Proxy server that logs domain user names

Darkstar850

Some of the salesmen are using company computer(s) at my dad's small business to view porn. Now I wish I would have gotten SBS premium to have ISA, but I don't. So we are considering setting up a proxy server on one of the old retired machines that isn't doing anything.
However, all of the salesmen use the same machine, so I need whatever software I end up using to log the username on the machine as well, if possible. I will probably set it up for filtering later, but at first I just want it to passively log traffic, so that I can find out who or whom is inappropriately using the company computer assets.
I looked at some of the more commonly referenced linux firewall/proxy packages, but I was unable to tell specifically if they'd be able to log domain names. Anyone have a recommendation?
 
I have a squid proxy on a linux machine that requires login. In this way it reports who it was that logged in viewing the sites.

I don't have any filtering on it though.
 
Darkstar850 said:
Now I wish I would have gotten SBS premium to have ISA, but I don't.

What do you have currently on the server? SBS 2003 Standard can be upgraded to premium.
 
SJConsultant said:
What do you have currently on the server? SBS 2003 Standard can be upgraded to premium.

Yup, it's standard, and I am aware that it can be upgraded to premium, but the budget for this project is extremely low (being approximately 0). Buying a server, SBS, 5 workstations, Trend CSM, a decent router and a switch was as much as he could afford currently. Actually I even financed a good bit of it.
 
AFAIK the free linux based systems will not log usernames. At best you'll only log date and time.

You need a product which integrates with AD in order to obtain the information you are looking to record.
 
If they all use the same computer, lock it down to a guest account and put in IE rules and a host file - you can tell IE to block any pages that don't have any rating or a rating you approve.
 
MrGuvernment said:
If they all use the same computer, lock it down to a guest account and put in IE rules and a host file - you can tell IE to block any pages that don't have any rating or a rating you approve.

Locking it down is for the future, first step is to catch whoever is doing it. Also, this is a domain environment. I don't want them using a guest account, they need to use their own accounts for email and such.
 
Understood - but locking down could still be done with a guest account, or if you have a Domain Controller you can control their access from it, I believe.

Good luck catching them!!
 
Nate7311 said:
Might look at Censornet Linux based but user-level access through integration with NT and/or AD domains.

I can understand that they'd want to charge for the AIC (damn, that's expensive) because it is pretty swanky software (too bad it isn't GPL'd too). What I don't understand, why the 100 pounds for a simple blacklist update? That's ridiculous. If it weren't for the extremely high cost of censornet, I would suggest its use at a couple of local schools at which I volunteer.
 
How many people are we talking? I know it's not ideal, but you're saying it's temporary so I don't know if setting up the Linux server with squid is out of the question. Yes, it requires a second set of login info apart from the domain, but for small numbers I think it's the cheapest short term solution until you get into actually blocking everything. At that point you don't need the logins as the blocking will be across the board.
 
I am going to look at squid. I would rather it be transparent so they aren't aware of anything, but I am sure I can make up a good story for the extra login. Heck, even if that prompted them to stop, it might be worth it.
 
Darkstar850 said:
I am going to look at squid. I would rather it be transparent so they aren't aware of anything, but I am sure I can make up a good story for the extra login. Heck, even if that prompted them to stop, it might be worth it.

You gotta decide what your goal is here. Do you want the activity to stop or do you want to catch who is doing it? If you just want it to stop, have a general meeting and tell them from now on their internet is being monitored. 90% of the time this will be enough - regardless if it's actually being done. If you want to catch the person, then you need a transparent proxy that doesn't ask for a user/password. Could you just tie the activity to the person by date/time? They can't all be on 1 PC at the same time. (Let's see here, Joe you were in Boston, Bob you were in New York, well, must have been you Fred!) :)

In a perfect world you could do both, but I don't think that's possible with your stated budget of $0.
 
http://www.acmeconsulting.it/pagine/opensource/squid/SquidNT.htm

Squid Proxy for Windows.

Download the latest basic version, install, configure to your specs, and add/uncomment these lines in the config in the proper locations (make sure you read and understand the entire basic config file first, otherwise stuff is not going to work properly):

Code:
# NTLM authentication helper and its pool of helper processes
auth_param ntlm program C:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# Basic authentication, offered alongside NTLM
auth_param basic program C:/squid/libexec/nt_auth.exe
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# External ACL helper: checks the authenticated user's group membership (result cached for 1800 s)
external_acl_type NTGroups ttl=1800 %LOGIN C:/squid/libexec/win32_check_group.exe -G

acl AllowedUsers external NTGroups "C:/squid/etc/ntgroup.txt"
acl AuthorizedUsers proxy_auth REQUIRED

# Allow only authenticated users who are in a group listed in ntgroup.txt; deny everything else
http_access allow AuthorizedUsers AllowedUsers
http_access deny all

ntgroup.txt contains:
Proxy-Users

Add all users that need access to the internet to a Global Group on the AD or PC that is running Squid named Proxy-Users. Any users not in this group will get an error message instead of web pages. This will log all access by time, date, site and authenticated username into the squid log file. Disable all outbound access at the network firewall and require everyone to use the proxy server for access. You now have a proxy that logs usernames.
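
An added example, not part of the original post: a short Python script that turns the resulting Squid access log into a per-user list of visited hosts. It assumes Squid's native access.log layout with the authenticated username in the eighth field; the log lines, domain name EXAMPLE, usernames and hosts are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = r"""
1108742400.123    12 192.168.1.20 TCP_DENIED/407 1720 GET http://www.example.com/ - NONE/- text/html
1108742400.456   310 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ EXAMPLE\jsmith DIRECT/192.0.2.10 text/html
1108742460.001   280 192.168.1.20 TCP_MISS/200 9100 GET http://video.example.net/clip EXAMPLE%5Cjsmith DIRECT/192.0.2.20 video/mpeg
1108746000.900   150 192.168.1.20 TCP_MISS/200 2048 CONNECT mail.example.org:443 EXAMPLE\bjones DIRECT/192.0.2.30 -
this line is truncated
"""

def parse_line(line):
    """Return (utc_time, client_ip, user, host), or None if the line is unusable."""
    fields = line.split()
    if len(fields) < 10:
        return None  # blank, truncated or non-native line
    try:
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except ValueError:
        return None
    # Some builds log DOMAIN\user, others escape it as DOMAIN%5Cuser.
    user = unquote(fields[7])
    if user == "-":
        return None  # no authenticated user, e.g. the 407 challenge itself
    method, url = fields[5], fields[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]  # CONNECT logs host:port, not a URL
    else:
        host = urlsplit(url).hostname or url
    return when, fields[2], user.lower(), host

def requests_by_user(log_text):
    """Group (time, client, host) tuples under each authenticated username."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            when, client, user, host = rec
            report[user].append((when.strftime("%Y-%m-%d %H:%M:%S"), client, host))
    return dict(report)

if __name__ == "__main__":
    for user, hits in sorted(requests_by_user(SAMPLE_LOG).items()):
        print(user)
        for when, client, host in hits:
            print(f"  {when} UTC  {client}  {host}")
```

Because every salesman shares one machine, the client IP is identical on every line; the username field is what separates them.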
 
Darkstar850 said:
I am going to look at squid. I would rather it be transparent so they aren't aware of anything, but I am sure I can make up a good story for the extra login. Heck, even if that prompted them to stop, it might be worth it.

Why go with transparent? Let the employees know what is being changed and tell them how it is going to be. If they don't like it they can find employment elsewhere. Trying to be sneaky about monitoring is just dumb and hurts morale when employees do find out. It's the business owner's network, facilities and equipment. The owner(s) can monitor, limit or flat out deny access in any way they feel necessary as long as they notify the employees that they are being monitored and logged at all times.

Tell the employees, who should all be behaving like proper adults at work, to keep their freaky shit at home.
 
Goofball said:
Why go with transparent? Let the employees know what is being changed and tell them how it is going to be. If they don't like it they can find employment elsewhere. Trying to be sneaky about monitoring is just dumb and hurts morale when employees do find out. It's the business owner's network, facilities and equipment. The owner(s) can monitor, limit or flat out deny access in any way they feel necessary as long as they notify the employees that they are being monitored and logged at all times.

Tell the employees, who should all be behaving like proper adults at work, to keep their freaky shit at home.

Gotta completely agree here. We tell everyone that while we don't actively monitor things, we CAN and reserve the right to at any moment in time. Of course this gets into a written IT policy for employees that should be made public and available for reading.
 
deuce868 said:
Gotta completely agree here. We tell everyone that while we don't actively monitor things, we CAN and reserve the right to at any moment in time. Of course this gets into a written IT policy for employees that should be made public and available for reading.

That's what we do. We don't actively look at our logs either, but recently I noticed someone was watching some pretty nasty videos on a computer as I was walking by, but I didn't get the chance to figure out who it was. I did know what computer and what time it was at; that was all I needed to know. :) He got a day off w/o pay!
 
They were notified that company computer assets are for company use, and that they may be monitored for inappropriate use. However, this is a very old line, industrial industry, and some of the employees have an entitlement attitude. Basically, my dad wants to know who it is, since some of the salesmen aren't pulling their weight anyway, and if you can't sell enough equipment you certainly don't have time to be looking at porn at work.
I don't mind a little non-work use. Some people have sent email to friends and family, and I turn a blind eye to that. Heck, I would be a hypocrite if I was a hard liner about the policy, as I have a fair bit of down time at my job if nothing is breaking. However, I spent a lot of time and money setting this up, and I draw the line at porn viewing.
 