Whitelisting Websites with Windows?

Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"

Easy

[Henry V .009]

Editing system32/drivers/etc/hosts should do what you want. Direct everything (except windows update, maybe nist) to that one site.

Re:Easy

[xmodem_and_rommon]

does the hosts file actually let you specify wildcards?

And also, if the users have admin access, they can edit the hosts file

Or you could set this up on whatever's doing the NAT

Re:Easy

[Henry V .009]

You're right, you can't specify wildcards in hosts. I've used it for some special things, but never read the documentation on it. It looks like this solution won't work at all.

On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."

Re:Easy

[KiloByte]

In hosts, you can't have wildcards. In bind, you can. So... (hint, hint)?

Re:Easy

[MarkusQ]

That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach--its known as "honor system security."

The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.

--MarkusQ

Re:Easy

[Bios_Hakr]

I seem to remember a program for managing WAP access. I think it's called NOCATAUTH. Anyway, I haven't looked at the specifics, but it seem to me that you could use a WRT-54G (V1-4 or VL) to redirect all network traffic to a specific IP address for the purpose of authentication. Why couldn't you just redirect everyone to that specific IP address?

Now, while a technological measure might be easiest, thing about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP re

Re:Easy

[rhandir]

First, a question,
You wrote:
Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.

Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?

Anyway as the above poster has said (among many others), if you have access to the NAT box, do it there, if you don't ask IT to do it there. Any protective software on the boxen themselves can be comprimised by stuff that isn't deterre

I've done it before........

[tempest69]

The hosts thing is a bit funky, it would mean turning the DNS off the local boxes, which is easy to spot by a novice.

This is usually obscure enough that nobody is even going to realize that thay can do it..

type in: ROUTE PRINT

It will show you a bunch of routes.

You want to delete the 0.0.0.0 entry.. ie ROUTE DELETE 0.0.0.0

Then add entries for all of the destinations you want to talk to..... ie ROUTE ADD 10.0.69.69 MASK 255.255.255.255 192.168.0.1 METRIC 10

Where the 10.0.69.69 is your DNS server and th

Re:Easy

[jmo_jon]

There are forums and mailinglists for simple (and more advanced) firewall setups. I fail to see why this deserves to be in slashdot.

New technology? no
Advanced special usage of something? no
Something that needs to be review by thousands of serious (and less serius techies)? no

Can someone pleeease explain to me why this accepted!?

And for you who posted the question, search for what you can do with dhcpd, bind and your favorite firewall.

Re:Easy

[sumdumass]

It was included in slashdot to see if you knew the answer. And no RTFM wasn't the corect answer.

Ps.. could you add something constructive? This appraoch is somewhat interesting to quite a few of us. This doesn't neccesarily mean we cannot google either. Lets recap the question in case you didn't understand it.

the poster wished to,

Limits the web surfing to maybe two sites and still allow domain browsing.
Has the problem of being windows XP sp2 computers,
has the problem of being on a win2003 active directory d

Here is a way

[giorgiofr]

In the TCP/IP properties of the netowkr adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH

Re:Here is a way

[eric76]

You can enter IP addresses now in their TCP/IP filter?

The last time I looked (not at XP), you could enter port numbers, but not IP addresses.

The best approach would be to manually modify the routing table, assuming, of course, that is possible with XP.

Re:Here is a way

[giorgiofr]

Why yes, yes you can. It's a matter of using ROUTE ADD etc commands.

Re:Huh?

[Bin_jammin]

I just wish I could get a job supporting two computers.

Re:Huh?

[B'Trey]

While there's a great deal of truth to what you're saying, reality often slaps theory in the face. My guess would be that there is no qualified support, there's no money (or no management desire) to hire qualified support, and someone who has an inkling of a clue about computers gets the responsibility dropped in their lap with no real option to say "No". It's not their fault and there's often not much they can do except struggle through and do the best they can. (And, of course, I know some pretty savy

Re:Huh?

[MLease]

While there's a great deal of truth to what you're saying, reality often slaps theory in the face. My guess would be that there is no qualified support, there's no money (or no management desire) to hire qualified support, and someone who has an inkling of a clue about computers gets the responsibility dropped in their lap with no real option to say "No". It's not their fault and there's often not much they can do except struggle through and do the best they can. (And, of course, I know some pretty savy peo

Re:Huh?

