Good content blocker/site blocker for Vista workstation?

Discussion in 'Windows Vista Security' started by Leythos, Feb 7, 2009.

  1. Leythos

    Leythos Guest

    I have a client with a stand alone vista workstation that would like to
    block almost all websites from anyone using the laptop. I don't use
    workstation level products and this is a case outside my normal scope -
    can anyone recommend a product that allows an Admin to setup permitted
    sites for "user" level accounts on a vista workstation?
    Leythos, Feb 7, 2009
    1. Advertisements

  2. Leythos

    Dan Guest, also call your police state director for advice.
    Dan, Feb 7, 2009
    1. Advertisements

  3. Leythos

    Leythos Guest

    How is ensuring workers are not abusing the resources a "Police State"?
    If you give people a set of rules and don't do anything to enforce them
    you are giving them permission to violate them.
    Leythos, Feb 7, 2009
  4. Leythos

    Dan Guest

    If you don't trust your workers, they will reciprocate. Plus you may
    groom a bunch of non-thinking "heil" types that stab each other in the back.

    But if you are a server guru, why not configure the PC to connect
    through a proxy server and lock it down at the proxy?
    Dan, Feb 7, 2009
  5. Leythos

    jaf Guest

  6. Leythos

    Leythos Guest

    And if you trust your workers and never check on them you are bound to
    be screwed many times.

    Many people do just fine with enforced technology constraints, and many
    people abuse the network resources when they have only WORDS to restrict
    There is NO server and no true firewall, this is a stand alone PC that
    some people can take home to remote into the office - it's not my
    solution, would never do this, but I have to work with what I don't like
    Leythos, Feb 7, 2009
  7. Leythos

    Leythos Guest

    Leythos, Feb 7, 2009
  8. Can you control the laptop's DNS lookups? Not the hosts file,
    but the primary and secondary servers? Just thinking out loud
    here, but a proxy DNS could function as a whitelist couldn't it?
    FromTheRafters, Feb 7, 2009
  9. Leythos

    Dan Guest

    If you could remove IE and Outlook that would be were to start. Then
    the person could only IPSEC/SSL into corporate net where its network
    policy is enforced.
    Dan, Feb 8, 2009
  10. Leythos

    VanguardLH Guest

    That's how OpenDNS works (if you open a [free] account with them).
    Rather than have the router configured to use the ISP's DNS server (via
    DHCP), configure it by entering the IP addresses for OpenDNS' DNS

    However, it is likely that the user gets a dynamic IP address for their
    host (or their router) from their ISP. The OpenDNS account has to know
    which IP address is yours to know the settings for which account to
    apply to traffic from that IP address. They have their own reporter
    client (or you can modify the one from DynDNS if you happen to also use
    them to provide an IP name for external access to your router or host so
    you don't need, for example, an IP address to use Remote Desktop or
    VNC). You run their reporter client on one of your hosts in your
    intranet (i.e., on the LAN side of your router). It will report the
    router's WAN-side IP address to OpenDNS to update your account with
    them. Then when your router connects to them, it sees that IP address
    and knows to apply your account's settings to its traffic. Settings
    include blacklisting of domains and blacklisted categories.

    Alas, OpenDNS lets you filter out domains or categories of them but does
    not let you filter in a particular whitelist of okay domains. You can
    filter by:

    Always block (a domain)
    Never block (a domain)
    Block by category

    I have not tried using wildcards to specify a domain, so I don't know if
    you could "Always block *" and then whitelist by "Never block <domain>".
    If that works, you would end up blocking all domains except those you
    whitelisted using the "Never block" rule. Of course, you could open a
    support ticket to ask them if the above method works to provide a
    filter-in only scheme, plus they have forums where you can ask.

    A caveat is that this is blocking at the DNS server. That means there
    actually has to be a DNS lookup. If the user enters an IP address, as
    in (for, then there is no DNS lookup
    required. This is how a user can bypass this DNS filtering. However,
    often that only lets them get to the home page of a site and often there
    is content missing in that home page and they may not be able to use any
    links of that home page to navigate to other pages in the site. That's
    because many of the links or linked content will still have IP names in
    them that require a DNS lookup. Also, the user must somehow already
    know the IP address of the target host.
    VanguardLH, Feb 8, 2009
  11. Leythos

    Leythos Guest

    At this time the laptop is uncontrolled, not part of a domain, and the
    laptop is used at homes as well as their construction trailer where
    there is just a ATT wireless DSL setup. While they remote into the
    Terminal Server they have found many times when people are surfing the
    net and doing questionable things online - there is no real firewall
    appliance and it's just an off-the-shelf (cheap) Vista laptop with no
    important files stored on it.

