
Whitelisting Websites with Windows?

Cliff posted more than 7 years ago | from the a-non-end-user-changable-policy dept.


Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"


83 comments

Easy (1, Informative)

Henry V .009 (518000) | more than 7 years ago | (#15893886)

Editing system32/drivers/etc/hosts should do what you want. Direct everything (except windows update, maybe nist) to that one site.

Re:Easy (2, Informative)

xmodem_and_rommon (884879) | more than 7 years ago | (#15893893)

Does the hosts file actually let you specify wildcards?

And also, if the users have admin access, they can edit the hosts file.

Or you could set this up on whatever's doing the NAT.

Re:Easy (2, Informative)

Henry V .009 (518000) | more than 7 years ago | (#15893899)

You're right, you can't specify wildcards in hosts. I've used it for some special things, but never read the documentation on it. It looks like this solution won't work at all.

On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."

Re:Easy (0)

Anonymous Coward | more than 7 years ago | (#15894127)

Wow, two "informative" mods for completely bogus advice.

Re:Easy (5, Informative)

MarkusQ (450076) | more than 7 years ago | (#15893904)

That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach--it's known as "honor system security."

The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.

--MarkusQ

Re:Easy (1)

Bios_Hakr (68586) | more than 7 years ago | (#15894008)

I seem to remember a program for managing WAP access. I think it's called NOCATAUTH. Anyway, I haven't looked at the specifics, but it seems to me that you could use a WRT-54G (V1-4 or VL) to redirect all network traffic to a specific IP address for the purpose of authentication. Why couldn't you just redirect everyone to that specific IP address?

Now, while a technological measure might be easiest, think about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP request originated from. Let the originator know that such access is forbidden. Let him/her know that any further attempts to access forbidden IP addresses will be dealt with harshly.

Re:Easy (2, Informative)

rhandir (762788) | more than 7 years ago | (#15894271)

First, a question,
You wrote:
Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.

Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?

Anyway, as the above poster has said (among many others), if you have access to the NAT box, do it there; if you don't, ask IT to do it there. Any protective software on the boxen themselves can be compromised by stuff that isn't deterred by audit trails (spyware, worms, virii, etc.) so I wouldn't bother.

As an interim solution, buy a pair of D-Link 604s ($35 + tax each) and put them inline, and set rules on them - don't forget to clone the MAC addresses. (Yes, technically a LAN isn't a WAN, and weird stuff could happen, test it at home first, etc. etc.)

Alternatively, if you are worried about idle websurfing and you think directives/audits might be a deterrent, find a pair of older computers* you can put next to the lab computers that you can set for websurfing. If you can't afford another monitor, get a cheap KVM switch.

-r. *blah blah linux blah blah live-cd blah blah won't run flash blah blah firefox etc etc.

I've done it before........ (1)

tempest69 (572798) | more than 7 years ago | (#15897143)

The hosts thing is a bit funky; it would mean turning DNS off on the local boxes, which is easy to spot by a novice.

This is usually obscure enough that nobody is even going to realize that they can do it.

type in: ROUTE PRINT

It will show you a bunch of routes.

You want to delete the 0.0.0.0 entry.. ie ROUTE DELETE 0.0.0.0

Then add entries for all of the destinations you want to talk to..... ie ROUTE ADD 10.0.69.69 MASK 255.255.255.255 192.168.0.1 METRIC 10

Where the 10.0.69.69 is your DNS server and the 192.168.0.1 would be the inner NAT gateway.. and repeat for the rest of the boxes

If you have a nice group of machines in an IP range you can just loosen the MASK to 255.255.255.0, assuming that you trust the rest of the machines in that subnet.

Pop the commands into a startup script, or add the -p flag to make the changes persistent, and you're good to go. Good luck.

Storm
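Added example, not from the thread or from any poster in it: a small model of the static-route whitelist described above. It reproduces the longest-prefix-match lookup a host performs, so you can predict what a table with no 0.0.0.0 entry will and will not reach before touching a real box. 10.0.69.69 and 192.168.0.1 are the addresses from the post; every other address is a constructed sample value. Note the caveat MarkusQ raises still applies: the routes live on the box, so anyone who can run ROUTE ADD (an administrator) can put the default route back.

```python
# Added example, not from the thread: a model of the static-route whitelist.
# It reproduces the longest-prefix-match lookup a host performs so you can
# predict what a table with no 0.0.0.0 entry will reach.
# 10.0.69.69 and 192.168.0.1 are the addresses from the post; every other
# address here is a constructed sample value.
import ipaddress

ON_LINK = "on-link"   # marker for a directly connected subnet (no gateway hop)


class RouteTable:
    """Minimal IPv4 routing table with longest-prefix-match selection."""

    def __init__(self):
        self.routes = []   # entries: (network, gateway, metric)

    def add(self, destination, mask, gateway, metric=10):
        # Same shape as "ROUTE ADD <dest> MASK <mask> <gateway> METRIC <n>"
        net = ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, gateway, metric))

    def delete(self, destination):
        # Same shape as "ROUTE DELETE <dest>": removes routes for that network
        self.routes = [r for r in self.routes
                       if str(r[0].network_address) != destination]

    def lookup(self, ip):
        """Gateway used for ip, or None if no route matches (packet is dropped)."""
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # Most specific prefix wins; among equals, the lowest metric wins
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1]


def build_lab_table(allowed_hosts, gateway="192.168.0.1",
                    local_subnet="192.168.0.0", local_mask="255.255.255.0"):
    """Start from a normal table, then apply the post's recipe: drop the
    default route and add one /32 host route per allowed address. The
    on-link route for the local subnet stays, so SMB to local file servers
    keeps working."""
    table = RouteTable()
    table.add("0.0.0.0", "0.0.0.0", gateway, metric=20)          # default route
    table.add(local_subnet, local_mask, ON_LINK, metric=20)      # directly connected LAN
    table.delete("0.0.0.0")                                      # ROUTE DELETE 0.0.0.0
    for host in allowed_hosts:
        table.add(host, "255.255.255.255", gateway, metric=10)   # ROUTE ADD ... MASK 255.255.255.255
    return table


def reachable(table, ip):
    """True when the table has any route for ip."""
    return table.lookup(ip) is not None


if __name__ == "__main__":
    # 10.0.69.69 is the DNS server from the post; 203.0.113.10 stands in for the one allowed site
    lab = build_lab_table(["10.0.69.69", "203.0.113.10"])
    for dst in ["10.0.69.69", "203.0.113.10", "198.51.100.5", "192.168.0.50"]:
        print(f"{dst:>15} -> {lab.lookup(dst)}")
    # Loosening the mask to a /24 widens the hole to the whole DNS subnet
    lab.add("10.0.69.0", "255.255.255.0", "192.168.0.1")
    print("10.0.69.1 after /24 route:", lab.lookup("10.0.69.1"))
```

The /24 step at the end shows what "loosen the MASK to 255.255.255.0" actually permits: every host on that subnet becomes reachable, not just the DNS server, which is the trust assumption the post mentions.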

Re:Easy (1)

jmo_jon (253460) | more than 7 years ago | (#15899606)

There are forums and mailing lists for simple (and more advanced) firewall setups. I fail to see why this deserves to be on Slashdot.

New technology? No.
Advanced special usage of something? No.
Something that needs to be reviewed by thousands of serious (and less serious) techies? No.

Can someone pleeease explain to me why this was accepted!?

And for you who posted the question, search for what you can do with dhcpd, bind and your favorite firewall.

Re:Easy (1)

sumdumass (711423) | more than 7 years ago | (#15900907)

It was included on Slashdot to see if you knew the answer. And no, RTFM wasn't the correct answer.

P.S. Could you add something constructive? This approach is somewhat interesting to quite a few of us. This doesn't necessarily mean we cannot Google either. Let's recap the question in case you didn't understand it.

The poster wished to:

Limit the web surfing to maybe two sites and still allow domain browsing.
Has the problem of being Windows XP SP2 computers,
has the problem of being on a Win2003 Active Directory domain that he appears to not have access to,
believes the computers are NATed and that means he cannot place an intermediate device between them and the domain controller.

Do you know an answer to the problem, or just how to suggest that the answer is already out somewhere if we look hard enough?

Here is a way (4, Informative)

giorgiofr (887762) | more than 7 years ago | (#15893895)

In the TCP/IP properties of the network adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH

Re:Here is a way (1)

eric76 (679787) | more than 7 years ago | (#15894061)

You can enter IP addresses now in their TCP/IP filter?

The last time I looked (not at XP), you could enter port numbers, but not IP addresses.

The best approach would be to manually modify the routing table, assuming, of course, that is possible with XP.

Huh? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15893896)

What are you doing supporting these computers? If you need to Ask Slashdot to get the answer to this fairly basic problem, then you are not qualified to do the job.

Harsh, but true.

Re:Huh? (3, Funny)

Bin_jammin (684517) | more than 7 years ago | (#15893915)

I just wish I could get a job supporting two computers.

Re:Huh? (0)

Anonymous Coward | more than 7 years ago | (#15894058)

Considering the submitter says the computers "also are used to drive scientific instruments", it would be a reasonable assumption that what s/he really supports is the instruments, and the computers are just peripheral.

Re:Huh? (1)

B'Trey (111263) | more than 7 years ago | (#15893945)

While there's a great deal of truth to what you're saying, reality often slaps theory in the face. My guess would be that there is no qualified support, there's no money (or no management desire) to hire qualified support, and someone who has an inkling of a clue about computers gets the responsibility dropped in their lap with no real option to say "No". It's not their fault and there's often not much they can do except struggle through and do the best they can. (And, of course, I know some pretty savvy people who started out just that way a decade or so ago.)

Re:Huh? (1)

MLease (652529) | more than 7 years ago | (#15896808)

While there's a great deal of truth to what you're saying, reality often slaps theory in the face. My guess would be that there is no qualified support, there's no money (or no management desire) to hire qualified support, and someone who has an inkling of a clue about computers gets the responsibility dropped in their lap with no real option to say "No". It's not their fault and there's often not much they can do except struggle through and do the best they can. (And, of course, I know some pretty savvy people who started out just that way a decade or so ago.)

Ding-ding-ding! We have a winner! There is no shame in ignorance, as long as one recognizes it and tries to do something to rectify it -- which is exactly what the poster of the article is doing.

-Mike

Re:Huh? (1)

Ruie (30480) | more than 7 years ago | (#15894344)

What are you doing supporting these computers? If you need to Ask Slashdot to get the answer to this fairly basic problem, then you are not qualified to do the job.

You might be surprised, but I found that nothing to do with Windows qualifies as "basic", despite my extensive experience with Linux/Unix.

The problem is that Windows functions and interfaces are just thrown together and then modified to mollify the average user. Unlike Unix, which is built to implement an abstraction, there is no operation in Windows that has a well-defined effect and can be automated to produce that effect again and again.

For example, if you see a file on a "Desktop" chances are you won't see it in c:/windows/desktop and even if you do a locate it sometimes still cannot be found.

If you name a file "a.txt" then it can get saved as "A.TXT".

And forget about optimization - the system call performance is hard to understand, the filesystem behaves unpredictably, heck, there are no programming languages at all on the installation disk!

.bat, .js, .vbs (1)

tepples (727027) | more than 7 years ago | (#15894607)

heck, there are no programming languages at all on the installation disk!

I have a feeling you didn't look very hard. Microsoft Windows out of the box can execute scripts written in the languages corresponding to the .bat, .js, and .vbs suffixes.

Re:Huh? (1)

Steendor (917855) | more than 7 years ago | (#15895497)

For example, if you see a file on a "Desktop" chances are you won't see it in c:/windows/desktop and even if you do a locate it sometimes still cannot be found.

On Windows XP, files, shortcuts, and directories appearing on your desktop will almost always be located in %userprofile%\Desktop and those appearing on all users' desktops will almost always be located in %allusersprofile%\Desktop. For most, %userprofile% expands to C:\Documents and Settings\username and %allusersprofile% expands to C:\Documents and Settings\All Users.

The exceptions are the My Computer, Recycle Bin, My Documents, Internet Explorer, and My Network Places shortcuts. (maybe more?) Except for the Recycle Bin, those can be enabled/disabled on a per-user basis from the Display Properties control panel. Right-click the desktop and select properties, select the Desktop tab, and click the Customize Desktop... button. The Internet Explorer icon can also be enabled/disabled from the Internet Options control panel. There may be a hack to remove the Recycle Bin, but I don't know of one - try Google if you're interested.

On Windows 98, C:\Windows\Desktop is the desktop for the default user. If you're using an actual user account, you shouldn't expect to see your shortcuts, files, and folders there. Look in C:\Windows\Profiles\username.

If you name a file "a.txt" then it can get saved as "A.TXT".

That's actually not a Windows problem; that's a problem with the particular program you're using. Because it's a problem with the program, you'll never see any change by upgrading to XP, or to Vista. There are plenty of programs that don't adjust your capitalization when you save a file (but maybe none that do what your program does).

Unfortunately, because Windows is not case-sensitive, if you want to change it manually, you need to change it to a completely different name first. I believe CKRename [musicsucks.com] is one program that can change the capitalization for you.

the filesystem behaves unpredictably

Would you care to elaborate on that? I can't recall a situation I've had with FAT or NTFS volumes that I couldn't attribute to someone (myself, on occasion) just not understanding how things work.

Re:Huh? (1)

Ruie (30480) | more than 7 years ago | (#15897197)

the filesystem behaves unpredictably

Would you care to elaborate on that? I can't recall a situation I've had with FAT or NTFS volumes that I couldn't attribute to someone (myself, on occasion) just not understanding how things work.

Well, it is hard to figure out a good way to use it. For example, in Linux, I know that if I have plenty of free space (at least 10%) and one program writes or reads a single file, you are going to access the disk in sequential mode - and get the maximum transfer rate the drive is capable of.

With NTFS the files get fragmented unless one preallocates a chunk of space before writing the file (how the hell am I supposed to know the size of the gzip file I am unpacking?) and even after defragmentation some files read pretty slowly, as if they were doing seeks all the time.

Also, I would expect that if I create a small file, run some other program on it (quickly) and then delete the file, it should never hit the disk. Yet this is not very fast.

Also, when creating lots of files, the directories that hold them get fragmented. This is just bizarre.

Network Layer (2, Insightful)

paulywog (114255) | more than 7 years ago | (#15893898)

I'd look at doing it at the network infrastructure level. They're connected to network hardware of some kind. If you have some kind of router on their subnet that manages the traffic, start setting up filtering rules. You said something about "not being allowed to intercept their traffic with another box," but the network itself has to have some infrastructure in it, so you should have an option there.

Obviously not rocket science (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15893903)

What kind of moron buys scientific software...
  1. That requires MS Windows?
  2. That is written using the .NET framework?

What kind of science is this, beauty therapy?

Re:Obviously not rocket science (1)

SubliminalVortex (942332) | more than 7 years ago | (#15893931)

The same kind of person that wants to 'reverse engineer' it. The .NET Reflector by Lutz Roeder will most likely tear it apart. Especially for case #2.

Re:Obviously not rocket science (0)

Anonymous Coward | more than 7 years ago | (#15893964)

So the selling point is that although this scientific software does not ship with source code, purchasers can spend months reverse engineering and modifying it to fit their needs? The world of beauty therapy will never be the same again.

Re:Obviously not rocket science (1)

SubliminalVortex (942332) | more than 7 years ago | (#15893985)

Actually, it doesn't take months, just moments. You have to give credit to impulse management decisions. ;)

Re:Obviously not rocket science (0)

Anonymous Coward | more than 7 years ago | (#15894023)

What about if the code has been obfuscated prior to assembly? I'm not well up on MSIL but do all the companies being told to move to .NET know their assemblies can be reverse engineered so trivially?

Re:Obviously not rocket science (0)

Anonymous Coward | more than 7 years ago | (#15894122)

Read the summary again - he's using the computers for scientific *instruments*, not software. When you buy highly specialized (and expensive) equipment there's often no choice in what software you use to drive it.

Re:Obviously not rocket science (1)

mabu (178417) | more than 7 years ago | (#15894508)

This is what happens when you hire programmers who don't know the best tool for the job. It's everywhere in the tech field today unfortunately. People design applications, not after a search of what technology is best suited, but based on what narrow area of expertise they have.

Re:Obviously not rocket science (1)

falsified (638041) | more than 7 years ago | (#15896235)

Not that I'm a Windows fanboy (or, um, a scientific instrument fanboy), but considering that from the question itself we have no idea what the scientific instruments ARE, we have no way whatsoever to determine whether Windows is the right tool for the job?

Re:Obviously not rocket science (1)

mabu (178417) | more than 7 years ago | (#15899751)

I know a lot of scientific instruments that need minesweeper running concurrently.

Re:Obviously not rocket science (1)

Geoffreyerffoeg (729040) | more than 7 years ago | (#15895136)

What kind of moron buys scientific software...
  1. That requires MS Windows?
  2. That is written using the .NET framework?

The moron facing a monopoly market. It's not like you can just go to SourceForge and download a driver for some highly specialized scientific equipment that costs thousands of dollars that no OSS developer knows how to use....

WTF? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15893905)

The most basic thing under any UNIX operating system comes up as a Windows question on Ask Slashdot. This must be a new low.

Re:WTF? (1)

SubliminalVortex (942332) | more than 7 years ago | (#15893944)

Now now, most people don't know that Windows actually does have a HOSTS file and that you can use it to restrict access. Most of them probably think that way because *NIX users train them to ignore their roots. Shame on you!

Re:WTF? (0)

Anonymous Coward | more than 7 years ago | (#15894055)

most people don't know that Windows actually does have a HOSTS file and that you can use it to restrict access.
Except you can't. Maybe _you_ should read up on roots and stuff...

Windows XP SP2 comes with a firewall. (0)

Anonymous Coward | more than 7 years ago | (#15893913)

Use it.

use IE's content filter (4, Informative)

linuxbert (78156) | more than 7 years ago | (#15893919)

IE has a built-in content filter that accepts wildcards. Turn it on: click on Tools, go to Options, click on the restricted sites tab, add a wildcard * and click Never. Then add the one site you want people to go to and click Always. Under General you'll probably also want to disable "Supervisors can enter a password to see site" (it makes users less cranky thinking someone else is allowed, but not them).

When you close the dialogue box it will ask for a password, and you're done.

Microsoft has released a shared computer toolkit for places like labs and libraries that has some neat tools - including a good one to restrict access to only certain applications. You may wish to look into that as well.

Firefox? (0)

Anonymous Coward | more than 7 years ago | (#15893950)

How would you block sites in Firefox?

I've tried using the 'c:/Windows/System32/drivers/etc/hosts' file, but that doesn't work like it does in *NIX. Actually, it doesn't work at ALL in XP.

It works (1)

The MAZZTer (911996) | more than 7 years ago | (#15894458)

You'll need to wait for Firefox's own DNS cache to expire (takes 60 minutes by default, quicker if you change the option in about:config).

In addition ipconfig has a /flushdns option which you might need to use to force Windows in general to look up the address in HOSTS instead of the cache.

Re:It works (0)

Anonymous Coward | more than 7 years ago | (#15895234)

You'll need to wait for Firefox's own DNS cache to expire (takes 60 minutes by default, quicker if you change the option in about:config).

No need to wait, just click "Work Offline" in the File menu. It automatically expires the cache.

Re:use IE's content filter (1)

liquidpele (663430) | more than 7 years ago | (#15893954)

And if they just bring in a disk with firefox on it? Ya.

Re:use IE's content filter (2, Informative)

nahdude812 (88157) | more than 7 years ago | (#15894384)

Hehe, what if they bring an Ubuntu Live CD/DVD? What if they plug in a bootable USB/Firewire disk? What if they move the network cable to a laptop they control? What if they replace the master SATA/IDE disk and put the old one into slave mode?

At some point you have to realize the old security axiom: There is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. Sometimes "sufficient" security is sufficient. You cannot protect against a determined attacker w/ physical access, but if you do a reasonable job of locking the box down for typical / normal access, you protect against the casual coworker looking to surf porn w/o it being traceable back to him. Just like locks on houses & cars: this keeps the honest people honest; the dishonest people are going to do whatever they want no matter what.

Also, I get the impression that for whatever reason, filtering at the NAT box won't work (maybe because they won't always control this NAT box, or the NAT box lacks the capability), which would be why he's looking at software solutions.

P.S. you can set Windows to only run certain executables; there's a tool for doing this. This would protect against an install of Firefox from a disk.

Re:use IE's content filter (0)

Anonymous Coward | more than 7 years ago | (#15894286)

Have you tried this?

1) You are confusing the Content Filter and the Security Zones. Restricted Sites is a security zone; users can still access websites in this zone, it just disables certain features deemed unsafe (e.g. ActiveX).

2) There is a Content Filter (CF). My experience with the content filter is it rarely works as expected. My experience with trying to solve this specific problem with the content filter is that it doesn't work (or it's certainly not trivial): The CF uses a set of pre-existing rules which enable access to many websites. I have tried creating and importing custom rules, but implementing it was such a mess that we moved on to a different solution.

Re:use IE's content filter (1)

linuxbert (78156) | more than 7 years ago | (#15894509)

I am aware of both, and no, I didn't get them mixed up. (I will qualify that I currently only have IE7 Beta 3 on this machine, but this feature exists in other versions, and the instructions might be different.)

Security zones allow you to define different browser settings based on your trust of the site. Restricted sites allows you to still go to the site, but applies the most restrictive policy to the site - such as disabling active content. Go to http://www.theweathernetwork.com/ [theweathernetwork.com] and see how it looks. Then add it to the restricted sites list and go back. The page still loads - but looks quite different.

The Content filter is meant to control what webpages users can access - exactly what this person wants. If you add * to the never allow list in Content filter's restricted list it will disallow all websites, and then you allow the specific website you want to go to. I tried this before I posted and it did work. Content filter has many issues when you attempt to use it to filter based on violence, nudity and language. Content filter relies on RSACi ratings to be embedded as META tags on the website. Many sites don't have META tags with RSACi information, and RSACi itself has folded into a different organization and has changed the way ratings are detected by browsers (which IE7 surprisingly hasn't incorporated) and require the user to install a plugin IIRC.

What about Firefox/Ubuntu live CD etc.?
Why are users allowed to install software? Are they running as administrators? I also mentioned Microsoft's toolkit for locking down public workstations, and defining what software can run on a system. This would take care of that. As for live CDs, bootable floppies and USB keys: why is the BIOS allowing anything but the C: drive to boot, and why isn't the BIOS passworded? If the machine has sensitive research data there is no reason anyone should be able to boot off any other device - if the admin has to, he knows the password.

My original solution takes 5 minutes to implement, and uses tools that already exist on the system. It doesn't muck with a network, or make you buy or find a firewall - and spend time writing or finding rules to do what the user wants. And most importantly it just works.

Re:use IE's content filter (1)

sd.fhasldff (833645) | more than 7 years ago | (#15895143)

as for live CDs, bootable floppies and USB keys: why is the BIOS allowing anything but the C: drive to boot, and why isn't the BIOS passworded?

BIOS passwords? Oh, please, if you have physical access to the machine without oversight, a BIOS password won't do jack. Resetting it is trivial, although it does require opening the box.

Re:use IE's content filter (1)

linuxbert (78156) | more than 7 years ago | (#15895856)

Then use security screws on the case.
If that won't foil the attacker, then you have much bigger problems than someone going to unauthorized websites.

I can just see some secretary wanting to check her hotmail account - trying to reset the BIOS and when she finds the password, pulling the case off and removing the battery or jumper.

Re:use IE's content filter (1)

sumdumass (711423) | more than 7 years ago | (#15900941)

There used to be a program floating around called "kill CMOS". If the computer would boot, all you had to do was run it and it would reset the CMOS to defaults allowing the password to be reset. But why go that far, 90% of the computers out there have a back door CMOS password already installed in them. This was something manufacturers demanded because of all the "dead machines" out there after some disgruntled employee locked everything out and "tech support couldn't help".

Re:use IE's content filter (1)

X0563511 (793323) | more than 7 years ago | (#15896975)

Unfortunately a quick peruse of the registry allows a user to simply turn it off. Judging by what the submitter has told us, I'm willing to bet the software requires an Administrator class account, simply to work magic with the system's ports.

use a #@%# firewall? (1)

liquidpele (663430) | more than 7 years ago | (#15893947)

1) Use an external firewall
2) Change their domain policy so they can't
3) Install a desktop solution with firewall capabilities they can't change (for instance this [iss.net] although you have to have the full siteprotector suite to use it so it's overkill for just 2 computers).

Audit (4, Insightful)

PIPBoy3000 (619296) | more than 7 years ago | (#15893970)

It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

How about making a 3x5 sign and tape it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the weblogs at your firewall and see if anyone at that device is doing anything.

I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.
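Added example, not from the thread or from any poster in it: the periodic audit suggested above, run over firewall log lines. It parses each line, keeps only connections from the lab PCs, and reports every destination outside the allow list, with a per-host tally for the follow-up conversation. The log lines, addresses and the simplified "date time action proto src dst sport dport" layout are constructed samples (the layout is an assumption, not any specific product's format); adapt parse_line to whatever your firewall actually writes.

```python
# Added example, not from the thread: an audit pass over firewall log lines.
# SAMPLE_LOG, the addresses and the column layout are constructed samples;
# the layout is an assumption, not a specific product's format.
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
)

# Constructed sample: two lab PCs (.21, .22), one permitted site (203.0.113.10),
# a local file server (.5) and an unrelated LAN host (.40)
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2006-08-17 09:58:10 ALLOW TCP 192.168.0.21 203.0.113.10 1041 443
2006-08-17 09:59:02 ALLOW TCP 192.168.0.21 198.51.100.7 1042 80
2006-08-17 10:03:44 ALLOW TCP 192.168.0.22 192.168.0.5 1050 445
2006-08-17 10:05:17 ALLOW TCP 192.168.0.22 198.51.100.9 1051 80
2006-08-17 10:06:30 ALLOW TCP 192.168.0.21 198.51.100.7 1043 443
2006-08-17 10:07:01 ALLOW TCP 192.168.0.40 198.51.100.7 1100 80
"""


def parse_line(line):
    """Return a dict for a data line; None for header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text, lab_hosts, allowed):
    """Connections from a lab host to a destination outside the allow list.
    'allowed' holds single addresses or CIDR blocks (the LAN can be allowed whole)."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in lab_hosts:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in allowed_nets):
            continue
        violations.append(rec)
    return violations


def summarize(violations):
    """Violation count per lab host."""
    return Counter(v["src"] for v in violations)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG, {"192.168.0.21", "192.168.0.22"},
                  ["203.0.113.10", "192.168.0.0/24"])
    for v in found:
        print(f'{v["date"]} {v["time"]} {v["src"]} -> {v["dst"]}:{v["dport"]}')
    print(dict(summarize(found)))
```

Allowing the whole 192.168.0.0/24 block keeps SMB traffic to the local file servers out of the report, which is what the original question asks for; narrow it to the file servers' addresses if the LAN itself is not trusted.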

Call technical support (2, Funny)

Ougarou (976289) | more than 7 years ago | (#15894051)

Microsoft Windows products come with an excellent website for support. Their technical team is always there for you and will help you solve all your problems with their product. However, if you still have unsolved problems, please try Windows Live OneCare [windowsonecare.com].

Lock it down (1)

alanjstr (131045) | more than 7 years ago | (#15894149)

Sure. Set the homepage to your site and then prevent users from changing that setting. As long as you don't have any external links and lock IE down with policies, you're ok. You'll also need to prevent users from accessing the command line and explorer. Everything would have to be driven by what icons you place on the desktop and start menu. You should google around for terms such as "kiosk mode".

Re:Lock it down (1)

maxwells_deamon (221474) | more than 7 years ago | (#15895028)

No, this is a bad idea.

There are lots of ways to sneak past this. For instance you can browse the web using the help function in Windows and many other places.

You would have to prove you caught them all

Re:Lock it down (1)

sumdumass (711423) | more than 7 years ago | (#15900954)

Well, this may not be too bad of an idea after all. First, disable the DNS entry on the network interface. Set up the proxy server to forward domain browsing to the domain controller, then block everything except the sites wanted.

But in all eventuality, it would likely still allow IP addresses to bypass the filters. Maybe if something was done to hide the gateway address or filter there too.

Use the proxy settings. (1)

jaseuk (217780) | more than 7 years ago | (#15894184)

Set the Proxy server to a junk value.

Then add proxy exclusions for the sites that they are permitted to access.

Then lock down these settings via GPO.

Come on, this is ridiculously easy (1)

ocbwilg (259828) | more than 7 years ago | (#15894284)

Step 1, make sure that these PCs always use the same IP address. Set it statically if you can, and while you're at it, set up a DHCP reservation for their MAC addresses to give them that same address. That way if they switch it to DHCP they get the same thing.

Step 2, set up a rule on your firewall for those two addresses that basically says 'allow http and https traffic from these IP addresses only if they are going to this specified address (the web site that they need)'. Put a rule immediately after that one that says 'deny all traffic from these IP addresses to any other IP addresses'. Now they should have free roam of the internal network, but only be allowed web access to that one external site.

If you want to get even more paranoid, you can configure the ports on their network switch to only allow traffic from their IP addresses, in case the users get the idea of statically setting a different IP address on the same subnet than the one that you gave them. Of course, these users shouldn't have the ability to change the IP address configuration for their PCs if they aren't running as admin. You don't let them run as admin, do you?

I don't believe that Windows XP has the same settings for IP security that you can put on Windows 2000 and later, otherwise that would be an option. If you really wanted to get detailed and make it secure, you could change all of the Windows Firewall settings to block everything except necessary traffic to necessary hosts, but then it gets really tedious, but I know that Windows Firewall settings can be set with Group Policy.
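Added example, not from the thread or from any poster in it: a first-match evaluation of the rule pair described in step 2 above, so the order can be checked before it is typed into a real firewall. The lab PC addresses and the permitted web server are constructed sample values. One point worth keeping in mind when reading the result: only traffic that actually crosses the firewall is subject to these rules, so the trailing "deny all" does not touch LAN-to-LAN traffic on the same switch, which is why the internal file servers stay reachable.

```python
# Added example, not from the thread: first-match evaluation of an ordered
# firewall rule list. LAB_PCS and ALLOWED_SITE are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # address or CIDR
    dst: str             # address, CIDR, or "any"
    ports: frozenset     # destination TCP ports; empty means any port


def _matches(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst, port, default="allow"):
    """Walk the rules in order; the first match decides. 'default' is what the
    box does for traffic no rule mentions (the post's NAT box lets the rest of
    the LAN out, hence 'allow')."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and (not r.ports or port in r.ports):
            return r.action
    return default


LAB_PCS = ("192.168.0.21", "192.168.0.22")   # constructed: the two instrument PCs
ALLOWED_SITE = "203.0.113.10"                # constructed: the one permitted web site
WEB_PORTS = frozenset({80, 443})


def lab_rules():
    """Step 2 of the post: allow HTTP/HTTPS to the one site, then deny everything else."""
    allow = [Rule("allow", pc, ALLOWED_SITE, WEB_PORTS) for pc in LAB_PCS]
    deny = [Rule("deny", pc, "any", frozenset()) for pc in LAB_PCS]
    return allow + deny


def lab_rules_wrong_order():
    """The same rules with the deny pair first: the allow pair is never reached."""
    rules = lab_rules()
    return rules[2:] + rules[:2]


if __name__ == "__main__":
    for src, dst, port in [("192.168.0.21", ALLOWED_SITE, 443),
                           ("192.168.0.21", ALLOWED_SITE, 21),
                           ("192.168.0.22", "198.51.100.5", 80),
                           ("192.168.0.99", "198.51.100.5", 80)]:
        print(f"{src} -> {dst}:{port} {evaluate(lab_rules(), src, dst, port)}")
    print("deny-first order:", evaluate(lab_rules_wrong_order(), "192.168.0.21", ALLOWED_SITE, 443))
```

The FTP case (port 21 to the allowed site) comes out as "deny" because the allow rule lists only 80 and 443; if FTP is needed, as the question says it might be, add 21 to WEB_PORTS rather than relaxing the destination.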

Re:Come on, this is ridiculously easy (0)

Anonymous Coward | more than 7 years ago | (#15894762)

People should delve deeper into Windows. It can do just about anything you want. Some things are really easy, like basic network configuration, but the rest is there too. Even IPSec is built-in. The frontend of the firewall makes it look like a toy, but that's just how Windows works: It's a GUI for the usual stuff and the rest is hidden.

This IE whitelist works in a domain group policy (0)

Anonymous Coward | more than 7 years ago | (#15894327)

We wanted a whitelist for IE in a 2003 domain. Note that this won't affect Firefox or other apps.

1) Go to 'Group Policy >> user config >> windows settings >> ie maintenance >> connection >> proxy settings'
2) Proxy everything to localhost
3) In the exceptions, list allowed hosts separated by semicolons. Wildcards work.
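The "proxy everything to a dead address, then list the permitted hosts as exceptions" approach from this comment and jaseuk's above can be sanity-checked before pushing the GPO. The following is an added example, not from either poster: it models IE's ProxyOverride list (semicolon-separated entries, `*` wildcards, the special `<local>` entry) with Python glob matching, which is an approximation of IE's own matcher; the hostnames and proxy address are constructed.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed ProxyOverride string, as the GPO exception list would hold it.
# '<local>' is IE's entry for "any hostname without a dot" (intranet names).
PROXY_OVERRIDE = "instrument.example.com;*.example.com;<local>"

# The proxy server value is deliberately a dead end: nothing listens on it,
# so anything that is NOT in the exception list fails instead of going out.
DEAD_PROXY = "127.0.0.1:1"


def host_bypasses_proxy(host: str, override: str = PROXY_OVERRIDE) -> bool:
    """True if IE would connect to `host` directly (i.e. the site is permitted).

    Entries are matched case-insensitively against the host name only.
    Glob semantics ('*' matches any run of characters, dots included)
    approximate IE's wildcard handling.
    """
    host = host.lower()
    for entry in (e.strip().lower() for e in override.split(";")):
        if not entry:
            continue                       # tolerate trailing ';'
        if entry == "<local>":
            if "." not in host:
                return True                # e.g. 'fileserver', 'printserver'
        elif fnmatch.fnmatchcase(host, entry):
            return True
    return False


def classify(url: str, override: str = PROXY_OVERRIDE) -> str:
    """Report where IE would send a request for `url`: 'direct' (allowed)
    or 'proxy <dead address>' (effectively blocked)."""
    host = urlsplit(url).hostname or ""
    if host_bypasses_proxy(host, override):
        return "direct"
    return f"proxy {DEAD_PROXY}"


if __name__ == "__main__":
    for u in ("http://instrument.example.com/data",
              "http://fileserver/share",
              "http://www.slashdot.org/",
              "http://192.0.2.10/"):     # raw IP: not listed, so also blocked
        print(f"{u:40} -> {classify(u)}")
```

Because an unlisted destination is sent to a proxy that does not exist, a raw IP address that is not itself in the exception list is blocked too, which is the fail-closed property the hosts-file approach discussed earlier lacks.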

Watchguard (1)

Peregr1n (904456) | more than 7 years ago | (#15894353)

At work we use a Watchguard [watchguard.com] java applet, which I don't particularly like, but it does the job as you describe. We use it to restrict users/workstations to our own websites and limited tech support sites.
To enable this access on the client PC, the user opens IE, goes to a local page that contains the applet, and enters their password in the applet. As long as that window is open in the background, they have access to the allowed sites.
I don't deal with the server end myself but I think it comes in hardware or software flavours.

Do it at the router (3, Insightful)

metamatic (202216) | more than 7 years ago | (#15894420)

If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.

Internal vs. external connections - VLAN? (1)

billstewart (78916) | more than 7 years ago | (#15895129)

The router isn't going to affect their ability to reach other sites in your LAN, just their connections to the outside world. If you've got a LAN switch that supports VLANs, you could restrict the local connections as well.

The real questions are how much you trust your users not to mess around with the box and why you've got a policy against putting in extra firewall boxes if you need them. The answer may be to get better management :-) If the policy against routing through another box is just a budget thing, you can get a Linksys for $29, and you'll spend more time than that (even at grad student wages) haggling about policies.

Don't connect the machine to the internet (3, Insightful)

vijayiyer (728590) | more than 7 years ago | (#15894533)

A scientific instrument or computer that controls them with proprietary data should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.

Easy solution (2, Insightful)

Sloppy (14984) | more than 7 years ago | (#15894567)

Because of policy, it's not possible to redirect their network traffic to another box for filtering
Change policy.

Firewall (2, Insightful)

kalmite (89186) | more than 7 years ago | (#15894569)

Use the site firewall to restrict traffic from those machines to only go to the required sites. As for SMB, use a host based firewall, such as Symantec Client Security. SCS can be locked down through the management console.

Use IPSEC Policies (1)

hardreset (775806) | more than 7 years ago | (#15894713)

As silly as this sounds, I would suggest using an IPSEC policy applied via Group Policy to enforce access/non-access based on port numbers and IPs. A lesser-known function of the IPSEC rules is filtering. You'll want to keep in mind the policies are NOT stateful, so make sure to test your rules. Applying the IPSEC policy via Group Policy will ensure consistent re-application (in the event someone figures out how to un-apply the settings... and in that case, pull in HR/management).

Alter the routing table... (1)

lebean (638838) | more than 7 years ago | (#15894800)

Well, if they aren't administrators on the machines, then just change the routing tables. "route delete 0.0.0.0" does amazing things to limit internet access from a host. Just do a "route add" for the webserver they need to access, and they'll already have a route in their routing table that lets them talk to servers on the same local network. If the machines are pulling DHCP, this isn't going to survive reboots, of course, but if you can statically assign their IP info, just do that, but don't enter a default gateway (many people seem to erroneously believe you *have* to put something for the default gateway, which isn't true at all). Your machines will come up with the ability to talk to the local network, and nothing else. To add additional routes for 'outside' hosts, i.e. the webserver you want them to hit, you'd just set up a persistent static route so it will live across reboots: route -p add mask 255.255.255.255 Now you have a machine that can talk to local net, one outside webserver, and nothing else at all. Add additional routes for other local networks if needed.

Re:Alter the routing table... (1)

lebean (638838) | more than 7 years ago | (#15894827)

argh, should have previewed, formatting got massacred :(

route -p add "ip of webserver" mask 255.255.255.255 "ip of default gateway"

Maybe that will survive. Anyhow, the gist was just delete default route, add routes for what they need, and they won't be able to go anywhere else at all.
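To see what the routing-table approach above actually permits, here is an added example (not the poster's code) that models a Windows XP host whose default route has been deleted and which has one persistent /32 host route, then answers "can this host reach destination X?" by longest-prefix match. The subnet, gateway and web server addresses are constructed.

```python
import ipaddress

# Constructed routing table after:  route delete 0.0.0.0
#                                    route -p add 203.0.113.7 mask 255.255.255.255 10.20.30.1
# Each entry is (destination network, next hop); None means on-link delivery.
LOCKED_DOWN = [
    ("10.20.30.0/24", None),           # hypothetical LAN the instrument PC sits on
    ("127.0.0.0/8", None),             # loopback
    ("203.0.113.7/32", "10.20.30.1"),  # the one permitted web server, via the real gateway
]

# Same table with a default gateway configured, for comparison.
WITH_DEFAULT = LOCKED_DOWN + [("0.0.0.0/0", "10.20.30.1")]


def lookup(dst: str, routes=LOCKED_DOWN):
    """Longest-prefix match. Returns (network, next_hop) or None if unroutable."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net_str, next_hop in routes:
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def can_reach(dst: str, routes=LOCKED_DOWN) -> bool:
    """True if the host has any route for `dst`; no default route means
    every off-subnet address that lacks an explicit route is unreachable."""
    return lookup(dst, routes) is not None


if __name__ == "__main__":
    for dst in ("10.20.30.55", "203.0.113.7", "203.0.113.8", "198.51.100.1"):
        r = lookup(dst)
        via = "unreachable" if r is None else f"{r[0]} via {r[1] or 'on-link'}"
        print(f"{dst:14} -> {via}")
```

Note that, unlike a hosts-file block, this cannot be sidestepped by typing the raw IP address of an unlisted site: without a matching route the packet is never sent.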

IPCOP (1)

brenddie (897982) | more than 7 years ago | (#15894938)

IPCOP + AdvProxy AddOn + URLFilterAddOn
This will solve your problem only if you feel like changing your current firewall for IPCOP (OpenSource, Top choice IMHO ). You get a stateful firewall plus content filtering. If you want micromanagement capabilities you would need MS ISA (overkill for your setup)
If you decide on IPCOP then you are set for the future. You can then implement DMZ for your servers, VPN, QoS, and much more either using the built-in services or through addons.

A twist on the same question (1)

edremy (36408) | more than 7 years ago | (#15894953)

My wife and I have a five year old. He's quite good on a computer: we set him up with a few websites (Thomas the Tank Engine, Sesame Street, etc) but he's since figured out how to use the search bar in Firefox to look for things he likes. This is mostly Thomas and animals, which has led him to Wikipedia.

Most of Wikipedia is fine, but it links to lots of places that aren't fine, at least for a five year old. I'd like to restrict him to a known whitelist, but I don't want my and my wife's accounts to have the same restrictions. (We're both tired of Thomas.) In a few years, #2 son will want to look at stuff, and we'll need to loosen the whitelist for #1.

Anyone have a solution where we can have multiple filter sets for different accounts, and where the filter set can be protected from the users?

Re:A twist on the same question (0)

Anonymous Coward | more than 7 years ago | (#15902117)

A Netscreen + WebAuth [juniper.net]?

Re:A twist on the same question (1)

cwru4128 (995232) | more than 7 years ago | (#15903452)

I have had a good experience with an inexpensive program called NetNanny (http://www.netnanny.com/). It should give you the options you are looking for.

Without a filtering box? No. (0)

Anonymous Coward | more than 7 years ago | (#15895636)

If you can't do it from a filtering box then you can't do it in a way that the users cannot change. Anything you set up on the actual client machine could be subverted by users who had physical access to the machine since it's trivial to gain Administrator access to a machine you're actually sitting at.