Slashdot Mirror


Whitelisting Websites with Windows?

Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 Active Directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"

9 of 83 comments

  1. Here is a way by giorgiofr · · Score: 4, Informative

    In the TCP/IP properties of the network adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH

    --
    Global warming is a cube.
  2. Re:Easy by MarkusQ · · Score: 5, Informative

    That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach -- it's known as "honor system security."

    The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all, that's what firewalls are for.

    --MarkusQ

  3. Re:Huh? by Bin_jammin · · Score: 3, Funny

    I just wish I could get a job supporting two computers.

  4. use IE's content filter by linuxbert · · Score: 4, Informative

    IE has a built-in content filter that accepts wildcards. Turn it on: click on Tools, go to Options, click on the Restricted Sites tab, add a wildcard * and click Never. Then add the one site you want people to go to and click Always. Under General you'll probably also want to disable "Supervisors can enter a password to see site" (it makes users less cranky thinking someone else is allowed, but not them).

    When you close the dialogue box it will ask for a password, and you're done.

    Microsoft has released a shared computer toolkit for places like labs and libraries that has some neat tools, including a good one to restrict access to only certain applications. You may wish to look into that as well.

  5. Audit by PIPBoy3000 · · Score: 4, Insightful

    It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

    How about making a 3x5 sign and taping it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the web logs at your firewall and see if anyone at that device is doing anything.

    I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.

  6. use the builtin firewall by Keruo · · Score: 3, Informative

    Use the firewall built into Windows, it does pretty much everything you need.
    Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

    --
    There are no atheists when recovering from tape backup.
  7. Wicked Easy by og-emmet · · Score: 3, Informative

    Privoxy. Install, set whitelist and restart. Done. All for free.

    --
    Skeptic and Reason
  8. Do it at the router by metamatic · · Score: 3, Insightful

    If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

    You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
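An added example (not from any poster in this thread) of what the "do it on the NAT box" advice in comments 2 and 8 looks like in practice: an egress whitelist for the two instrument PCs, applied in the FORWARD chain of a Linux/OpenWRT router that NATs them, so nothing a local user changes on the PCs can widen it. All addresses are constructed placeholders; the script prints the rules and only applies them when invoked with `apply`.

```shell
#!/bin/sh
# Constructed addresses: replace with the real lab hosts, the one permitted
# site (resolved to a stable IP), the SMB file servers and the DNS server.
LAB_HOSTS="192.0.2.10 192.0.2.11"
WEB_SITE="203.0.113.5"
FILE_SERVERS="192.0.2.20 192.0.2.21"
DNS_SERVER="192.0.2.1"
IPT="${IPT:-iptables}"

# Emit the rule set, one command per line. Default policy for the lab
# hosts is log-and-drop; everything allowed is listed explicitly.
lab_rules() {
  echo "$IPT -N LAB_EGRESS"
  for h in $LAB_HOSTS; do
    # Insert at the top of FORWARD so an existing blanket ACCEPT cannot win.
    echo "$IPT -I FORWARD -s $h -j LAB_EGRESS"
  done
  # Replies to permitted connections; with nf_conntrack_ftp loaded this also
  # covers passive-mode FTP data channels (RELATED).
  echo "$IPT -A LAB_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Name resolution for the one site, to the internal resolver only.
  echo "$IPT -A LAB_EGRESS -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
  echo "$IPT -A LAB_EGRESS -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT"
  # HTTP, HTTPS and FTP control channel to the single approved site.
  for p in 80 443 21; do
    echo "$IPT -A LAB_EGRESS -d $WEB_SITE -p tcp --dport $p -j ACCEPT"
  done
  # SMB to the file servers on the LAN.
  for fs in $FILE_SERVERS; do
    echo "$IPT -A LAB_EGRESS -d $fs -p tcp -m multiport --dports 139,445 -j ACCEPT"
  done
  # Everything else from the lab hosts is logged (for the periodic audit
  # suggested in comment 5) and dropped.
  echo "$IPT -A LAB_EGRESS -j LOG --log-prefix 'LAB_EGRESS_DROP: '"
  echo "$IPT -A LAB_EGRESS -j DROP"
}

if [ "${1:-}" = apply ]; then
  lab_rules | sh
else
  lab_rules
fi
```

Whitelisting by address only holds while the site's IP stays fixed, so the DNS allowance is restricted to the internal resolver; check the LAB_EGRESS_DROP log lines after deployment to catch any legitimate dependency the list missed.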
  9. Don't connect the machine to the internet by vijayiyer · · Score: 3, Insightful

    A scientific instrument, or a computer that controls one and holds proprietary data, should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.