Help locking down firefox in a school

[THRILLHOv]

I work in a middle school and the students have finally found out that firefox is better than MSIE, the problem is, we keep them behind our proxy at school AND when they take the laptop home. now that they have firefox they are unable to use it at school, but the home use is unfiltered.
the problem with the firefox installer is that it can install to any directory that they have write access, and apparently doesnt appear as an "installer" to windows because as restricted users, they can still run the installer.
i thought about just setting up their log on script to block the process, but tested out changing the name of the .exe and it changes the name of the process too.
it wont take the kids long to figure that one out.
any suggestions?
thanks a lot.

 

[Zugzwang152]

possibly install a software firewall that can filter processes allowed out by name? Or allow only essential processes and/or ones you can control, ex: iexplore.exe

 

[JustAnAverageGuy]

Block net access to everything EXCEPT IEXPLORE.exe and maybe your teacher's mail programs?

 

[THRILLHOv]

hmmm net access but a white list huh... interesting. where can i find info on that
right, i thought of filtering out the process... but all the kids have to do is figure out thats what we are doing, and rename firefox.exe.
thanks for the quick replies guys.

 

[THRILLHOv]

also, the teachers are in a different group. so the policies will be seperate.

now i just have to figure out how to make a white list for access to the internet.

 

[Malak]

Tell them they lose points on every assignment if you catch them using it. Give them detention for not following the rules. Don't just try to prevent it, enforce it.

 

[hans030390]

I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

 

[Malak]

Originally posted by: hans030390
I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

No, they shouldn't use FF. You can lock down IE easily, you can't do the same with FF. IE is more well known, more used, and easy to secure, FF isn't.

If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

 

[BlueWeasel]

Originally posted by: Malak

Originally posted by: hans030390
I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

No, they shouldn't use FF. You can lock down IE easily, you can't do the same with FF. IE is more well known, more used, and easy to secure, FF isn't.

If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

 

[Malak]

Originally posted by: BlueWeasel

Originally posted by: Malak

Originally posted by: hans030390
I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

No, they shouldn't use FF. You can lock down IE easily, you can't do the same with FF. IE is more well known, more used, and easy to secure, FF isn't.

If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

Read the forum sometime. Every week another FF thread pops up with more problems with the browser. People get spyware through it and get all confused, thinking they were safe. There are a lot of mistruths on this browser. People need to know that if they really want a safe browser they have to go with one that is proven safe, not one that is only rumored to be safe.

I live by a philosophy, that when you've got something to say, you say it. I don't stand for ignorance. Opera is 100x better than FF in every respect. More secure, more functional, faster. FF offers nothing over Opera that a user needs. Should I be at fault for looking out for the user? I think not.

 

[theMan]

ok, but howcome, whenever i open up IE, my antivirus pops up, saying something is installing trojans, or my antispyware pops up, but in FF this never happens. i have never had a problem with FF. never. maybe all these "problems" people are posting, are due to the fact that most of the people here probably use FF, and people that use IE just expect things to go wrong so there is no point in posting anything about it.

 

[Ichigo]

Originally posted by: Malak

Originally posted by: BlueWeasel

Originally posted by: Malak

Originally posted by: hans030390
I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

No, they shouldn't use FF. You can lock down IE easily, you can't do the same with FF. IE is more well known, more used, and easy to secure, FF isn't.

If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

Read the forum sometime. Every week another FF thread pops up with more problems with the browser. People get spyware through it and get all confused, thinking they were safe. There are a lot of mistruths on this browser. People need to know that if they really want a safe browser they have to go with one that is proven safe, not one that is only rumored to be safe.

I live by a philosophy, that when you've got something to say, you say it. I don't stand for ignorance. Opera is 100x better than FF in every respect. More secure, more functional, faster. FF offers nothing over Opera that a user needs. Should I be at fault for looking out for the user? I think not.

Funny how the guy decided not to say anything about the one who was 'advertising' FF.

 

[JustAnAverageGuy]

Originally posted by: Malak
If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

While I agree entirely 100%, he isn't asking about which alternative browsers are safer or better, he's asking how to prevent ANY other browser from being used.

So, while this is good information, it isn't pertinent to this thread.

Originally posted by: BlueWeasel
Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

Malak is no worse any FireFox fanboi. The only difference is that there are more people trying to convert people to FireFox. If you were one of them, then I could insert more witty comments about how hypocritical you are, but I don't feel like researching your post history.

 

[itachi]

Originally posted by: JustAnAverageGuy

Originally posted by: BlueWeasel
Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

Malak is no worse any FireFox fanboi. The only difference is that there are more people trying to convert people to FireFox. If you were one of them, then I could insert more witty comments about how hypocritical you are, but I don't feel like researching your post history.

i would say that BlueWeasel is just as bad as Malak.

you're doing the exact same thing that malak is.. he's trying to push his view that opera is the best browser onto people, and you're trying to push your view that he should just let people decide for themselves. you're a hypocrite.
--

the simplest solution would probably be setting up a firewall. you can use the one that comes with sp2. it won't matter if they rename the exe.. the only way they'd be able to use it is if it its explicitly set in the firewall configuration.

