Whitelisting Websites with Windows?
Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"
Easy (Score:2, Informative)
Re:Easy (Score:2, Informative)
And also, if the users have admin access, they can edit the hosts file.
Or you could set this up on whatever's doing the NAT.
Re:Easy (Score:3, Informative)
On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."
Re:Easy (Score:2)
Re:Easy (Score:5, Informative)
That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach; it's known as "honor system security."
The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.
--MarkusQ
Re:Easy (Score:2)
Now, while a technological measure might be easiest, think about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP re
Re:Easy (Score:2, Informative)
You wrote:
Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.
Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?
Anyway, as the above poster has said (among many others), if you have access to the NAT box, do it there; if you don't, ask IT to do it there. Any protective software on the boxen themselves can be compromised by stuff that isn't deterre
I've done it before........ (Score:1)
This is usually obscure enough that nobody is even going to realize that they can do it.
Type in: ROUTE PRINT
It will show you a bunch of routes.
You want to delete the 0.0.0.0 entry, i.e. ROUTE DELETE 0.0.0.0
Then add entries for all of the destinations you want to talk to, i.e. ROUTE ADD 10.0.69.69 MASK 255.255.255.255 192.168.0.1 METRIC 10
Where the 10.0.69.69 is your DNS server and th
Re:Easy (Score:2)
New technology? no
Advanced special usage of something? no
Something that needs to be reviewed by thousands of serious (and less serious) techies? no
Can someone pleeease explain to me why this was accepted!?
And for you who posted the question, search for what you can do with dhcpd, bind and your favorite firewall.
Re:Easy (Score:2)
PS. Could you add something constructive? This approach is somewhat interesting to quite a few of us. This doesn't necessarily mean we cannot google either. Let's recap the question in case you didn't understand it.
The poster wished to:
Limit the web surfing to maybe two sites and still allow domain browsing.
Has the problem of being Windows XP SP2 computers,
has the problem of being on a Win2003 Active Directory d
Here is a way (Score:5, Informative)
Re:Here is a way (Score:2)
The last time I looked (not at XP), you could enter port numbers, but not IP addresses.
The best approach would be to manually modify the routing table, assuming, of course, that is possible with XP.
Re:Here is a way (Score:2)
Re:Huh? (Score:4, Funny)
Re:Huh? (Score:2)
Re:Huh? (Score:1)
Re:Huh? (Score:2)
You might be surprised, but I found that nothing to do with Windows qualifies as "basic", despite my extensive experience with Linux/Unix.
The problem is that Windows functions and interface are just thrown together and then modified to mollify the average user. Unlike Unix, which is built to implement an abstraction, there is no operation in Windo
.bat, .js, .vbs (Score:2)
I have a feeling you didn't look very hard. Microsoft Windows out of the box can execute scripts written in the languages corresponding to the .bat, .js, and .vbs suffixes.
See [[VBScript]] (Score:2)
AC wrote:
VBScript [wikipedia.org]
Re:Huh? (Score:1)
On Windows XP, files, shortcuts, and directories appearing on your desktop will almost always be located in %userprofile%\Desktop and those appearing on all users' desktops will almost always be located in %allusersprofile%\Desktop. For most, %userprofile% expands to C:\Documents and Settings\username and %allusersprofile% expands to C:\Documents
Re:Huh? (Score:2)
Well, it is hard to figure out a good way to use it. For example, in Linux, I know that if I have plenty of free space (at least 10%) and one program writes or reads a single file you are going to access the disk in sequential mode - and get the maximum transfer rate the
Network Layer (Score:3, Insightful)
Re:Obviously not rocket science (Score:1)
Re:Obviously not rocket science (Score:1)
Re:Obviously not rocket science (Score:2)
Re:Obviously not rocket science (Score:2)
Re:Obviously not rocket science (Score:2)
Re:Obviously not rocket science (Score:2)
The moron facing a monopoly market. It's not like you can just go to SourceForge and download a driver for some highly specialized scientific equipment that costs thousands of dollars that no OSS developer knows how to use....
Re:WTF? (Score:1)
Re:WTF? (Score:2)
use IE's content filter (Score:5, Informative)
When you close the dialogue box it will ask for a password, and you're done.
Microsoft has released a shared computer toolkit for places like labs and libraries that has some neat tools, including a good one to restrict access to only certain applications. You may wish to look into that as well.
It works (Score:2)
You'll need to wait for Firefox's own DNS cache to expire (takes 60 minutes by default, quicker if you change the option in about:config).
In addition ipconfig has a /flushdns option which you might need to use to force Windows in general to look up the address in HOSTS instead of the cache.
Re: (Score:2)
Re:use IE's content filter (Score:3, Informative)
At some point you have to realize the old security axiom: There is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. So
Re:use IE's content filter (Score:2)
Security zones allow you to define different browser settings based on your trust of the site. Restricted sites allows you to still go to the site, but applies the most restrictive policy to the site, such as disabling active content. Go to http://www.theweathernetwork.com/ and see how it looks. The
Re:use IE's content filter (Score:1)
BIOS passwords? Oh, please, if you have physical access to the machine without oversight, a BIOS password won't do jack. Resetting it is trivial, although it does require opening the box.
Re:use IE's content filter (Score:2)
If that won't foil the attacker, then you have much bigger problems than someone going to unauthorized websites.
I can just see some secretary wanting to check her hotmail account, trying to reset the BIOS and, when she finds the password, pulling the case off and removing the battery or jumper.
Re:use IE's content filter (Score:2)
Re:use IE's content filter (Score:2)
Re: (Score:2)
Audit (Score:5, Insightful)
How about making a 3x5 sign and tape it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the weblogs at your firewall and see if anyone at that device is doing anything.
I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.
Manage their DNS (Score:2)
Re: (Score:2)
use the builtin firewall (Score:4, Informative)
Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.h
Call technical support (Score:2, Funny)
Wicked Easy (Score:3, Informative)
Lock it down (Score:2)
Re:Lock it down (Score:2)
There are lots of ways to sneak past this. For instance, you can browse the web using the help function in Windows and many other places.
You would have to prove you caught them all
Re:Lock it down (Score:2)
But in all eventuality, it would likely still allow IP addresses to bypass the filters. Maybe if something was done to hide the gateway address or filter there too.
Use the proxy settings. (Score:2)
Then add proxy exclusions for the sites that they are permitted to access.
Then lock down these settings via GPO.
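The proxy trick in the post above, spelled out as an added example (this is not code from the original post, and the host names, the dummy proxy address and the choice of a batch file for an XP SP2 box are my assumptions): point WinINET at a proxy that does not exist, list the permitted hosts in the bypass list so only they go direct, then set the same policy value that the "Disable changing proxy settings" GPO writes so the Connections tab is greyed out.

```batch
@echo off
REM Added example, not from the original post. Run as an administrator on
REM the XP SP2 box (or drop the same values into a GPO / logon script).
REM instrument.example.com, *.example.com and 127.0.0.1:1 are assumptions;
REM substitute the one permitted site and your own domain.

REM 1. Per-user WinINET settings: every request goes to a proxy that nobody
REM    listens on (port 1 on loopback is refused immediately), except the
REM    hosts in ProxyOverride, which go direct. <local> keeps single-label
REM    intranet names (file servers, the DC) direct as well.
set INET=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
reg add "%INET%" /v ProxyEnable   /t REG_DWORD /d 1 /f
reg add "%INET%" /v ProxyServer   /t REG_SZ    /d "127.0.0.1:1" /f
reg add "%INET%" /v ProxyOverride /t REG_SZ    /d "instrument.example.com;*.example.com;<local>" /f

REM 2. Policy value behind "Disable changing proxy settings": the proxy
REM    dialog in Internet Options becomes read-only for this user.
reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Proxy /t REG_DWORD /d 1 /f

REM 3. Show what took effect.
reg query "%INET%" /v ProxyServer
reg query "%INET%" /v ProxyOverride
```

Two caveats a practitioner will want. First, this only binds programs that honour WinINET settings (IE, the ActiveX control, most .NET HttpWebRequest callers); Firefox, a telnet client or anything with its own socket code ignores it, and an IP-literal URL still goes to the dead proxy only because the IP is not in the bypass list, so keep the list tight. Second, the policy value stops the UI, not a user with registry rights; deliver it through Group Policy so it is reapplied at every refresh, and still filter at the NAT box as the higher-scored replies say.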
Come on, this is ridiculously easy (Score:2)
Watchguard (Score:1)
To enable this access on the client PC, the user opens IE, goes to a local page that contains the applet, and enters their password in the applet. As long as that window is open in the background, they have access to the allowed sites.
I don't deal with the server end myself but I think it comes in hardware
Do it at the router (Score:4, Insightful)
You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.
Internal vs. external connections - VLAN? (Score:2)
The real questions are how much you trust your users not to mess around with the box and why you've got a policy against putting in extra firewall boxes if you need them. The answer may be to get better management :-) If the policy against routing through another box is just a budget
Don't connect the machine to the internet (Score:4, Insightful)
Easy solution (Score:2, Insightful)
Firewall (Score:2, Insightful)
Use IPSEC Policies (Score:1)
Alter the routing table... (Score:1)
Re:Alter the routing table... (Score:1)
route -p add "ip of webserver" mask 255.255.255.255 "ip of default gateway"
Maybe that will survive. Anyhow, the gist was just delete default route, add routes for what they need, and they won't be able to go anywhere else at all.
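The routing-table approach described in "I've done it before" (ROUTE PRINT / ROUTE DELETE 0.0.0.0 / ROUTE ADD ...) and again in the two "Alter the routing table" posts, written out as one added example; it is not code from either poster. The gateway 192.168.0.1 and DNS server 10.0.69.69 are the placeholder values from the first of those posts, the web server and file server addresses are my assumptions, and the batch-file form is my choice for an XP SP2 box.

```batch
@echo off
REM Added example, not from the original posts. Run from an administrator
REM cmd.exe on the XP SP2 box. Addresses are assumptions; substitute yours.
set GATEWAY=192.168.0.1
set DNS=10.0.69.69
set WEBSITE=203.0.113.10
set FILESERVER=10.0.0.25

REM 1. Look at the table, then drop the default route (0.0.0.0/0). With no
REM    default route, anything not matched by a more specific entry is
REM    simply unreachable, whether typed as a name or as an IP address.
route print
route delete 0.0.0.0

REM 2. Host routes (/32 mask) via the NAT gateway for the few destinations
REM    the box may talk to. -p makes them persistent, i.e. stored under
REM    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
REM    so they survive a reboot. A file server on the same subnet is already
REM    covered by the on-link subnet route and needs no entry.
route -p add %DNS%        mask 255.255.255.255 %GATEWAY% metric 10
route -p add %WEBSITE%    mask 255.255.255.255 %GATEWAY% metric 10
route -p add %FILESERVER% mask 255.255.255.255 %GATEWAY% metric 10

REM 3. Check: the permitted host answers, an arbitrary address does not
REM    (expect "Destination host unreachable" or similar, not a timeout).
ping -n 1 %WEBSITE%
ping -n 1 198.51.100.1
route print
```

Caveats before relying on this. The deleted default route comes back the next time DHCP hands out a lease with a router option, so give these machines a static address with no default gateway (or let DHCP omit the router option for them) or the lockdown silently disappears on the next renewal or reboot. A site that resolves to several addresses, or moves behind a CDN, needs every address routed, so check what the name resolves to from the DNS server you allowed. And as the higher-scored replies point out, this is still "honor system security" against anyone with admin rights or physical access; it keeps ordinary users honest, and the real enforcement belongs on the NAT box.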
IPCOP (Score:1)
This will solve your problem only if you feel like changing your current firewall for IPCOP (OpenSource, Top choice IMHO). You get a stateful firewall plus content filtering. If you want micromanagement capabilities you would need MS ISA (overkill for your setup).
If you decide for IPCOP then you are set for the future. You can then implement DMZ for your servers, VPN, QoS, and much more either using the builtin services or through addons.
A twist on the same question (Score:2)
Most of Wikipedia is fine, but it links to lots of places that aren't fine, at least for a five year old. I'd like to restrict him to a known whitelist, but I don't want my and my wife's accounts to have
Re:A twist on the same question (Score:1)
Re:A twist on the same question (Score:1)
We know the answer (Score:2)