
using hosts file as http whitelist

sao123

I have some public access workstations, which I need to limit to certain internet websites. To accomplish this, I am disabling DNS and setting up a hosts file to enable certain permitted sites to be browsed.
However, doing this will prevent Windows updates from being downloaded.

Does anyone know the proper entries needed for my hosts file to re-enable Windows Update?
 
try these

download.windowsupdate.com
v5.windowsupdate.microsoft.com

also, if it doesn't work, deploy your own SuS?
 
Make sure you disable nslookup as well then. Anyone who knows anything about how the internet works will simply bring up a command window and do an nslookup to 4.2.2.1 (or any of the original base DNS servers on the net), get the IP and then enter the IP in the browser...
 
sao123 said:
I have some public access workstations, which I need to limit to certain internet websites. To accomplish this, I am disabling DNS and setting up a hosts file to enable certain permitted sites to be browsed.
However, doing this will prevent Windows updates from being downloaded.

That's not a good solution. You really should be making them browse through a proxy and then set up a whitelist on the proxy. That also ensures that no one brings in their own machine and uses that instead.

Fallen Kell said:
Make sure you disable nslookup as well then. Anyone who knows anything about how the internet works will simply bring up a command window and do an nslookup to 4.2.2.1 (or any of the original base DNS servers on the net), get the IP and then enter the IP in the browser...

Which will likely fail anyway because without the HTTP Host header given it'll just return the default website for that server which may or may not be the one you're aiming for.
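
The Host-header behaviour described in the reply above, as an added example that is not part of the original thread: a local Python server hosts two constructed sites (weather.example and intranet.example are made-up names) on one address and falls back to a default page when the Host header is a bare IP.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample sites that share a single server address.
SITES = {
    "weather.example": b"weather site",
    "intranet.example": b"intranet site",
}
DEFAULT_SITE = b"default placeholder site"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Choose the site from the Host header, ignoring any :port suffix.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(server_addr, host_header):
    """Connect to server_addr (ip, port) and send the given Host header."""
    conn = http.client.HTTPConnection(*server_addr, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    body = conn.getresponse().read()
    conn.close()
    return body


def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = server.server_address
    try:
        by_name = fetch(addr, "weather.example")     # browser given a hostname
        by_ip = fetch(addr, f"{addr[0]}:{addr[1]}")  # browser given the bare IP
    finally:
        server.shutdown()
        server.server_close()
    return by_name, by_ip
```

`demo()` returns the body served for the hostname request and the body served for the IP-only request, which differ because the server selects the site from the Host header alone.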
 
seconded on the proxy and wsus suggestions. a wsus server is really easy to set up (though, with thousands of updates to filter from the start, can be tedious) and clients can be configured easily with a GPO. if you have a server that needs some action and has some disk space, a wsus server is worth setting up.
 
guess I have to be a bit more specific.

These systems are located at each of 40 semi-secure locations. (each essentially an 8x8 wooden shed with an attached outhouse on government property)
Each location has a single DSL/Cable/Verizon Aircard, and a netgear/linksys/dlink wired 4 port router.

Each location has 2 foremen, each having a laptop which requires full internet access. The above described desktop is to be a restricted weather terminal for all the non-foreman employees to use. It has guest-level privileges only with no logon password, and the internet is to be restricted to only our 4 permitted weather sites. (weather data is critical to our business).

Due to the large number of sites, and complete lack of servers, I can't do SuS.
Due to the foremen's requirements I can't do this at the router level...well at least not with $40 Walmart routers.
 
Doesn't MS automagically whitelist their update servers inside their internet-related .DLLs, anyways? At least, I think that they have since Vista.
 
Check pi-hole site for whitelisting.

If the machine is fast enough, maybe pi-hole in vm player as dns.

Also, I thought you can restrict browsers to only existing bookmarks?
 