Best way to restrict a computer to one website and block intruders.

Status
Not open for further replies.

nate2345

IS-IT--Management
Aug 9, 2004
84
US
We need to give out computers to clients so that they can access our website. There are 2 issues: 1) Since they will have a constant internet connection we need to install a firewall. 2) We need to restrict them to all but one website.

Can anyone suggest the most efficient way to accomplish this? One thing I must add, it needs to be set up so that even if they get the administrator password they should not be able to change these 2 critical requirements. So they would need their own passwords.

Thanks,
Nate
 
bcastner,

That was a really cool idea. The only problem is that someone who gets the local administrator password or changes it (which I think is pretty easy to crack these days) can disable the firewall.

I'm not sure a software firewall would do the trick either since it could probably be uninstalled with the admin account even though it has its own user name and password for configuring. I'm still hoping you have some other innovative idea or just a recommendation even if it will cost us some money.

By the way what do network administrators do to prevent some computer kid from using a password changer utility to crack the admin password (I'm not talking about changing it remotely - just changing the password at the physical computer)?

Thanks,
Nate
 
They do not let "some computer kid" near their physical workstations or servers.

If you permit access to the physical machine, then there is no security.

As Bill Gates said about the issue: "Fundamentally, physical access to the computer means there is no security, other than buying a large and angry dog."

If your concern is that these changes can be effected remotely, you need to rethink your basic security. If your concern is that someone with physical access to the device can "crack" it open, yes they can.
 
"If your concern is that someone with physical access to the device can "crack" it open, yes they can."

That is what I'm referring to when I said "a computer kid", I just meant someone who uses the computer every day but knows a lot about computers. So you're saying that there is no good way to secure the computer.

Remember we are giving these computers to clients. We're not so concerned about our own security it's just that for compliance issues we can't allow any other use of this computer other than to get information off our website (which contains sensitive information). What would you do in our situation?
 
SSL on your website.

You cannot do much about a notebook given out in terms of security, but you can ensure your website is not hacked.
 
I would follow Bcast's recommendation. If a system is stolen or someone else sits at it, you're kinda hosed, no matter what security you put into place.

The only recommendation I can make to you, is to force everyone to authenticate to a Citrix or Terminal Services session. It's more secure, in the fact that no information is stored locally, but the local system can and always will be open to attack if someone is at it.
 
You might consider talking with the Microsoft Developer folks about embedded or Windows CE.

In this case you would write a single purpose application that would survive a physical access attack.

I know only the perimeters of this as an option, but I suspect it might work in your instance:
 
Our website has ssl, so it would appear that the option which makes sense is to use the firewall and use group policy.

Thanks for the idea and your time!

Nate
 
You are very welcome.

Do consider offering a lower cost embedded device in the future to your clients.
 