Locking Windows Down, to Single App/URL (Secure Virtual Desktop, OPSWAT)

[Vini]

I'm wondering if anyone has any suggestions into locking down/crippling Windows, limiting it to a single URL, and then if possible, single Application.

In the past I've struggled to achieve this solely using GPO. I've had a quick play with an OPSWAT device, that provides a secure virtual desktop environment.

Unfortunately, it's pretty much a steady state/sandbox environment with little restriction IN the SVD instance.

The goal is to prevent Joe Bloggs from downloading from Box.com and then reuploading to Google Drive. Restricting the user to *.box.com

If we can go further and limit the user to Microsoft Word, then that would be great.


I started to play with AppLocker a couple of days ago, and might be able to get close with a mixture of AppLocker and GPO. However, AppLocker requires Ultimate/Enterprise+ editions of Windows 7/8 and that makes it less than ideal.

I'm looking for suggestions/products that might help/assist with this requirement.

[Splash]

I've no expertise in SVD or OPSWAT particularly, but it sounds like just preventing the user from launching a browser at all would be handy... Am I underthinking it?

[Agent]

You can use the hosts file to block sites and even TLDs: http://discussions.virtualdr.com/sho...hp?113406.html

3rd / last post. It should work, although there are a lot of TLDs these days: https://en.wikipedia.org/wiki/List_o...-level_domains

[Agent]

This is untested. You'll need to add the allowed website in using the notion of the rules going from top to bottom.

This is from the Wikipedia page I linked, made into a useable hosts file format.

Code:

