Pornography addiction is endemic within Christian churches. The numbers are as low as half of a given congregation and as high as three quarters of that congregation consume pornography on a monthly basis. As a technology pastor, I see my fair share of browsing history and firewall logs… I can confirm that it’s endemic even among church staff. 😟

Now, it’s nearly impossible to prevent a motivated individual from finding a way to access pornography and I’d argue that there are more effective means of addressing this endemic from the spiritual and relationship side because as Kierkegaard points out, people aren’t Christians because you force them to act Christian, they have to follow Christ of their own volition… but I digress. That being said, it doesn’t hurt to add some level of blocking to church owned devices to conform with the church computer use policy. 👮

No alt text provided for this image

So here’s how to get started using your existing donations for content filtering. This guide really only applies to church owned/issued Windows 10 and 11 devices, but there are other solutions out there to help filter content on macOS, Linux, iOS, and Android devices. With that caveat out of the way, let’s get started. 😎

Prerequisites

  • A Microsoft 365 subscription that includes Defender for Business or Defender for Endpoint. Your church is entitled to 10 free Microsoft 365 Business Premium licenses that should cover most church staff scenarios.
  • Windows 10/11 desktops or laptops.
  • Policy in Microsoft 365 Security Center or Intune/Microsoft Endpoint Management (MEM) to deploy Defender for Business/Defender for Endpoint.
  • Windows Defender SmartScreen and Network Protection enabled (preferably via Intune/MEM).

Enabling the filter

  1. Go to https://security.microsoft.com and log in with an admin account.
  2. Select the “Settings” blade near the bottom left of the screen.
  3. Select “Endpoints.”
  4. In the blade that appears select “Web content filtering.”
  5. Now click “+ Add item.”
  6. You’ll be asked to name your policy, name it “Adult content” or something equally descriptive and click “Next.”
  7. Now, select the categories you want to block. At the minimum block “Pornography/Sexually explicit” under “Adult content” as well as anything that’s against your church’s computer use policy and click “Next.”
  8. Review the policy and click “Save.”

That’s it, now when users try to access pornographic sites, Defender will pop up a notice that the site is blocked. 🚫

Going further

If you want to take things a step further, you can also utilize DNS to help with blocking sites. Here’s a few DNS services that seek to block adult content (and, as a bonus, malicious software as well).

  • Cloudflare: 1.1.1.3, 1.0.0.3
  • OpenDNS (Cisco): 208.67.222.123, 208.67.220.123
  • CleanBrowsing: 185.228.168.10, 185.228.169.11
  • AdGuard: 94.140.14.14, 94.140.15.15

I won’t go into the complexities of setting and enforcing chosen DNS servers here… DNS tends to be a relatively complex topic 🤯… but assuming we are one of the 99% of churches without an on-premise Directory server, then…

  • both DNS server IPs for a single chosen provider should be applied to every device,
  • their IP addresses should be handed out via DHCP in the router,
  • and the firewall should drop requests on port 53 that are not to either of those servers.

It isn’t foolproof by any means as DNS over HTTPS will bypass blocking port 53, but this can still be very helpful if your church provides guest WiFi or has staff on “bring your own device” (BYOD) scenarios to prevent most abuse of those networks.