Restricted Access

[greggo]

OK. Here's what the WTS says:

"The clerk machines have the newest and most sercure setup from Salt Lake. That is the reason you can only visit approved church sites on these machines. The network setting and internet sites are restricted by the Norton/Symantec program that is managed by the church. I do not have access to override any setting on those machines, and I'm quite certain that no one is given that. This is how they maintain the integrity of the connection over which membership and financial information is transmitted. Their network setting are so restrictive you cannot even install a network printer, thus the problem we encountered with our printer when the new software was installed. The printer problem was resolved by the addition of a print server, which was an approved work around by the stake. Most wards do not have that problem, because in most areas of the country, wards that share a building also share a computer. We are fortunate to have 2 machines but they are not ours to manage. they are controlled via a VPN directly to Salt Lake. So again I'm quite certain in saying these machines will never be allowed additional access to the internet."

Does this make sense to anyone? Do clerk computers need additional internet filtering over what is already filtered by the firewall?

[aebrown]

OK. Here's what the WTS says:

"The clerk machines have the newest and most sercure setup from Salt Lake. That is the reason you can only visit approved church sites on these machines. The network setting and internet sites are restricted by the Norton/Symantec program that is managed by the church. I do not have access to override any setting on those machines, and I'm quite certain that no one is given that. This is how they maintain the integrity of the connection over which membership and financial information is transmitted. Their network setting are so restrictive you cannot even install a network printer, thus the problem we encountered with our printer when the new software was installed. The printer problem was resolved by the addition of a print server, which was an approved work around by the stake. Most wards do not have that problem, because in most areas of the country, wards that share a building also share a computer. We are fortunate to have 2 machines but they are not ours to manage. they are controlled via a VPN directly to Salt Lake. So again I'm quite certain in saying these machines will never be allowed additional access to the internet."

Does this make sense to anyone? Do clerk computers need additional internet filtering over what is already filtered by the firewall?

There seems to be some confusion on a few points:

1. The filtering is controlled by the firewall device, not by the Symantec software (and although Norton was acquired by Symantec years ago, there is no Norton-branded software involved at all). There are ways to have additional filtering, but that is not the default configuration. In order to track down what is happening, it would be helpful if you could let us know what kind of blocking messages you receive when you visit restricted sites. On this thread you can see some screen shots of various block messages; if you report back which of those you are seeing, and in particular what the reported Access Level is, we can probably help you better. But to this point, you have not confirmed that there is even a firewall in place; as I said in this post, I certainly hope you do have one.
2. I have had no problems installing a printer that uses an IP port. I assume that is what is meant by a "network printer" that supposedly cannot be installed. This is how our stake administrative computer is configured at this moment, and it works great.
3. I'm not sure why he thinks "in most areas of the country, wards that share a building also share a computer." This is certainly not true; there are some wards that share computers, but where wards have separate clerks offices, it is far more common that they have their own computer.
4. It's not really accurate to say "they are not ours to manage. they are controlled via a VPN directly to Salt Lake." What controls the configuration is LANDesk software. The settings for LANDesk were set up when Desktop 5.5 (or the Local Unit Security Suite) was installed. Your WTS seems to think the system is locked down so he can't do anything. Although there are some restrictions, I have certainly seen some corporate environments where systems are very tightly controlled; the Church configuration is not wide open, but is by no means locked down.
5. Without knowing your current filtering level, I can't be certain, but I see no justification for the statement, "I'm quite certain in saying these machines will never be allowed additional access to the internet." The intent of Internet connections for administrative computers is to give clerks and priesthood leaders the tools they need to move the work forward. Let's figure out what your access level is, and work through proper channels to try to accomplish that goal.

Your Stake Technology Specialist receives information from the Church and is responsible for all computer issues in your stake. It's still not clear to me how your "Ward Technology Specialist" is operating, but it sounds like he is not really in the loop and is making a lot of unwarranted assumptions. I would repeat my recommendation that the STS be involved in all networking issues in your building.

[jdlessley]

I ditto what Alan has posted. In my experience, if a stake uses the configuration provided by the Church for administrative computers along with the standardized CCN then internet access is not limited to Church only sites except as noted below. This is true for wards if they are following the policies set by the STS as directed by the stake president - and they should if they are following Church policy.