[Ruie]

What are you doing supporting these computers? If you need to Ask Slashdot to get the answer to this fairly basic problem, then you are not qualified to do the job.

You might be surprised, but I found that nothing to do with Windows qualifies as "basic", despite my extensive experience with Linux/Unix..

The problem is that Windows functions and interface are just thrown together and then modified to mollify average user. Unlike Unix which is built to implement an abstraction, there is no operation in Windo

.bat, .js, .vbs

[tepples]

heck, there are no programming languages at all on the installation disk !

I have a feeling you didn't look very hard. Microsoft Windows out of the box can execute scripts written in the languages corresponding to the .bat, .js, and .vbs suffixes.

See [[VBScript]]

[tepples]

AC wrote:

Are you sure about .vbs? How does that work?

VBScript [wikipedia.org]

Re:Huh?

[Steendor]

For example, if you see a file on a "Desktop" chances are you won't see it in c:/windows/desktop and even if you do a locate it sometimes still cannot be found.

On Windows XP, files, shortcuts, and directories appearing on your desktop will almost always be located in %userprofile%\Desktop and those appearing on all users' desktops will almost always be located in %allusersprofile%\Desktop. For most, %userprofile% expands to C:\Documents and Settings\username and %allusersprofile% expands to C:\Documents

Re:Huh?

[Ruie]

the filesystem behaves unpredictably

Would you care to elaborate on that? I can't recall a situation I've had with FAT or NTFS volumes that I couldn't attribute to someone (myself, on occasion) just not understanding how things work.

Well, it is hard to figure out a good way to use it. For example, in Linux, I know that if I have plenty of free space (at least 10%) and one program writes or reads a single file you are going to access the disk in sequential mode - and get the maximum transfer rate the

Network Layer

[paulywog]

I'd look at doing at the network infrastructure level. They're connected to network hardware of some kind. If you have some kind of router on their subnet manages the traffic, start setting up filtering rules. You said something about "not being allowed to intercept their traffic with another box," but the network itself has to have some infrastructure in it, so you should have an option there.

Re:Obviously not rocket science

[SubliminalVortex]

The same kind of person that wants to 'reverse engineer' it. The .NET Reflector by Lutz Roeder will most likely tear it apart. Especially for case #2.

Re:Obviously not rocket science

[SubliminalVortex]

Actually, it doesn't take months, just moments. You have to give credit to impulse management decisions. ;)

Re:Obviously not rocket science

[mabu]

This is what happens when you hire programmers who don't know the best tool for the job. It's everywhere in the tech field today unfortunately. People design applications, not after a search of what technology is best suited, but based on what narrow area of expertise they have.

Re:Obviously not rocket science

[falsified]

Not that I'm a Windows fanboy (or, um, a scientific instrument fanboy), but considering that from the question itself we have no idea what the scientific instruments ARE, we have no way whatsoever to determine whether Windows is the right tool for the job?

Re:Obviously not rocket science

[mabu]

I know a lot of scientific instruments that need minesweeper running concurrently.

Re:Obviously not rocket science

[Geoffreyerffoeg]

What kind of moron buys scientific software...

1. That requires MS Windows?
2. That is written using the .NET framework?

The moron facing a monopoly market. It's not like you can just go to SourceForge and download a driver for some highly specialized scientific equipment that costs thousands of dollars that no OSS developer knows how to use....

Re:WTF?

[SubliminalVortex]

Now now, most people don't know that Windows actually does have a HOSTS file and that you can use it to restrict access. Most of them probably think that way because *NIX users train them to ignore their roots. Shame on you!

Re:WTF?

[MntlChaos]

doesn't stop entering URLs with IP address instead of hostname

use IE's content filter

[linuxbert]

IE has a built in content filter that accepts wildcards. Turn it on, Click on tools, go to options. click on the restricted sites tab. and add a wildcard * and click never. Then add the one site you want to have people go to click Allways. Under general youll probably also want to disable Supervisors can enter a password to see site (it makes users less cranky thinking someone else is allowed, but not them.

when you close the dialouge box - it will ask for a password, and your done.

