White list internet browsing

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
evocomps-p40
New Member
Posts: 7
Joined: Wed Feb 13, 2008 7:59 pm
Location: Oklahoma

Mac solution

#21

Post by evocomps-p40 »

I'm always disappointed with the number of people that use Macs, but if you are using a Mac and would like a free, simple way to set up a proxy, look into SquidMan.

It's a free GUI to Squid, a *NIX-based proxy server.

I needed a way to keep my son safe while he surfed so I created my own white/black lists to keep him safely surfing.

Here is the link to my write-up:
http://cg.evocomps.com/archive.php?id_num=21

My 2 cents.
WelchTC
Senior Member
Posts: 2085
Joined: Wed Sep 06, 2006 8:51 am
Location: Kaysville, UT, USA

#22

Post by WelchTC »

Let's make sure to keep this discussion focused on Church networking and specifically this thread on White Listing at the Church network.

Thanks,

Tom
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#23

Post by jdlessley »

If you check out my thread titled "LDSAccess, Odyssey Client and Desktop 5.5" you will see that I have white list filtering on an administrative computer. While the topic for the thread is on getting administrative computers networked using LDSAccess, I found that white list filtering was a by-product of some unknown software install.

If you would like to know the configuration that is enabling the white list filtering, I will collect the information about the changes that are there. It looks like a few changes to the internet options control console as well as either a registry edit (not recommended unless you really know what you're doing) or group policy configurations will do the trick. Note, however, that because administrative computers use profiles with administrator privileges, any configuration changes you make can be easily modified to circumvent the white list filtering.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#24

Post by russellhltn »

jdlessley wrote: Note, however, that because administrative computers use profiles with administrator privileges, any configuration changes you make can be easily modified to circumvent the white list filtering.
Not unless you strip that particular user of the rights to make those changes. <evil grin>

For example I've stripped "clerk" of the rights to change the system time to prevent folks who use the Windows date set as a handy reference calendar from messing up the date and royally messing over MLS.

If they need to make a correction, they can still go into the BIOS and set the time there.
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#25

Post by jdlessley »

RussellHltn wrote: Not unless you strip that particular user of the rights to make those changes. <evil grin>

For example I've stripped "clerk" of the rights to change the system time to prevent folks who use the Windows date set as a handy reference calendar from messing up the date and royally messing over MLS.

If they need to make a correction, they can still go into the BIOS and set the time there.

I've never tried limiting an administrator account in any way. I assume you logged onto another administrator profile and made those restrictions, right? Did you use group policy to do this?
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#26

Post by russellhltn »

jdlessley wrote: I assume you logged onto another administrator profile and made those restrictions, right?
It would be bad form to limit all Admin accounts - you may need to undo it.

jdlessley wrote: Did you use group policy to do this?
Depends on exactly what needs to be restricted. For the time restriction, I think that was under "Local Security Policy". I added other Admin logins as being able to set the time and then removed the Administrators group. Granted, "clerk" could undo it - if they knew how. But I think there are ways of restricting access to the Local Security Policy.
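
The restriction described in the post above can be checked after the fact by listing who holds the "Change the system time" user right. This is an added example, not part of the original post: it assumes an elevated PowerShell prompt and uses `secedit` to export the local policy; the function names and the temporary file name are made up for illustration.

```powershell
# Added example: audit the "Change the system time" right (SeSystemtimePrivilege).
# Run elevated; secedit.exe ships with Windows.

function Get-UserRightHolders {
    param(
        [Parameter(Mandatory = $true)] [string]   $Right,     # e.g. SeSystemtimePrivilege
        [Parameter(Mandatory = $true)] [string[]] $InfLines   # lines of a secedit export
    )
    # In the export the right appears as:  SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    $pattern = "^\s*$([regex]::Escape($Right))\s*="
    $line = $InfLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return @() }          # right is assigned to nobody
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |   # SIDs are prefixed with '*'
        Where-Object { $_ }
}

function Resolve-Holder {
    param([string] $Value)
    if ($Value -like 'S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Value }           # unresolvable SID: report it as-is
    }
    return $Value                           # already an account name
}

# Export only the user-rights area of the local security policy.
$tmp = Join-Path $env:TEMP 'user-rights-audit.inf'   # hypothetical file name
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$holders = @(Get-UserRightHolders -Right 'SeSystemtimePrivilege' -InfLines (Get-Content $tmp))
Remove-Item $tmp

$adminsSid = 'S-1-5-32-544'                 # BUILTIN\Administrators (well-known SID)
if ($holders.Count -eq 0) { 'No account holds SeSystemtimePrivilege.' }
foreach ($h in $holders) {
    # If the whole Administrators group still holds the right, every admin
    # profile (including "clerk") can change the clock.
    $flag = if ($h -eq $adminsSid) { 'WARNING: entire Administrators group' } else { 'ok' }
    '{0,-45} {1}' -f (Resolve-Holder $h), $flag
}
```

Because the audited account is still an administrator, a clean result only shows the current policy state; it does not show that the account cannot re-grant itself the right.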
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#27

Post by jdlessley »

loughe wrote: Does anyone know how to establish a "white list" for browsing the internet from a ward clerk's internet-enabled computer?

In dealing with a problem getting administrative computers connected wirelessly to the CCN, I have found by chance a working solution to setting up internet filtering using a white list. Of course this solution only applies to administrative computers using Desktop 5.5. The Group Policy editor is used to lock down Internet Explorer. (Note: Most registry settings that have been made by Desktop 5.5 can be undone and then redone using the Group Policy Editor, gpedit.msc.)

I have included as an attachment the file Internet Filtering Using a White List.doc with the instructions.

Please be advised that I have not completely tested the configuration described in the document. It works to filter casual use of Internet Explorer quite well in my testing. The part I have not tested is the ability to circumvent the restrictions. As long as the administrator privileges are available to someone bent on getting through to any site, I guess it will happen. If someone knows how to lock out the use of the Group Policy Editor, then I think we can close that door.

There are two lists, Trusted Sites and Restricted Sites, on the Security tab of the Internet Options applet that I need to investigate. On the administrative computers they have quite long lists. I will check out the effect of these lists on the list in the Exceptions box for the proxy server.

After some thought I’m sure there may be more elegant ways to accomplish what I describe in the document instructions. Feel free to throw darts. I have a tough skin.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#28

Post by russellhltn »

I haven't had a chance to look over the restricted sites list, but it could be a result of "Spybot - Search and Destroy" that's also a part of Desktop 5.5.
dajoker
Member
Posts: 99
Joined: Sun May 11, 2008 7:04 pm
Location: Utah, USA

#29

Post by dajoker »

Keep in mind that from a technical standpoint it is all but impossible for a computer to be locked down purely with software on the locked-down computer as long as physical access is available. A whitelist is only as good as the software implementing it and the OS running that software and the security of the hardware hosting that OS. Each Ward may need to take into account their own membership's skills in these cases. For example, a mildly-experienced networking professional can get past the security implemented by restrictions implemented solely in DNS, though that's probably the best suggestion besides a whitelist implemented on a router or other proxy that is not accessible by anybody besides a trustworthy administrator.

To secure a computer as much as possible the Clerk account (we only have one... not sure if that's how it should be but it's how it was set up) should not be privileged (MLS is just a regular program, Firefox is just a regular program, OpenOffice runs perfectly as a regular user, Picasa is the same, etc.). Booting should only be possible from the hard drive and the BIOS should prevent other options (and be password protected to prevent modifications). Ideally the computer wouldn't even be physically accessible but that's not realistic in most clerk offices.

I think the best bet in these cases is to implement the OpenDNS option or whitelist at the border of the network. Our Stake is implementing routers from Apple because apparently the restriction capabilities per MAC address are fairly significant (no need to browse the Internet during Sacrament, or anytime past ten p.m., etc.). Combining this with the reduced privileges of the clerk account gives a good defense-in-depth implementation to do the best possible with the resources provided.
rmrichesjr
Community Moderators
Posts: 3829
Joined: Thu Jan 25, 2007 11:32 am
Location: Dundee, Oregon, USA

#30

Post by rmrichesjr »

dajoker wrote: ...
To secure a computer as much as possible the Clerk account (we only have one... not sure if that's how it should be but it's how it was set up) should not be privileged (MLS is just a regular program, Firefox is just a regular program, OpenOffice runs perfectly as a regular user, Picasa is the same, etc.). Booting should only be possible from the hard drive and the BIOS should prevent other options (and be password protected to prevent modifications). Ideally the computer wouldn't even be physically accessible but that's not realistic in most clerk offices.
...
I seem to recall a statement in an earlier thread that MLS requires administrative privileges due to some issues in the third-party software embedded in MLS to do transmit/receive operations. I searched for that statement but was not able to find it. While I agree that (in theory) MLS shouldn't need administrative privileges, some research, testing, and caution would be advisable if anyone is considering changing privilege levels from the default setup.