Blocking Internet access for LIMITED users on Windows XP


31 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,392 posts
  • Location:India
  •  
    India

Posted 12 May 2011 - 03:20 PM


Is there any way to block Internet access for LIMITED users on a Windows XP machine WITHOUT using any third-party software? By googling, I've found certain guides which instruct some mechanism either using a third-party tool or talk about policies which will only prevent a user from surfing if Internet Explorer is used, but not other browsers. Please note that neither of these solutions will work for me.


To my knowledge, Internet access can be prevented by one of the following methods:

1) If your organisation is using a proxy server (e.g. SQUID) for its internal network, then you can make that proxy ask for authentication, failing which one won't be able to access the Internet.

2) You can install web filter software which installs a filter driver on your machine. That driver starts at Windows startup & rejects all network access requests dynamically. One such free, yet good tool is "K9 Web Protection". But I'm not sure whether it's configurable on a per-account basis.

3) You can force users to use specific browsers & then set those browsers' proxy settings to an invalid one. IE's proxy settings page can be made to disappear from view with some tweaks.

Now, I'm not sure whether my friend's office uses a proxy. So, option (1) is ruled out for the time being. They don't want to use any third-party tool apart from what is provided with Windows. It makes me reject option (2) also. The problem with (3) is, it only prevents IE users from accessing the Internet. But, they have other browsers installed. Here, I'm stuck now.


#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,438 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 May 2011 - 03:35 PM

It depends on how "solid" you want this to be and on the permissions the users are granted.

If you configure TCP/IP and have no Gateway set (and the user cannot access the "advanced" TCP/IP settings), it could work.
You need static IP settings obviously, and to run (for the users that are actually allowed) *something* to set the gateway.
Or you can use Windows internal firewall.
Something you might find of use (as a start/base idea):
http://ss64.com/nt/netsh.html
http://ss64.com/nt/runas.html

:)
Wonko

#3 Holmes.Sherlock

Posted 12 May 2011 - 03:47 PM

If you configure TCP/IP and have no Gateway set (and the user cannot access the "advanced" TCP/IP settings), it could work.

FYI, the office uses private static IPs for hosts with a predefined Gateway already set.
How can I configure a connection without setting any Gateway? Did you mean DHCP? Even if I do that, then the same settings will be applied to Admin accounts also. Won't they? I mean, aren't network configuration settings in Win XP applied for all the accounts?

BTW, it feels so good to meet my Italian friend after a long time.

#4 Wonko the Sane

Posted 12 May 2011 - 04:12 PM

I mean, aren't network configuration settings in Win XP applied for all the accounts?

Sure :), but you can run a "login script" to either delete or set the gateway on an "on-the-fly" and "per-user" basis, as said, NOT "secure".

Another way is to setup a fake proxy:
http://www.tomshardw...or-account-only
but it will take as well all of 5 minutes for a smart user to find it....

;)
Wonko

#5 Holmes.Sherlock

Posted 12 May 2011 - 04:16 PM

Sure :), but you can run a "login script" to either delete or set the gateway on an "on-the-fly" and "per-user" basis, as said, NOT "secure".

But when I'm logging in to a LIMITED account, do I (the login script) still have the permission to set gateway? Doesn't it need admin privileges?

#6 Wonko the Sane

Posted 12 May 2011 - 04:24 PM

But when I'm logging in to a LIMITED account, do I (the login script) still have the permission to set gateway? Doesn't it need admin privileges?

You need static IP settings obviously, and to run (for the users that are actually allowed) *something* to set the gateway.


Obviously at logout the settings (from the account that has the privileges) need to be reset.
If you prefer, the machine NEVER has a Gateway set UNLESS an Admin (or anyway "authorized" user) is logged on.

OR:

http://ss64.com/nt/runas.html


:)
Wonko

#7 Holmes.Sherlock

Posted 12 May 2011 - 04:28 PM

Obviously at logout the settings (from the account that has the privileges) need to be reset.
If you prefer, the machine NEVER has a Gateway set UNLESS an Admin (or anyway "authorized" user) is logged on.

Well, I thought about the idea earlier. But it contains a fatal flaw. There are people who tend to restart the machine straightaway without going through the "formal" shut down / restart mechanism. If that guy is an admin, the setting will remain as it is for the next LIMITED user who'll log on.

#8 Wonko the Sane

Posted 12 May 2011 - 04:41 PM

Well, I thought about the idea earlier. But it contains a fatal flaw. There are people who tend to restart the machine straightaway without going through the "formal" shut down / restart mechanism. If that guy is an admin, the setting will remain as it is for the next LIMITED user who'll log on.

And AGAIN, you can run the "gateway removing" script through RUNAS at EVERY boot/login, even from the non-authorized account, or run it in some other way, like as a Startup script:
http://www.microsoft...s.mspx?mfr=true

Compare with:
http://support.micro...kb/198642/en-us
"LocalSystem" should be powerful enough :).

Further readings:
http://vlaurie.com/c...licy_editor.htm


;)
Wonko

#9 Holmes.Sherlock

Posted 12 May 2011 - 04:51 PM

So many links, let me take some time to digest..................................

#10 Wonko the Sane

Posted 12 May 2011 - 04:56 PM

So many links, let me take some time to digest..................................

Yep ;), the general idea is to digest answers BEFORE pointing out "fatal flaws" in them :)

:(
Wonko

#11 Holmes.Sherlock

Posted 13 May 2011 - 12:42 PM

Yep :worship:, the general idea is to digest answers BEFORE pointing out "fatal flaws" in them :thumbsup:

Ideas "chewed" & "digested"

I think that this approach will work fine - I'll run a startup script to invalidate the gateway settings. Since it'll run on every startup irrespective of the user going to log on, it'll act globally for all accounts. Then, for admin account(s), I'll run a logon script to reset the gateway settings to their original value. The first script will run with Local SYSTEM privilege & the second one with admin privilege. So, on the whole, privilege will not be a problem.

Now,
  • Is there a better way of doing that?
  • Can I automate the task of setting the startup & logon script through scripting or programming so that everything can be done without any user intervention, just with a double click?


#12 Wonko the Sane

Posted 13 May 2011 - 01:39 PM

Now,

  • Is there a better way of doing that?
  • Can I automate the task of setting the startup & logon script through scripting or programming so that everything can be done without any user intervention, just with a double click?

#1 yes/no, who knows? Sure you have posed initial limitations that are quite restricting.
#2:
On a "test machine":
  • Snapshot system Registry AND back it up
  • Run gpedit.msc manually
  • Verify the changes/script work
  • Snapshot the Registry again
  • Compare snapshots
  • Reproduce Registry changes via batch script or whatever
  • Revert to previous Registry
  • Test batch

:thumbsup:
Wonko

#13 Holmes.Sherlock

Posted 13 May 2011 - 02:27 PM

#1 yes/no, who knows? Sure you have posed initial limitations that are quite restricting.
#2:
On a "test machine":

  • Snapshot system Registry AND back it up
  • Run gpedit.msc manually
  • Verify the changes/script work
  • Snapshot the Registry again
  • Compare snapshots
  • Reproduce Registry changes via batch script or whatever
  • Revert to previous Registry
  • Test batch

Hmm, but there is a chance of some changes external to the registry........like registry.pol or files like that. Maybe a registry snapshot alone won't be able to capture all the changes.

#14 Wonko the Sane

Posted 13 May 2011 - 03:24 PM

Hmm, but there is a chance of some changes external to the registry........like registry.pol or files like that. Maybe a registry snapshot alone won't be able to capture all the changes.

Just do it. :worship:
If it doesn't work, then (and only then) try something additional.

Don't worry too much :cheers:, at most you will fail and need to add steps; in the time it took you to worry and think of additional hypothetical problems you could have already tested the approach and KNOW if it works or not.... :thumbsup:

:(
Wonko

#15 Holmes.Sherlock

Posted 14 May 2011 - 04:53 AM

Wonko, tell me one point - Do all Windows services run with SYSTEM privilege?

#16 Wonko the Sane

Posted 14 May 2011 - 05:19 PM

Wonko, tell me one point - Do all Windows services run with SYSTEM privilege?

NO, if you mean LocalSystem, most do, but not all of them, and only a few actually need to run as LocalSystem.

Example:
http://support.micro...kb/255281/en-us

But, as a general rule NEVER change the actual account for a service (unless you are doing tests or you actually know what you are doing, as getting an unbootable system at next boot is a rather common result of this).

Read :thumbsup::
http://msdn.microsof...0(v=vs.85).aspx
and links within.

:cheers:
Wonko

#17 Holmes.Sherlock

Posted 14 May 2011 - 06:19 PM

NO, if you mean LocalSystem, most do, but not all of them, and only a few actually need to run as LocalSystem.

Hmm, got it. The reason for me asking this was - To my understanding, your idea of "snapshot-registry-then-compare" as proposed a few posts back is theoretical. So, I thought to code a Windows service which'll start after a user logs on, check the user's privilege (i.e. whether admin/non-admin) & either set or reset gateway settings accordingly. If the proposed service runs from the LocalSystem account, then it'll have the requisite privilege to alter the network settings. Just verifying the practicality of my idea.

#18 Wonko the Sane

Posted 15 May 2011 - 10:19 AM

Hmm, got it. The reason for me asking this was - To my understanding, your idea of "snapshot-registry-then-compare" as proposed a few posts back is theoretical. So, I thought to code a Windows service which'll start after a user logs on, check the user's privilege (i.e. whether admin/non-admin) & either set or reset gateway settings accordingly. If the proposed service runs from the LocalSystem account, then it'll have the requisite privilege to alter the network settings. Just verifying the practicality of my idea.


I see that you are into needlessly making complex something otherwise easy-peasy. :rofl:

The given suggestion was to let you learn WHAT changes are made in the "normal" way, i.e. gpedit.msc does to the Registry, and have them replicated programmatically without using the policy editor.

As you might see, this is needed anyway, you need to know WHAT to do long before choosing WHICH way to do it.

Your approach is IMNSHO actually VERY theoretical (I might say pointless, but I am in a bright day :thumbsup: ), you are going into the trouble of writing a service (in itself not easy) in order to do something that you don't actually exactly know about (yet :cheers:). :w00t:

:cheers:
Wonko

P.S.: JFYI:
http://blogs.technet.../23/378726.aspx

Change network gateway

wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)



#19 Holmes.Sherlock

Posted 16 May 2011 - 12:53 PM

#1 yes/no, who knows? Sure you have posed initial limitations that are quite restricting.

Here is presented the flaw in my idea - Suppose, an Admin logs into the system. So, the gateway is set properly by the LogOn script, Right? Now, If he logs out of the system & a LIMITED user logs in, what he'll "inherit" is a network setting with the gateway value set correctly. Damn...........

Now, a small rectification to the strategy I suggested - Run a LogOff script which will reset back the gateway to some incorrect value when an Admin logs out. Now, what's the problem with this? The above problem is resolved, no doubt. But, still it's not foolproof in the sense that if an Admin, instead of logging off the system, switches the user to some LIMITED account, THAT user will get a properly set network settings. So, the scheme is also vulnerable.

BTW, my cyber-mentor is getting old. Giving me fairly good marks for an answer which deserves a big zero.

#20 Wonko the Sane

Posted 16 May 2011 - 01:23 PM

Sorry double post (server timeout)

:)
Wonko

#21 Wonko the Sane

Posted 16 May 2011 - 01:25 PM

Now, a small rectification to the strategy I suggested - Run a LogOff script which will reset back the gateway to some incorrect value when an Admin logs out. Now, what's the problem with this? The above problem is resolved, no doubt. But, still it's not foolproof in the sense that if an Admin, instead of logging off the system, switches the user to some LIMITED account, THAT user will get a properly set network settings. So, the scheme is also vulnerable.

And how is the demented Admin supposed to "switch" to another user without logging off (and mainly without logging in again :) ) as the "other user"? :unsure:

Admin Logon script: No matter which gateway is set, set a good one
Admin Logoff script: No matter which gateway is set, set a bad one
Other user Logon script: No matter which gateway is set, set a bad one
Other user Logoff script: No matter which gateway is set, set a bad one
Booting script (before Logon): No matter which gateway is set, set a bad one

I presume that the above would be enough.... :cheers:

BTW, NO "marks" were given.

:cheers:
Wonko
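The five-line scheme above, written out as one batch script that the machine Startup script (Computer Configuration, runs as LocalSystem before anyone logs on), the Admin logon script and the Admin logoff script each call with a different argument. This is an added example, not code posted in the thread: the interface name "Local Area Connection", the office gateway 192.168.16.1 and the file name gateway.cmd are assumptions to adapt to the target machine. One caveat a practitioner will want before wiring this into gpedit.msc: a per-user logon or logoff script assigned to a LIMITED account runs with that account's token, so the netsh calls in it fail with access denied. The "bad" default therefore has to come from the machine Startup script, and the auto mode exists only so that a single script can be assigned to every account.

```batch
@echo off
rem gateway.cmd -- assumed example for the Windows XP scheme in this thread.
rem Usage:
rem   gateway.cmd bad    remove every default gateway (no Internet)
rem   gateway.cmd good   restore the office gateway
rem   gateway.cmd auto   good if the caller has admin rights, else bad
rem   gateway.cmd show   print the current default route
rem Assumed values; adjust for the target machine.
setlocal
set NIC=Local Area Connection
set GW=192.168.16.1
set GWMETRIC=1

if /i "%~1"=="show" goto :show
if /i "%~1"=="bad"  goto :bad
if /i "%~1"=="good" goto :good
if /i "%~1"=="auto" goto :auto
echo usage: %~nx0 bad ^| good ^| auto ^| show
exit /b 2

:auto
rem "net session" fails with access denied for a LIMITED user on XP;
rem there is no UAC, so a member of Administrators is fully privileged.
net session >nul 2>&1
if errorlevel 1 goto :bad
goto :good

:bad
rem Keep the static IP and mask, drop all default gateways on the NIC.
netsh interface ip delete address name="%NIC%" gateway=all >nul
goto :verify

:good
rem Re-add the gateway. "add" errors if the gateway is already present,
rem so delete first to keep the script idempotent across repeated logons.
netsh interface ip delete address name="%NIC%" gateway=all >nul
netsh interface ip add address name="%NIC%" gateway=%GW% gwmetric=%GWMETRIC% >nul
goto :verify

:verify
rem netsh exit codes are not reliable; check the routing table instead.
rem A default route line starts with destination 0.0.0.0.
route print 0.0.0.0 | find "0.0.0.0" >nul
if errorlevel 1 (echo default route: none) else (echo default route: present)
exit /b 0

:show
route print 0.0.0.0
exit /b 0
```

Assign `gateway.cmd bad` as the Startup script (and, for the unplanned-reboot case the thread raises, as the Shutdown script too), `gateway.cmd good` as the Admin logon script and `gateway.cmd bad` as the Admin logoff script. A limited user can still confirm the state with `gateway.cmd show`, which needs no privilege, and an Admin who suspects a stale gateway can run `gateway.cmd auto` from any account to reassert the intended state.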

#22 Wonko the Sane

Posted 16 May 2011 - 01:26 PM

Sorry, double post.

:)
Wonko

#23 Holmes.Sherlock

Posted 16 May 2011 - 01:46 PM

Sorry, double post.

Post # 20, 21, 22 - double TRIPLE post, I guess

#24 Holmes.Sherlock

Posted 16 May 2011 - 02:03 PM

And how is the demented Admin supposed to "switch" to another user without logging off (and mainly without logging in again :) ) as the "other user"? :cheers:



Apart from "dementia", one more factor could be there which is called "carelessness". BTW, Start->Log Off->Switch User is perfectly safe from security standpoint but the plan proposed earlier will fall flat unfortunately.

Admin Logon script: No matter which gateway is set, set a good one
Admin Logoff script: No matter which gateway is set, set a bad one
Other user Logon script: No matter which gateway is set, set a bad one
Other user Logoff script: No matter which gateway is set, set a bad one
Booting script (before Logon): No matter which gateway is set, set a bad one



So, may I safely assume that the new idea of introducing a LogOff script is approved & the previous idea as suggested here was flawed & needs modification?


Other user Logon script: No matter which gateway is set, set a bad one
Other user Logoff script: No matter which gateway is set, set a bad one


May I know how THAT other user (Non-Admin, I presume) can execute scripts which fiddle with network settings when the user themselves is not permitted to do so? RunAs? Is it really a safe way, as it implies that you have to store admin credentials somewhere & you are solely responsible for managing them? Again, if the Admin password is changed, you need to capture it separately for the purpose of running a script which does nothing but block Internet access for LIMITED users?

BTW, NO "marks" were given.



#25 Wonko the Sane

Posted 16 May 2011 - 02:28 PM

Nothing is safe. :)

But if you are referring to "Fast User Switching", that's one of the first things you learn to disable when installing XP if you want to have it a tiny bit less insecure than normal.

:cheers:
Wonko