10.0.0.1 .academy
10.0.0.1 .aero
10.0.0.1 .bike
10.0.0.1 .biz
10.0.0.1 .build
10.0.0.1 .builders
10.0.0.1 .cab
10.0.0.1 .camera
10.0.0.1 .careers
10.0.0.1 .cat
10.0.0.1 .center
10.0.0.1 .ceo
10.0.0.1 .christmas
10.0.0.1 .clothing
10.0.0.1 .club
10.0.0.1 .com
10.0.0.1 .company
10.0.0.1 .computer
10.0.0.1 .construction
10.0.0.1 .contractors
10.0.0.1 .coop
10.0.0.1 .diamonds
10.0.0.1 .directory
10.0.0.1 .domains
10.0.0.1 .email
10.0.0.1 .enterprises
10.0.0.1 .equipment
10.0.0.1 .estate
10.0.0.1 .eus
10.0.0.1 .gallery
10.0.0.1 .gift
10.0.0.1 .graphics
10.0.0.1 .guitars
10.0.0.1 .guru
10.0.0.1 .holdings
10.0.0.1 .info
10.0.0.1 .int
10.0.0.1 .jobs
10.0.0.1 .kitchen
10.0.0.1 .land
10.0.0.1 .lighting
10.0.0.1 .limo
10.0.0.1 .link
10.0.0.1 .management
10.0.0.1 .menu
10.0.0.1 .mobi
10.0.0.1 .museum
10.0.0.1 .name
10.0.0.1 .net
10.0.0.1 .org
10.0.0.1 .photo
10.0.0.1 .photography
10.0.0.1 .photos
10.0.0.1 .pics
10.0.0.1 .plumbing
10.0.0.1 .post
10.0.0.1 .pro
10.0.0.1 .recipes
10.0.0.1 .sexy
10.0.0.1 .shoes
10.0.0.1 .singles
10.0.0.1 .solutions
10.0.0.1 .systems
10.0.0.1 .tattoo
10.0.0.1 .technology
10.0.0.1 .tel
10.0.0.1 .tips
10.0.0.1 .today
10.0.0.1 .training
10.0.0.1 .travel
10.0.0.1 .uno
10.0.0.1 .ventures
10.0.0.1 .voyage
10.0.0.1 .wed
10.0.0.1 .xxx
10.0.0.1 .edu
10.0.0.1 .gov
10.0.0.1 .mil
10.0.0.1 .asia
10.0.0.1 .berlin
10.0.0.1 .kiwi
10.0.0.1 .neustar
10.0.0.1 .ac
10.0.0.1 .ad
10.0.0.1 .ae
10.0.0.1 .af
10.0.0.1 .ag
10.0.0.1 .ai
10.0.0.1 .al
10.0.0.1 .am
10.0.0.1 .an
10.0.0.1 .ao
10.0.0.1 .aq
10.0.0.1 .ar
10.0.0.1 .as
10.0.0.1 .at
10.0.0.1 .au
10.0.0.1 .aw
10.0.0.1 .ax
10.0.0.1 .az
10.0.0.1 .ba
10.0.0.1 .bb
10.0.0.1 .bd
10.0.0.1 .be
10.0.0.1 .bf
10.0.0.1 .bg
10.0.0.1 .bh
10.0.0.1 .bi
10.0.0.1 .bj
10.0.0.1 .bm
10.0.0.1 .bn
10.0.0.1 .bo
10.0.0.1 .br
10.0.0.1 .bs
10.0.0.1 .bt
10.0.0.1 .bv
10.0.0.1 .bw
10.0.0.1 .by
10.0.0.1 .bz
10.0.0.1 .ca
10.0.0.1 .cc
10.0.0.1 .cd
10.0.0.1 .cf
10.0.0.1 .cg
10.0.0.1 .ch
10.0.0.1 .ci
10.0.0.1 .ck
10.0.0.1 .cl
10.0.0.1 .cm
10.0.0.1 .cn
10.0.0.1 .co
10.0.0.1 .cr
10.0.0.1 .cs
10.0.0.1 .cu
10.0.0.1 .cv
10.0.0.1 .cw
10.0.0.1 .cx
10.0.0.1 .cy
10.0.0.1 .cz
10.0.0.1 .dd
10.0.0.1 .de
10.0.0.1 .dj
10.0.0.1 .dk
10.0.0.1 .dm
10.0.0.1 .do
10.0.0.1 .dz
10.0.0.1 .ec
10.0.0.1 .ee
10.0.0.1 .eg
10.0.0.1 .eh
10.0.0.1 .er
10.0.0.1 .es
10.0.0.1 .et
10.0.0.1 .eu
10.0.0.1 .fi
10.0.0.1 .fj
10.0.0.1 .fk
10.0.0.1 .fm
10.0.0.1 .fo
10.0.0.1 .fr
10.0.0.1 .ga
10.0.0.1 .gb
10.0.0.1 .gd
10.0.0.1 .ge
10.0.0.1 .gf
10.0.0.1 .gg
10.0.0.1 .gh
10.0.0.1 .gi
10.0.0.1 .gl
10.0.0.1 .gm
10.0.0.1 .gn
10.0.0.1 .gp
10.0.0.1 .gq
10.0.0.1 .gr
10.0.0.1 .gs
10.0.0.1 .gt
10.0.0.1 .gu
10.0.0.1 .gw
10.0.0.1 .gy
10.0.0.1 .hk
10.0.0.1 .hm
10.0.0.1 .hn
10.0.0.1 .hr
10.0.0.1 .ht
10.0.0.1 .hu
10.0.0.1 .id
10.0.0.1 .ie
10.0.0.1 .il
10.0.0.1 .im
10.0.0.1 .in
10.0.0.1 .io
10.0.0.1 .iq
10.0.0.1 .ir
10.0.0.1 .is
10.0.0.1 .it
10.0.0.1 .je
10.0.0.1 .jm
10.0.0.1 .jo
10.0.0.1 .jp
10.0.0.1 .ke
10.0.0.1 .kg
10.0.0.1 .kh
10.0.0.1 .ki
10.0.0.1 .km
10.0.0.1 .kn
10.0.0.1 .kp
10.0.0.1 .kr
10.0.0.1 .kw
10.0.0.1 .ky
10.0.0.1 .kz
10.0.0.1 .la
10.0.0.1 .lb
10.0.0.1 .lc
10.0.0.1 .li
10.0.0.1 .lk
10.0.0.1 .lr
10.0.0.1 .ls
10.0.0.1 .lt
10.0.0.1 .lu
10.0.0.1 .lv
10.0.0.1 .ly
10.0.0.1 .ma
10.0.0.1 .mc
10.0.0.1 .md
10.0.0.1 .me
10.0.0.1 .mg
10.0.0.1 .mh
10.0.0.1 .mk
10.0.0.1 .ml
10.0.0.1 .mm
10.0.0.1 .mn
10.0.0.1 .mo
10.0.0.1 .mp
10.0.0.1 .mq
10.0.0.1 .mr
10.0.0.1 .ms
10.0.0.1 .mt
10.0.0.1 .mu
10.0.0.1 .mv
10.0.0.1 .mw
10.0.0.1 .mx
10.0.0.1 .my
10.0.0.1 .mz
10.0.0.1 .na
10.0.0.1 .nc
10.0.0.1 .ne
10.0.0.1 .nf
10.0.0.1 .ng
10.0.0.1 .ni
10.0.0.1 .nl
10.0.0.1 .no
10.0.0.1 .np
10.0.0.1 .nr
10.0.0.1 .nu
10.0.0.1 .nz
10.0.0.1 .om
10.0.0.1 .pa
10.0.0.1 .pe
10.0.0.1 .pf
10.0.0.1 .pg
10.0.0.1 .ph
10.0.0.1 .pk
10.0.0.1 .pl
10.0.0.1 .pm
10.0.0.1 .pn
10.0.0.1 .pr
10.0.0.1 .ps
10.0.0.1 .pt
10.0.0.1 .pw
10.0.0.1 .py
10.0.0.1 .qa
10.0.0.1 .re
10.0.0.1 .ro
10.0.0.1 .rs
10.0.0.1 .ru
10.0.0.1 .rw
10.0.0.1 .sa
10.0.0.1 .sb
10.0.0.1 .sc
10.0.0.1 .sd
10.0.0.1 .se
10.0.0.1 .sg
10.0.0.1 .sh
10.0.0.1 .si
10.0.0.1 .sj
10.0.0.1 .sk
10.0.0.1 .sl
10.0.0.1 .sm
10.0.0.1 .sn
10.0.0.1 .so
10.0.0.1 .sr
10.0.0.1 .ss
10.0.0.1 .st
10.0.0.1 .su
10.0.0.1 .sv
10.0.0.1 .sx
10.0.0.1 .sy
10.0.0.1 .sz
10.0.0.1 .tc
10.0.0.1 .td
10.0.0.1 .tf
10.0.0.1 .tg
10.0.0.1 .th
10.0.0.1 .tj
10.0.0.1 .tk
10.0.0.1 .tl
10.0.0.1 .tm
10.0.0.1 .tn
10.0.0.1 .to
10.0.0.1 .tp
10.0.0.1 .tr
10.0.0.1 .tt
10.0.0.1 .tv
10.0.0.1 .tw
10.0.0.1 .tz
10.0.0.1 .ua
10.0.0.1 .ug
10.0.0.1 .uk
10.0.0.1 .us
10.0.0.1 .uy
10.0.0.1 .uz
10.0.0.1 .va
10.0.0.1 .vc
10.0.0.1 .ve
10.0.0.1 .vg
10.0.0.1 .vi
10.0.0.1 .vn
10.0.0.1 .vu
10.0.0.1 .wf
10.0.0.1 .ws
10.0.0.1 .ye
10.0.0.1 .yt
10.0.0.1 .yu
10.0.0.1 .za
10.0.0.1 .zm
10.0.0.1 .zw
10.0.0.1 .arpa

