Whitelisting Websites with Windows?

Posted by Cliff
from the a-non-end-user-changable-policy dept.
Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 Active Directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"
  • Easy (Score:2, Informative)

    by Henry V .009 (518000)
    Editing system32/drivers/etc/hosts should do what you want. Direct everything (except windows update, maybe nist) to that one site.
    • Re:Easy (Score:2, Informative)

      Does the hosts file actually let you specify wildcards?

      And also, if the users have admin access, they can edit the hosts file.

      Or you could set this up on whatever's doing the NAT.
      • Re:Easy (Score:3, Informative)

        by Henry V .009 (518000)
        You're right, you can't specify wildcards in hosts. I've used it for some special things, but never read the documentation on it. It looks like this solution won't work at all.

        On the other hand I assume his users don't have admin access, if he wants to do something to the computer that the "users can't change."
    • Re:Easy (Score:5, Informative)

      by MarkusQ (450076) on Saturday August 12, 2006 @09:01AM (#15893904) Journal

      That won't stop them from going wherever they want via IP addresses. And, in any case, doing it on the boxes themselves is the wrong approach--it's known as "honor system security."

      The real solution, as another poster suggested, is to do it on the NATing box. For that matter, if the systems are that important and that vulnerable, I would sure hope there's a firewall in the picture somewhere, either on the NATing box or somewhere outward from there. Do it in the firewall. After all that's what firewalls are for.

      --MarkusQ

      • I seem to remember a program for managing WAP access. I think it's called NOCATAUTH. Anyway, I haven't looked at the specifics, but it seems to me that you could use a WRT-54G (V1-4 or VL) to redirect all network traffic to a specific IP address for the purpose of authentication. Why couldn't you just redirect everyone to that specific IP address?

        Now, while a technological measure might be easiest, think about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP re
      • Re:Easy (Score:2, Informative)

        by rhandir (762788)
        First, a question,
        You wrote:
        Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed.

        Policy? As in "active directory/groups policy"? Or "management policy"? Or "the University/Corporate IT department policy"?

        Anyway, as the above poster has said (among many others), if you have access to the NAT box, do it there; if you don't, ask IT to do it there. Any protective software on the boxen themselves can be compromised by stuff that isn't deterre

    • The hosts thing is a bit funky, it would mean turning the DNS off the local boxes, which is easy to spot by a novice.

      This is usually obscure enough that nobody is even going to realize that they can do it..

      type in: ROUTE PRINT

      It will show you a bunch of routes.

      You want to delete the 0.0.0.0 entry.. i.e. ROUTE DELETE 0.0.0.0

      Then add entries for all of the destinations you want to talk to..... i.e. ROUTE ADD 10.0.69.69 MASK 255.255.255.255 192.168.0.1 METRIC 10

      Where the 10.0.69.69 is your DNS server and th

    • There are forums and mailing lists for simple (and more advanced) firewall setups. I fail to see why this deserves to be on Slashdot.

      New technology? no
      Advanced special usage of something? no
      Something that needs to be reviewed by thousands of serious (and less serious) techies? no

      Can someone pleeease explain to me why this was accepted!?

      And for you who posted the question, search for what you can do with dhcpd, bind and your favorite firewall.
      • It was included on Slashdot to see if you knew the answer. And no, RTFM wasn't the correct answer.

        Ps.. could you add something constructive? This approach is somewhat interesting to quite a few of us. This doesn't necessarily mean we cannot google either. Let's recap the question in case you didn't understand it.

        The poster wished to:

        Limit the web surfing to maybe two sites and still allow domain browsing.
        Has the problem of being Windows XP SP2 computers,
        has the problem of being on a Win2003 Active Directory d
  • Here is a way (Score:5, Informative)

    by giorgiofr (887762) on Saturday August 12, 2006 @08:56AM (#15893895)
    In the TCP/IP properties of the network adapter they use, select Advanced -> Options -> TCP/IP filter. "Allow only" the IP addresses you want. Maybe it's not a flexible solution (OK... without "maybe") but it's a simplistic IP filter that will get your particular job done. HTH
    • You can enter IP addresses now in their TCP/IP filter?

      The last time I looked (not at XP), you could enter port numbers, but not IP addresses.

      The best approach would be to manually modify the routing table, assuming, of course, that is possible with XP.
  • Network Layer (Score:3, Insightful)

    by paulywog (114255) on Saturday August 12, 2006 @08:59AM (#15893898)
    I'd look at doing it at the network infrastructure level. They're connected to network hardware of some kind. If you have some kind of router on their subnet that manages the traffic, start setting up filtering rules. You said something about "not being allowed to intercept their traffic with another box," but the network itself has to have some infrastructure in it, so you should have an option there.
  • by linuxbert (78156) on Saturday August 12, 2006 @09:09AM (#15893919) Homepage Journal
    IE has a built-in content filter that accepts wildcards. Turn it on: click on Tools, go to Options, click on the Restricted Sites tab, and add a wildcard * and click Never. Then add the one site you want people to go to and click Always. Under General you'll probably also want to disable "Supervisors can enter a password to see site" (it makes users less cranky thinking someone else is allowed, but not them).

    When you close the dialogue box it will ask for a password, and you're done.

    Microsoft has released a Shared Computer Toolkit for places like labs and libraries that has some neat tools, including a good one to restrict access to only certain applications. You may wish to look into that as well.
    • And if they just bring in a disk with firefox on it? Ya.
      • Hehe, what if they bring an Ubuntu Live CD/DVD? What if they plug in a bootable USB/Firewire disk? What if they move the network cable to a laptop they control? What if they replace the master SATA/IDE disk and put the old one into slave mode?

        At some point you have to realize the old security axiom: There is no security that can protect you if your attacker has physical access to the box. However, you can lock down the default software state to something that limits access w/o extraordinary efforts. So
    • Unfortunately a quick peruse of the registry allows a user to simply turn it off. Judging by what the submitter has told us, I'm willing to bet the software requires an Administrator class account, simply to work magic with the system's ports.
  • 1) Use an external firewall
    2) Change their domain policy so they can't
    3) Install a desktop solution with firewall capabilities they can't change (for instance this [iss.net], although you have to have the full SiteProtector suite to use it, so it's overkill for just 2 computers).
  • Audit (Score:5, Insightful)

    by PIPBoy3000 (619296) on Saturday August 12, 2006 @09:29AM (#15893970)
    It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

    How about making a 3x5 sign and tape it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the weblogs at your firewall and see if anyone at that device is doing anything.

    I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.
  • If you become their DNS resolver then you have control over any site they want to visit. Just turn everything except what they need to null.
  • by Keruo (771880) * on Saturday August 12, 2006 @09:40AM (#15894002)
    Use the firewall built-in Windows, it does pretty much everything you need.
    Instructions here: http://homepages.wmich.edu/~mchugha/w2kfirewall.htm [wmich.edu]
  • Microsoft Windows products come with an excellent website for support. Their technical team is always there for you and will help you solve all your problems with their product. However, if you still have unsolved problems, please try Windows Live OneCare [windowsonecare.com].
  • Wicked Easy (Score:3, Informative)

    by og-emmet (994099) on Saturday August 12, 2006 @10:09AM (#15894060)
    Privoxy [privoxy.org]. Install, set whitelist and restart. Done. All for free.
  • Sure. Set the homepage to your site and then prevent users from changing that setting. As long as you don't have any external links and lock IE down with policies, you're ok. You'll also need to prevent users from accessing the command line and explorer. Everything would have to be driven by what icons you place on the desktop and start menu. You should google around for terms such as "kiosk mode".
    • No, this is a bad idea.

      There are lots of ways to sneak past this. For instance you can browse the web using the help function in Windows and many other places.

      You would have to prove you caught them all

      • Well, this may not be too bad of an idea after all. First, disable the DNS entry on the network interface. Set up the proxy server to forward domain browsing to the domain controller, then block everything except the sites wanted.

        But in all eventuality, it would likely still allow IP addresses to bypass the filters. Maybe if something was done to hide the gateway address or filter there too.
  • Set the Proxy server to a junk value.

    Then add proxy exclusions for the sites that they are permitted to access.

    Then lock down these settings via GPO.
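The "junk proxy plus exclusions" recipe from the comment above, written out as the registry values Internet Explorer actually reads. This is an added example, not part of the original post; the host name and port are constructed placeholders, and in production the same settings would be pushed from the domain GPO rather than a login script:

```batch
@echo off
rem Added example (not from the original post): point IE at a proxy that does
rem not exist, exclude only the approved site and local hosts, then lock the
rem Connections tab. Host name below is a constructed placeholder.
set ALLOWED=instrument-portal.example.org
set SETTINGS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

rem Proxy on a closed loopback port: anything not on the exclusion list
rem fails at connect time instead of reaching the Internet.
reg add "%SETTINGS%" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "%SETTINGS%" /v ProxyServer /t REG_SZ /d "127.0.0.1:9" /f

rem Exclusions: the approved site (and its subdomains) plus <local>, which
rem matches dot-less names such as the file servers and domain controller.
rem A bare IP address is not "local", so it still goes to the dead proxy.
reg add "%SETTINGS%" /v ProxyOverride /t REG_SZ /d "%ALLOWED%;*.%ALLOWED%;<local>" /f

rem Same value the "Disable changing proxy settings" policy writes: the
rem Connections tab is greyed out for the user.
reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Proxy /t REG_DWORD /d 1 /f

rem Verify what is now in effect.
reg query "%SETTINGS%" /v ProxyServer
reg query "%SETTINGS%" /v ProxyOverride
```

Only programs that use the WinINET proxy settings (IE, the ActiveX control, most .NET 1.1 code) honour this; a program with its own proxy configuration, or a user who can write to HKCU\Software\Policies, goes straight past it, which is why the other comments keep coming back to enforcing the list on the NAT box as well.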
  • Step 1, make sure that these PC's always use the same IP address. Set it statically if you can, and while you're at it, set up a DHCP reservation for their MAC addresses to give them that same address. That way if they switch it to DHCP they get the same thing. Step 2, set up a rule on your firewall for those two addresses that basically says 'allow http and https traffic from these IP addresses only if they are going to this specified address (the web site that they need)'. Put a rule immediately after
  • At work we use a Watchguard [watchguard.com] java applet, which I don't particularly like, but it does the job as you describe. We use it to restrict users/workstations to our own websites and limited tech support sites.
    To enable this access on the client PC, the user opens IE, goes to a local page that contains the applet, and enters their password in the applet. As long as that window is open in the background, they have access to the allowed sites.
    I don't deal with the server end myself but I think it comes in hardware
  • by metamatic (202216) on Saturday August 12, 2006 @11:52AM (#15894420) Homepage Journal
    If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

    You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.
    • The router isn't going to affect their ability to reach other sites in your LAN, just their connections to the outside world. If you've got a LAN switch that supports VLANs, you could restrict the local connections as well.

      The real questions are how much you trust your users not to mess around with the box and why you've got a policy against putting in extra firewall boxes if you need them. The answer may be to get better management :-) If the policy against routing through another box is just a budget

  • by vijayiyer (728590) on Saturday August 12, 2006 @12:13PM (#15894533)
    A scientific instrument or computer that controls them with proprietary data should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.
  • Easy solution (Score:2, Insightful)

    by Sloppy (14984)
    Because of policy, it's not possible to redirect their network traffic to another box for filtering
    Change policy.
  • Firewall (Score:2, Insightful)

    by kalmite (89186)
    Use the site firewall to restrict traffic from those machines to only go to the required sites. As for SMB, use a host-based firewall, such as Symantec Client Security. SCS can be locked down through the management console.
  • As silly as this sounds, I would suggest using an IPSEC policy applied via Group Policy to enforce access/non-access based on port numbers and IPs. A lesser-known function of the IPSEC rules is filtering. You'll want to keep in mind the policies are NOT stateful, so make sure to test your rules. Applying the IPSEC policy via Group Policy will ensure consistent re-application (in the event someone figures out how to un-apply the settings... and in that case, pull in HR/management).
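What the IPsec-filtering suggestion above looks like when built with the netsh ipsec static commands that ship with XP SP2. This is an added example, not the commenter's own script; every address is a constructed placeholder (203.0.113.10 for the approved site, 192.168.0.2 for the domain controller, 192.168.0.0/24 for the LAN holding the file servers). It builds the policy in the local store so it can be tested on one box first; the production copy belongs in the IP Security Policies node of a domain GPO, as the comment says:

```batch
@echo off
rem Added example (not from the original post): permit only the approved
rem site, the domain controller and SMB to the file servers; block the rest.
rem All addresses are constructed placeholders.
set POLICY=Whitelist-Only

rem Start clean so the script can be re-run after edits.
netsh ipsec static delete policy name=%POLICY%
netsh ipsec static delete filterlist name=Allowed-Dest
netsh ipsec static delete filterlist name=All-Traffic
netsh ipsec static delete filteraction name=Permit-Action
netsh ipsec static delete filteraction name=Block-Action

rem 1. Traffic to permit. mirrored=yes also matches the reply direction,
rem    which matters because these filters are not stateful.
netsh ipsec static add filterlist name=Allowed-Dest
netsh ipsec static add filter filterlist=Allowed-Dest srcaddr=me dstaddr=203.0.113.10 protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP to approved site"
netsh ipsec static add filter filterlist=Allowed-Dest srcaddr=me dstaddr=203.0.113.10 protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS to approved site"
rem Domain membership needs DNS, Kerberos, LDAP, RPC and SMB to the DC.
netsh ipsec static add filter filterlist=Allowed-Dest srcaddr=me dstaddr=192.168.0.2 protocol=ANY mirrored=yes description="all traffic to domain controller"
rem SMB to the file servers on the LAN.
netsh ipsec static add filter filterlist=Allowed-Dest srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB to file servers"
netsh ipsec static add filter filterlist=Allowed-Dest srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=139 mirrored=yes description="NetBIOS session to file servers"

rem 2. Catch-all: everything else from this host.
netsh ipsec static add filterlist name=All-Traffic
netsh ipsec static add filter filterlist=All-Traffic srcaddr=me dstaddr=any protocol=ANY mirrored=yes description="everything else"

rem 3. Actions.
netsh ipsec static add filteraction name=Permit-Action action=permit
netsh ipsec static add filteraction name=Block-Action action=block

rem 4. Policy and rules. Windows orders filters by specificity, so the
rem    host/port filters win over the any/any block.
netsh ipsec static add policy name=%POLICY% description="Allow only approved site, DC and file servers"
netsh ipsec static add rule name=Allow-Rule policy=%POLICY% filterlist=Allowed-Dest filteraction=Permit-Action
netsh ipsec static add rule name=Block-Rule policy=%POLICY% filterlist=All-Traffic filteraction=Block-Action

rem 5. Assign it (only one IPsec policy is active at a time) and review.
netsh ipsec static set policy name=%POLICY% assign=y
netsh ipsec static show policy name=%POLICY% level=verbose
```

Test with a second administrative session open, because a mistake in the DC filter will cut the box off from Group Policy and domain logon; once the filters are right, recreate them in the GPO so the policy is re-applied at every refresh even if someone unassigns the local copy.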
  • Well, if they aren't administrators on the machines, then just change the routing tables. "route delete 0.0.0.0" does amazing things to limit internet access from a host. Just do a "route add" for the webserver they need to access, and they'll already have a route in their routing table that lets them talk to servers on the same local network. If the machines are pulling DHCP, this isn't going to survive reboots, of course, but if you can statically assign their IP info, just do that, but don't enter a de
    • argh, should have previewed, formatting got massacred :(

      route -p add "ip of webserver" mask 255.255.255.255 "ip of default gateway"

      Maybe that will survive. Anyhow, the gist was just delete default route, add routes for what they need, and they won't be able to go anywhere else at all.
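The routing-table approach from this thread (and the ROUTE PRINT comment earlier on the page), made to survive reboots and DHCP by giving the adapter a static address with no default gateway at all. This is an added example, not either commenter's own commands; the adapter name and all addresses are constructed placeholders:

```batch
@echo off
rem Added example (not from the original post): no default route, one
rem persistent host route to the approved site. Placeholder values only.
set IFACE=Local Area Connection
set HOSTIP=192.168.0.50
set NETMASK=255.255.255.0
set GATEWAY=192.168.0.1
set DNS=192.168.0.2
set SITE=203.0.113.10

rem Static address with gateway=none, so a DHCP renewal cannot hand the
rem host a default gateway again. The local subnet (file servers, DC) stays
rem reachable through the on-link route the adapter creates by itself.
netsh interface ip set address name="%IFACE%" source=static addr=%HOSTIP% mask=%NETMASK% gateway=none
netsh interface ip set dns name="%IFACE%" source=static addr=%DNS%

rem Remove any default route that is still in the table.
route delete 0.0.0.0 mask 0.0.0.0

rem Persistent (-p) /32 route to the approved site via the gateway. Add one
rem such line per address the site's name resolves to.
route -p add %SITE% mask 255.255.255.255 %GATEWAY% metric 10

rem There should be no 0.0.0.0 line in the active or persistent section.
route print
```

Two limits worth checking before relying on this: if the site's name resolves to several addresses, or they change, the host route goes stale and the user sees a broken site rather than a blocked one; and any account with administrator rights can put the default route back with one route add, which is the "honor system security" point made earlier in the thread.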
  • IPCOP + AdvProxy AddOn + URLFilterAddOn
    This will solve your problem only if you feel like changing your current firewall for IPCOP (OpenSource, top choice IMHO). You get a stateful firewall plus content filtering. If you want micromanagement capabilities you would need MS ISA (overkill for your setup).
    If you decide on IPCOP then you are set for the future. You can then implement DMZ for your servers, VPN, QoS, and much more, either using the builtin services or through addons.
  • My wife and I have a five year old. He's quite good on a computer: we set him up with a few websites (Thomas the Tank Engine, Sesame Street, etc) but he's since figured out how to use the search bar in Firefox to look for things he likes. This is mostly Thomas and animals, which has led him to Wikipedia.

    Most of Wikipedia is fine, but it links to lots of places that aren't fine, at least for a five year old. I'd like to restrict him to a known whitelist, but I don't want my and my wife's accounts to have

  • The answer is yes, trivially. We are not telling you how because you are evil.
