12

At several places I've done some work at, I have a suspicion that some of the executives browse porn on their work computers. It appears this porn surfing has led to virus infections on their computers despite the presence of an anti-virus. Filtering these specific users' browsing is not an option, so what would my next best solution be? I put Firefox + Adblock pro on their computers. I'm tempted to add NoScript, but I'm worried they'll start calling when NoScript interferes with browsing on legit websites. Is there anything else I can do to mitigate this risk?

Brett G
  • 2,023

13 Answers

7

Use OpenDNS Low filtering and tell them that you are securing the company against malware, phishing, etc. You can put in legitimate exceptions by "Manag[ing] individual domains". They're not going to come to you to except porn sites, now are they? ;-)

Cheers

HTTP500
  • 4,861
7

You say: "It appears this porn surfing has led to virus infections on their computers despite the presence of an anti-virus."

I see too many answers focusing on the porn aspect of the issue.

One might land on a porn type "trap site" even when searching for something as innocent as a cookie recipe or pictures of the latest Corvette model.

Since you are already using an antivirus product, it is probably time to review its usefulness and replace it.

But above all else, you need to be certain what is actually causing the infections other than "..this porn surfing..."

dimitri.p
  • 657
6

Use IE8 or Chrome, which run at a security level below standard user. Run them as a standard user on Windows XP/Vista, so that they cannot harm their machines.

And on Windows Vista: IE8 and Chrome run at a lower integrity level.

Ian Boyd
  • 5,453
5

Might want to try a sandboxing app like Microsoft's Steady State: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

I'd also recommend a real time malware scanner, such as Windows Defender, on top of whatever anti-virus you're running. Perhaps add in a cloud based malware scanner like Threatfire or Prevx as well.

3

Filter - but don't block porn. AV and page analysis at the gateway. Block exes. Show them how firefox is the porn fiend's browser-of-choice.

TBH, I would even be careful admitting you know why, never mind vocalising those thoughts... whatever you need to do has to be fair invisible to the user. Good luck!

Tom Newton
  • 4,251
2

Back when I first got into IT, I worked in a small mom-and-pop shop where we went to a lot of small offices. We'd work on their personal computers too for the same rate, and whenever there was a frequent porn surfer I'd just burn them a copy of knoppix, show them how to boot to a CD and go.

Edit: Have you tried addressing the fact that they are using work computers to look at porn with your boss? You may not have influence over them but someone up the chain can give them a "cmoonnnnnnn"

MDMarra
  • 101,323
2

Another possible option: install Hyper-V on their machine, and once you have a clean .VHD of their computer setup you can let them go. Especially if they're using networked profiles, this would allow them to trash their local machine and for you to restore the original VHD, and their network profile will still be the same, so you could have them recovered instantly.

Word of advice, I'd be very careful with bringing up the topic of why these computers keep having issues if they're at the executive level. Said to the wrong person you might end up with a pink slip.

2

Sandboxie can be useful for this purpose. Generally it tries to intercept all disk writes and stores them in a sandbox folder. I find it works particularly well when combined with an instance of Portable Firefox.

Zoredache
  • 133,737
2

Options I'd look into...

1) inline filtering. I thought I ran across this setup before; basically having HTTP traffic filtered for malware as they're surfing (filter for content of malware, not block the porn...wanted to make that clear). Something like the implementation for HAVP-Squid Secure Proxy or WebScan from this page. There may be others on that list too.

2) Sandboxie. There may be other software similar to this.

3) Faronics Deep Freeze; however, users can only save data to network drives, their profile, or external drives (or other partitions you configure for saving data to). When you reboot, the computer goes back to the way it was when frozen. We don't run antivirus on systems with this on it since anything that infects it will disappear at reboot (we found deleting c:\Windows to be cathartic...rebooting recovers the OS). This will still let them infect their profile but their system will be safe.

4) Use something like Partimage or other imaging software that will let you create hard drive snapshots in order to recover their systems when they're infected.

That's everything off the top of my head that I would explore as possibilities...

1

There are ways to deal with these issues but you're going about it all wrong. First, you need to get your facts together. Suspicions and assumptions are useless. This is a simple and routine admin task.

  • Find out why the AV software appears to be ineffective and either fix or replace it
  • Find out where the infections are coming from, without the guesswork
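
One way to replace the guesswork with evidence, as an added example that is not part of the original answer: correlate each anti-virus detection with the web requests the same machine made shortly before it. The log formats, host names, domains and the two-minute window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data. Assumed formats: AV export "time host detection",
# proxy log "time host method url content_type".
AV_EVENTS = """\
2009-06-02T10:15:40 PC-A Trojan.Generic
2009-06-03T14:02:10 PC-B Trojan.Generic
"""
PROXY_LOG = """\
2009-06-02T10:05:00 PC-A GET http://news.example/index.html text/html
2009-06-02T10:14:55 PC-A GET http://recipes.example/cookies.html text/html
2009-06-02T10:15:01 PC-A GET http://ads.example.net/banner.js application/javascript
2009-06-02T10:15:05 PC-A GET http://cdn.example.org/update.exe application/octet-stream
2009-06-03T13:40:00 PC-B GET http://intranet.example/home text/html
2009-06-03T14:01:30 PC-B GET http://ads.example.net/banner.js application/javascript
2009-06-03T14:01:50 PC-B GET http://cdn.example.org/update.exe application/octet-stream
"""
WINDOW = timedelta(minutes=2)  # how far back from a detection to look

def parse(text, fields):
    """Split each line into `fields` columns; column 0 becomes a datetime."""
    rows = [line.split(maxsplit=fields - 1) for line in text.splitlines()]
    return [[datetime.fromisoformat(r[0])] + r[1:] for r in rows if len(r) == fields]

def preceding_requests(av_text=AV_EVENTS, proxy_text=PROXY_LOG):
    """Yield (host, url) for requests a host made within WINDOW before a detection."""
    requests = parse(proxy_text, 5)
    for when, host, _name in parse(av_text, 3):
        for ts, req_host, _method, url, _ctype in requests:
            if req_host == host and when - WINDOW <= ts <= when:
                yield host, url

def suspect_domains():
    """Rank domains by the number of infected hosts that contacted them."""
    pairs = {(host, urlsplit(url).hostname) for host, url in preceding_requests()}
    counts = Counter(domain for _host, domain in pairs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def executable_fetches():
    """Requests in the window whose URL path ends in .exe."""
    return [(h, u) for h, u in preceding_requests()
            if urlsplit(u).path.lower().endswith(".exe")]

if __name__ == "__main__":
    for domain, hosts in suspect_domains():
        print(f"{hosts} infected host(s) contacted {domain}")
    for host, url in executable_fetches():
        print(f"{host} fetched {url}")
```

Domains that show up before detections on more than one machine are the ones to examine first; the ranking is a correlation to follow up on, not proof of the source.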
0

My recommendation would be to find whitepapers from companies like Finjan, McAfee, etc. that talk about "drive-by malware". I recall that Finjan in particular has case studies about major retailers whose sites were hacked and used to distribute malware.

Use that pretense to wave your hands and get a few executive-types excited, then use the chaos to implement a few improvements, like:

  • Upgrade to Vista/7
  • Have them run as unprivileged users
  • Provide them with an admin account without internet access
  • Install appropriate tools to protect the network (like a local firewall)

You also need to manage the political situation. If you have multiple people in IT, designate one the "Executive Support" person, and make executive work the priority 1 and track the work. When other projects drag, the reason becomes the amount of cycles that VP Fred and EVP Bob are using up. (Don't mention the porn) You can't just whine about it -- you must explicitly document it.

Keep in mind that you cannot solve the world's problems. If it is acceptable for people to use company assets to futz around with porn, your options are limited. Just make an honest effort to mitigate the risk to the enterprise as a whole, and cover your ass in the process.

duffbeer703
  • 22,305
-1

Enable a group policy that forces IE browser history to be kept for, say, 30 days. Then have it hide the tab that has the clear history on it. I think the tab can be hidden; I know you can set it to prevent them from clearing.

Make it company wide, it's simply a new security policy....... :)

Caught in the act would be what you're going for.

If not, then go with the CD idea. Release a company policy that says we understand when travelling one may need to use company assets for visiting personal sites. As such we are providing all laptop users with a bootable CD that will allow separation of personal and company internet browsing. They'll clue into it without it actually being said.

or do both :) That forces them to use the CD.

-3

Give them a bill for your time fixing the PC and suggest they simply subscribe to a site. I'm sure it would be less expensive and give them a "clean" path to what they seek.

Kevin Kuphal
  • 9,194