Whitelisting Websites with Windows?

Nimey asks: "I support two computers which need Internet access to one website; they also are used to drive scientific instruments and so have proprietary scientific data. They run Windows XP SP2 because the instrument software requires IE, an ActiveX control, and .NET 1.1. Both machines are in a Windows 2003 active directory. Because of policy, it's not possible to redirect their network traffic to another box for filtering, but they are NATed. I want to restrict their network access to that one website (HTTP/HTTPS, possibly FTP) and to the file servers on the network (SMB). Can I enforce this in a way that's not changeable by a user?"
  • Network Layer (Score:3, Insightful)

    by paulywog ( 114255 ) on Saturday August 12, 2006 @08:59AM (#15893898)
    I'd look at doing it at the network infrastructure level. They're connected to network hardware of some kind. If you have some kind of router on their subnet that manages the traffic, start setting up filtering rules. You said something about "not being allowed to intercept their traffic with another box," but the network itself has to have some infrastructure in it, so you should have an option there.
  • Audit (Score:5, Insightful)

    by PIPBoy3000 ( 619296 ) on Saturday August 12, 2006 @09:29AM (#15893970)
    It sounds like your concern is that people using the equipment will surf the web inappropriately, potentially compromising the machine and losing valuable data.

    How about making a 3x5 sign and taping it on the machine that lets them know that their web surfing is being monitored and if they fiddle with the machine to go anywhere else, they'll be fired. Periodically audit the weblogs at your firewall and see if anyone at that device is doing anything.

    I run into this problem all the time. People ask for some security measure when it's easier to simply make and enforce a policy. I work with medical records and the question is always "how do you keep people from looking at records inappropriately?" The thing is, if there's any false positive and the information isn't easily available, someone could die. So we audit. Lots and lots of auditing. And fire people when they're idiots.
  • by metamatic ( 202216 ) on Saturday August 12, 2006 @11:52AM (#15894420) Homepage Journal
    If you want real security, get the NAT box to null-route anything from those machines unless it's going to one of the approved IP addresses.

    You may need to get a better router to get adequate functionality, or get a WRT54GS and install OpenWRT.
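    What metamatic's "null route on the NAT box" looks like as an iptables ruleset on an OpenWRT-style Linux router, added here as an example that is not from the thread: the two instrument PCs may only reach the approved site (HTTP/HTTPS/FTP), the SMB file servers and a DNS resolver, and everything else they send through the router is logged and dropped. All addresses and the chain name are constructed; the script only echoes the commands unless run with IPT=iptables.

```shell
#!/bin/sh
# Added example: FORWARD-chain whitelist for two lab PCs on a Linux/OpenWRT NAT box.
# Every address below is constructed for illustration.
LAB_HOSTS="192.168.1.10 192.168.1.11"    # assumed: the two instrument PCs
WEB_SITE="203.0.113.5"                   # assumed: resolved address of the one approved site
FILE_SERVERS="192.168.1.20 192.168.1.21" # assumed: SMB file servers on the far side of the NAT box
DNS_SERVER="192.168.1.2"                 # assumed: the AD DNS server, also on the far side
IPT="${IPT:-echo iptables}"              # dry run by default; IPT=iptables ./lab_rules.sh applies them

lab_rules() {
    # Everything the instrument PCs send through the router is judged by one chain.
    # Matching on source IP assumes the hosts keep their addresses (DHCP reservation);
    # add "-m mac --mac-source <addr>" to the jump rules to tighten that.
    $IPT -N LAB_WHITELIST
    for h in $LAB_HOSTS; do
        $IPT -A FORWARD -s "$h" -j LAB_WHITELIST
    done
    # Replies and related flows. FTP data channels only count as RELATED when the
    # kernel's FTP connection-tracking helper is loaded.
    $IPT -A LAB_WHITELIST -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Name resolution, so the approved site can be reached by hostname.
    $IPT -A LAB_WHITELIST -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    $IPT -A LAB_WHITELIST -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
    # HTTP, HTTPS and the FTP control channel to the approved site only.
    for port in 80 443 21; do
        $IPT -A LAB_WHITELIST -d "$WEB_SITE" -p tcp --dport "$port" -j ACCEPT
    done
    # SMB (direct-hosted 445 and NetBIOS session 139) to the file servers only.
    for s in $FILE_SERVERS; do
        $IPT -A LAB_WHITELIST -d "$s" -p tcp -m multiport --dports 139,445 -j ACCEPT
    done
    # Log (rate-limited) and then drop everything else: the "null route".
    $IPT -A LAB_WHITELIST -m limit --limit 5/min -j LOG --log-prefix "LAB-BLOCK: "
    $IPT -A LAB_WHITELIST -j DROP
}

lab_rules
```

The router only sees traffic that crosses it, so hosts on the instrument PCs' own subnet are unaffected, and if the domain controller sits on the far side its Kerberos, LDAP and RPC ports must be allowed as well. If the approved site resolves to several or changing addresses, WEB_SITE has to be maintained accordingly.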
  • by vijayiyer ( 728590 ) on Saturday August 12, 2006 @12:13PM (#15894533)
    A scientific instrument or computer that controls them with proprietary data should not be connected to the internet. Period. Place a second machine with internet access in the same room, and users can transfer the data they need, if necessary, using some form of media/external drive.
  • Easy solution (Score:2, Insightful)

    by Sloppy ( 14984 ) on Saturday August 12, 2006 @12:20PM (#15894567) Homepage Journal
    Because of policy, it's not possible to redirect their network traffic to another box for filtering
    Change policy.
  • Firewall (Score:2, Insightful)

    by kalmite ( 89186 ) on Saturday August 12, 2006 @12:20PM (#15894569)
    Use the site firewall to restrict traffic from those machines to only go to the required sites. As for SMB, use a host based firewall, such as Symantec Client Security. SCS can be locked down through the management console.