There are two places internet filtering is accomplished for a CCN and an administrative computer running Desktop 5.5. The first is at the firewall and the second is at the computer.

There are only two types of filtering for CCNs. For family history centers the filtering is 'LDS Extended Access.' Any collocated units (in the same building) are directed by the Church to share that internet access and therefore will inherit the same filtering. 'LDS Extended Access' filtering is the most unrestricted of the two types. If a unit has installed internet access following the Church policies for "Broadband Internet Services in Meetinghouses" then they have a choice as to using 'LDS Extended Access' or 'LDS Restricted Access'. This is a call by the stake president in counsel with the STS. 'LDS Restricted Access' limits access to Church sponsored web sites. For the policy on this read the Meetinghouse Internet Guidelines.

The filtering at the computer is not a configuration for a new administrative computer for stakes and wards. Additional software or configuration management would have to be done for this to be the situation. Your STS may have installed additional software or made configuration changes. You will have to check with him about this.

Greggo, I do not know what your 'Ward Technology Specialist' means when he said "The clerk machines have the newest and most [secure] setup from Salt Lake." The only configuration I am aware of is Desktop 5.5 with the accompanying list of software it entails - namely Adobe® Flash® Professional 8, Adobe Reader® 7, CutePDF™ Writer 2.6, OpenOffice.org 2, Photo image editing tools (Picasa™ 2.1.0, PhotoFiltre 6.1.2), The Scriptures: CD-ROM Edition 1.1, and Symantec™ Client Security™ 3.1. There is no additional filtering software. Symantec™ Client Security™ 3.1 is only antivirus/anti-spyware and not a firewall.

As I explained in a post earlier in this thread your STS may have installed additional software or made configuration changes. If that is the case then those changes can be modified to obtain the level of internet access your local Priesthood leaders think necessary.

P.S. There are three types of filtering for CCNs. See the posts in this thread.

[jdlessley]

Anyone with administrator rights can change the configuration of the computer - well, within reason. I know that is an overly simplified statement. But for this situation I think it holds true. I suspect your WTS is not really familiar with your computer configuration and the software installed. Your WTS's statements lead me to believe this is true. Your best source of information is your STS for your setup.

For example this statement "The network setting and internet sites are restricted by the Norton/Symantec program that is managed by the church." There is so much wrong with this. Alan has already addressed the issue of Norton and Symantec. The second part is that the Church does not manage the Symantec program, Symantec does.

Also this statement is ridiculous, "I do not have access to override any setting on those machines, and I'm quite certain that no one is given that." You've got to be kidding me! If you have administrator access then you can change any setting on an administrative computer. The only thing that keeps anyone from doing so is lack of knowledge or the tools to do so. The Church tries to keep the administration of computers down to the lowest level, at least to the stake level. To do otherwise would be a costly administrative undertaking. The Church provides the tools, the policies, and the procedures. Local units are expected to use their best judgment and inspiration to meet the needs of local leadership. These computers are tools to be used and suited to the needs of carrying forth the Lords work. Who better to know the needs of the people in their part of the vineyard than the local leaders?

I can go on and on as to the reply you received from your WTS. I think I have said enough.

[mkmurray]

Also, I think this has been stated before, but I want to reiterate it. The reason we keep putting the phrase "Ward Technology Specialist" in quotes is because this is not a common calling among the units spread across the Church. In fact, I dare say your are one of less than a handful (possibly all within your one stake).

There is no Church document, handbook, or policy anywhere that every mentions such a calling or responsibility at the ward/branch level. I'm not saying it's against Church policy or procedure to have one, but I'm just not sure the Church intended hardware/software support and other IT responsibilities to be organized at the local level the way yours is. A WTS calling seems pointless to me, as I can't imagine them doing anything more than what a STS already does, just over one unit instead of 8-12 (which seems like a trivial responsibility to care for just one unit in my opinion).

[russellhltn]

Also this statement is ridiculous, "I do not have access to override any setting on those machines, and I'm quite certain that no one is given that." You've got to be kidding me! If you have administrator access then you can change any setting on an administrative computer.

