Block or Disable Port 80?

Windows XP Pro, SP3. Please hear me out first, because I do definitely need to block Port 80 on one of the work computers.

Here's the story: We have an employee who wastes a lot of time on the WWW. But everyone in the office—including my boss, the owner of the company—is apparently afraid to confront him. The Office Manager came and asked me if I could block the Internet on that machine. I told her I could, but not on my own authority; that she should check with the boss first. The boss said OK, and now expects me to take care of it so that he doesn't have to confront the employee.

So I went to Set Program Access & Defaults-->Microsoft Windows-->Custom-->Internet Explorer, and unchecked "Enable access to this program." I assumed that would be enough of a hint, because it removes the Quick Launch shortcut and removes Internet Explorer from the Start menu. I assumed that it would block Port 80 and throw up an error at any attempt to run Internet Explorer.

But I was wrong. Turns out the user was smart enough to go into the Programs folder and run it from there. Damn thing ran without a hitch.

Now here's the catch: I would just yank the stupid Ethernet cable, but this particular employee does the UPS shipping and needs to run UPS Worldship. There's also a proprietary program on the local Intranet that has to be available.

I've tried gpedit.msc. There are a million settings for Internet Explorer, but they're all configurations for running a functioning browser—not for turning it off.

Did a Google search, but of course 99% of the hits are: 1) "Why do you want to disable Port 80?" 2) "No. You never want to disable Port 80, you idiot—you won't be able to use the Internet!" And the remaining 1% are 3) a few technical discussions mainly dedicated to the proposition that "you really can't disable Port 80—and anyway, you'd lose your Internet connection!"

So: Does anyone know of any straightforward way to block/disable Port 80? Or even a complicated, non-straightforward way? I have the time and adequate proficiency....

In the router configuration you can block ports, you just have to set the computer in question to a static ip address.

reply to post by shaneslaughta


Block the port for just that one computer? Like in the "Pinhole" (AT&T terminology) configuration? Details?

reply to post by Ex_CT2


set a static ip on the pc, and router on the LAN side. it forces the router to only allow certain ports on certain machines.

Configuration depends on your router and operating system.

if you give me your router make and model along with operating system info i will do my best to explain it.

Management being scared to confront their employee is the problem that needs to be solved first - management's first priority is to discuss business expectations with their team.

Technically it's possible, even legally within the rights of the business to limit web access of an employee, but doing so is an investment, especially to solve what is currently a one-person issue.

Is the person worth buying an $X000.00 piece of equipment and implementing a website access control policy for? Are they really that unreplaceable (or is it really worth that much to /NOT/ confront that employee)?

If so, take a look at contracting a network admin competent with Cisco Web ACLs and give him a budget.

If not, have the conversation - you'd be surprised at the decisions rational people make when they hear the options the business is facing.

reply to post by cryptographrix


Most routers have the capability to customize port routing and blocking and the capability to reserve ips for specific machines...this guarantees that only the single machine is blocked from the web.

reply to post by Ex_CT2


I am uncertain of the specific port your software will need to communicate. This is also something you will have to look in to.

reply to post by shaneslaughta


Yeah, I've a reason to set a static IP on all computers; done that.

Connecting to my work computer now to get the model. I know the damn thing as well as I know my own name, but it's slipped my mind. BRB....

reply to post by shaneslaughta


But, wouldn't that affect all traffic going to/from port 80? I believe (if I read his post correctly) that access the the Internet for valid business reasons was needed fir this employee...blocking all traffic on port 80 would effectively shut off ALL access to non-SSL web traffic (since SSL defaults to port 443 it would not be affected). I would think applying a whitelist filter would be a better alternative, and more cost effective across the business.

reply to post by Ex_CT2


oh for f's sake

install a fire wall password protect the settings

block the port

block the access to startup settings, so he can't disable firewall

geesh

if this guy is a hacker and can override, then go to registry and F him up

and if you are a techie for your company, fire yourself

reply to post by shaneslaughta


Netopia 3347-02.

I have the manual. Just can't locate it at the moment. I can look it up tomorrow, unless you just have at your fingertips.

Originally posted by AnyoneSeenJustice
reply to post by Ex_CT2

 

oh for f's sake

install a fire wall password protect the settings

block the port

block the access to startup settings, so he can't disable firewall

geesh

if this guy is a hacker and can override, then go to registry and F him up

and if you are a techie for your company, fire yourself

No need to be rude. Not everybody does this everyday. It's not even my main job. Jeez, guy. Not everybody's your level of genius....

ETA: But, as always, a star for all participants....

reply to post by Krakatoa


Some router employ that ability, some are only configurable with port blocking. The software for the business may not use port 80....there are thousands of ports available for the pc software. port 80 is mostly used for web browsers like IE or FF.

