Archive for July, 2012

Preventing Windows 7 users from accessing the internet

Sunday, July 29th, 2012

I was recently asked to help out by implementing a method of preventing users from accessing the internet on AD-joined Windows 7 workstations using any installed software.

The problem is that in many applications under the Help you’ll find a URL which opens in the default browser. So it’s clearly not enough to deactivate keyboard combinations or to remove shortcuts.

The limitations were:
-Solution must be simple to implement and simple to undo
-I don’t have administrative access to the company firewall
-The users have a generic local profile (as compared to a personal user profile) and no administrative access
-It’s only for a limited time e.g. a couple of hours

I played around with the following ideas and tried to implement them:
-Activating parental controls on Windows 7 via GPO
-Put basically all URLs in the restricted sites zone in the Internet Options via GPO
-Replacing the DNS servers in network settings and implementing a customized hosts file
-Reconfiguring the Windows firewall
-Implementing a third party DNS-blocking tool or proxy server

All these methods were either difficult to implement (DNS-blocking tool or proxy server), difficult to configure (parental control, restricted sites zone), basically put the system in an unworkable condition (replacing the DNS servers) or were simply not meant to be (using the Windows firewall to prevent internet access).
For example, replacing the DHCP-assigned DNS servers with 127.0.0.1 and adding two or three entries in a host file, Windows would boot and reboot again when starting the computer. Also, the computer was not reachable anymore in our deployment tool.

In the end, the easiest method was to remove read and execute permissions for users on the installed browsers and similar executables. In our managed environment, that would be Internet Explorer (iexplore.exe), Firefox (firefox.exe) and ftp.exe.

Implemented on the command line, it’s quite simple. takeown.exe can change the owner of a file or folder to you or the administrators group. With icacls, you can change permissions on a file or folder.

Make Mozilla Firefox a non-executable:

REM # gives ownership to the administrators group
takeown /F “\Program Files\Mozilla Firefox\firefox.exe” /A

REM # remove all rights for “Users”
icacls “\Program Files\Mozilla Firefox\firefox.exe” /deny “BUILTIN\Users”:RX

Make Mozilla Firefox executable again:

REM # grant rights again
icacls “\Program Files\Mozilla Firefox\firefox.exe” /grant “BUILTIN\Users”:RX

The same lines of code can be used with ftp.exe, which lives in the System32 folder. Instead of “\Program Files”, you could of course also use environment variables such as %ProgramFiles% or %WinDir%\System32

This seemed to work with Firefox. With Internet Explorer, there was an additional problem: TrustedInstaller, a Windows system account that protects critical files and folders against manipulation. Or as I came to call it: Making life hard for no reason.
If you try to undo the changes with the above lines of code, all you will get is access denied. You have to take some additional steps to make Internet Explorer executable again:

REM # remove rights for TrustedInstaller from executable
icacls “\Program Files\Internet Explorer\iexplore.exe” /remove:g “NT Service\TrustedInstaller”

REM # grant rights for users again
icacls “\Program Files\Internet Explorer\iexplore.exe” /grant “BUILTIN\Users”:RX

REM # grant rights for TrustedInstaller again
icacls “\Program Files\Internet Explorer\iexplore.exe” /grant “NT Service\TrustedInstaller”:F

REM # grant full rights to administrators group
icacls “\Program Files\Internet Explorer\iexplore.exe” /grant “BUILTIN\Administrators”:F

REM # setowner to TrustedInstaller again
icacls “\Program Files\Internet Explorer\iexplore.exe” /setowner “NT Service\TrustedInstaller” /C

REM # reset rights of administrators to RX again
icacls “\Program Files\Internet Explorer\iexplore.exe” /grant:r “BUILTIN\Administrators”:RX

In our deployment tool, I can simply assign a batch file to make ff, ie and ftp unreadable to the users and assign another batch file to return the system back to normal.

I’m not saying this method is fool-proof and perfect. There are probably ways to work around these limitations but I’m confident this is raising the bar high enough to prevent users in a managed computer environment to access the internet when they have only very limited time while being supervised.