Websites to block...

[Jason1977]

Can anyone offer up some suggestions or lsist of websites to block for the avg user...we are implementing some new security policies and blocking sites that seems to allow users to make poor choices. We have websense and it blocks via category for the most part but we want to cut down on other thinsg such as yahoo mail, hotmail and so on...here are some of what i have so far.

hotmail.com
mail.yahoo.com
ezula.com
iwon.com
whenu.com
aol.com
juno.com
passport.net
hotbar.com

any other sugestions please?thanks, J

[magnoon]

pogo.com and zones.msn.com were the gaming sites of choice for our users before we began blocking.

[SirDice]

Be prepared for a very long list. Also be prepared to constantly add/remove sites from your list as it will never be "complete".

You could also swing this the other way around. Only allow certain approved sites and blocking everything else.

Or how about installing something that will just block the "bad things"?
Things like executables, malware in general, mp3, movies etc...

[AngelicKnight]

Hopefully your firewall has a reporting feature that will tell you which websites users are visiting the most (our SonicWALL does anyway). What I do is watch that daily, and when a website makes the list that users shouldn't be viewing, I add it to the filter.

[morganlefay]

Here we use a policy....if you violate that policy your are disiplined...I look at the logs...and if you visit sites that are inappropriate...you lose you priviledge of the internet.

I usually wait til they approach me with ..."I cant get on the net"
Then I show them the logs...give them the lecture...and it usually never happens again.

you will continually add sites to your firewall....

As an alternative I have heard of using White lists (sites that you can visit) as opposed to Black Lists (sites you cannot visit).
That way you have more control and can add sites that are related to your business.

Personally...I like the policy and monitoring the logs...but then again each network and setup is different.

MLF

[Jason1977]

You guys are right I think the way to go is White lists. however at this point we cannot impliment such a policy untill we work through the "red tape" that may be 6 months so in the mean time i am trying to cut down on some issues. I am not usingt he firewall but using WEBSENSE.

[secure_lockdown]

Originally posted here by Jason1977
You guys are right I think the way to go is White lists. however at this point we cannot impliment such a policy untill we work through the "red tape" that may be 6 months so in the mean time i am trying to cut down on some issues. I am not usingt he firewall but using WEBSENSE.

just whatever you do, make sure you convince top mgtm (ecex level) to send out the email and inform the users. you will have a lot less complaining.

[rudack]

I would use DansGuardian http://dansguardian.org/

Great free content filtering and I think it comes with a list of sites already you just have to backtrack to get the list the way you want it.

if you can not use something like that make sure you block extensions such as:

ade .adp .bas .bat .chm .cmd .com .cpl .crt .eml .exe .hlp .hta .inf .ins .isp .jse .lnk .mp3 .mdb .mde .msc .msi .msp .mst .ocx .pcd .pif .reg .scr .sct .shs .url .vbs .vbe .wma .wmv .wsf .wsh .wsc

Also here at my company we block all webmail sites to prevent users from accessing their personal email.

http://webmail.(domain).com

Hope that helps.

[Tiger Shark]

This is a much bigger question than you think.....

There are some places you can block whole domains personal access, (I call them the "choke points"), to all things the domain provides such as personal email. The biggies are, (and they have to be done by FQDN because they rotte through numerous IP addresses):-

login.yahoo.com
login.passport.com
myscreenname.aol.com (I think it is).

By preventing them from logging onto the service you keep them off all the email servers etc.

But then the Lusers start getting email from other places regardless of the "you will be fired" policy and then these fail. i run through my logs every couple of weeks and search for:-

webmail
email
mail
login
pipeline, (a lot of universities use Pipeline to allow access to their personal stuff)
chat
messenger

and then I add the appropriate ones to the blocked list. To start with it is a big job but after a while it gets managable and is worth the time rather than chasing worms around your network.

You can stop most of the instant messengers by blocking their default ports, (Google them 'cos my old mind will get them wrong).

If you need more specific help just yell... I have most of this trash blocked and can tell you what I did to kill it.

[fyrewall]

as your users visit them for the first time you can block them.

I'd block public mail

www.gmail.com
www.hotmail.com
www.yahoo.com etc

then porn sites
script kiddie sites
malicious sites (how to make bombs etc)
dating sites (find people online)
chat rooms/some forums (not antionline)

block irc, msn all the chat programs you can think of

one website that isnt blocked where i am is www.kissg.com so dont forget that one heh.

we do have sites for games like www.miniclip.com open

you mainly wanna stop people from accessing email sites, chat rooms, porn, online gambling/betting, dating etc

hope some of these help dude