# Need help securing workstations



## blizzardwolf (Nov 30, 2008)

I'm trying to secure three computers at my job from unwanted access and changes, and I've run into a little snag. First, here's the information on what I've got and what I've done:

3 workstations running Windows XP Professional
I have administrator access
I do not have access to the router or the server.

My objectives are:

1. To prevent any changes being made to the computers, such as through the installation of new software, the removal of existing software, or the ability to turn off things like Microsoft Security Essentials.
2. To prevent employees from visiting certain websites, while leaving other sites available and unaffected.

Some requested sites are Facebook, Youtube, CWTV, Google, Yahoo, Weather.com, Mapquest, etc. I work at a hotel, so these sites are commonly used for info access and a little goofing around. Banned sites are anything with flash games, pornography, ad heavy sites, the usual things a business wants closed.


At the moment, I've been requested to leave all the computers operating under one administrator account, so creating limited accounts for employees is out for now. I've also been asked to leave only a single browser, Internet Explorer 8, on the computers. 



Solutions I've tried:

Using a combination of the HOSTS file and the restricted sites option in IE, I tried to block a series of sites. Unfortunately, Windows has stopped reading the HOSTS file, and some sites slip right through the restriction setting in IE. I've tried several troubleshooting options for the HOSTS file, such as rebuilding it, flushing the DNS cache, stopping the DNS server, making sure the host name resolution order is correct, and making sure the path location is right in the registry. None of them worked, and I don't have access to the Windows XP disc to reload the original HOSTS file from the /i386 folder. I tried applying a fake proxy in IE, and adding the requisite sites in the exceptions list, except the various ads and banners those sites use are different addresses and keep showing up corrupted, and I need to leave the requested sites unaffected. I was told to do this without purchasing software, so I need to use the security settings in XP Pro to make all of this work.

Second, to prevent users from making changes, I implemented group policy under gpedit. I disallowed all software changes under the software security policies folder, and created a path rule exception for the C:\Program Files folder, so we can keep using the installed software, like IE and printers. So far, so good, except now we run into the second snag I’ve hit.
The hotel uses software called ChoiceAdvantage to manage its inventory of guests: reservations, check-ins, check-outs, etc. This software is entirely web based, with no local software on the computer except IE. There is a function in this software I’ve been told to leave alone called Live Support, which is just a chat window that opens up and lets employees chat with a support rep. This is accessed through the browser like any chat applet, except when it loads, the browser downloads a small .exe to the temp files folder in IE and runs it to open the chat window. Worse, it does this for each individual chat session, and deletes the .exe after. This means a hash rule in gpedit doesn’t work. I tried a path rule to the temp folder of IE, but that didn’t work either, though I don’t know why. And I don’t quite know how to use the other rules in gpedit.

So those are my problems, and my objectives. Suggestions, please, would be greatly appreciated, since I’ve been racking my brain to figure out what to do with this mess.


----------



## Wand3r3r (Sep 17, 2010)

Windows doesn't stop reading the hosts file. It caches it upon bootup. If you put an extension on the file it will not be read.

With everyone as local admin the hosts file is a waste of time.

If you don't have access to the router, your next step would be to bring up a proxy server and use it to filter all internet access. It would sit between the router and the switch connecting all the PCs.

Concerning the PCs' config, see if SteadyState will work for you:
Windows SteadyState - Wikipedia, the free encyclopedia
or
consider a product like Deep Freeze:
Deep Freeze Standard


----------



## blizzardwolf (Nov 30, 2008)

I thought it might be the fact that HOSTS had an extension, but I checked that too, and still didn't get anywhere. Regardless, the problems with Windows and the HOSTS file are another topic for another time.

I spoke to the manager of the hotel and suggested a proxy server, and while he said he'd consider it, for now he would like me to try to effect security without it. I also suggested Deep Freeze, since that looks like a good option, and while that was approved, the computers aren't rebooted very often, usually once a month or so, and our manager saves important business documents to these computers that she can't afford to lose.

I don't like the fact that everyone has to be an administrator and we have a web-based property management system, but my bosses have hamstrung me. They've suggested very strongly I need to do this with the native windows resources if at all possible, and only seek outside methods when local resources are proven inadequate. So please, keep the suggestions coming.


----------



## Wand3r3r (Sep 17, 2010)

They can't get there from here.
Manager is being dumb storing files locally and not on the server, which I expect is being backed up nightly. If it is not being backed up he is not dumb but stupid.

Guess your only option instead of a proxy is the hosts file. Can you provide a section for review?

Web based property management? Then why are they local admins at all??? That makes no sense.


----------



## blizzardwolf (Nov 30, 2008)

To my knowledge, since we've moved to an online-based property management system, we're not actually using our local server anymore. I'll suggest again not letting everyone run as administrators, but in my experience, even when under a limited account, users can still do certain things they shouldn't be able to, like install some programs. I'm not all that trusting of a limited account, at least by itself, for security measures.

I'd really like to do this through group policy, but I need to figure out why the live support executable isn't working. I really don't want to add .exe to the list of file type exceptions, since that kind of defeats the whole purpose of security through GP.

The HOSTS file: I've managed to get it working again, and I'm not sure what the problem was. I think it's because I entered the sites wrong in some cases, specifically including www when the DNS itself didn't. Still, I remember checking that before and it didn't work, so here's what I tried when it wasn't working, and I'll include a sample of the hosts file below.

1. Tried checking to make sure no extension was applied to HOSTS.
2. Tried checking the registry, and verifying the name resolution order put HOSTS first.
3. Tried checking the pathway for HOSTS in the registry, and made sure the registry key pointed to the right folder.
4. Flushed and rebuilt the DNS cache using nbtstat -R
5. Restored the HOSTS file from a backup I made before jerking around with it
6. Tried rebooting the computer.
7. Tried restoring the computer to an earlier restore point
8. Tried closing and re-opening the browser (Internet Explorer)
9. Tried resolving the HOST addresses with 127.0.0.1, and with 000.0.0.0
10. Verified there was no # sign in front of the addresses indicating an exception
11. Verified at least one space between the address and the IP
12. Made sure to put each address on a separate line
13. Shouted at Windows, and made a goat sacrifice to William Gates under the full moon.


After all of that, HOSTS still didn't work. I'm stumped. Here's my sample:

```
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 Free Flash Games
127.0.0.1 flashgamesite.com
127.0.0.1 Flash Games - Addicting Games - Free Games
127.0.0.1 Games - Free Online Games at Addicting Games!
127.0.0.1
```
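An added example, not from the thread, to check hosts-file lines the way a reviewer would: it is run over a constructed sample modelled on the file posted above (the forum has replaced some entries with page titles, one line carries an address only, and one uses the 000.0.0.0 form), and it also emits both the bare and the www form of each domain to block, since hosts matching is by exact name. Python and all function names here are my own assumptions, not part of the poster's setup.

```python
import re

# Constructed sample modelled on the thread's hosts file: the forum software
# replaced some URLs with page titles, and one line carries an address only.
SAMPLE_HOSTS = """\
127.0.0.1 localhost   # loopback, the only entry a fresh file needs
127.0.0.1 Free Flash Games
127.0.0.1 flashgamesite.com
127.0.0.1 Flash Games - Addicting Games - Free Games
127.0.0.1
000.0.0.0 www.flashgamesite.com
"""

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """True if every dot-separated label of name is a legal DNS label."""
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))

def valid_ipv4(addr):
    """Canonical dotted quad: four decimal octets 0-255 with no leading zeros, so 000.0.0.0 fails."""
    octets = addr.split(".")
    return len(octets) == 4 and all(o.isdigit() and str(int(o)) == o and int(o) < 256 for o in octets)

def parse_hosts(text):
    """Return ({hostname: ip}, [(lineno, reason)]) for the text of a hosts file."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) < 2:
            problems.append((lineno, "address without a hostname"))
        elif not valid_ipv4(fields[0]):
            problems.append((lineno, "not a canonical IPv4 address: " + fields[0]))
        elif not all(valid_hostname(n) for n in fields[1:]):
            problems.append((lineno, "not a hostname: " + " ".join(fields[1:])))
        else:
            for name in fields[1:]:            # several names on one line are all aliases
                if "." not in name and name.lower() != "localhost":
                    problems.append((lineno, "unqualified name, blocks no web site: " + name))
                entries[name.lower()] = fields[0]
    return entries, problems

def block_lines(domains):
    """Hosts matching is by exact name, so emit both the bare and the www form of each domain."""
    return ["127.0.0.1 " + form for d in domains for form in (d, "www." + d)]
```

Running parse_hosts over the sample reports the page-title lines, the bare address and the 000.0.0.0 line, while a line like "Free Flash Games" silently maps three one-word aliases that block nothing.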


----------



## Wand3r3r (Sep 17, 2010)

Formatting doesn't look right:
flashgamesite.com
should be
www.flashgamesite.com

Use the hosts file found here instead. It's been compiled to get most of the bad guys. Add to it as needed.

The trick I use is to go to the site and then copy the www URL into the hosts file, so I know I have the correct spelling.

Blocking Unwanted Parasites with a Hosts File


----------



## blizzardwolf (Nov 30, 2008)

Sorry for the late reply, I've been busy at work.

I tried MVP hosts shortly after modifying the original registry, and I tried adding it with the batch file, and then by just straight copying and pasting into the etc folder (backing up my original hosts file in both cases, of course). Still ran into the same problem.

As far as the incorrect formatting of the address, I did modify it to Free Flash Games, being sure of the proper DNS formatting, and tried both 127.0.0.1 and 000.0.0.0 for the routing, but the site was still slipping through.

An updated scan with Microsoft Security Essentials hasn't revealed any malicious software, and nothing has been installed that has a likely chance of causing conflicts with IE or name resolution. The computers we're doing this on are fairly new with a recently formatted system, so I don't think malware is the most likely culprit, but I'm going to run a boot time scan with Avast! in the next few days to be sure.

My well of ideas is starting to dry up. The HOSTS file is still not working, and I'm still no closer to figuring out why, or how to fix it.


----------



## Wand3r3r (Sep 17, 2010)

That 0.0.0.0 is web-based misinformation, so don't do that.

What/why are you modifying the registry???? Using the hosts file requires NO reg mod at all. That reg mod could be why it's not working.

What do you mean by "proper DNS formatting"?
Entries should be in the form www.domainname.extension

hosts has no extension and has to be placed in the ETC folder only.


----------



## blizzardwolf (Nov 30, 2008)

I will keep in mind the web-based misinformation, and stop trying the 000.0.0.0 address.

1. The registry has NOT been modified in any way. That was a miswording on my part, for which I apologize, where I meant to say "tried MVP hosts shortly after modifying the original *hosts*" instead of "registry." I haven't changed any of the settings there. I was checking the registry to make sure all of the settings relating to the hosts file were entered correctly, and hadn't been modified by someone or something else. One setting I checked and did not modify was the order in which Windows checks sources for domain names. By default, the hosts file should be (and was) listed first in that order. The second setting I verified was the registry entry for the location of the hosts file, specifically the one located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, making sure it pointed to C:\Windows\System32\Drivers\etc. Again, none of these registry settings have been modified, only checked and verified.

2. When I said DNS formatting, I meant in response to what you commented on, saying the formatting didn't look right. My entries in the hosts file have been fixed to read www.domainname.extension, instead of domainname.extension.

3. I've verified that hosts has no extension to it such as .exe or any other extension associated with an application, and I've made triple sure it's in the etc folder located at C:\Windows\System32\drivers\etc

4. I still haven't been able to figure out how group policy is conflicting with the .exe I need to download with live support. To recap this problem: I implemented group policy under gpedit. Specifically, I went into gpedit.msc, and under Local Computer Policy > Windows Settings > Security Settings > Software Restrictions, and set "Disallow" as my default, thus disallowing all software executions by default. I then added a path rule exception for C:\Program Files under Additional Rules in the same location, with the designation "unrestricted".

Now, each time our web based property management system attempts to initiate Live Support, it downloads a small .exe to the temp files folder of Internet Explorer, which then tries to execute in order to open the chat window. Since group policy is set to disallow, it interrupts this process at the executable.

Solutions I've tried for #4:

I tried adding a second path rule exception under gpedit for the temp files folder of Internet Explorer, but the Live Support .exe still didn't work.

I tried using a hash rule to make an exception for this little .exe, but the .exe gets deleted after one use, and a new chat session prompts a fresh new download of a unique .exe, rendering hash rules useless as I understand them.

The website itself has no certificate I can apply, and uses https. 


I'd like to figure out where the flaw in this security arrangement is, and how to correct it while leaving the group policy intact. As of this moment, all of my changes to group policy have been reverted, and "Allow" is currently the default for software security settings.


----------