Well then can you tell me where the Symantec Firewall setting are?

Also, please keep in mind that just because someone is part of the Administrators group doesn't mean they really have full rights to the machine. It's quite possible to lock things down by policy. For example, I've removed the "clerk" login from being able to change the date/time on the computer. This was after a couple of incidents where someone altered the time and messed up MLS. Sure, they could go and give themselves rights again - unless I take away the right to change the policy.

[jdlessley]

Well then can you tell me where the Symantec Firewall setting are?

Also, please keep in mind that just because someone is part of the Administrators group doesn't mean they really have full rights to the machine. It's quite possible to lock things down by policy. For example, I've removed the "clerk" login from being able to change the date/time on the computer. This was after a couple of incidents where someone altered the time and messed up MLS. Sure, they could go and give themselves rights again - unless I take away the right to change the policy.

What Symantec firewall are you talking about?

As I said before, anyone with administrator priviledges can make changes to the machine. All that is required is the knowledge and the tools. I have been wrestling with the issue of locking down computers ever since I was called as STS. Even when I used the Group Policy Editor to 'configure' the computer a knowledgable user just changed the configuration to suite their needs. Yes, doing what you have done keeps the casual tamperer at bay - but because an administrator can install anything, including software tools, they can do as they please. The only deterent has been education. Telling users that the configuration must remain as it is and that the policy for configuration comes from Church headquarters and from the stake president puts enough of a damper on tampering.

I have tried to take away the right to change policy but have been unsuccessful.

[jdlessley]

Well then can you tell me where the Symantec Firewall setting are?

I was really tempted to try and answer this. But after talking to Symantec Corporate Support and the GSD I found no reason to want to even access the Symantec Client Security firewall options. What I found out was that the Church uses the firewall for intrusion detection and protection and not internet filtering. In keeping with the original issue of this thread posted by Greggo about "only being able to connect to church sponsored websites" I stopped further investigation into finding how to access the firewall settings. It is not an issue for the purpose of Greggo's post.

Also, please keep in mind that just because someone is part of the Administrators group doesn't mean they really have full rights to the machine. It's quite possible to lock things down by policy.

I agree with this. What I said was:

Anyone with administrator rights can change the configuration of the computer - well, within reason. I know that is an overly simplified statement. But for this situation I think it holds true.

I did not even want to imply an administrator would have a desire to change what the Church IT professionals put in place to save users from themselves. Or worse yet cause GSD technicians considerable extra work to remedy difficulties caused by those individuals with a little dangerous knowledge. I wanted to get accross the point that having administrator priviledges allows one to make a lot more changes to the system than people such as Greggo's "Ward Technology Specialist" wants Greggo to believe.

In the past I have had little experience in using group policies and security policies to 'taylor' a system. But I've had to learn quickly those areas to do my technology callings over the past couple of years. I have added that little knowledge to my experience with the registry. By using those three a lot can be accomplished to talyor a system.

[greggo]

You are correct. I delt wilth this situation on our stake clerk computer. I never did figure out how the computer based filtering was set up. I had assumed it was configured as part of Desktop 5.5. But there is nothing in any other administrative computer configuration to verify this. I did find the implementation was in the internet options applet. In Desktop 5.5 one or more tabs of the internet options applet are disabled. I don't recall if the connections tab is disabled. It is the connections tab in which the additional filtering is set up.

I am not at the clerk computer so I am going by memory as to what the configuration details are. You can check the filtering by opening the internet options applet, inetcpl.cpl. I will make the assumption you know how to do this. Click the 'LAN settings' button at the bottom of the connections tab. If you have additional filtering then the 'Proxy Server' section will have the 'Use a proxy server for your LAN..." checkbox checked and something like "INETPROXY" in the 'Address' text box with the port set to '80'. You can edit the whitelist of sites by clicking the 'Advanced' button to edit the 'Exceptions' list.

I confirmed that the issue was in fact caused by the same unusual set up in the Internet Options applet. I deselected the Proxy Server option, and now the only restrictions are those defined in the FHC firewall settings (General Access). So I think everything is now functional and to policy.

Thank you all for your valuable help.