Solutions Snapshot
PROBLEM
You need to block access
to thousands of unwanted Web sites without
spending a lot of money.
SOLUTION
If you're already running ISA Server 2004 or
2006, you can use an
inexpensive blacklist
service and a couple of
scripts to prevent access
to inappropriate Web sites.
WHAT YOU NEED
ISA Server 2004
or 2006, blacklist
service subscription,
ImportBlacklist.vbs and ScheduledUpdate.bat
scripts
DIFFICULTY
3 out of 5
Content-filtering products such as those from
Websense and SurfControl are wonderful
for regulating your users' access to undesirable Web sites, but they aren't cheap. If you have
Microsoft ISA Server 2004 or ISA Server 2006, you
can use it and a blacklisting service to block access
to off-limits sites.
Blacklisting services maintain lists of Web sites
that contain pornography, hate speech, violence,
hacking tools, or other prohibited content. You can
subscribe to an inexpensive blacklisting service and
import its list (typically updated each week) into ISA
Server with a script. In fact, I've included a free script
for doing this with this article. This might sound complicated, but don't worry, it's not hard to do. Let's walk
through the steps together.
Step 1: Use ISA Server
Of course, you must have ISA Server 2004 or 2006,
and your users' Web browsers must be configured
to go through it for HTTP access to the Internet. This
article assumes you've already got this set up, but if
you don't, you can download a trial version of ISA
Server from http://www.microsoft.com/isaserver. If
you have Microsoft Windows Small Business Server
(SBS) 2003 Premium Edition Service Pack 1 (SP1) or
SBS 2003 Premium Release 2 (R2), it includes ISA
Server 2004.
Step 2: Create a
Domain Name Set
In ISA Server, you can use firewall policy rules to grant
or deny access to a domain name set—that is, a list of
DNS domains. The list can include a mixture of fully qualified domain names (e.g., www.windowsitpro.com) and domains with wildcards (e.g., *.microsoft.com). We need to create a domain name set to hold
the hundreds of thousands of domains we wish to
block. Let's call it Bad-Sites.
To create the Bad-Sites domain name set, open
the Microsoft Management Console (MMC) ISA
Server Management snap-in, expand the container
list under your ISA Server, and click the Firewall Policy
container to highlight it. Next, right-click the Firewall
Policy container, select View, and select Task Pane (if
it's not already selected). The task pane will appear
on the right. In the task pane, click the Toolbox tab,
then click the Network Objects category. Right-click
Domain Name Sets and select New Domain Name
Set. Enter the name Bad-Sites and click OK. At the
top of the console window, click Apply to save the
changes. Figure 1 shows the Bad-Sites domain name
set on the Toolbox tab. The Bad-Sites list is currently
empty, but we'll fill it with blacklisted domains in a
moment.
Step 3: Create a
Blocking Rule
Once you have your Bad-Sites list of unwanted
domains, you'll block access to those sites with a rule
in the firewall policy. This rule will come just before
the rule that otherwise allows Internet access, which
I'll assume already exists.
To create the rule that blocks requests to Bad-Sites,
click the rule in your firewall policy that permits your
users Internet access. Next, right-click the Firewall
Policy container in the ISA Server Management
console, select New, Access Rule, name the rule Site_Blocker, click Next, select Deny, click Next, accept the
default for the rule to apply to all outbound traffic, and
click Next. Click Add and add the Internal Network to
the list of sources (expand the Networks folder to see
the Internal Network object), click Next. Click Add and
add the Bad-Sites domain name set for the destination
(expand the Domain Name Sets folder to see the BadSites object), click Next. Accept the default All Users
option, click Next, and click Finish.
Right-click your new Site_Blocker rule to move it
up or down, if necessary, to place it just above your
rule that allows users Internet access. Click Apply
at the top of the console to save your changes. You can see the completed Site_Blocker rule in Figure 1,
including the Bad-Sites set in the To column.
See “More Web Filtering” for guidance
on blocking certain file types and using other ISA
Server content-filtering features.
Step 4: Download a Blacklist
You now have a rule named Site_Blocker that prevents access to domains in the currently empty
Bad-Sites list. This list must now be filled with the
hundreds of thousands of domains that have undesirable content, and it must be updated at least weekly.
But where can you get this information in a usable
form? And how can you load it into your list?
Fortunately, free and inexpensive sources of
blacklists are available on the Internet that can be
imported into your Bad-Sites list. Perhaps the best known free blacklists are for the squidGuard (http://www.squidguard.org/blacklist) and DansGuardian
(http://www.dansguardian.org) UNIX/Linux filters,
but these blacklists work just fine with ISA Server
too.
I prefer the inexpensive blacklist service at http://www.urlblacklist.com. As of this writing, a business
can download an updated blacklist once per week for less than $190 a year with no per-user limits. Schools
and individuals pay less. Because URLBlacklist.com
is a commercial rather than free service, its blacklists
are managed better and the service is more likely to
still exist a year from now. You can download a small
demo blacklist for free to try out the service.
When you download one of these blacklists, it
will most likely be in a GNU zip (gzip)–compressed .tar file—that is, a file that ends with the .tar.gz extension. You can use graphical programs such as WinZip
(http://www.winzip.com) to extract your blacklist text
files, or you can get Windows versions of gunzip.exe
and tar.exe for free from http://unxutils.sourceforge.net
(notice that unxutils has only one i) or in the free Microsoft Windows Services for Unix (SFU) at http://www.microsoft.com/technet/interopmigration/unix/sfu.
To use gunzip.exe and tar.exe with the bigblacklist.tar.gz file downloaded from http://www.urlblacklist.com, move bigblacklist.tar.gz into a new folder and
execute the following commands in a CMD shell to
extract the blacklist files:
gunzip.exe bigblacklist.tar.gz
tar.exe -xf bigblacklist.tar
These commands will create a new folder that
contains all the blacklist files. The files are placed into subfolders named after their contents.
For example, one of these subfolders will be
named porn, and in the porn folder you'll find
a large text file named domains.
We'll use a script to import the porn domains text file into our blocked Bad-Sites
list. Then, we'll use another script to automate
downloading blacklist updates and importing
them into Bad-Sites.
Previous
Register
