Do You Allow Webmail Use on Your Network?

Posted by Cliff on Fri Mar 16, 2007 01:45 PM
from the unverifiable-third-party-security dept.
rtobyr asks: "I don't allow users at my organization to use any third-party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security-related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third-party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"
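The submitter's test (a bare VBS attachment versus the same script inside a zip) is exactly the check a mail gateway or proxy makes before delivering an attachment. The following is an added example, not code from the original discussion or from any of the providers named: it parses a MIME message, flags attachments with a script or executable extension, and recurses into zip archives so a zipped script is caught too. The blocked-extension list, the nesting limit and the sample messages are constructed here for illustration.

```python
"""Attachment policy check for inbound mail, including files nested inside
zip archives.  Added example; the extension list, nesting limit and sample
messages are constructed for illustration and are not a published policy."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed policy list: extensions the gateway refuses to deliver.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf",
                      ".exe", ".scr", ".bat", ".cmd"}
# Bound recursion so a deliberately nested archive cannot hang the scanner.
MAX_ZIP_DEPTH = 3


def _ext(name):
    """Lower-cased extension of a filename, including the dot ('' if none)."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def scan_blob(filename, data, depth=0):
    """Return a list of (path, reason) findings for one attachment.

    A zip archive is opened and each member is scanned in turn; member paths
    are reported as outer.zip/inner so the operator sees where the hit was."""
    findings = []
    if _ext(filename) in BLOCKED_EXTENSIONS:
        findings.append((filename, "blocked extension"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ZIP_DEPTH:
            findings.append((filename, "archive nesting too deep"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)  # reads into memory; cap sizes in production
                for path, reason in scan_blob(info.filename, inner, depth + 1):
                    findings.append((filename + "/" + path, reason))
    return findings


def scan_message(raw):
    """Scan every attachment of a raw RFC 5322 message; [] means deliverable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, data))
    return findings


def build_sample(filename, data):
    """Constructed test message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(inner_name, inner_data):
    """Constructed zip archive containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


if __name__ == "__main__":
    placeholder = b"REM constructed placeholder, not a real script"
    for label, raw in [
        ("plain text", build_sample("notes.txt", b"hello")),
        ("bare script", build_sample("run.vbs", placeholder)),
        ("zipped script", build_sample("run.zip", zipped("run.vbs", placeholder))),
        ("double zipped", build_sample("outer.zip",
                                       zipped("inner.zip", zipped("run.vbs", placeholder)))),
    ]:
        print(label, "->", scan_message(raw) or "deliverable")
```

The extension check is deliberately case-insensitive and the archive walk is depth-limited; in a real gateway you would also cap decompressed size and pair the extension rule with content inspection, since a renamed file defeats extension matching alone.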

  • How? (Score:3, Informative)

    Besides the obvious content filters, how are you blocking them? A moderately bright young chap could proxify their way around that.
    • Re:How? (Score:4, Insightful)

      by Seumas (6865) on Friday March 16 2007, @01:49PM (#18378537)
      Not to mention, who cares what the webmail services allow? Just because they allow a user to receive - say - a VBS file doesn't mean that you have to allow that onto your network or that you can't block such an attachment and allow the webmail.
      [ Parent ]
      • Right Choice, Wrong Reasons (Score:5, Insightful)

        by Anonymous Coward on Friday March 16 2007, @03:06PM (#18379663)
        The lad has made the correct decision, but for the wrong reasons. The number one reason is because you want all of your "business traffic" to go through your corporate email system.

        He should be asking himself, "Why do the people who work here feel they need to use the non-corporate system for business work?"

        All my work email goes from my work account, personal goes through gmail.

        Also, if he doesn't allow people to use personal accounts for personal email, they'll just use the company email for that. Does he want that to happen?
        [ Parent ]
      • Re:How? by jslater25 (Score:3) Friday March 16 2007, @03:45PM
        • Re:How? by ChadAmberg (Score:3) Friday March 16 2007, @03:56PM
        • Re:How? by twistedsymphony (Score:2) Friday March 16 2007, @04:14PM
          • Re:How? by Anonymous Coward (Score:1) Friday March 16 2007, @04:46PM
        • Re:How? (Score:5, Insightful)

          by vux984 (928602) on Friday March 16 2007, @09:02PM (#18382681)
          No site is ever 100% secure. IT/management generally shoot for the most bang for the buck, to get where the risk/cost ratio of a problem balances with the needs of their business objectives.

          Why is webmail blocked but USB ports allow anyone to plug and play a thumb drive? Couldn't someone bring a virus in the same way?

          And if they blocked up the USB ports, someone could come in with a SATA drive and a screwdriver. Couldn't someone bring in a virus that way too? So why not install intrusion detection systems in all the cases...?? And on it goes.

          The answer: risk/cost analysis indicates that email is by FAR the number 1 transport for viruses. Yes other vectors exist, but if you only deal with email you address the lion's share of the risk.

          Additionally, removing webmail usually aligns with management's objectives, so blocking it generally gets immediate management support.

          Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

          The answer: risk/cost analysis again. You address the big problems before the little ones, and the little ones before the ones you don't even have (yet). I.e., knock out MSN/Yahoo/Gmail and you remove a huge chunk of the useless sites that staff ARE spending hours on. If it's worth it, you could keep going after every porn or warez site too, but the returns rapidly diminish while the cost keeps going higher.

          If surfing porn/warez was a rampant problem then you could expect management to address it with technology. But for most companies a policy against warez and porn is usually enough to keep the problem at minimal levels. (Hell, most of the time you don't even need formal policy, in my experience most people just 'know better' and don't have to be told that surfing porn at work is against policy and grounds to be fired.)

          Weaning webmail addicts off their personal accounts, on the other hand, sometimes requires a little help from technology.
          [ Parent ]
        • Re:How? by PPH (Score:1) Friday March 16 2007, @10:21PM
      • Third Party? by captainjaroslav (Score:1) Friday March 16 2007, @05:04PM
    • Re:How? by rikkards (Score:2) Friday March 16 2007, @01:54PM
      • Re:How? by celardore (Score:1) Friday March 16 2007, @02:27PM
      • Re:How? by BrokenHalo (Score:1) Friday March 16 2007, @08:29PM
        • Re:How? by rikkards (Score:2) Friday March 16 2007, @08:48PM
    • Re:How? (Score:4, Informative)

      by fistfullast33l (819270) on Friday March 16 2007, @01:59PM (#18378699)
      (http://www.digitalplight.com/ | Last Journal: Thursday September 27, @10:26AM)
      Our company uses a proxy server that redirects you to a warning page. I think most large organizations do that nowadays if they want to block something. I doubt you can proxy your way around it since you need the proxy to get out of the firewall, so basically you can't connect through port 80 at all. Of course, attempting to go around the proxy will probably get you fired anyways, so I don't try it.

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.
      [ Parent ]
      • re: how? by ed.han (Score:2) Friday March 16 2007, @02:02PM
      • Re:How? by rizzo320 (Score:3) Friday March 16 2007, @02:07PM
        • Re:How? by gratemyl (Score:2) Friday March 16 2007, @03:14PM
          • Re:How? by shaitand (Score:2) Friday March 16 2007, @08:38PM
            • Re:How? by gratemyl (Score:1) Saturday March 17 2007, @02:09AM
      • Re:How? by Seumas (Score:2) Friday March 16 2007, @02:08PM
        • Re:How? (Score:4, Interesting)

          by hazem (472289) on Friday March 16 2007, @02:47PM (#18379401)
          (Last Journal: Tuesday October 19 2004, @06:57AM)
          Simply have a policy that states "email services outside of the control of this company are not to be used for business correspondence". Seems simple enough.

          Except some people may NEED to do just that because of the stupid rules set up on the company mail servers.

          For my work, I deal with a developer in another state and we have to exchange large files. From inside our network, I have no way to ftp/ssh into his company servers to transfer the files. So, e-mailing is the only option. Our e-mail servers won't allow attachments that large.

          So, we use gmail. It's not elegant, but we can easily send the files we need back and forth and actually get our work done.

          Oh yes... our IT people are the same totalitarians you find everywhere (I used to be an admin, and back then, we actually tried to help our people do their jobs, not inhibit their work). So, they won't adjust the rules of our mail servers, or provide a way for me to connect to the other company's computers and transfer the files.

          So there it is... IT's motto is "IT at the speed of business", but the reality is "business crawling at the bureaucratic speed of IT". It's like they believe that they are the revenue generating portion of the company and that the rest of the company exists to serve IT.

          Sadly, that view is all too common.
          [ Parent ]
          • Re:How? by zero1101 (Score:2) Friday March 16 2007, @03:26PM
            • Re:How? by Penguinisto (Score:2) Friday March 16 2007, @03:44PM
            • Re:How? by Genevish (Score:3) Friday March 16 2007, @04:04PM
              • Re:How? by Penguinisto (Score:2) Friday March 16 2007, @07:50PM
            • Re:How? by Anonymous Coward (Score:1) Friday March 16 2007, @08:24PM
            • Re:How? by Anonymous Brave Guy (Score:2) Friday March 16 2007, @10:05PM
          • Re:How? by stryc9 (Score:1) Friday March 16 2007, @04:05PM
            • Re:How? by iamacat (Score:2) Friday March 16 2007, @06:16PM
              • Re:How? by ishmaelflood (Score:2) Friday March 16 2007, @08:42PM
              • Re:How? by iamacat (Score:2) Saturday March 17 2007, @03:00PM
          • Re:How? by bushki3 (Score:3) Friday March 16 2007, @04:13PM
          • Re:How? by dodobh (Score:2) Saturday March 17 2007, @03:59PM
            • Re:How? by hazem (Score:2) Monday March 19 2007, @02:34AM
          • With all due respect by Slashdot Parent (Score:1) Monday March 19 2007, @09:49AM
      • Re:How? by racermd (Score:1) Friday March 16 2007, @02:40PM
      • Re:How? by groslyunderpaid (Score:1) Friday March 16 2007, @05:34PM
      • Re:How? by swilver (Score:2) Friday March 16 2007, @07:51PM
    • Re:How? by BunnyClaws (Score:2) Friday March 16 2007, @02:16PM
      • Re:How? by prothid (Score:1) Friday March 16 2007, @02:26PM
      • Re:How? (Score:4, Insightful)

        Yes, a moderately bright young chap could proxy his way around the content filtering. We have had those moderately bright chaps get fired for doing it as well.

        Way to remove your best talent there, chief.

        And drive away the possibility of any new talent.
        [ Parent ]
        • Re:How? by BunnyClaws (Score:2) Friday March 16 2007, @02:49PM
          • Re:How? by AKAImBatman (Score:2) Friday March 16 2007, @02:54PM
            • Re:How? by BunnyClaws (Score:2) Friday March 16 2007, @03:11PM
              • Re:How? by Rob the Bold (Score:3) Friday March 16 2007, @03:21PM
              • Re:How? by AKAImBatman (Score:3) Friday March 16 2007, @04:09PM
          • Re:How? by 0100010001010011 (Score:2) Friday March 16 2007, @03:07PM
            • Re:How? by BunnyClaws (Score:2) Friday March 16 2007, @03:16PM
          • Re:How? by OptimusPaul (Score:1) Friday March 16 2007, @04:05PM
        • Re:How? by secolactico (Score:2) Friday March 16 2007, @03:55PM
          • Re:How? by AKAImBatman (Score:2) Friday March 16 2007, @04:15PM
        • Re:How? by nostrad (Score:1) Friday March 16 2007, @05:48PM
        • Re:How? by Kjella (Score:2) Friday March 16 2007, @05:52PM
        • Re:How? by vux984 (Score:1) Friday March 16 2007, @08:42PM
      • Re:How? by bzipitidoo (Score:2) Friday March 16 2007, @02:33PM
      • Re:How? (Score:4, Insightful)

        by 0100010001010011 (652467) on Friday March 16 2007, @02:49PM (#18379425)
        I am one such "Moderately Bright Chap".

        I have PuTTY on my computer and I run everything through a SOCKS proxy. I have Firefox, Thunderbird (no webmail for me) and iTunes all going through one of my few shells.

        I occasionally surf between 0 and 3 hours a day: fark, slashdot, ebay, etc. Last year I received the highest rating that someone of my salary level could. My boss, my coworkers think I'm a magic man, when I'm asked to get something done I get it done as fast as possible. Techno &/or 80's music tends to set a rhythm for my coding, despite internet radio being frowned on (not officially banned). My parents are going through a divorce. I like to e-mail both of them and my siblings during the day, but I like to keep that off of corporate mail. Sometimes I want to win an auction during work and sometimes I just need a detox.

        With all due respect, you and your company can go fuck themselves. If I got the lowest rating, then yes, there's a problem. But you and your company are automatically removing people like me because we get stuff done AND we have personal lives.

        Content filter the secretary not the MSMEs.
        [ Parent ]
        • Re:How? by aardvarkjoe (Score:2) Friday March 16 2007, @03:06PM
          • Re:How? by rainman_bc (Score:3) Friday March 16 2007, @04:39PM
          • Re:How? by Anonymous Brave Guy (Score:2) Friday March 16 2007, @10:19PM
        • Re:How? by tx_kanuck (Score:2) Friday March 16 2007, @03:11PM
          • Re:How? by rainman_bc (Score:2) Friday March 16 2007, @04:46PM
            • Re:How? by tx_kanuck (Score:2) Friday March 16 2007, @05:40PM
              • Re:How? by SanityInAnarchy (Score:2) Friday March 16 2007, @09:38PM
        • Re:How? by mr_matticus (Score:2) Friday March 16 2007, @03:37PM
          • Re:How? by 0100010001010011 (Score:2) Friday March 16 2007, @03:42PM
            • Re:How? by tx_kanuck (Score:2) Friday March 16 2007, @04:16PM
        • Re:How? by shadow349 (Score:1) Friday March 16 2007, @03:38PM
        • Re:How? by Noexit (Score:1) Friday March 16 2007, @03:45PM
        • Re:How? by gbjbaanb (Score:2) Friday March 16 2007, @07:02PM
          • Re:How? by jthill (Score:2) Saturday March 17 2007, @12:23AM
        • Re:How? by onescomplement (Score:2) Friday March 16 2007, @11:52PM
      • Re:How? by ucblockhead (Score:2) Friday March 16 2007, @03:48PM
      • Re:How? by BytePusher (Score:1) Friday March 16 2007, @04:10PM
      • Re:How? by rainman_bc (Score:2) Friday March 16 2007, @04:25PM
    • Re:How? by Prof.Phreak (Score:2) Friday March 16 2007, @02:27PM
      • Re:How? by davester666 (Score:1) Friday March 16 2007, @03:31PM
    • Re:How? by Dancindan84 (Score:1) Friday March 16 2007, @02:37PM
    • Re:How? by 0spf (Score:1) Friday March 16 2007, @03:16PM
      • Re:How? by SealBeater (Score:2) Friday March 16 2007, @04:28PM
        • Re:How? by 0spf (Score:1) Friday March 16 2007, @08:43PM
          • Re:How? by SealBeater (Score:2) Saturday March 17 2007, @09:52PM
            • Re:How? by 0spf (Score:1) Monday March 19 2007, @04:27PM
    • Fitter.. by boldie (Score:1) Saturday March 17 2007, @08:42AM
    • Re:How? by Elbow Macaroni (Score:1) Saturday March 17 2007, @09:47AM
  • Stupidity! by cashman73 (Score:2) Friday March 16 2007, @01:48PM
  • Isn't webmail safer for VBS? by joeflies (Score:1) Friday March 16 2007, @01:51PM
  • what do they save by mastershake_phd (Score:1) Friday March 16 2007, @01:51PM
  • Squirrelmail (Score:4, Interesting)

    by FreakyGeeky (23009) on Friday March 16 2007, @01:52PM (#18378569)

    Where do you work? I'd like to know so that I do not inadvertently apply for work at your company.

    Then again, I'm sure you've addressed all of your company's really important network concerns first before moving on to this. Or, maybe you were sure to restrict all of the workstations such that no one can change their desktop wallpaper and things like that.

    Which webmail system do I use while at work? I use my own squirrelmail installation. I bet you'd really hate that!

    • Re:Squirrelmail by slayermet420 (Score:1) Friday March 16 2007, @02:08PM
    • Re:Squirrelmail (Score:5, Insightful)

      by brobak (683932) on Friday March 16 2007, @02:08PM (#18378853)
      (http://www.brianrobak.com/)
      You know, it's not always as sarcastically simple as you want to make it out to be. The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not. They REQUIRE that you inventory 'customer sensitive data' and control the flow of that data. The CEO literally signs on the bottom line that the reports you give to the auditors are true. Not to the best of his knowledge or any cop outs like that. So, when the big guns come down from their gilded offices, and demand to know for a 'fact' that you have control over data, it doesn't matter that the steps you have to take might have little to no real world effect. You just have to take them. Yes, as a security professional, *I* understand that if I wanted to get customer sensitive data out of the network, I could write it on my own ass, and press it up against a window for the guy in the next building over to read. But my board of directors doesn't find that amusing. They know they are legally responsible now, and they must be seen to be doing *everything* possible to secure the data. This does include doing our best to block things like mail apps, IM apps, USB drives and the like. Personally, I can see MANY ways in which each of those things would streamline the business process, and provide actual performance and productivity increases for the business, but that doesn't matter because GLBA demands that if we were to use those things, we keep logs of ALL of the ways they were used for 3 years, that are indexed and searchable and online, and another 4 after that in archive format. So when you go to the accounting dept with your new budget with all these new equipment costs, and software costs, and you have to GUARANTEE legally that they can't be used in ways other than intended...guess what the simpler solution is? That's right, they go away.

      And let's be honest, for every valid business purpose, there's an equal number of time wasting BS purposes for that stuff that expose the company to legal liability. And the fact of the matter is, if we have policies against it, procedures in place to prevent it, and you still manage to get it done, then we have a pretty damn good case in court to hang YOU out to dry and not the company. CYA for the big wigs, and frankly, for myself. I know as geeks and nerds we think we know best, but if you play hard enough, stuff does break. I know I've had my own little personal web host 'pwned' before, and that's being decently careful to lock things down. I can't imagine my 'lusers' having more access than they already do, and what they might 'accomplish' with that access. For my own sanity, our regulatory requirements, the CEO's CYAs, and to be able to support the secured environment that we do, things like you refer to so sarcastically would get you fired. We own that machine, we own the network it's on, we own the bandwidth you use to connect to the outside world, and therefore, we get to say exactly what you get to do with it. If you don't like that, that's fine, I totally understand, leave. But sometimes, even though I personally don't like it, I 'get it'.
      [ Parent ]
    • Shhh...don't tell him by Atario (Score:2) Friday March 16 2007, @02:24PM
    • Re:Squirrelmail by Stonent1 (Score:2) Friday March 16 2007, @02:44PM
    • Re:Squirrelmail by Punto (Score:2) Friday March 16 2007, @02:58PM
    • Re:Squirrelmail by Ilgaz (Score:2) Friday March 16 2007, @03:37PM
    • Re:Squirrelmail by ankarbass (Score:2) Friday March 16 2007, @04:06PM
  • Seems more effective to have a good anti-virus by stratjakt (Score:1) Friday March 16 2007, @01:53PM
  • Given Google's Push to the corporate desktop by Earl The Squirrel (Score:1) Friday March 16 2007, @01:53PM
  • One thing for sure... (Score:4, Insightful)

    by Anonymous Coward on Friday March 16 2007, @01:53PM (#18378605)
    I'm glad I don't work at your organization!

    Seriously, webmail has so much use that blocking it is ultimately counterproductive -- the only equivalent "security" would be totally blocking net access.

    If you are worried about productivity loss, well, I often use webmail so I can stay at work longer. Really, it's not hard to imagine that allowing people to use light net access for personal communication means that they do not have to physically leave work to do these things. It's a bonus for all.

    If you are worried about security, any net access that allows submission of forms or uploading of files is an equivalent security breach. As stated before, any moderately skilled hacker can configure a proxy to get data off your network.

    You're crippling your users and kidding yourself.
  • Yes (Score:5, Insightful)

    by Ngarrang (1023425) on Friday March 16 2007, @01:55PM (#18378639)
    (Last Journal: Wednesday March 21 2007, @01:43PM)
    Simply put, yes.

    We would prefer that the work e-mail not be used for personal mailings. One of the reasons is file storage space.

    We are willing to acknowledge that the parents are going to communicate with their kids, and other folks with friends and family. It makes for better employee morale when they are permitted access to web mail for such things, leading to less abuse of work systems. It is better to use e-mail than the phone, which needs to be left free for actual business calls with clients.

    Are there security concerns? Though the poster found some concerns, those concerns are easily disarmed by a good anti-virus/anti-spyware program.

    Sure, we could be rather draconian and put the kibosh on all of it, but it comes back to employee morale. A happy worker is a productive worker. Our workers are given the task of being responsible and are rewarded for their success.
    • Re:Yes (Score:5, Insightful)

      by Aadain2001 (684036) on Friday March 16 2007, @02:03PM (#18378771)
      (Last Journal: Monday June 23 2003, @07:07PM)
      I just wanted to respond to this post by saying that is exactly how it should be! People's lives do not cease to exist when they walk in their employer's front door. It is much better to allow people to keep their work and personal lives separate by allowing webmail systems for personal emails and cell phones for personal calls. Kudos to your company for recognizing that employees are people and if you treat them as such they will have a much better perception of their work place and be happier about working for you.
      [ Parent ]
      • Re:Yes by Angostura (Score:2) Friday March 16 2007, @02:12PM
      • Re:Yes by (arg!)Styopa (Score:2) Saturday March 17 2007, @08:10AM
    • Re:Yes by rizzo320 (Score:2) Friday March 16 2007, @02:14PM
    • Re:Yes by BrookHarty (Score:2) Friday March 16 2007, @02:18PM
    • Re:Yes by BobPaul (Score:2) Friday March 16 2007, @02:19PM
    • Re:Yes by zCyl (Score:2) Friday March 16 2007, @02:26PM
    • Re:Yes by the_womble (Score:2) Friday March 16 2007, @03:07PM
  • Google Apps by Penguin's Advocate (Score:1) Friday March 16 2007, @01:56PM
    • Re:Google Apps by Short Circuit (Score:1) Friday March 16 2007, @02:36PM
      • Re:Google Apps by Penguin's Advocate (Score:1) Friday March 16 2007, @02:51PM
  • Where I work... (Score:3, Interesting)

    by DRAGONWEEZEL (125809) on Friday March 16 2007, @01:57PM (#18378669)
    (http://www.dragonweezel.com/ | Last Journal: Monday January 29 2007, @01:47PM)
    The big Net Admins in the sky tried to block web based e-mail from Comcast, AOL, G-mail, Hotmail, Yahoo, etc... then all the physicians freaked out and got pissed enough for them to change it back. Or at least that is the story I was told...
  • Shooting the messenger (Score:5, Insightful)

    by Jeremi (14640) on Friday March 16 2007, @01:58PM (#18378679)
    (http://www.lcscanada.com/jaf)
    Translation: my organization's computers are not secure enough to safely access the Internet. This is somehow Google/Yahoo/MSN's fault.
  • Users are a pain! by ImperfectTommy (Score:2) Friday March 16 2007, @01:58PM
  • Stupid (Score:5, Interesting)

    by dedazo (737510) on Friday March 16 2007, @01:58PM (#18378687)
    (Last Journal: Friday August 31, @07:08PM)
    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously).

    What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    This has been the policy for at least five years and they've never had a single problem. Never.

    If a large financial services company can do it, I don't know why everyone else can't either. So you're asking the wrong question - instead, ask "how can I provide a better service to my users by allowing them to access their webmail and also maintain my network security?"

    I've worked at companies that either completely or selectively block webmail access. Nothing personal, but you and other network admins like you suck rocks as far as I'm concerned. Trusting or distrusting the webmail provider because they do X or Y is supremely stupid because you're basically bending over for them and waiting for the inevitable vulnerability to show up. What, are you going to go to your CTO and say "well, I didn't trust Microsoft and AOL, but I thought Yahoo was OK! It's not my fault!"?

    You should know better and you should do better. If you can't, just block all webmail and stop complaining about what other companies do or fail to do. It's your network and your responsibility.

  • At my company... (Score:5, Insightful)

    by truesaer (135079) on Friday March 16 2007, @01:58PM (#18378689)
    (http://slashdot.org/)
    They've blocked both webmail and instant messaging, but the reasoning is "document retention." I.e., in case there's a lawsuit they want to guarantee they have all our communications archived. And since I work at a fortune 500 there's always a lawsuit.

    I guess I understand that, but the bummer is that for a lot of us we don't work just your basic 9-5. If you work a lot it's nice to be able to take care of a little personal business, in fact I think it probably increases productivity by making people more willing to hang around at work a little longer. So in that regard these bans are counterproductive.

    I don't think IT people really think about stuff like that much...the ideal situation for IT isn't necessarily what's best for the enterprise. That said I can see how security and document retention are valuable goals...maybe webmail could provide some kind of mechanism to allow companies to hook into it and archive messages read or sent using corporate machines. Same for instant messengers. Then everyone's happy (except privacy advocates...)

  • Making a non-webmail page with links to nasty VBS scripts, etc. is just as easy as sending an e-mail, so you are not really protecting your network with these annoying limitations... An attacker can send your charges an e-mail (at the corporate address) with a link to his script. And if you check all browsing (via scanning proxies), then you may as well leave webmails alone, for they'll be checked too, along with all other HTML pages.

    You are not alone, unfortunately. I found that whenever admins (pompously) argue for strict banishment of a particular "attack vector", they almost always ignore another vector for the same attack.

    There could be one justification for banning external (non-corporate) means of communications, while at work: compliance and legal issues. A big bank, for example, does not want a broker to be able to claim that a bank's trader ordered a (bad) trade via GMail or cell-phone. But this only makes sense when your official (corporate) communications get recorded and archived (unlike private webmail accounts and personal cell-phones), and can be played back.

    In short, you have to remember that you (an administrator) exist for the benefit and convenience of these people, not the other way around. So if they want to be able to access their webmail, you must have a much better reason than "you may get a virus" to deny it to them.

    I bet more productivity is lost when an employee brings in the flu and half the office gets sick. But no one is advocating forcing people to take vitamin C and wear scarves, right?

  • Security makes me sad. by rizzo320 (Score:2) Friday March 16 2007, @02:00PM
  • Corporate email users are adults by cryfreedomlove (Score:2) Friday March 16 2007, @02:01PM
  • We made our own.... by Mechagodzilla (Score:1) Friday March 16 2007, @02:01PM
  • People do this? (Score:5, Funny)

    by Procyon101 (61366) on Friday March 16 2007, @02:01PM (#18378739)
    (Last Journal: Tuesday February 25 2003, @08:33PM)
    Do people really chmod +x email attachments?!? I'd say your problem is in user education. Hell, any user knowledgeable enough to know how to set the executable flag should KNOW better!
  • IT Tough Guy (Score:3, Insightful)

    by Anonymous Coward on Friday March 16 2007, @02:01PM (#18378743)
    This sounds less like a real Ask Slashdot question and more like "Hey look at me. I'm an IT fascist!"
    Blocking webmail is pointless and serves only for you to needlessly flex your authority in the only part of the world you have authority: your company's network.
    Seriously, if you are so paranoid about webmail, why allow internet to the desktop at all? Since you are so afraid of VBS, why don't you just lock out VBS execution at the desktop and keep your enterprise AV up to date?
    Grow up, have kids, and annoy them with your stupid restrictions. Leave the people at work alone.
  • Much better solution (Score:5, Insightful)

    by codepunk (167897) on Friday March 16 2007, @02:02PM (#18378747)
    (http://www.codepunk.com/)
    Long, long ago we just disabled VBS execution across the whole enterprise. We allow access to any of these services.
  • A great topic and question! (Score:5, Informative)

    by rindeee (530084) on Friday March 16 2007, @02:03PM (#18378779)
    Man, was this ever timely. I just finished setting up a very complete solution for my current location (forward deployed military in the M.E.). Yes, of course I allow Webmail access. Everyone relies on it for 'reach-back' capability. What I do in an attempt to secure things is to set up a very complete firewall/filtering/etc. box. Is it perfect? No, but it's very effective. I'm running a Linux box with a slew of services (HAVP, P3Scan, ProxSMTP, HAVP, Privoxy, frox, ClamAV, RenAttach, Rules Du Jour and of course IPTables plus a bunch of others) and have had outstanding success. I recommend just using IPCop + BOT + CopFilter if you need something quick and relatively painless. I also do regular automated Nessus scans, etc. Man I love my job!
  • Various Other Methods by i_ate_god (Score:1) Friday March 16 2007, @02:03PM