Whitelisting Websites with Windows?

Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"

Easy

[Henry+V+.009]

Editing system32/drivers/etc/hosts should do what you want. Direct everything (except windows update, maybe nist) to that one site.

Re:Easy

[xmodem_and_rommon]

does the hosts file actually let you specify wildcards?

And also, if the users have admin access, they can edit the hosts file

Or you could set this up on whatever's doing the NAT

Re:Easy

[Henry+V+.009]

You're right, you can't specify wildcards in hosts. I've used it for some special things, but never read the documentation on it. It looks like this solution won't work at all.

On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."

Re:Easy

[MarkusQ]

That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach--its known as "honor system security."

The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.

--MarkusQ

Re:Easy

[rhandir]

First, a question,
You wrote:
Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.

Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?

Anyway as the above poster has said (among many others), if you have access to the NAT box, do it there, if you don't ask IT to do it there. Any protective software on the boxen themselves can be comprimised by stuff that isn't deterred by audit trails (spyware, worms, virii, etc) so I wouldn't bother.

As an interim solution, buy a pair of d-link 604's (35$ +tax/ea) and put them inline, and set rules on them - don't forget to clone the mac addresses. (Yes, technically a lan isn't a wan, and weird stuff could happen, test it at home first, etc etc.)

Alternatively, if you are worried about idle websurfing and you think directives/audits might be a deterrent, find a pair of older computers* you can put next to the lab computers that you can set for websurfing. If you can't afford another monitor, get a cheap KVM switch.

-r. *blah blah linux blah blah live-cd blah blah won't run flash blah blah firefox etc etc.

Here is a way

[giorgiofr]

In the TCP/IP properties of the netowkr adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH

use IE's content filter

[linuxbert]

IE has a built in content filter that accepts wildcards. Turn it on, Click on tools, go to options. click on the restricted sites tab. and add a wildcard * and click never. Then add the one site you want to have people go to click Allways. Under general youll probably also want to disable Supervisors can enter a password to see site (it makes users less cranky thinking someone else is allowed, but not them.

when you close the dialouge box - it will ask for a password, and your done.

Microsoft has released a shared computer toolkit for places like labs and librarys that has some neat tools - including a good one to restrict access to only certain applictaion. you may wish to look into that as well

Re:use IE's content filter

[nahdude812]

Hehe, what if they bring an Ubuntu Live CD/DVD? What if they plug in a bootable USB/Firewire disk? What if they move the network cable to a laptop they control? What if they replace the master SATA/IDE disk and put the old one into slave mode?

At some point you have to realize the old security axiom: There is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. Sometimes "sufficient" security is sufficient. You cannot protect against a determined attacker w/ physical access, but if you do a reasonable job of locking the box down for typical / normal access, you protect against the casual coworker looking to surf porn w/o it being tracable back to him. Just like locks on houses & cars: this keeps the honest people honest; the dishonest people are going to do whatever they want no matter what.

Also, I get the impression that for whatever reason, filtering at the NAT box won't work (maybe because they won't always control this NAT box, or the NAT box lacks the capability), which would be why he's looking at software solutions.

P.S. you can set Windows to only run certain executables; there's a tool for doing this. This would protect against an install of Firefox from a disk.

use the builtin firewall

[Keruo]

Use the firewall built-in Windows, it does pretty much everything you need.
Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.ht m

Wicked Easy

[og-emmet]

Privoxy. Install, set whitelist and restart. Done. All for free.