Microsoft has released a shared computer toolkit for places like labs and librarys that has some neat tools - including a good one to restrict access to only certain applictaion. you may wish to look into that as well

It works

[The MAZZTer]

You'll need to wait for Firefox's own DNS cache to expire (takes 60 minutes by default, quicker if you change the option in about:config).

In addition ipconfig has a /flushdns option which you might need to use to force Windows in general to look up the address in HOSTS instead of the cache.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:use IE's content filter

[nahdude812]

Hehe, what if they bring an Ubuntu Live CD/DVD? What if they plug in a bootable USB/Firewire disk? What if they move the network cable to a laptop they control? What if they replace the master SATA/IDE disk and put the old one into slave mode?

At some point you have to realize the old security axiom: There is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. So

Re:use IE's content filter

[linuxbert]

I am aware of both, and no I didnt get them mixed up. (I will qualify that I currently only have IE7 Beta 3 on this machine, but this feature exists in other versions, and the instructions might be different.)

Security zones allow you to define different browser settings based on your trust of the site. Restricted sites allows you to still go to the site, but applies the most restrictive policy to the site. -such as disableing active content. Go the http://www.theweathernetwork.com/ [theweathernetwork.com] and see how it looks. The

Re:use IE's content filter

[sd.fhasldff]

as for live cd's, bootable floppy's and usb keys; why is the bios allowing anything but the C: drive to boot, and why isint the bios passworded?

BIOS passwords? Oh, please, if you have physical access to the machine without oversight, a BIOS password won't do jack. Resetting it is trivial, although it does require opening the box.

Re:use IE's content filter

[linuxbert]

then use security screws to the case.
if that wont foil the attacker, then you have much bigger problems them someone going to unauthorized websites.

I can just see some secretary wanting to cheack her hotmail account - trying to reset the bios and when she finds the password, pulling the case off and removing the batery or jumper.

Re:use IE's content filter

[sumdumass]

There used to be a program floating around called "kill CMOS". If the computer would boot, all you had to do was run it and it would reset the CMOS to defaults allowing the password to be reset. But why go that far, 90% of the computers out there have back door CMOS password already installed in them. This was something manufacturers demanded because of all the "dead machines" out there after some disgruntled employee locked everything out and "tech support couldnt help".

Re:use IE's content filter

[X0563511]

Unfortunately a quick peruse of the registry allows a user to simply turn it off. Judging by what the submitter has told us, I'm willing to be the software requires an Administrator class account, simply to work magic with the system's ports.

Re:

[account_deleted]

Comment removed based on user account deletion

Audit

[PIPBoy3000]

It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

How about making a 3x5 sign and tape it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the weblogs at your firewall and see if anyone at that device is doing anything.

I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.

Manage their DNS

[loftwyr]

If you be come their DNS resolver then you have control over any site they want to visit. Just turn everything except what they need to null.

Re:

[account_deleted]

Comment removed based on user account deletion

use the builtin firewall

[Keruo]

Use the firewall built-in Windows, it does pretty much everything you need.
Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.ht m [wmich.edu]

Call technical support

[Ougarou]

Microsoft Windows products come with an excelent website for support. Their technical team is always there for you and will help you solve all your problems with their product. However, if you still have unsolved problems, please try Windows Live OneCare [windowsonecare.com].

Wicked Easy

[og-emmet]

Privoxy [privoxy.org]. Install, set whitelist and restart. Done. All for free.

Lock it down

[alanjstr]

Sure. Set the homepage to your site and then prevent users from changing that setting. As long as you don't have any external links and lock IE down with policies, you're ok. You'll also need to prevent users from accessing the command line and explorer. Everything would have to be driven by what icons you place on the desktop and start menu. You should google around for terms such as "kiosk mode".

Re:Lock it down

[maxwells_deamon]

No, this is a bad idea.

There are lots of ways to sneek past this. For instance you can browse the web using the help function in windows and many other places.

You would have to prove you caught them all

Re:Lock it down

[sumdumass]

Well, this may not be too bad of an idea after all. First, disable the DNS entry on the network interface. Set up the proxy server to forward domain browsing to the domain controler then block eveything except the sites wanted.

But in all eventuality, it would likley still allow IP addresses to bypass the filters. maybe if something was done to hide the gateway address or filter there too.

Use the proxy settings.

[jaseuk]

Set the Proxy server to a junk value.

Then add proxy exclusions for the sites that they are permitted to access.