[MaddAussie]

Why not use a squid proxy and only allow access to the allowed site?

[Vini]

Hey guys thanks for your replies. Restricting the URL is the easy part, we can do this using WebSense/proxy etc...

Restricting the apps is a bigger issue/bigger PITA. I'm having little to no luck with AppLocker at the minute. I'm wondering if a lightweight browser based Linux guest might suit.

[jim]

What if you could disable the Windows shell somehow? If you could prevent explorer.exe from running, then you'd just end up with a desktop. If you had icons on there for web browser, and Word, then that would be all you could open.

Run would still function via WindowsKey+R and likewise, Task Manager could be used, but presumably they could be stopped with GPO. Not saying it's a perfect solution, or that it's even possible, but perhaps another way of solving it?

EDIT: Or let them have Explorer, but get rid of everything on the start menu?

[herulach]

Can't you just set the shell to word? In 7 & 8 you can mount things like box.com as a network drive. Using group policies to hide the rest is fairly easy.

[stilkun]

Make sure the "application identity" service is running as this used by AppLocker to identify file by publisher and the Configure Rule Enforcement that the configured for executable is checked.

If you are using pro version maybe enable "Run only specified Windows applications" for users under User configuration > Administrative Templates > System and add value such as WINWORD.EXE. This mean that only Word will open and all programs including windows program such as command and notepad will not run.

If it is for specific computer, enable loopback so that user configuration is also applied.