Slashdot Mirror


Whitelisting Websites with Windows?

Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"

17 of 83 comments

  1. Re:Easy by xmodem_and_rommon · · Score: 2, Informative

    does the hosts file actually let you specify wildcards?

    And also, if the users have admin access, they can edit the hosts file

    Or you could set this up on whatever's doing the NAT

  2. Here is a way by giorgiofr · · Score: 4, Informative

    In the TCP/IP properties of the network adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH

    --
    Global warming is a cube.

  3. Network Layer by paulywog · · Score: 2, Insightful

    I'd look at doing it at the network infrastructure level. They're connected to network hardware of some kind. If you have some kind of router on their subnet that manages the traffic, start setting up filtering rules. You said something about "not being allowed to intercept their traffic with another box," but the network itself has to have some infrastructure in it, so you should have an option there.

  4. Re:Easy by Henry+V+.009 · · Score: 2, Informative

    You're right, you can't specify wildcards in hosts. I've used it for some special things, but never read the documentation on it. It looks like this solution won't work at all.

    On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."

  5. Re:Easy by MarkusQ · · Score: 5, Informative

    That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach: it's known as "honor system security."

    The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.

    --MarkusQ

  6. Re:Huh? by Bin_jammin · · Score: 3, Funny

    I just wish I could get a job supporting two computers.

  7. use IE's content filter by linuxbert · · Score: 4, Informative

    IE has a built-in content filter that accepts wildcards. Turn it on: click on Tools, go to Options, click on the Restricted Sites tab, add a wildcard * and click Never. Then add the one site you want people to go to and click Always. Under General you'll probably also want to disable "Supervisors can enter a password to see site" (it makes users less cranky thinking someone else is allowed, but not them).

    When you close the dialogue box it will ask for a password, and you're done.

    Microsoft has released a shared computer toolkit for places like labs and libraries that has some neat tools, including a good one to restrict access to only certain applications. You may wish to look into that as well.

    1. Re:use IE's content filter by nahdude812 · · Score: 2, Informative

      Hehe, what if they bring an Ubuntu Live CD/DVD? What if they plug in a bootable USB/Firewire disk? What if they move the network cable to a laptop they control? What if they replace the master SATA/IDE disk and put the old one into slave mode?

      At some point you have to realize the old security axiom: there is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. Sometimes "sufficient" security is sufficient. You cannot protect against a determined attacker w/ physical access, but if you do a reasonable job of locking the box down for typical / normal access, you protect against the casual coworker looking to surf porn w/o it being traceable back to him. Just like locks on houses & cars: this keeps the honest people honest; the dishonest people are going to do whatever they want no matter what.

      Also, I get the impression that for whatever reason, filtering at the NAT box won't work (maybe because they won't always control this NAT box, or the NAT box lacks the capability), which would be why he's looking at software solutions.

      P.S. you can set Windows to only run certain executables; there's a tool for doing this. This would protect against an install of Firefox from a disk.

  8. Audit by PIPBoy3000 · · Score: 4, Insightful

    It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

    How about making a 3x5 sign and taping it on the machine that lets them know that their web surfing is being monitored and that if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the web logs at your firewall and see if anyone at that device is doing anything.

    I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.

  9. use the builtin firewall by Keruo · · Score: 3, Informative

    Use the firewall built into Windows; it does pretty much everything you need.
    Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

    --
    There are no atheists when recovering from tape backup.

  10. Call technical support by Ougarou · · Score: 2, Funny

    Microsoft Windows products come with an excellent website for support. Their technical team is always there for you and will help you solve all your problems with their product. However, if you still have unsolved problems, please try Windows Live OneCare.

  11. Wicked Easy by og-emmet · · Score: 3, Informative

    Privoxy. Install, set whitelist and restart. Done. All for free.

    --
    Skeptic and Reason

  12. Re:Easy by rhandir · · Score: 2, Informative

    First, a question. You wrote:

    Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.

    Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?

    Anyway, as the above poster has said (among many others), if you have access to the NAT box, do it there; if you don't, ask IT to do it there. Any protective software on the boxen themselves can be compromised by stuff that isn't deterred by audit trails (spyware, worms, virii, etc.), so I wouldn't bother.

    As an interim solution, buy a pair of D-Link 604s ($35 + tax each), put them inline, and set rules on them. Don't forget to clone the MAC addresses. (Yes, technically a LAN isn't a WAN, and weird stuff could happen; test it at home first, etc. etc.)

    Alternatively, if you are worried about idle websurfing and you think directives/audits might be a deterrent, find a pair of older computers* you can put next to the lab computers that you can set for websurfing. If you can't afford another monitor, get a cheap KVM switch.

    -r. *blah blah linux blah blah live-cd blah blah won't run flash blah blah firefox etc etc.

  13. Do it at the router by metamatic · · Score: 3, Insightful

    If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

    You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak

  14. Don't connect the machine to the internet by vijayiyer · · Score: 3, Insightful

    A scientific instrument or computer that controls them with proprietary data should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.

  15. Easy solution by Sloppy · · Score: 2, Insightful

    Because of policy, it's not possible to redirect their network traffic to another box for filtering

    Change policy.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  16. Firewall by kalmite · · Score: 2, Insightful

    Use the site firewall to restrict traffic from those machines to only go to the required sites. As for SMB, use a host-based firewall, such as Symantec Client Security. SCS can be locked down through the management console.
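A host-side way to get the "permit only these destinations" behaviour several posters describe on an XP SP2 domain member is an IPsec policy with a permit list plus a block-everything filter, built here with netsh as an added example (not from any poster in the thread). The site, file-server and domain-controller addresses are constructed placeholders; the domain controller must stay reachable because DNS, Kerberos, LDAP and Group Policy all go through it.

```batch
@echo off
rem Added example, not from the thread: IPsec "permit only" policy on Windows XP SP2.
rem All addresses below are constructed placeholders; substitute your own.
set SITE=203.0.113.10
set FILESRV=192.0.2.0
set FILESRV_MASK=255.255.255.0
set DC=192.0.2.5

rem Filter list 1: traffic that is allowed (filters are mirrored, so replies pass too).
netsh ipsec static add filterlist name="Lab-Allowed"
rem HTTP, HTTPS and the FTP control channel to the one approved web site.
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%SITE% protocol=TCP dstport=80
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%SITE% protocol=TCP dstport=443
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%SITE% protocol=TCP dstport=21
rem SMB to the file-server subnet: direct-hosted SMB on 445 and NetBIOS session on 139.
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%FILESRV% dstmask=%FILESRV_MASK% protocol=TCP dstport=445
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%FILESRV% dstmask=%FILESRV_MASK% protocol=TCP dstport=139
rem The domain controller: DNS, Kerberos, LDAP and Group Policy (SMB) all need it, so allow it whole.
netsh ipsec static add filter filterlist="Lab-Allowed" srcaddr=me dstaddr=%DC% protocol=ANY

rem Filter list 2: everything else leaving this host.
netsh ipsec static add filterlist name="Lab-All"
netsh ipsec static add filter filterlist="Lab-All" srcaddr=me dstaddr=any protocol=ANY

rem Actions and policy. IPsec applies the most specific matching filter first,
rem so the host-specific permits win and the any/any block catches the rest.
netsh ipsec static add filteraction name="Lab-Permit" action=permit
netsh ipsec static add filteraction name="Lab-Block" action=block
netsh ipsec static add policy name="Lab-Whitelist" description="Constructed example: allow one site, file servers and the DC"
netsh ipsec static add rule name="Allow-Approved" policy="Lab-Whitelist" filterlist="Lab-Allowed" filteraction="Lab-Permit"
netsh ipsec static add rule name="Block-Rest" policy="Lab-Whitelist" filterlist="Lab-All" filteraction="Lab-Block"
netsh ipsec static set policy name="Lab-Whitelist" assign=y
```

Since both machines are in a Windows 2003 domain, the same policy is better delivered through a GPO (Computer Configuration, Windows Settings, Security Settings, IP Security Policies) so that a domain-assigned policy overrides the local one and a user cannot unassign it. Static IP filters cannot follow passive-FTP data ports or a web site whose address changes, so check the site's IP before relying on this.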