He's referring to the Live Firefox versions that you can stick on a USB drive if I'm not mistaken.
They can download that at home and bring it in.
He's referring to the Live Firefox versions that you can stick on a USB drive if I'm not mistaken.
They can download that at home and bring it in.
mechBgon
Super Moderator<br>Elite Member
- Oct 31, 1999
- 30,699
- 1
- 0
1) who's your security vendor. If it's McAfee and you have VS Enterprise 8.0i then I know plenty of tricks for you. Forbidding creation/execution of **\*mozilla*.* and **\*firefox*.* would be a start, plus forbidding creation/execution of some of the core files that are required to run. Forbidding creation/execution of .zip files and .jar files within the user's profile directory, forbidding execution of ANYTHING from drive E: or whatever a USB drive would come out as... yeah, you can make it nice and tough for your lil' geniuses :evil: Obviously you would lock and password-protect the VirusScan Console settings and preferably hide it from the Start menu and from the system-tray options list, both of which can be done with Installation Designer 8.1 if you want.
1.5) It would also be a snap to block Port 80 access to anything but iexplore.exe using the Port-Blocking Rules, although if they can rename their browser "iexplore.exe" then that would be a workaround. So don't allow creation of new files named iexplore.exe either
2) You could always resort to the Run Only Allowed Windows Applications route (assuming WinXP Professional Edition here), then whitelist precisely what you want to run. This would involve some work.
thanks for all the great info mechBgon, we dont use mcafee.
every laptop is running XPpro, i assume "1.5" depends on vs enterprise 8.0 right... i liked that one a lot any way to do that with other methods...
can you point me in the right direction to find some instructions on how to pull off #2?..... but is that global, or just for net access, if its global that will turn into a huge hassle every time we have to install new software or updates.
im def gonna look into your other suggestions and ways to achieve that when i get up tomorrow.
thanks again.
edit... they have symantec enterprise editon on the laptops, not mcafee
every laptop is running XPpro, i assume "1.5" depends on vs enterprise 8.0 right... i liked that one a lot
any way to do that with other methods... can you point me in the right direction to find some instructions on how to pull off #2?..... but is that global, or just for net access, if its global that will turn into a huge hassle every time we have to install new software or updates.
im def gonna look into your other suggestions and ways to achieve that when i get up tomorrow.
thanks again.
edit... they have symantec enterprise editon on the laptops, not mcafee
mechBgon
Super Moderator<br>Elite Member
- Oct 31, 1999
- 30,699
- 1
- 0
I'm not familiar with Symantec EE but it might have similar behaviour-blocking / port-blocking stuff? If you haven't rummaged around through all the options, then take a look and/or drop SagaLore a PM, I know he has Symantec in his fleet and could probably tell you whether Symantec does that stuff.Originally posted by: THRILLHOv
thanks for all the great info mechBgon, we dont use mcafee.
every laptop is running XPpro, i assume "1.5" depends on vs enterprise 8.0 right... i liked that one a lot
can you point me in the right direction to find some instructions on how to pull off #2?..... but is that global, or just for net access, if its global that will turn into a huge hassle every time we have to install new software or updates.
im def gonna look into your other suggestions and ways to achieve that when i get up tomorrow.
thanks again.
edit... they have symantec enterprise editon on the laptops, not mcafee
For #2, you could use local Group Policy Editor: http://pics.bbzzdd.com/users/mechBgon/GPEDIT_RUN_ONLY_ALLOWED_APPS.gif
I don't know if I would spend a lot of time trying to lock down the laptops, really. I would develop a way to *easily* re-image any problematic systems back to a known good image -- which I would invoke with extreme prejudice. Let them know that if they dork it up they are getting it back working but blanked.
Can you elaborate on why you make them go through your proxy from home? Is it a liability issue? Are these limited-use because of how they were funded?
Can you elaborate on why you make them go through your proxy from home? Is it a liability issue? Are these limited-use because of how they were funded?
As far as I understood the issue, you want the kids to use IE, because the web filtering software supports only IE.
If I were you, I would install an open-source firewall/proxy with Dansguardian filters and route all http/https traffic through it. In this case it wouldn't matter which browser you use, they will have to define the proxy settings for your box anyway. I have one at home running a FreeBSD server which takes care of it for my kids.
squid + squidguard + dansguardian lists = excellent free solution
FreeBSD makes a nice server, actually any Linux flavor will run it as well. The filtering lists updates take place automatically. You also have a nice log of what your kids are browsing (if your school allows it). Then you can add different networks, or IPs and define what each are allowed to 'see' (for ex., administrative IPs are allowed to connect to all xxx, gambling sites etc., while student IP range - not allowed).
If this doesn't work for you (for ex., Dansguardian has a paid subscription), there are a few more lists available for free for non-profit organizations. Actually, your school management might even pay a small fee for this.
Good luck!
If I were you, I would install an open-source firewall/proxy with Dansguardian filters and route all http/https traffic through it. In this case it wouldn't matter which browser you use, they will have to define the proxy settings for your box anyway. I have one at home running a FreeBSD server which takes care of it for my kids.
squid + squidguard + dansguardian lists = excellent free solution
FreeBSD makes a nice server, actually any Linux flavor will run it as well. The filtering lists updates take place automatically. You also have a nice log of what your kids are browsing (if your school allows it). Then you can add different networks, or IPs and define what each are allowed to 'see' (for ex., administrative IPs are allowed to connect to all xxx, gambling sites etc., while student IP range - not allowed).
If this doesn't work for you (for ex., Dansguardian has a paid subscription), there are a few more lists available for free for non-profit organizations. Actually, your school management might even pay a small fee for this.
Good luck!
SpyorDie007 tells me administrators can use Software Restriction Policies to restrict execution of programs only to certain directories. That way, users could't just copy the firefox EXE to their desktop and run it there.
Havent read the thread in too much depth but here is some information on using software restriction policies to stop them from running unauthorized code:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
You can configure and control from a group policy what they can run based on path, hash, certificate or zone (Internet/Intranet)
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
You can configure and control from a group policy what they can run based on path, hash, certificate or zone (Internet/Intranet)
oh the re-imaging thing is clearly in place, if you have questionable material on your laptop, it gets wiped out asap. but that still is only dealing with the symptoms, not the problem.
its a public magnet school, so we are providing the proxy as a service to the parents who are not prepared to monitor or set up blocks at home. for many of the students, the laptop is the only computer in the house, and the parents dont know how, or cant afford to do it themselves.
also, when the students had unrestricted access, i was bieng handed laptops weekly to look for pron, the kids would be showing it to others in class, then the students would go home and look up the same thing.
we had maybe 40 6th graders one week looking at the same set of pages, and this led to other searches.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 21K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
Facebook
Twitter