OT: Secure web browsers

Morning all,

feeling lazy so thought I'd consult with the brains trust.

Does anyone know of a web browser that effectively runs as a sandbox on the user's machine? and that the settings for the box can be controlled to stop them from leaving files around and printing?

I know systems like Cisco Secure Desktop exist, but I haven't got budgie for a whole new system, so thought I'd explore from the other side.

Cheers

Si

Reply to
GrnOval

What OS?

Reply to
EMB

Well, I've not tried any of the options, but searching google for "firefox kiosk" throws up a few agreeably simple-looking options.

Reply to
Ian Rawlings

For the Rolls Royce solution, set up a virtual machine on your desktop, then you can run any browser you wish inside the virtual machine. Microsoft VM (Among others, google is your friend) is a free download & can run Linux or any 32 bit windows version. You'll need a fair bit of free HD space, though.

When you've finished, just unload it without saving changes & you've a clean install for next time.

Reply to
John Williamson

Mind you it does depend on how savvy your restricted users are, if they are very computer savvy and you want to restrict them further, then you need to do more work, e.g. remove the print dialogue as this can be used sometimes to execute programmes, and set it as their desktop shell so if they close the window with alt-F4 then it logs them out. I think the r-kiosk plugin removes the location bar so they can only go to bookmarked pages and pages that are linked to from there. For kids, r-kiosk in its basic form is probably fine but it's hard to disable so set it up in a separate account for them.

Reply to
Ian Rawlings

I was going to suggest vmware with the non-persistent disc option, but the problem with any of those options is that you have to prevent the user from being able to exit from the virtual machine and gain access to the normal desktop, which is an issue.

Mind you if it's a windows box he's using, then firefox in kiosk mode still can be exited giving access to the desktop with the insecure and unrestricted internet explorer available so perhaps he needs to look for a restricted mode for explorer, or set firefox up as the login shell on the windows box (a registry edit is needed I think).

Another option would be a proxy that needs to be used to access the internet, with a whitelist of permitted sites, but that really needs an additional machine to do it properly.

Reply to
Ian Rawlings

Boot from a customised Live CD, running Firefox or Opera in kiosk mode?

If that's all the machine's to be used for, that's possibly the safest option.

Reply to
John Williamson

We're getting rather rapidly away from the simple option here though ;-)

If it's just for stopping kids getting to sites they shouldn't do, then it's not needed to go quite that far, one of the browsers forced into kiosk mode should be enough, how you stop people running IE under windows though isn't something I've ever tried myself, my only involvement in kiosk modes under Windows has been in breaking out of them and I've not done any of that kind of work for a few years now.

Reply to
Ian Rawlings

Glad to see everyone thinking along the same lines I did.

What it's for is that the latest batch of Cabinet Office guidance makes it difficult to use some web based solutions. Trouble is, it's these very web based solutions that allow work to take place.

I had a bit more of a delve, and I was thinking Live CD, as I can make the browser identification string unique, and then only let the browser connect to the web server with the right string. Not a fab control, but at least it would mean I had control of my users and their browser. In turn with that, I can enforce what the browser gives them in terms of print services (nuttin!) and likewise I can let them work on a file, but if they can't mount a drive other than the memory, then when they switch off no lapsed files.

Only issuette would be in terms of how people connect to the internet - but hey, that's an IT issue :-)

thanks all

Si

Reply to
GrnOval

Hmm, quite easy to get around though if they can see what string's in use, if you're on a network where people can plug their own machines in but the official machines are locked down, then SSL certificates might be a better bet, so the client can't connect to the server unless the client's SSL certificate is on the server. That would only allow someone to connect if they had managed to steal the certificate files from one of the authorised client machines.

It's quite hard to know what can be done without actual detailed knowledge of the restrictions and the surrounding network and a whole host of other things, and from the sound of it you've got some quite stringent requirements so might be best to get some professional help. Stopping people mounting USB drives might be hard for example, especially if you have USB keyboard and mouse. There's probably a way to do it, I only do the breaking-in part, not so much of the actual securing.

However a basic system might be client-side certificates, a browser in kiosk mode set to execute as the login shell so quitting it logs you out. Then superglue something into the USB ports ;-)

Browsers are very hard to control though, particularly internet explorer. One job I worked on used the Opera browser that had been custom modified by the Opera folks to chop out much of the functionality, e.g. save pages, load pages from disc, print dialogue and so on, but I still kept finding ways out, it took them 3 years of regular 6-monthly updates to stop me :-P They based their kit on linux to get around the problems with Windows being almost uncontrollable. I've seen plenty of attempts to lock down windows and I've always been able to get to places I shouldn't.

Reply to
Ian Rawlings
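The two controls discussed above, side by side, as an added example that is not part of the original thread: gating on the browser identification string versus requiring a client certificate. It assumes an nginx front end in front of the web application; the hostnames, file paths, backend address and the identification string are all placeholders.

```nginx
# Added illustration; every name, path and string below is a placeholder.

# Weak control: accept only a "secret" browser identification string.
# The string is sent with every request and sits in the browser config
# on the CD, so anyone who reads it can send it from any other client.
server {
    listen 443 ssl;
    server_name weak.example.internal;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    if ($http_user_agent != "LiveCD-Browser/1.0 placeholder-token") {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Stronger control: the TLS handshake fails unless the client proves
# possession of a private key whose certificate was issued by your CA.
server {
    listen 443 ssl;
    server_name app.example.internal;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA that signs the certificates baked into the authorised clients.
    ssl_client_certificate /etc/nginx/tls/clients-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Revocation list, so a lost or copied client certificate can be
    # withdrawn without reissuing all the others.
    ssl_crl /etc/nginx/tls/clients-ca.crl;

    location / {
        # Pass the verified identity to the application for logging.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Issuing one certificate per user or per disc, rather than one shared certificate, lets the revocation list cut off a single copy and ties log entries to a specific client.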

Chairman Bill has a lot to answer for :-)

My main driver behind this is allowing staff to work remotely on projects. The latest Cabinet Office guidance says they can't if the "system will allow printing of restricted information" and "if restricted data can be saved onto an unauthorised disk"

Hence my thoughts that a customised (ish) browser, yes as I said not fab, but it's a start, on a system where you can't install a printer, and you can't mount any drives, and only have access to the applications I give you is about as good as I can get without a mega spend.

I find windows is just a right PITA, and have a dislike of it whenever anyone mentions "security". Sitting as a bog standard user where I am now I can see far too much thanks to 'Doze :-)

Si

Reply to
GrnOval

Am I understanding this right that the guidelines you are trying to follow say that users shouldn't be able to save anything onto external media, or print, and you want to limit what websites they can access?

Sounds like you need to do more than just sandbox the browser.

If you use a windows domain you can easily lock down all the printing and drive access stuff, and prevent access to the settings to change it back - or you could do it on a local machine by messing with the local group policies. You could set up a linux box similarly. The only decent way to stop access to much of t'internet would be to setup your machine on a network such that it has no external access other than through a proxy server. Set said proxy to only allow out to sites on a whitelist. This is easily done with something like smoothwall with dansguardian/squid.

Reply to
Tom Woods

I think I must have misdescribed -

what I have is a web based application that is our application. In order to control what the users can do, in terms of remote working, with a more or less zero budget and an unhelpful IS division, then my plan is to set the web server so it will only accept connections from my customised browsers. As I have said, not brilliant, but a start (and before anyone else starts, yes I have lots of other security goodies to authenticate peeps).

The users will then trundle home with their cd, whack it in their home machine, boot up, and have a secure desktop that will let them access the application, but not to print it and save files.

Windows domains would be bugger all good as it isn't the windows domain side.

Hence my start point of a browser that had its own sandbox, couldn't find one (found an app called sandboxie, but it would still allow printing) so developed through the you want to use this web app, you use my OS for it approach.

Si

Reply to
GrnOval

Right, in this case, I might be tempted to try out VMWare Player, you prepare a VMWare image with all the goodies required, then users can run it on their normal PC but the vmware image you give them will only do what you tell it to do. You can distribute VMWare Player for free and use VMWare Server to create the virtual machines in the first place, also for free.

But I'd certainly use client-certificates to stop traffic being snooped, captured or redirected, when files are transferred across an HTTP connection it's quite easy to capture them, programmes even exist that sit in the background sniffing a network, capturing such file transfers from HTTP, network shares, FTP etc. There's no way you could stop a user from capturing such files without encrypting the data as it's transferred.

Reply to
Ian Rawlings

Even if such a system could be built to a sufficient standard, they (or someone else) can still photograph the screen.

Reply to
William Tasso

as may be, but the rules I have to worry about are only concerned with print and file :-)

Reply to
GrnOval

Clearly what you need is a computer without a monitor !

Steve

Reply to
Steve Taylor

Oh if only I could get that one through then I'd be on a winner!

It gets somewhat annoying, sitting in "boards" with a group of numpties who have no idea what the f*ck they're talking about, whose only concern is "has anyone been sacked yet?" where data security is concerned.

The vmware idea has got a degree of possibility, except it requires the OS to be licensed, and in the timeframes I've got I won't be able to get the purchase through.

Back to a live cd - nearly finished making it

Ian, as I said I have an awful lot of other goodies in place, I am just simplifying the browser string to one item as something that is out of the box.

Si

Reply to
GrnOval