This is a cheap way to ensure that only work related tasks are allowed internet access. Provided the port used for communication isnt 80.

reply to post by shaneslaughta


Very few sub-$500 routers have the capability to create firewall ACLs for a single networked host.

Netgear routers have "live parental controls" that block categories of websites for all hosts on the network, as does Belkin's "Parental control web content filter."

Thinking /maybe/ a cisco SOHO/SMB router /might/, but only through telnet, and while I'm sure the Vyatta-based Ubiquiti EdgeRouter can, you're still going to need that network admin and the business decision of what ACL policies they want to implement or enforce.

Depending on the type of business they're in, they may have to create a network access policy for their entire workforce.

But ultimately, neither of those are the real issues - the real issue is that management is not directly addressing what it believes is counterproductive. Depending on the employee's wage, that conversation could cost anywhere from $7-$200...still cheaper than doing creepy and passive aggressive stuff around him.

Do you want to work for a business that singles someone out in secret for a secret form of discipline?

Originally posted by cryptographrix
Management being scared to confront their employee is the problem that needs to be solved first - management's first priority is to discuss business expectations with their team.

Technically it's possible, even legally within the rights of the business to limit web access of an employee, but doing so is an investment, especially to solve what is currently a one-person issue.

Is the person worth buying an $X000.00 piece of equipment and implementing a website access control policy for? Are they really that unreplaceable (or is it really worth that much to /NOT/ confront that employee)?

If so, take a look at contracting a network admin competent with Cisco Web ACLs and give him a budget.

If not, have the conversation - you'd be surprised at the decisions rational people make when they hear the options the business is facing.

edit on 14-8-2013 by cryptographrix because: clarification on the second sentence

You're right on all counts. My boss might as well be a worker there, not the owner. He doesn't want to be the boss. Problem is, he doesn't really want anybody else to be the boss either.

I just told the employee that I'd been told to disable Internet access on all the "outlier" machines, as if his was just one of several. That way, if he wants a conversation with the boss, it becomes his responsibility.

reply to post by shaneslaughta


Ahh, I see. He has the router using a port other than 80 for access to the 'Net. Then, blocking 80 is less of an impact then in this case.
Thanks for clarifying.

reply to post by Ex_CT2


I believe that that is one that will be from a phone company. It may be locked out on your end. Some phone companies around my area limit your ability to tamper. If you can find the manual, look up how to configure ports and how to reserve addresses. That should get your feet wet.

A firewall is great but you will have to block all access to everything and configure what passes through. If its not a major issue across the board i would go with the first option.

The software should be well documented, you should be able to find out the ports necessary for proper operation.

reply to post by Krakatoa


Well that is my only confusion, not knowing the software and all. All software use different ports to access the net, its more ore less to make sure data takes the correct way into and out of the network.

I have gone into my router settings here at the house to block my daughter from getting on at certain times. (We homeschool and sometimes the fight over getting off the "fun" stuff and back to schoolwork is more work than it is worth.)

This was as simple as accessing the router (not modem)... depending on the model you would connect directly via the ip of the router. (Example: mine is 192.168.1.1 You should be able to find yours with a quick google search.) Of course this is my home network and yours may be much more involved and difficult to deal with.

Another option that I toyed with, but never devoted the time to mess with was Open DNS. Again, I am not sure of your set-up but it may be an option as you said each computer has a static IP.

When all else fails, the marvelous members here on ATS can likely get you up and running in a flash! =) You came to the right place for help.

I do also agree though... this guy just needs to have a discussion with the boss. If your direct boss can't handle it then maybe their boss will. Or an indirect way would be to send out a company "memo" that lays out ground rules for internet usage. Maybe a nice little threat that all employees caught "surfing" will have time docked for the time they are playing... Legality would definitely need to be checked on that one. Just throwing out an idea.

Good luck! I hope you get it working for you soon.

Originally posted by cryptographrix
reply to post by shaneslaughta

 

...

But ultimately, neither of those are the real issues - the real issue is that management is not directly addressing what it believes is counterproductive. Depending on the employee's wage, that conversation could cost anywhere from $7-$200...still cheaper than doing creepy and passive aggressive stuff around him.

Do you want to work for a business that singles someone out in secret for a secret form of discipline?

Look: You're right. But I've learned to pick my fights. This is not really my fight.

I've had conversations with the boss about this very sort of thing. This is his business, and it's truly the only job he's ever had. He didn't go to Boss School. He is completely incapable of grasping the concept of "office politics."

My experience is that ALL jobs are like high school. I'm like the A/V guy. I go to class, I keep my head and my hand down, I have my own little hideout and I do my job. I stay out of clubs and cliques. And, to the extent possible, I don't really want to talk to the Principal about how the school is run....