Help locking down firefox in a school

Page 2 - AnandTech Forums

JustAnAverageGuy

Diamond Member
Aug 1, 2003
9,057
0
76
Originally posted by: oupei
why don't you just block access to www.getfirefox.com? or redirect it to a message that says that FF is not allowed? assuming that they have to download firefox using IE before installing it...

He's referring to the Live Firefox versions that you can stick on a USB drive if I'm not mistaken.

They can download that at home and bring it in.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: THRILLHOv
That's my first impulse.
Of course I planned on blocking www.mozilla.org & .com,
so that kinda exemplifies the idea that there are many, many sources they can be DLing from.
So no dice.
1) Who's your security vendor? If it's McAfee and you have VS Enterprise 8.0i then I know plenty of tricks for you. Forbidding creation/execution of **\*mozilla*.* and **\*firefox*.* would be a start, plus forbidding creation/execution of some of the core files that are required to run. Forbidding creation/execution of .zip files and .jar files within the user's profile directory, forbidding execution of ANYTHING from drive E: or whatever a USB drive would come out as... yeah, you can make it nice and tough for your lil' geniuses :evil: Obviously you would lock and password-protect the VirusScan Console settings and preferably hide it from the Start menu and from the system-tray options list, both of which can be done with Installation Designer 8.1 if you want.

1.5) It would also be a snap to block Port 80 access to anything but iexplore.exe using the Port-Blocking Rules, although if they can rename their browser "iexplore.exe" then that would be a workaround. So don't allow creation of new files named iexplore.exe either :D

2) You could always resort to the Run Only Allowed Windows Applications route (assuming WinXP Professional Edition here), then whitelist precisely what you want to run. This would involve some work.


 

THRILLHOv

Senior member
Jan 14, 2003
397
0
0
Thanks for all the great info mechBgon, we don't use McAfee.
Every laptop is running XP Pro. I assume "1.5" depends on VS Enterprise 8.0, right... I liked that one a lot :( Any way to do that with other methods...

Can you point me in the right direction to find some instructions on how to pull off #2? But is that global, or just for net access? If it's global that will turn into a huge hassle every time we have to install new software or updates.
I'm def gonna look into your other suggestions and ways to achieve that when I get up tomorrow.
Thanks again.

edit... they have Symantec Enterprise Edition on the laptops, not McAfee
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: THRILLHOv
Thanks for all the great info mechBgon, we don't use McAfee.
Every laptop is running XP Pro. I assume "1.5" depends on VS Enterprise 8.0, right... I liked that one a lot :( Any way to do that with other methods...

Can you point me in the right direction to find some instructions on how to pull off #2? But is that global, or just for net access? If it's global that will turn into a huge hassle every time we have to install new software or updates.
I'm def gonna look into your other suggestions and ways to achieve that when I get up tomorrow.
Thanks again.

edit... they have Symantec Enterprise Edition on the laptops, not McAfee
I'm not familiar with Symantec EE but it might have similar behaviour-blocking / port-blocking stuff? If you haven't rummaged around through all the options, then take a look and/or drop SagaLore a PM, I know he has Symantec in his fleet and could probably tell you whether Symantec does that stuff.

For #2, you could use local Group Policy Editor: http://pics.bbzzdd.com/users/mechBgon/GPEDIT_RUN_ONLY_ALLOWED_APPS.gif

 

doornail

Senior member
Oct 10, 1999
333
0
0
I don't know if I would spend a lot of time trying to lock down the laptops, really. I would develop a way to *easily* re-image any problematic systems back to a known good image -- which I would invoke with extreme prejudice. Let them know that if they dork it up they are getting it back working but blanked.

Can you elaborate on why you make them go through your proxy from home? Is it a liability issue? Are these limited-use because of how they were funded?


darom

Senior member
Dec 3, 2002
402
0
0
As far as I understood the issue, you want the kids to use IE, because the web filtering software supports only IE.

If I were you, I would install an open-source firewall/proxy with Dansguardian filters and route all http/https traffic through it. In this case it wouldn't matter which browser you use; they will have to define the proxy settings for your box anyway. I have one at home running on a FreeBSD server which takes care of it for my kids.

squid + squidguard + dansguardian lists = excellent free solution

FreeBSD makes a nice server; actually any Linux flavor will run it as well. The filtering list updates take place automatically. You also have a nice log of what your kids are browsing (if your school allows it). Then you can add different networks, or IPs, and define what each is allowed to 'see' (for ex., administrative IPs are allowed to connect to all xxx, gambling sites etc., while the student IP range is not allowed).

If this doesn't work for you (for ex., Dansguardian has a paid subscription), there are a few more lists available for free for non-profit organizations. Actually, your school management might even pay a small fee for this.

Good luck!


CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
SpyorDie007 tells me administrators can use Software Restriction Policies to restrict execution of programs only to certain directories. That way, users couldn't just copy the Firefox EXE to their desktop and run it there.
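Added example (not from any poster in this thread, and not a Microsoft-supplied script): the "Run only allowed Windows applications" policy mechBgon links for #2 is an Explorer shell restriction, so it only governs programs a user starts through Explorer; a Software Restriction Policy of the kind CTho9305 describes is enforced by the OS for every launch, so a Firefox EXE copied to the desktop or run from a USB drive is refused no matter how it is started. The script below writes the same registry values that secpol.msc writes for a local SRP on one XP Pro machine: default level Disallowed, Unrestricted path rules for %SystemRoot% and %ProgramFiles%, and explicit Disallowed rules for the folders under %SystemRoot% that standard users can write to on XP, so a copied file there does not inherit the allow rule. Assumptions: you run it as a local administrator, the machine is XP/2003 (the Safer key layout and the SoftwareRestrictionPolicies event source are from that generation), and in a domain you would place the identical rules in a GPO rather than writing HKLM directly. The function name Add-SrpPathRule is this example's own.

```powershell
# Build a default-deny Software Restriction Policy by writing the registry
# values secpol.msc would write. Run as local Administrator, then
# `gpupdate /force` or reboot. Example code, not from the thread.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED
$Unrestricted = 262144   # SAFER_LEVELID_FULLYTRUSTED (0x40000)

# Path rules live under <level>\Paths\{GUID}; this helper (hypothetical name)
# creates one such rule and returns its key path.
function Add-SrpPathRule {
    param(
        [string]$Path,         # file or folder; environment variables are allowed
        [int]$Level,           # $Disallowed or $Unrestricted
        [string]$Description
    )
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $ruleKey
}

New-Item -Path $Safer -Force | Out-Null
# Default level Disallowed: anything not matched by an Unrestricted rule will not run.
New-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -PropertyType DWord -Force | Out-Null
# 2 = check all software files including DLLs; 1 skips DLLs (faster, but weaker).
New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2           -PropertyType DWord -Force | Out-Null
# 1 = all users except local administrators, so staff installs and updates keep working.
New-ItemProperty -Path $Safer -Name PolicyScope        -Value 1           -PropertyType DWord -Force | Out-Null
# Extensions treated as executable (the list secpol.msc writes by default).
$exeTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
            'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
            'SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $exeTypes -PropertyType MultiString -Force | Out-Null

# Allow only what an administrator installed.
Add-SrpPathRule -Path '%SystemRoot%'   -Level $Unrestricted -Description 'Windows'
Add-SrpPathRule -Path '%ProgramFiles%' -Level $Unrestricted -Description 'Installed software'

# User-writable folders beneath %SystemRoot% on XP must be excluded again, or a
# file copied there would be covered by the Windows allow rule above.
Add-SrpPathRule -Path '%SystemRoot%\Temp'  -Level $Disallowed -Description 'User-writable on XP'
Add-SrpPathRule -Path '%SystemRoot%\Tasks' -Level $Disallowed -Description 'User-writable on XP'

# Verification after gpupdate: each refused launch is logged to the Application
# log (source SoftwareRestrictionPolicies on XP/2003), which doubles as your
# audit trail of who tried to run what.
Get-EventLog -LogName Application -Source SoftwareRestrictionPolicies -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message
```

Because PolicyScope is 1, the technician account is exempt, which answers the "huge hassle every time we have to install new software" concern: installs done as a local administrator land in %ProgramFiles% and are then allowed for students. Test the policy on one laptop first, since any program installed outside %ProgramFiles% (for example, per-user installers that drop into the profile) will stop working for students until it gets its own Unrestricted rule.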
 

THRILLHOv

Senior member
Jan 14, 2003
397
0
0
Originally posted by: doornail
I don't know if I would spend a lot of time trying to lock down the laptops, really. I would develop a way to *easily* re-image any problematic systems back to a known good image -- which I would invoke with extreme prejudice. Let them know that if they dork it up they are getting it back working but blanked.

Can you elaborate on why you make them go through your proxy from home? Is it a liability issue? Are these limited-use because of how they were funded?


Oh, the re-imaging thing is clearly in place; if you have questionable material on your laptop, it gets wiped out ASAP. But that still is only dealing with the symptoms, not the problem.

It's a public magnet school, so we are providing the proxy as a service to the parents who are not prepared to monitor or set up blocks at home. For many of the students, the laptop is the only computer in the house, and the parents don't know how, or can't afford to do it themselves.

Also, when the students had unrestricted access, I was being handed laptops weekly to look for pron; the kids would be showing it to others in class, then the students would go home and look up the same thing.
We had maybe 40 6th graders one week looking at the same set of pages, and this led to other searches.