Restricting a "kids PC" to www only

Discussion in 'Broadband' started by Peter, Nov 28, 2003.

  1. Peter

    Peter Guest

    Hi,

    I know a fair bit about computing (manage a few NT4SP6a & win2k
    machines, via Cisco 803 routers) but I am not up to date on this.

    I need to set up a PC (win2k) for use by my two boys (aged 7,10) for
    occasional internet access. They will be supervised but it cannot be
    done 100%, obviously. And kids are very clever and VERY quick in
    crazily clicking on everything that pops up - that's what they do at
    school (but the school server is very restricted).

    I need to

    - limit that PC to www access only
    - no file downloads (if e.g. Flash is required I need to be able to do
    that myself)
    - virus protection
    - dodgy websites excluded as far as poss
    - if poss, cannot see other PCs on the LAN
    - email if any will be done via a yahoo.co.uk mailbox (www)

    The PC will access the internet via a Cisco 803 router (BTHH ISDN),
    configured with a pretty strict access list (but not http only because
    I use it too on another PC). So I need a www-only-limit on *that* PC
    only.

    I have both Norton and McAfee AV software, latest versions, and can
    use either. Normally I use Norton but it messes up some PCs so I use
    the other one on those.

    I gather Zonealarm etc can achieve the www-only function. Can it
    prevent executable downloads though?

    Are active-x a real risk? I have configured my own browser to ask on
    any active-x control and I usually say No, which doesn't seem to have
    much of an effect on most sites. I have also disabled 3rd party
    cookies.

    What s/w is best for site blocking? 10 year old boys nowadays go
    straight to Google, type in PORN, and click away...

    Any views/suggestions would be much appreciated.


    Peter.
     
    Peter, Nov 28, 2003
    #1

  2. Peter

    David Mahon Guest

    How much are you prepared to spend and/or do you already have a spare PC
    you can leave on 24/7 acting as a proxy/firewall?
     
    David Mahon, Nov 28, 2003
    #2

  3. Peter

    Pete Smith Guest

    <snip>

    I'd start by running a web proxy on your PC, and making sure that their PC
    only uses that web proxy, rather than a gateway.

    You're immediately stopping all traffic other than WWW.

    You can then add a list of addresses to your hosts file (as I have done)
    that stops all traffic from known dodgy sites.

    I've based my list on the one provided by Kazaa Lite, stripped out the
    duplications, and added some of my own. I was using Astalavista to check
    for security holes with the old version of Apache (which I run on this
    machine, and didn't want it to become a security risk), and kept
    redirecting me to streetblowjobs.com and bangbus.com(!)

    I added these to my hosts file, telling it that they resolve to 127.0.0.1,
    and then those sites, plus 95% of the adverts just fade into the
    background, giving a 404 error (because obviously my local server doesn't
    house hardcore porn onna-bus).

    You should also set their accounts to "Limited", so they can't change any
    of the settings.

    There's also parental filter software out there that you could also use.
    The previous method is only as good as the list of disallowed sites. The
    parental filter software should be configurable. My wife's school uses
    Cyberpatrol. You could start looking there.

    HTH.

    Pete.
     
    Pete Smith, Nov 28, 2003
    #3
  4. Peter

    Ian Stirling Guest

    Active-x is a real security risk.
    It's saying not only that you trust who signed the control, but you
    trust them to make 100% bug-free code.
    If someone finds an exploitable bug in an active-X control signed
    by microsoft, then all they need to do is to put it on their page, along
    with the data that does the exploit, and they are in.

    An active-X control basically has total access to your computer, unlike
    java, which at least attempts to keep it in its own space.
    I'd be considering a simple linux box.
    Practically any distribution can be installed easily if you just want
    something as simple as a browser on a LAN, and nothing else.
    This would also add an extra layer of security, as even if they did manage
    to download a program, it wouldn't run.
     
    Ian Stirling, Nov 28, 2003
    #4
  5. Peter

    Tim Bradshaw Guest

    I think you're basically doomed. If you can't trust them, then you've
    lost. Your best chance is to be able to know what happens and repair
    the damage quickly.

    What I'm going to do (when I get round to it) is several things in
    combination:

    1. Have the PC sitting isolated from our proper network, behind some
    kind of NAT firewall. This only matters if you have a proper
    network, of course! We're already behind a firewall, but I want
    the PC isolated so if anything bad happens to it, then it can't sit
    there watching our internal network traffic for instance.

    2. Have a single-command reinstallation for the PC. Either via vmware
    or ghost or something like that. The aim is to be able to blow a
    known-good windows image onto the PC from a read-only source at
    fairly frequent intervals.

    3. Use KPF on the PC to try and stop anything awful. (KPF can
    certainly restrict outgoing traffic (so you could set it up to only
    allow port 80 traffic, with no incoming traffic at all). The new
    version (4.x), which I don't have, seems to have application stuff
    as well. The old one at least seems to be way less intrusive and
    overcomplex than some other personal firewall products.)

    4. Only allow port 80 & other needed stuff outgoing from the PC on the
    NAT box (which will be a separate bit of HW thus less easily
    compromised than the PC). Insist that at least port 80 goes only
    to a web proxy we own.

    5. This web proxy will not restrict anything, but will log addresses.
    We will periodically look at these logs. If we find anything bad
    we'll ask the child to explain themselves, and if they can't give
    them a serious telling-off.

    This probably seems like overkill, but the aim is to protect our
    machines (which our business depends on), to make a best-attempt to
    protect the PC but to be able to reinstall it painlessly when that
    fails (as I expect it will), and finally not to restrict what goes on,
    which seems to me both futile and likely to cause the child to try
    harder to get around the restrictions, but to be able to *know* what
    goes on, so we can be fierce if anything bad happens.

    FWIW we also (will) do stuff like this for things like banking access
    where the bank will only support IE (we use Firebird internally).

    --tim
     
    Tim Bradshaw, Nov 28, 2003
    #5
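Pete Smith's hosts-file sinkholing and Tim Bradshaw's step 5 (a proxy that restricts nothing but logs every address, with the logs reviewed periodically) fit together: the same block list can feed the hosts file and flag log entries for review. The following is an added Python example, not code from any poster in this thread; the block list and the access-log lines are constructed, and the log field order assumed is that of squid's native access.log (time, elapsed, client, status, bytes, method, URL, ...).

```python
# Added example: parse a hosts-file block list (Pete Smith's approach) and review a
# logging proxy's access log against it (Tim Bradshaw's step 5). All input is
# constructed; the field order assumed is squid's native access.log format.
import re
from collections import defaultdict
URL_HOST = re.compile(r"^[a-z]+://([^/:]+)")   # scheme://host[:port]/...
BLOCKLIST_TEXT = """
# sinkholed domains (constructed)
127.0.0.1 ads.example.net tracker.example.org
127.0.0.1 bad-site.example
127.0.0.1 ads.example.net   # duplicate, as merged lists often have
"""

LOG_TEXT = """
1070000000.123    45 192.168.1.20 TCP_MISS/200 5120 GET http://www.yahoo.co.uk/ - DIRECT/1.2.3.4 text/html
1070000001.456    12 192.168.1.20 TCP_MISS/200 300 GET http://ads.example.net/banner.gif - DIRECT/1.2.3.5 image/gif
1070000002.789    80 192.168.1.20 TCP_MISS/200 9000 GET http://www.bad-site.example/page - DIRECT/1.2.3.6 text/html
1070000003.000    10 192.168.1.21 TCP_MISS/200 120 GET http://kids.example.com/game.exe - DIRECT/1.2.3.7 application/octet-stream
"""

def parse_hosts_blocklist(text):
    """Return the set of names a hosts file sinkholes to a loopback/null address."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # strip comments, then tokenise
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            blocked.update(p.lower() for p in parts[1:])
    return blocked

def is_blocked(host, blocked):
    """True if the host or any parent domain is listed (www.x.example matches x.example)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def review_log(log_text, blocked):
    """Per client IP: request URLs that hit the block list, and executable downloads."""
    report = defaultdict(lambda: {"blocked": [], "downloads": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                        # blank or truncated line
        client, url = fields[2], fields[6]
        m = URL_HOST.match(url)
        if not m:
            continue                        # e.g. CONNECT host:port entries
        if is_blocked(m.group(1), blocked):
            report[client]["blocked"].append(url)
        if url.lower().split("?", 1)[0].endswith((".exe", ".scr")):
            report[client]["downloads"].append(url)
    return dict(report)
```

Run against a real squid log, the report gives the per-child list of flagged URLs Tim describes reviewing, and the .exe/.scr check catches the screensaver-style downloads Peter worries about even when the host is not on the list.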
  6. Peter

    Peter Guest

    The problem is that many websites were developed only for IE6.x


    Peter.
     
    Peter, Nov 28, 2003
    #6
  7. Peter

    Peter Guest

    They would be using a dedicated PC; money on software isn't a problem.
    I don't want to dedicate a PC to run 24/7.


    Peter.
     
    Peter, Nov 28, 2003
    #7
  8. Peter

    Ian G Batten Guest

    Put it behind a web proxy, running on a distinct machine (any old tat
    will do: I use an old 233MHz laptop with a broken screen). Put decent
    firewalling on that machine, plus squid in transparent proxy mode (and
    the squidguard filter if that's your taste). Restrict access to the
    firewall machine to ssh with public key authentication, and either kill
    the getty on the console (for the brave) or lock the lid of the laptop
    down in a tamper evident way.

    My kids aren't that age yet, but I'm planning in advance :)

    ian
     
    Ian G Batten, Nov 28, 2003
    #8
  9. Peter

    Peter Guest

    Doesn't this mean that I need to explicitly enable each website they
    want to access?


    Peter.
     
    Peter, Nov 28, 2003
    #9
  10. Peter

    Ian G Batten Guest

    The set of web sites I've had problems with using Mozilla 1.latest is
    vanishingly small.

    ian
     
    Ian G Batten, Nov 28, 2003
    #10
  11. Peter

    Ian G Batten Guest

    Why not? Get an old laptop: silent, minimal power consumption, minimal
    space.

    ian
     
    Ian G Batten, Nov 28, 2003
    #11
  12. Peter

    Colin Wilson Guest

    > Doesn't this mean that I need to explicitly enable each website they
    No, you explicitly "disable" sites you want blocked in the hosts file
     
    Colin Wilson, Nov 28, 2003
    #12
  13. Peter

    Colin Wilson Guest

    > My kids aren't that age yet, but I'm planning in advance :)

    LOL you're not kidding either !
     
    Colin Wilson, Nov 28, 2003
    #13
  14. Peter

    Peter Guest

    Can't I use e.g. Zonealarm to enable only www access, disable active-x
    in IE6, use Net-Nanny (or similar) to block a load of sites? I haven't
    got Zonealarm but presumably it has a password protection feature so
    people can't easily disable it.

    Great point about easy restore - that will be the case. There will be
    a second win2k install (on another partition) with networking
    configured, so I will be able to restore this PC from a DDS3 tape
    drive on another PC.


    Peter.
     
    Peter, Nov 28, 2003
    #14
  15. Peter

    Ian G Batten Guest

    In general, anyone with physical access to a machine can bypass any
    services which run on it, absent things like cryptographic filestores.

    ian
     
    Ian G Batten, Nov 28, 2003
    #15
  16. Peter

    Ian G Batten Guest

    It strikes me that if you're going to do a job, you should do it
    reasonably securely. I've had this setup for a few years now, and I'm
    glad of it as my elder (7) is using google more. At the moment it's
    just effective filtering (and it knocks off IM and all that sort of
    tat). Later it's effective and unbypassable filtering.

    ian
     
    Ian G Batten, Nov 28, 2003
    #16
  17. Peter

    Don Pearce Guest

    Can they reach as high as the keyboard? If so, they probably know how
    to spoof an IP by now.

    d

    _____________________________

    http://www.pearce.uk.com
     
    Don Pearce, Nov 28, 2003
    #17
  18. Peter

    Peter Guest

    Yes, this I know. But I don't have a problem with somebody doing
    something deliberate and clever like that, because they will get
    caught and there will be no more internet access!!

    What I need security against is a kid *randomly* clicking on web
    links. On an open system, they can execute programs (.exe, active-x,
    java), install screensavers (.scr; .exe basically) - a lot of kids
    sites are full of downloadable crap like screensavers. Then there are
    viruses which get installed simply by clicking on a link.

    I think there is also a way to disable Control Panel under win2k...


    Peter.
     
    Peter, Nov 28, 2003
    #18
  19. Peter

    Sam Albrow Guest


    Use windows XP, it will allow almost total lockdown.
    Not sure about that
    An anti virus program set to update automatically.
    Not sure about this. Some sort of net nanny product. Also I saw on Google
    Free Bar something about blocking popups, not sure if it will do filtering
    also, I know it has a normal adult content protector on search results -
    investigate.
    They won't be able to.
    Fair enough.
    By http:// only do you really mean not ftp etc. They *shouldn't* be able to
    download too many programs, and you will obviously notice if they do try and
    are they really going to try ftp?

    Perhaps some sort of firewall will allow port 80 only but there is a limit
    to locking down and still having a computer that is usable. Play with XP and
    it will do a lot of things.



    Google has adult content filter but it won't stop porn and still be usable.
    It is a fact of the net either put up with it or don't let them use the net.
    They should be trusted not to go and totally mess up their computer -
    otherwise they shouldn't have one. Also make them feel too restricted and
    they may rebel and be more likely to abuse.

    sam
     
    Sam Albrow, Nov 28, 2003
    #19
  20. Peter

    John Rumm Guest

    If you create a (non admin) account for them under Win2k or XP then you
    can tie it down as much or as little as you like using the group policy
    editor, and the security policy editor.

    From a command line enter:

    "start gpedit.msc" for the Group policy editor
    "start secpol.msc" for the security policy editor


    --
    Cheers,

    John.

    /=================================================================\
    | Internode Ltd - http://www.internode.co.uk |
    |-----------------------------------------------------------------|
    | John Rumm - john(at)internode(dot)co(dot)uk |
    \=================================================================/
     
    John Rumm, Nov 29, 2003
    #20