Blocking Facebook

Discussion in 'alt.windows7.general' started by LocalHero, Nov 15, 2012.

  1. LocalHero

    LocalHero Guest

    Greetings

    Someone has asked me how to stop a computer that can be used by a
    number of people from connecting to Facebook.

    Is this something that could be done with the HOSTS file?

    If so, how would that be done?

    If not, any other ideas for a simple solution?

    Many thanks
    --
     
    LocalHero, Nov 15, 2012
    #1

  2. LocalHero

    Stan Brown Guest

    Good call!

    1. Identify the Facebook domains, such as www.facebook.com. (There
    are probably others; I don't have an account so I can't check whether
    interior pages in the site have a different domain.)

    2. Click the Windows Start button, paste this, and press Enter:
    %WINDIR%\System32\Drivers\etc

    3. Right-click HOSTS and select Edit or Open. You may need to select
    Notepad or your favorite editor.

    4. Add this line at the end:
    127.0.0.1 www.facebook.com
    and repeat for any other domains.

    5. Save and exit. I suspect you will need to reboot.

    Now when you try to access facebook.com your browser should tell you
    that it can't find it. Make sure you let the other users know that
    Facebook is blocked; otherwise they'll waste time trying to figure
    out why it has stopped working.
     
    Stan Brown, Nov 15, 2012
    #2

  3. LocalHero

    Ken1943 Guest

    I don't use the hosts list, but facebook uses two sites at the same time.
    From Firefox noscript.

    facebook.com
    fbcdn.net


    KenW
     
    Ken1943, Nov 15, 2012
    #3
  4. LocalHero

    Char Jackson Guest

    Yes, that's one way.
    Navigate to C:\Windows\System32\drivers\etc and open the hosts file in
    Notepad. That's the entire filename; there is no extension. It may be
    Hidden or Read Only, so be prepared for that. Once opened for editing,
    read the notes that are already there, look at the examples to see how
    easy it is, then scroll to the bottom of the file and on a line by
    itself, add the IP address 127.0.0.1, tab, then enter the URL that
    you'd like to redirect, for example www.facebook.com. Save the file,
    being sure you're not unintentionally adding an extension. No need to
    reboot, Windows will automatically pay attention to your change.

    In effect, what you're telling Windows is that www.facebook.com should
    resolve to the IP address 127.0.0.1, which is a special IP address
    that refers to your own computer, (AKA localhost).
    Many routers have a way to enter a URL, or partial URL, that you want
    blocked. For some people, that would be easier than editing the hosts
    file, especially if you need to block access from multiple computers
    and want to do it all in one place rather than on each machine.
     
    Char Jackson, Nov 15, 2012
    #4
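
The hosts-file edits described in posts #2 to #4, checked in code. This is an added example, not part of any post in the thread: it parses hosts-file text and reports which names are still not pointed at a loopback address, since hosts entries match exact names only and have no wildcards. The function names, the sample text and the `REQUIRED` list are assumptions made for the illustration.

```python
import ipaddress

# Addresses treated as "blocked" when a name maps to them (loopback / unspecified).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.
    Assumption: when a name appears twice, the first entry is the one used."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        fields = line.split()                  # tabs or spaces both separate fields
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # malformed address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table

def unblocked(text, required):
    """Names in `required` that the hosts text does not point at a sinkhole.
    Matching is exact: an entry for www.facebook.com does not cover facebook.com."""
    table = parse_hosts(text)
    return [n for n in required if table.get(n.lower()) not in SINKHOLES]

# Constructed sample: a hosts file holding only the single line from step 4 of post #2.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.facebook.com
"""

# Names mentioned in the thread; a complete block list may need more (assumption).
REQUIRED = ["www.facebook.com", "facebook.com", "fbcdn.net"]

if __name__ == "__main__":
    for name in unblocked(SAMPLE, REQUIRED):
        print("not blocked:", name)
```

On a real machine, pass the contents of `C:\Windows\System32\drivers\etc\hosts` as `text` instead of `SAMPLE`.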
  5. LocalHero

    VanguardLH Guest

    What's to stop those users from altering the 'hosts' file? If users
    have physical access to a host then they can modify its configuration.
    Using admin-level versus limited accounts does not preclude smart users
    from getting around those permissions *within* an instance of an OS.
    They'll just step outside that OS instantiation to make changes. You
    need to employ your censorware somewhere upstream in a host or network
    node to which the users do not have physical access, like at a gateway
    or router host or even further by enforcing your users to use a DNS
    service where you can define what to block in any DNS lookups (which
    won't help if the users use IP addresses instead of hostnames).

    How is a 'hosts' file going to work on a laptop or network that an
    employee brings into work (and upon which your IT department didn't
    set up with their customized 'hosts' file)? Does your company even
    permit the use of non-authorized hosts on their corporate network?

    In your network's router, block all DNS requests (port 53) that go
    anywhere other than to your router. Tell your router to block on
    particular hostnames if that feature is available in your router. If
    not available, configure your router to redirect DNS requests to a DNS
    provider of your choice that lets you add blocks or select categories of
    sites. After all, if your company is trying to prevent its employees
    wasting time at Facebook then why wouldn't they also want to prevent
    wasted time at other ego-stroking childish inane social sites, too? You
    can use OpenDNS for free with a single account there. Besides
    categories you can also block on specific URLs (hostnames) but there is
    a limit of 50 in the free account. If it's a business then they should
    afford a business account at OpenDNS. Of course, if it is a business
    interested in censoring to where their employees navigate outside their
    corporate network then they should be looking at something like Websense
    for censorware.

    If these are children using the same computer, why aren't their parents
    monitoring their activities? Or, at least, employing censorware
    installed on the kiddies computer to regulate where they can visit? If
    they are adults and continue abusing company policy then treat them like
    children and take the computer away from them. If that means they
    cannot perform their work tasks then suspend them without pay for the
    time the computer's access is suspended for their use. Either you treat
    the users as adults that get punished when they abuse their use of
    someone else's property or resources; else, you treat them like children
    for which several censorware schemes are possible. Just telling them
    that all their network connections are being logged and any violation
    results in punishment might be sufficient to deter that abuse but
    obviously that means you must actually have a policy defined that you
    will then enforce.

    To deter without punishment will eventually lead to the abusive users
    finding another means of circumventing your schemes, like using IP
    addresses, proxies, tunneling within other (non-HTTP) protocols, etc.
    If they have the time to waste at work stroking their egos at social
    sites then they also have the time to thwart your local censor measures.
    After all, if they are at work and are expected to work during their
    work hours then do they really need Internet access at all? Are they
    really web site designers testing their output?
     
    VanguardLH, Nov 16, 2012
    #5
  6. Permissions.

    If the users don't have Administrator privileges, they can't edit Hosts
    (or so the experiment I just did indicates).
     
    Gene E. Bloch, Nov 16, 2012
    #6
  7. LocalHero

    Paul Guest

    If someone brings a Linux LiveCD into the picture, then the hosts
    file is open game.

    If you want to engineer filtering, a separate network box is one way
    to do it. It's just a question of what's cheap and doesn't waste
    a lot of electricity. Using a 150W old computer with two NIC
    cards as a filter, is rather wasteful (that's 150W at idle).
    And while tiny router boxes with custom firmware loads are
    one solution, that isn't as convenient as it might be.

    http://www.howtoforge.com/blocking-facebook-web-trackers-at-the-firewall-for-extra-privacy

    The advantage of a separate box, is you can use physical security on it.
    (Lock up broadband modem, and other gear to implement the filter.)
    Then, the only networking service, comes through the filtered connection.

    Paul
     
    Paul, Nov 16, 2012
    #7
  8. LocalHero

    Bob L Guest


    Use Opendns.

    Set up your free account with them, then point your router DNS setting
    to their DNS servers

    On your Opendns control you can block facebook, or all social networks
    etc.



    When they try to access Facebook etc, they will get a message that
    this site is not allowed on this network (or similar)
     
    Bob L, Nov 16, 2012
    #8
  9. LocalHero

    Joe Morris Guest

    [blocking Facebook access]

    Especially if UAC hasn't been disabled.
    That's a valid argument, but only if the users the OP wishes to control can
    boot from removable media. The appropriate security control is to disable
    removable media boot capability in BIOS, then password-protect the BIOS
    settings.

    Incidentally, the suggestions upthread about editing the HOSTS file didn't
    take UAC into account. If it's not disabled and you haven't monkeyed with
    the permissions on the file you'll need to open Notepad explicitly using
    "Run as administrator", then open HOSTS by navigating to
    C:\Windows\System32\Drivers\ETC and selecting the file.

    Or (again assuming that the computer can be secured against tampering)
    configure the firewall (Windows Firewall or one from a third party) to block
    traffic to the Facebook IP addresses.

    The OP didn't specify the context, leaving us without enough information to
    provide a solid recommendation. For example, if the (apparently but not
    necessarily single) machine is a desktop then there's probably a "reset
    BIOS" jumper inside, so if the BIOS setting to prohibit removable media is
    used then the cabinet would need to be secured and the jumper pins taped up
    to prevent someone from poking a wire into the cabinet. Similarly, there's
    no information on whether the users against which the "no-Facebook" policy
    is to be enforced are unknown members of the public, employees/students who
    can be disciplined for attempting to disable the restrictions, or family
    members and their friends. Along the same lines, we don't know just *why*
    the OP wants to restrict access, the answer to which can affect the need for
    a bulletproof block.

    Joe
     
    Joe Morris, Nov 16, 2012
    #9
  10. LocalHero

    Desk Rabbit Guest

    Yup, that's the correct answer
     
    Desk Rabbit, Nov 16, 2012
    #10
  11. LocalHero

    LocalHero Guest

    Thanks Stan

    --
     
    LocalHero, Nov 16, 2012
    #11
  12. LocalHero

    LocalHero Guest

    Thanks Ken

    --
     
    LocalHero, Nov 16, 2012
    #12
  13. LocalHero

    LocalHero Guest

    Thanks Char

    --
     
    LocalHero, Nov 16, 2012
    #13
  14. LocalHero

    LocalHero Guest

    Thanks for all the replies

    The setting is a small company where the "culprit's" computer has had
    internet access stopped because she has been found a number of times
    using facebook. She was then seen using this other computer (the only
    other one accessible to her). The Hosts approach will be fine because
    she doesn't have the level of knowledge to know it exists let alone
    change it.

    --
     
    LocalHero, Nov 16, 2012
    #14
  15. LocalHero

    Desk Rabbit Guest

    The user doesn't need the level of knowledge, all it takes is a friend
    or co-worker with the level needed.

    You should implement a company policy on network resource use and
    enforce it with appropriate hardware/software solutions. If you don't do
    this it will turn into an arms race of the user going to other social
    network sites and services and you editing hosts files on one or more
    machines which will soon spiral into an administrative nightmare.
     
    Desk Rabbit, Nov 16, 2012
    #15
  16. LocalHero

    Justin Guest


    You should probably be more worried about blocking Brazzers.
     
    Justin, Nov 16, 2012
    #16
  17. If she were working for me, she wouldn't be working for me. She is
    stealing from the company. What would you do if you caught her stealing
    office supplies, or dipping into the petty cash?
     
    Dave \Crash\ Dummy, Nov 16, 2012
    #17
  18. LocalHero

    LocalHero Guest

    The company has 3 employees - the manager and two job-share people -
    i.e. the culprit, and her co-worker. Although the job-share people
    don't ever work at the same time, they each have their own desktops.
    Now that the culprit's own PC has been denied all internet access, the
    only other machine she can access is the other person's, and that
    should have the Hosts file modified by now. The manager is quite happy
    to try out this approach for a while.

    --
     
    LocalHero, Nov 16, 2012
    #18
  19. LocalHero

    LocalHero Guest

    You may not be surprised to hear that she is actually suspected of
    stealing cash as well, but it would be impossible to prove it was her.
    But because she has "problems" the manager is too big a softy to pursue
    it. If it were me she'd have been out the door ages ago.

    --
     
    LocalHero, Nov 16, 2012
    #19
  20. LocalHero

    s|b Guest

    OpenDNS's HQ is based in the US, so it falls under US law. For instance,
    the Patriot Act. No way in hell would I use OpenDNS...
     
    s|b, Nov 16, 2012
    #20