Websense help

Well, let me just begin by saying that I both love and hate Websense from an Administrators point of view!

We just installed Websense in our office and shut down our proxy server.
Unfortunately we have 1 department where all the users have a shared account, There are reasons that it is set up this way and it is unlikely this will change.

The proxy server provided a way for users to have to authenticate to use through the browser, Websense authenticates and filters through Active Directory.

So, these guys log into the network using the same user name, but no longer are required to authenticate who they are through the browser as Websense does not support this.

Any quick Ideas?

Thanks!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sprkymrk

Megadeth4168 wrote:

Unfortunately we have 1 department where all the users have a shared account, There are reasons that it is set up this way and it is unlikely this will change.

I think you're trying to fix the wrong problem. No offence intended, I realize you're trying to do your job with the tools and authority you have from the powers that be. Perhaps if you can give us the short version of why several users in a department share the same user account we can toss around some ideas that might help. Because personally, try as I might, I cannot think of any reason to have shared user accounts that couldn't be handled in a different way.

opie6373

Yeah, i've got websense enterprise running in my environment as well. I was just looking around in websense manager and there appeared to be more identification methods than strictly AD. Have you contacted websense support? They've been good so far.

What kind of firewall do you have running in your environment? we have a sonicwall and there is an option in there to require a login to surf the web. Maybe your firewall has something similar.

Megadeth4168

Sorry, I re-read my first post and realized how vague it was! So, it's not that these people are not being filtered... They are being filtered, but when it comes time to run reports to see who has been going to what sites, we are unable to really tell for this department, so how can there be any punishment?

Anyway, the department is a the Fire Department... Unfortunately they, need to have the computers up at all times because of the dispatch information and maps that come to them if they need to go on a run.

Even if we did assign them all their own separate user name in AD, they would never log off.... We could punish that person even if they were not on that shift, but what good does that do for the guys who really abused the system....

opie6373,
Sorry for the confusion on what it is that I'm trying to accomplish.....

I had not thought about looking at the firewall level.... Probably because our current PIX firewall is going bye bye soon and being replaced by a Juniper Netscreen Firewall. I'll take a look into that, thanks!

sprkymrk

Megadeth4168 wrote:

Anyway, the department is a the Fire Department... Unfortunately they, need to have the computers up at all times because of the dispatch information and maps that come to them if they need to go on a run.

Even if we did assign them all their own separate user name in AD, they would never log off.... We could punish that person even if they were not on that shift, but what good does that do for the guys who really abused the system....

Do these maps and things come into an email account? It would be better to have multiple users access a common mailbox. Then each user account could be tracked seperately, and you can either force a logoff after a certain amount of idle time (Microsoft has a special "logoff" screensaver with a timer) or simply train them to logoff for their own "safety".

Otherwise I was going to suggest the firewall option, but in most cases a firewall authenticates someone based on AD, RADIUS, or local firewall user account. The first two options run into the same problem as the websense does (one user account) and the third option can become tedious to manage (creating multiple individual users on the firewall) and inconvenient for the user (has to remember another user name and password - which of course gets written down and stuck to the monitor).