Then lock down these settings via GPO.

Come on, this is ridiculously easy

[ocbwilg]

Step 1, make sure that these PC's always use the same IP address. Set it statically if you can, and while you're at it, set up a DHCP reservation for their MAC addreses to give them that same address. That way if they switch it to DHCP they get the same thing. Step 2, set up a rule on your firewall for those two addresses that basically says 'allow http and https traffic from these IP addresses only if they are going to this specified address (the web site that they need)'. Put a rule immediately after

Watchguard

[Peregr1n]

At work we use a Watchguard [watchguard.com] java applet, which I don't particularly like, but it does the job as you describe. We use it to restrict users/workstations to our own websites and limited tech support sites.
To enable this access on the client PC, the user opens IE, goes to a local page that contains the applet, and enters their password in the applet. As long as that window is open in the background, they have access to the allowed sites.
I don't deal with the server end myself but I think it comes in hardware

Do it at the router

[metamatic]

If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.

Internal vs. external connections - VLAN?

[billstewart]

The router isn't going to affect their ability to reach other sites in your LAN, just their connections to the outside world. If you've got a LAN switch that supports VLANs, you could restrict the local connections as well.

The real questions are how much you trust your users not to mess around with the box and why you've got a policy against putting in extra firewall boxes if you need them. The answer may be to get better management :-) If the policy against routing through another box is just a budget

Don't connect the machine to the internet

[vijayiyer]

A scientific instrument or computer that controls them with proprietary data should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.

Easy solution

[Sloppy]

Because of policy, it's not possible to redirect their network traffic to another box for filtering

Change policy.

Firewall

[kalmite]

Use the site firewall to restrict traffic from those machines to only go to the required sites. As for SMB, use a host based firewall, such as Symatec Client Security. SCS can be locked down through the management console.

Use IPSEC Policies

[hardreset]

As silly as this sounds, I would suggest using an IPSEC applied via Group Policy to enforce access/non-access based on port numbers and IP's. An lesser known function of the IPSEC rules is filtering. You'll want to keep in mind the policies are NOT stateful, so make sure to test your rules. Applying the IPSEC policy via Group Policy will ensure consistent re-application (in the event someone figure out how to un-apply the settings... and in that case, pull in HR/management).

Alter the routing table...

[lebean]

Well, if they aren't administrators on the machines, then just change the routing tables. "route delete 0.0.0.0" does amazing things to limit internet access from a host. Just do a "route add" for the webserver they need to access, and they'll already have a route in their routing table that lets them talk to servers on the same local network. If the machines are pulling DHCP, this isn't going to survive reboots, of course, but if you can statically assign their IP info, just do that, but don't enter a de

Re:Alter the routing table...

[lebean]

argh, should have previewed, formatting got massacred :(

route -p add "ip of webserver" mask 255.255.255.255 "ip of default gateway"

Maybe that will survive. Anyhow, the gist was just delete default route, add routes for what they need, and they won't be able to go anywhere else at all.

IPCOP

[brenddie]

IPCOP + AdvProxy AddOn + URLFilterAddOn
This will solve your problem only if you feel like changing your current firewall for IPCOP (OpenSource, Top choice IMHO ). You get a stateful fireall plus content filtering. If you want micromanagement capabilities you would need MS ISA (overkill for your setup)
If you decide for IPCOP then you are set for the future. You can then implement DMZ for your servers, VPN, QoS, and much more either using the builtin services or trhough addons.

A twist on the same question

[edremy]

My wife and I have a five year old. He's quite good on a computer: we set him up with a few websites (Thomas the Tank Engine, Sesame Street, etc) but he's since figured out how to use the search bar in Firefox to look for things he likes. This is mostly Thomas and animals, which has led him to Wikipedia.

Most of Wikipedia is fine, but it links to lots of places that aren't fine, at least for a five year old. I'd like to restrict him to a know whitelist, but I don't want my and my wife's accounts to have

Re:A twist on the same question

[ArcticFlood]

The only 100% filter is to be surfing with the kid.

Re:A twist on the same question

[cwru4128]

I have had a good experience with an inexpensive program called NetNanny (http://www.netnanny.com/) It should give you the options you are looking for.

We know the answer

[aminorex]

The answer is yes, trivially. We are not telling you how because you are evil.