 

[sandorski]

Originally posted by: Malak

Originally posted by: BlueWeasel

Originally posted by: Malak

Originally posted by: hans030390
I think schools should use FF....

Anyways, Like they said, if you block the every program (except IE and mail stuff) from the network, it shouldn't be able to get on, even if they rename the file...i think....

No, they shouldn't use FF. You can lock down IE easily, you can't do the same with FF. IE is more well known, more used, and easy to secure, FF isn't.

If ANY alternative should be used, it's Opera, being more functional, more secure, and has a lot less to worry about.

Do you ever shut up with the Opera crap? I swear, I think you're on their payroll sometimes.

There's plenty of people on these boards who like Opera. Yet, you seem to be the only trolling the browser threads just waiting for an opportunity to throw in your Opera plug.

Read the forum sometime. Every week another FF thread pops up with more problems with the browser. People get spyware through it and get all confused, thinking they were safe. There are a lot of mistruths on this browser. People need to know that if they really want a safe browser they have to go with one that is proven safe, not one that is only rumored to be safe.

I live by a philosophy, that when you've got something to say, you say it. I don't stand for ignorance. Opera is 100x better than FF in every respect. More secure, more functional, faster. FF offers nothing over Opera that a user needs. Should I be at fault for looking out for the user? I think not.

A whole lot more people use FF than Opera. Do a Search and you'll ind plenty of Opera issues despite it's low use.

 

[TheVrolok]

Quick question based on what I've heard, even if he creates a whitelist only for necessary processes, he said firefox changes its process name based on .exe name, so what if the kids rename firefox.exe to iexplore.exe in their installed directory? Will the whitelist let it through or can he specificy process by path as well?

 

[CTho9305]

I think there's a way to disallow execution of programs outside of specific directories. You could do that, then lock down those directories.

 

[mechBgon]

So the FireFox installer can be successfully run by a Limited/Restricted-User account? Since when? That doesn't jive with my experience.

BTW if you guys happen to use VirusScan Enterprise 8.0i and ePolicy Orchestrator, then the Access Protection Policies can be used to effectively TKO the FF installer, whole bunch of ways you can do that.

 

[vailr]

OT: Is there a "Portable Opera" version, similar to the "Portable Firefox" version, that is designed to work on USB flash memory drives?

 

[BlueWeasel]

Originally posted by: vailr
OT: Is there a "Portable Opera" version, similar to the "Portable Firefox" version, that is designed to work on USB flash memory drives?

Yes

 

[THRILLHOv]

a lot of good info here (if i weed through the OT fight) can someone point me to a site that explains the white list thing, and how i specify net access.
is it just denying access to port 80 from anything but MSIE, flash, real player, WMP and such?
or is there a setting beyond the port?
i dont need all the info, but when i go in tomorrow, id like to be as prepared as possible. thanks for all of your help.
(and yes, i know FF and Opera are both better browsers, but as people above said, IE is easy to lock down, and we made a commitment to the parents to filter the kids at home from offensive content)

 

[sourceninja]

As long as kids can store their own files in my documents or any writable area they are going to be able to use firefox. The best you can hope for is to make it too complicated for non die hard computer kids to get by. There will be children who can bypass it. Hell, I know I have yet to find a solution for securing a network that I have not been able to find a loophole to bypass. Didn't matter if it was novell, microsoft, or other party solutions. Its simply not going to be possible. I've never thought about this till just now, but what if you write your script to look for the md5 of the firefox exe and delete it? That might actually work. But then the kids can use opera, or galeon, or some other browser (hell there are millions). They could use a linux live cd to browse the web. Another idea I just came up with is forcing all the network connections though a vpn to your school and using the school firewall to filter the porn. Other then that just a firewall/netnanny type software on the machine, but it will be trival for a kid who really wants to get at porn to disable it. Hell even a filter at the school can be bypassed if you allow ssh out of the school.

So again, the best you can hope to do is just make it too hard or annoying for the stupid kids. Thats just how windows is.

 

[THRILLHOv]

oh ive thought about shunnel, and knoppix.... my thought. if they are that good, and its only a couple kids. My hat is off to them.
but this is just far too easy, and even computer novices can do it. In a couple weeks 95% of the students could be doing this.
its just irresponsible of us to turn a blind eye when we have told parents we will try to filter the students at home.
this is a public school, and many parents arent tech savy enough, or have the money to handle filtering solutions themselves.

Now i just need to know how to disable access to port 80 from all but the programs we allow.

 

[oupei]

why don't you just block access to www.getfirefox.com? or redirect it to a message that says that FF is not allowed? assuming that they have to download firefox using IE before installing it...

 

[THRILLHOv]

thats my first impulse.
of course i planned on blocking www.mozilla.org &.com
so that kinda exemplifies the idea that there are many many sources they can be DLing from.
so no dice.