    At this time the DSL assigns 192.168 addresses and we have no real
    option to install a firewall or other hardware at this location.
    Leythos, Feb 8, 2009
  12. Leythos

    Leythos Guest

    I was considering OpenDNS, and I think they have a client tool that you
    can install on the laptop/computer, but I've not had time to look today.

    If we had a nice firewall this would be done, already resolved, but,
    since the laptop can be in multiple locations I was looking for some
    simple software that might work - not having ever used those types of
    products I was wondering what others have used.
    Leythos, Feb 8, 2009
  13. Leythos

    Dan Guest

    You need to provide more details.
    Dan, Feb 8, 2009
  14. Leythos

    Dan Guest

    So you have a WiFi router and the laptop connects to it via WiFi? Or
    you have a 3G card for the laptop?
    Dan, Feb 8, 2009
  15. Leythos

    Leythos Guest

    Laptop, Vista, could be used anywhere, need to limit what sites and
    content any user of the laptop can get to. All users would be "limited"
    users, none would be local admins.

    No domain, no network, just laptop connected into any network they
    happen to have handy.
    Leythos, Feb 8, 2009
  16. Leythos

    Leythos Guest

    Could be both, as the user can move from network to any other network,
    depending on if they are at home or at the office or at a WiFi spot,

    This has to be a solution that works at the laptop, no hardware
    Leythos, Feb 8, 2009
  17. I was thinking of a loopback to a proxy DNS on the laptop. Not sure
    if anyone has written such a thing - or if it is even feasible. If an AV can
    proxy/filter outgoing SMTP why can't a program proxy/filter outgoing
    DNS requests and onlylet certian ones through.
    FromTheRafters, Feb 9, 2009
  18. Leythos

    Dan Guest

    use and then set up a
    whitelist. Do not allow user to modify netnanny or install/config other
    Dan, Feb 9, 2009
  19. Leythos

    VanguardLH Guest

    You want a client-side solution (so it moves with the mobile computer).
    Well, that sure sounds like you are trying to find censorware (i.e.,
    software you install on the host to control to where it can connect).
    It also sounds like the abusive users of this laptop are NOT given
    limited user accounts or made to share a general-purpose limited user
    account. Find some censorware, like NetNanny, install using an admin-
    level account, and enable password-protect on the censorware (if it
    doesn't already restrict non-admin users from changing its settings).

    That won't prevent the abuser from booting using a live CD to load a
    different OS (or the same OS but a different instance of it) and use
    that to make the Internet visitations to the porn sites. The laptop
    owner will need to go into BIOS to enable a BIOS password (to prevent
    users from entering the BIOS to make changes), and perhaps even enable
    the system password in BIOS (to prevent unwanted users from booting the
    laptop to load the OS). Then configure the BIOS to use the hard disk as
    the first bootable device (and deselect any other device as a boot
    device). The admin for the laptop will probably also want to disable
    auto-play in Windows.

    I've heard of some censorware, like NetNanny, but never used any.
    However, getting back to OpenDNS, you don't have to install any software
    to use OpenDNS and you can use it no matter to whose network you happen
    to connect at the time. You configure the TCP parameters to use the
    OpenDNS server. Whether at someone's home, in the construction trailer,
    while travelling, or wherever, that laptop will still be using the
    OpenDNS server to resolve IP name-to-address lookups. Because the
    laptop will likely be getting a dynamic IP address from whomever's DHCP
    server is available on the current network, you need to use a DNS
    reporter client on the laptop to tell your OpenDNS account what is your
    current IP address. Then when you connect using that IP address,
    OpenDNS knows to apply your account's settings to your network traffic.
    Obviously the abusive employees must be using a limited user account so
    they cannot alter the TCP setup (to revert to DHCP-assigned DNS servers
    and get away from using the OpenDNS servers). Since you're talking
    about Windows Vista, again, no software install is needed. Just create
    a limited user account (LUA) that all the non-admin users must share (or
    give them each their own LUA account).

    Of course, if the company were really interested in controlling what
    their employees do with the company's property, like the laptop, then
    they should establish policies and enforce them. To that end, and since
    it is the company's property, they could install monitoring software to
    see just where their employees are visiting on the Net. I've heard of
    SpectorSoft as one vendor of spy software (never used it, though).
    VanguardLH, Feb 9, 2009
  20. Leythos

    Leythos Guest

    I'm aware of OpenDNS, and I'm aware of the client tool for dynamic
    clients, but it was a concern that they could stop the client and still
    surf or other method. Not having used the client, I wasn't sure how it
    would work if they didn't run it - I would assume that the DNS would
    fail if the client wasn't running, at least I would hope so.
    If the company was able to put money into this project I would have
    already completed the solution, but they have several issues and are
    moving and etc.... They don't want to "Monitor" them, just block all
    except approved sites.

    Thanks for the discussion - I think that NetNanny may be the route to
    take this one.
    Leythos, Feb 9, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.