What is there in terms of technical/operational security policy when it comes to a corporate internet service?

If you have already got:
a) an internet usage policy
b) a best practice browser configuration that can't be amended (locked through GP)
c) proxy appliance that logs internet activity and blocks access to malicious sites

What other controls are there around an internet service? Can you list any above and beyond those 3?

asked 11/28/2011 07:04

pma111 ♦♦

7 Answers:
Other than a baseball bat with "User Adjustment Tool" painted on it,..I can't think of anything,...many places don't even have all three of those above.

I use for blocking sites instead of the firewall/proxy, is more effective because it works at the DNS Level.  Since it stops the sites from resolving, a request for the site never happens, so there is nothing to block,...and since users aren't allowed to make outbound DNS queries there is no way for them to get around it.

I don't use GPO,...too inflexible.  I use proxy autodetection via WPAD.  Since the firewall proxy is the only way out to the internet,...users removing proxy settings from the browser causes them to simply "go nowhere"; the users are forced to leave things alone.


pwindell
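
An added example, not part of the thread and not pwindell's own configuration: a minimal `wpad.dat` (PAC) file of the kind WPAD delivers, written so that external destinations get the proxy with no `DIRECT` fallback. The proxy host `proxy.corp.example:8080`, the internal zone `corp.example` and the `10.0.0.0/8` range are assumptions made up for illustration.

```javascript
// wpad.dat: browsers that autodetect via WPAD call FindProxyForURL(url, host).
// All values below are constructed assumptions, not taken from the thread.
var PROXY = "PROXY proxy.corp.example:8080"; // hypothetical proxy listener
var INTERNAL_SUFFIX = ".corp.example";        // hypothetical internal DNS zone
var INTERNAL_NETS = [["10.0.0.0", 8]];        // hypothetical LAN range

// Dotted-quad IPv4 -> unsigned integer, or null when the host is not IPv4.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside base/bits (plain arithmetic, no 32-bit overflow).
function inCidr(ip, base, bits) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

function isInternal(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop trailing FQDN dot
  // Single-label intranet name; IPv6 literals contain ':' and are excluded.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  // Suffix match includes the leading dot, so "evilcorp.example" fails it.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable, the request fails
  // instead of quietly trying to leave the network unproxied.
  return PROXY;
}
```

The PAC file only steers well-behaved browsers; the enforcement is the firewall refusing any outbound web traffic that does not come from the proxy, which is the condition the answer above relies on.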


Love the bat idea....

answered 2011-11-29 at 06:54:01

jmeggers


Thanks for the feedback

So covering the above 3 is covering all bases?

answered 2011-11-29 at 07:31:38

pma111


I guess that depends on how many bases there are.
There is no such thing as "I have sought after security,...and now I have arrived".

But a general answer to the question,...yes,...those are the main common approaches.
I've been doing this for over a decade and I only use #1 and #3.  I don't use #2 because I don't depend on a silly browser for any kind of security other than keeping it patched. I use GPO but not for things like this,..I only use GPO for things that don't have to be very flexible because GPO is too rigid, can't compensate for changing circumstances.  

A huge thing to do is to make sure users remain normal users and are not allowed to be local Admins on their machines,...then you can let the natural restrictions MS built into Windows be a good way to "box in" users' abilities.

answered 2011-11-29 at 07:35:35

pwindell


As I think more about it,...maybe you need to stop thinking of it as a Corporate Internet Policy and start thinking of it as a Corporate Security Policy,...think bigger picture.  I mean the whole point of being safe from the internet is to keep the whole LAN safe.  So measures like not letting users be local Admins play into a lot more than just being safe from the Internet.

answered 2011-11-29 at 07:45:08

pwindell


I appreciate your points re internet security vs corporate security, but in this instance we were trying to group control families per "technology" or "IT service", as opposed to looking at the whole picture.

When you mention

>>I've been doing this for over a decade

is that audits/reviews of internet security, or management of internet services/web monitoring tools?

answered 2011-11-29 at 07:52:47

pma111


I've been the IT Manager for an NBC Affiliated TV News Station for over a decade.   I'm a "one-man" IT Dept.  I'm just an "IT Guy" that's all,...not an auditor or any kind of "specialist" other than I am an MS MVP for Microsoft Forefront focusing on ISA/TMG.

Basically I'm just a grouchy old fart that's been doing this for what seems like "too long".

answered 2011-11-29 at 07:58:27

pwindell


Asked: 11/28/2011 07:04

Seen: 398 times

Last updated: 11/29/2011 12:13