Win8.1 HOST file question


Win8.1 HOST file question

Posted on Fri May 30, 2014 4:15 pm

If I set up multiple users on a shared Win8.1 laptop, is there any built-in way to let the admin be able to go anywhere on the internet, while forcing all other users to use a HOST file that has a lot of sites blackholed?

The Netgear they're using for a WRAP won't let me selectively block for certain devices. It's all or nothing, there.
Hz so good

Re: Win8.1 HOST file question

Posted on Fri May 30, 2014 4:34 pm

http://www.thewindowsclub.com/enable-content-advisor-internet-explorer-10-11
bthylafh

Re: Win8.1 HOST file question

Posted on Fri May 30, 2014 5:00 pm

bthylafh wrote: http://www.thewindowsclub.com/enable-content-advisor-internet-explorer-10-11

They prefer FF and Chrome. Can I force all non-admin users to only use IE11, and can I make the content ratings take effect per user, or is that gonna be global? The admin/owner needs to be able to go anywhere and do everything. All the other accounts need to be heavily restricted, and I intend on forcing them to use the fingerprint scanner to sign on, so they'll stop sharing passwords.
Hz so good

disclaimer: I permanently think enterprise

Posted on Fri May 30, 2014 5:30 pm

Hosts file is not good enough, especially with windows.

Deploy the blacklist at the proxy/fw/perimeter control devices (ideally also nameserver, point them all to a blackhole, bonus points for logging queries) and give the admin an elevated account on the proxy, dedicated tunnel, separate VLAN w/ "internal VPN" or similar solutions. Ideally also let him use outside DNS instead so you can lock down the main one properly.

Better for security that way, also helps with a common scenario where a computer is trying to go places with "nobody" logged in or a malware-hijacked admin account, rootkit that doesn't care about your host file etc. Also helps when someone plugs another computer into LAN as well, poor man's limited port security.

You can't trust the local computer/account/whatever to behave.
I'm going to assume you can't say "no" to the owner, so be sure to get a written & documented CYA from this particular admin/owner that "needs" to go everywhere so when he goes somewhere he shouldn't and all the data gets jacked you have that CYA. These types have a tendency to know too much for their own good.
Bauxite
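A minimal version of the DNS blackhole with query logging that the post above recommends, written here as an added example in Python (not code from the thread or from any product named in it). The blocklist names, the sinkhole address and the client address are constructed sample values; unblocked queries are only marked for forwarding, since relaying them upstream is outside this sketch.

```python
"""Minimal DNS sinkhole with query logging (added example, not the thread's code): blocklisted
names and their subdomains resolve to a blackhole address, the rest are marked for forwarding."""
import socket
import struct

BLOCKLIST = {"ads.example.test", "tracker.example.test"}  # constructed sample
SINKHOLE = "0.0.0.0"  # blackhole address handed out for blocked names

def build_query(name, qid=0x1234, qtype=1):
    """Encode a standard recursive query; used here to construct sample traffic."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (name, qtype, end_offset) for the single question in a DNS packet."""
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid inside a question name
            raise ValueError("compressed label in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype = struct.unpack("!H", packet[offset:offset + 2])[0]
    return ".".join(labels).lower(), qtype, offset + 4

def is_blocked(name):
    """Match the exact name or any parent domain against the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def handle(query, client="?"):
    """Decide on one query packet: returns (action, log_line, reply_or_None)."""
    qid, qdcount = struct.unpack("!H2xH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, qtype, end = parse_question(query)
    action = "sinkhole" if is_blocked(name) and qtype == 1 else "forward"
    log_line = f"client={client} qname={name} qtype={qtype} action={action}"
    if action == "forward":
        return action, log_line, None  # a real deployment relays this upstream
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE)
    return action, log_line, header + query[12:end] + answer

if __name__ == "__main__":
    for n in ("www.ads.example.test", "techreport.com"):
        print(handle(build_query(n), "192.168.1.20")[1])
```

Binding this to UDP port 53 on the router or a small box on the LAN gives every device, not just one Windows account, the same blocklist and a log of who asked for what.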

Re: disclaimer: I permanently think enterprise

Posted on Fri May 30, 2014 6:02 pm

Bauxite wrote: Hosts file is not good enough, especially with windows.

Deploy the blacklist at the proxy/fw/perimeter control devices (ideally also nameserver, point them all to a blackhole, bonus points for logging queries) and give the admin an elevated account on the proxy, dedicated tunnel, separate VLAN w/ "internal VPN" or similar solutions. Ideally also let him use outside DNS instead so you can lock down the main one properly.

Better for security that way, also helps with a common scenario where a computer is trying to go places with "nobody" logged in or a malware-hijacked admin account, rootkit that doesn't care about your host file etc. Also helps when someone plugs another computer into LAN as well, poor man's limited port security.

You can't trust the local computer/account/whatever to behave.
I'm going to assume you can't say "no" to the owner, so be sure to get a written & documented CYA from this particular admin/owner that "needs" to go everywhere so when he goes somewhere he shouldn't and all the data gets jacked you have that CYA. These types have a tendency to know too much for their own good.

Oh, believe me, if I could deploy all that, I already would've. There's literally zero budget. Long story short, the laptop belongs to a very non-techie friend of mine, and she lets everybody and his brother borrow it. It gets even worse, since despite her 10GB monthly data cap, she lets everybody use her WiFi, and routinely has 6 devices connected at any given time.

*edit* Basically, I'm locking down the laptop first, then I'm going to see what type of control that Netgear R6100 can exert over the other devices, priority/QoS wise.
Hz so good

Re: Win8.1 HOST file question

Posted on Fri May 30, 2014 7:08 pm

Fascinating topic. Please keep us posted. :)
BIF

Re: disclaimer: I permanently think enterprise

Posted on Fri May 30, 2014 7:20 pm

Hz so good wrote: Oh, believe me, if I could deploy all that, I already would've. There's literally zero budget. Long story short, the laptop belongs to a very non-techie friend of mine, and she lets everybody and his brother borrow it. It gets even worse, since despite her 10GB monthly data cap, she lets everybody use her WiFi, and routinely has 6 devices connected at any given time.

Sorry, but you can't fix stupid.
bthylafh

Re: disclaimer: I permanently think enterprise

Posted on Fri May 30, 2014 7:49 pm

bthylafh wrote:
Hz so good wrote: Oh, believe me, if I could deploy all that, I already would've. There's literally zero budget. Long story short, the laptop belongs to a very non-techie friend of mine, and she lets everybody and his brother borrow it. It gets even worse, since despite her 10GB monthly data cap, she lets everybody use her WiFi, and routinely has 6 devices connected at any given time.


Sorry, but you can't fix stupid.

Don't I know it... Still, I feel obligated to try *something*.
Hz so good

Re: Win8.1 HOST file question

Posted on Fri May 30, 2014 8:58 pm

For the other devices, convince her to buy a cheap Tomato-capable router and attach it forward of the existing one in dual-NAT configuration. Lock down its defaults and access restrictions and move the others to it.

For the borrowers, you could try configuring a dual-boot system on a new partition on her laptop with the borrowers' accounts segregated on the more restrictive OS image.

You could also try to default all access through a non-encrypted VPN connection to the restrictive router, then instruct the admin to disconnect the VPN when she's logged on. This is less involved than dual-booting but is also easier to defeat.
trackerben
