> On Tue, 22 Apr 2008 21:08:33 +0100, Philip Herlihy
> <thiswillbounceback@you.com> wrote:
>
>> f/fgeorge wrote:
>>> On Tue, 22 Apr 2008 17:52:16 +0100, Philip Herlihy
>>> <thiswillbounceback@you.com> wrote:
>>>
>>>
>> [snip]
>>>> Where could I find definitive information on the subnet an organisation
>>>> owns?
>>>>
>>> Thsi website www.samspade.org will give you that, but here is the
>>> bebo.com info:
>>> http://samspade.org/whois/nq3bwssslwtexap6wueqxtx53y
>>>
>> Don't see anything there on the subnet, and when I use nslookup (command
>> line) it suggests there are loads of possible IP addresses, although
>> results vary, and the current two aren't the same as the one suggested
>> by samspade.
>>
>> Confused of London....
> Many, many companies have LOADS of ip addresses to let more people on
> at the same time. Comcast, for instance, has hundreds of thousands!

Just so. What would be nice would be a way of figuring out the minimum
set to block!

Phil

George
Mon Apr 28 18:50:07 PDT 2008

Philip Herlihy wrote:
> However, this office has several young
> workers who seem unable to resist these facilities and despite
> discussion and eventually warnings continue to fall behind in their
> work.

How about denying such access by a particular employee for a week or
whatever as a punishment for that employee falling behind in work?
Doesn't affect anyone who avoids falling behind that way, and provides a
milder initial consequence than being fired for those who do.
(Continuing to make a habit of it would obviously have to lead to more
severe penalties, and eventually job loss.)

Consider also that some employees may simply prove not to be cut out for
the work. One that lacks self-discipline may just find other
distractions, and may never perform well.

Also, do try to determine the actual cause of the employee's behavior.
There are at least two explanations, and of those only one involves the
employee needing more self-discipline.

That explanation is, of course, that the employee is prone to
distractions and non-work activities at the expense of getting work done
on time.

An alternative is if the employee's work keeps getting stalled by
external factors, and they amuse themselves in various ways while
waiting to be able to proceed with their work again. This can happen if
their tasks sometimes have to wait for something else to have been
finished by someone else -- a coworker to have completed something, or a
supplier to have shipped something, for instance. If a shipment is late
in arriving and some work can't proceed until the stuff arrives, for
instance, depriving the employees of net access won't do much good.
Finding a better supplier might be more effective in that case.

Of course, since you haven't given many details about the jobs in
question, it's not clear whether that's even possible in this particular
case, or whether you've already determined that that isn't what's happening.

Philip
Tue Apr 29 00:59:18 PDT 2008

George Smith wrote:
> Philip Herlihy wrote:
>> However, this office has several young workers who seem unable to
>> resist these facilities and despite discussion and eventually warnings
>> continue to fall behind in their work.
>
> How about denying such access by a particular employee for a week or
> whatever as a punishment for that employee falling behind in work?
> Doesn't affect anyone who avoids falling behind that way, and provides a
> milder initial consequence than being fired for those who do.
> (Continuing to make a habit of it would obviously have to lead to more
> severe penalties, and eventually job loss.)
>
> Consider also that some employees may simply prove not to be cut out for
> the work. One that lacks self-discipline may just find other
> distractions, and may never perform well.
>
> Also, do try to determine the actual cause of the employee's behavior.
> There are at least two explanations, and of those only one involves the
> employee needing more self-discipline.
>
> That explanation is, of course, that the employee is prone to
> distractions and non-work activities at the expense of getting work done
> on time.
>
> An alternative is if the employee's work keeps getting stalled by
> external factors, and they amuse themselves in various ways while
> waiting to be able to proceed with their work again. This can happen if
> their tasks sometimes have to wait for something else to have been
> finished by someone else -- a coworker to have completed something, or a
> supplier to have shipped something, for instance. If a shipment is late
> in arriving and some work can't proceed until the stuff arrives, for
> instance, depriving the employees of net access won't do much good.
> Finding a better supplier might be more effective in that case.
>
> Of course, since you haven't given many details about the jobs in
> question, it's not clear whether that's even possible in this particular
> case, or whether you've already determined that that isn't what's
> happening.

Very much my own approach, as it happens - I've argued that they need to
find a way to assess whether someone is performing well, and that
involves issues such as job design, training, and connecting processes,
as you say. However, the employer concerned (an estate agent) has lost
patience with one or two of the younger staff (one of whom got fired
recently) and wants to prevent this distraction from being available.

I've now set up a (long) list of firewall rules, and will be analysing
firewall logs for signs of larking around. I hope to get the chance to
warn informally individuals so highlighted myself before passing the
information on, and have discussed this with the relevant manager.

I'll be using NTFS file permissions to deny access to Windows (live)
Messenger on a machine by machine basis, using a simple script based on
cacls.

Phil

Digital
Sun May 11 19:15:04 PDT 2008

On 2008-04-22 05:30:26 -0400, Philip Herlihy <thiswillbounceback@you.com> said:

> My advice was to appraise people's work based on what they achieved,
> and if they were pulling their weight,turn a blind eye to what else
> they might be doing at odd moments. However, this office has several
> young workers who seem unable to resist these facilities and despite
> discussion and eventually warnings continue to fall behind in their
> work. Your comment suggest you may be content to be a drone in an
> organisation too large to care, but this is a very small family
> business and it matters, not least to the people concerned who might
> end up losing their jobs if a solution isn't found.


Then ask your management and HR department (small!) to stop being
gutless and fearing litigation your company isn't facing, write up the
offending employees several times for the infraction and terminate
their employment as soon as possible. This can be cost-justified by the
amount these employees are costing in your time spent solving this
problem, and how much technology you're going to wind up purchasing to
address this problem.

Some problems can be solved with technology, some seemingly are, but
are not technology problems. This is not a technology problem.

These employees will wind up costing you a lot more money when they
start talking about confidential corporate information in public forums
even though they've been instructed not to because they think they know
better. This isn't being a "Net-Nazi", it's good corporate policy - how
many harder working employees are being insulted by the lack of effort
from this bunch?

Besides, you'll be doing them a favor - they can go home and consume
all the social website content they want in the privacy of their own
home.

I'm really tired of the "gimme / clueless" work generation out there,
and tired of network admins and IT people being asked to cope and
remedy what is essentially a bad work ethic problem. I really feel for
your problem and the fact this is a family business, which means these
people you work for really put their backs into what they have & sell.

Make sure you hand them : "Schools out sucka." stickers before they
exit your front doors.

While this sounds like a rant - here's the purpose of it - how much CPU
power, electrically energy and Internet slowness does the bad work
ethic cost us in technology spending because people won't adhere to
management direction, as well as overzealous lawyers trying to tell us
each bit must be analyzed to protect us from lawsuits that don't exist?
When people are not reasonable and take advantage of a resource, there
is no balance.

/dmfh

--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx