Dynamic Whitelist (locked)

  • Question

  • I am trying to determine if there is a way to make the whitelist of websites update dynamically with Windows SteadyState.

    I've determined that these websites are stored in the HKCU hive in plain text.

    My original plan was to download a profile with wget, then import that profile from the command line, something like this:

    wget myprofile.ssu

    sctui /import myprofile password c:\myprofile.ssu

    The problem is that if the user already exists SteadyState issues an error, and since it locks the profiles, it displays "access is denied" on subsequent attempts.

    I've tried to delete the user first ("net user myprofile /delete") and then re-import the user, but no luck.

    Maybe I'm overlooking something and there's an easy way to update just the registry key with VBS or a batch file, but I'm lost on this one; any help would be greatly appreciated.

    Tuesday, July 24, 2007 6:05 PM

Answers

  • Hi Frank_CCI,

    The allowed web addresses will be saved to the following location in the registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\  Value: ProxyOverride

    Thus, we can add addresses through the REG ADD command, like the following example:

    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "www.test1.com;www.test2.com" /f

    Note: The value data will be added to SteadyState simultaneously. The previous value will be overwritten.

    Actually, there is a better method. When you set the “Prevent Internet access (except Web Sites below)” option, the system will set the proxy server in IE to a non-existent one (NoInternetAccess) and add the allowed web sites to the “Exceptions”. The “Use the same proxy server for all protocols” option is checked. In this way, all web site access except for those allowed sites is blocked.

    With this concept, we can easily add all the allowed addresses with proxy group policy:

    ------------------------------

    1. Click Start and then Run. Type in gpedit.msc and press Enter.

    2. Navigate to the following branch:

    User Configuration\Windows Settings\Internet Explorer Maintenance\Connection

    3. Double click “Proxy Settings”.

    4. Select “Enable proxy settings”. Type in an invalid proxy server address after HTTP (such as 1.0.0.0), and select “Use the same proxy server for all protocols”.

    5. Type in the allowed addresses in the Exceptions panel.

    Note: This group policy will overwrite SteadyState’s allow list. The “Prevent Internet access (except Web sites below)” option will be unchecked as well. However, the result is the same: only the web addresses in the allowed list can be accessed.

    If the above policy doesn’t apply, please also check the status of the following policy:

    [Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing]

    Please make sure this policy is enabled and configured as "Process even if the group policy objects have not changed". This option will force the group policy to be applied even when there are no changes to the GPO. You can also refer to the following Knowledge Base article to change the related registry keys manually:

    Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures

    http://support.microsoft.com/?id=306915

    Hope the above information is useful to you.

    Best Regards,

    Thursday, July 26, 2007 9:36 AM
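The REG ADD approach above, turned into the kind of updating script the question asks about, as an added example that is not code from the thread or from SteadyState. It rebuilds ProxyOverride from a central allow list (one host or wildcard pattern per line, "#" comments) and, because that list file is input the workstation trusts from a share, it validates every line before the value is written and logs what it rejected. The share path \\NetworkShare\allowed-sites.txt, the log path, and the appended "<local>" bypass token (IE's standard local-address bypass entry) are assumptions.

```batch
@echo off
rem Added example, not from the thread or from SteadyState: rebuild the IE
rem ProxyOverride value from a central allow list (one host per line, '#' comments).
rem Assumed: the share path, the list file name, the log path and the local-bypass token.
setlocal EnableDelayedExpansion
set "LIST=\\NetworkShare\allowed-sites.txt"
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "LOG=%TEMP%\update-whitelist.log"
set "TMP1=%TEMP%\update-whitelist.tmp"

rem An unreachable share keeps the last good value instead of rewriting it.
if not exist "%LIST%" (
    >>"%LOG%" echo %DATE% %TIME% allow list not reachable, keeping current ProxyOverride
    exit /b 1
)

set "OVERRIDE="
set /a ACCEPTED=0, REJECTED=0
for /f "usebackq eol=# tokens=* delims=" %%L in ("%LIST%") do (
    rem Copy the line into H and use only delayed expansion from here on: a for
    rem variable expanded directly would let metacharacters in a tampered line run.
    set "H=%%L"
    >"%TMP1%" echo(!H!
    rem Accept only hostname characters and wildcards; reject and log anything else
    rem (spaces, separators, shell metacharacters) so a bad list is noticed.
    findstr /r /c:"^[-a-zA-Z0-9.*]*$" "%TMP1%" >nul
    if errorlevel 1 (
        >>"%LOG%" echo !DATE! !TIME! rejected line: !H!
        set /a REJECTED+=1
    ) else (
        if defined OVERRIDE (set "OVERRIDE=!OVERRIDE!;!H!") else (set "OVERRIDE=!H!")
        set /a ACCEPTED+=1
    )
)
del "%TMP1%" 2>nul

if not defined OVERRIDE (
    >>"%LOG%" echo %DATE% %TIME% no valid entries, refusing to write an empty list
    exit /b 1
)

rem Append IE's standard local-address bypass token so intranet names keep working.
set "OVERRIDE=!OVERRIDE!;<local>"
reg add "%KEY%" /v ProxyOverride /t REG_SZ /d "!OVERRIDE!" /f >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% reg add failed
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% ProxyOverride updated: %ACCEPTED% accepted, %REJECTED% rejected
endlocal
exit /b 0
```

Run it in the user's context (a startup item or scheduled task), since the value lives under HKCU. Two design points: the value is written only when at least one line passed validation, so a list that has been wiped or corrupted does not silently replace the working one, and findstr character ranges are collation-based, so the pattern is a sanity check against injected separators and metacharacters rather than a strict hostname grammar.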
  • Hi,

    In SteadyState, we can use the “/import” and “/export” options for sctui.exe to import SteadyState settings for a user. Here is the help for /import and /export (available via "sctui.exe /?"):

    IMPORT
            [username] [password] [Location to export to]

    Example:
            sctui.exe /Import Guest Password123 c:\guest.ssu.

    EXPORT
            [username] [Location to export to]

    Sample:
    sctui.exe /import UserName Password123 "C:\Documents and Settings\Administrator\My Documents\Unlocked.ssu"

    Based on the current situation, we can create a new user profile and then export it to an SSU file. After that, we can import it to all the other computers. To do so, you may consider creating a startup item (import.bat) for each user which contains the following content:

    sctui.exe /import UserName Password "\\NetworkShare\SharedProfile.ssu"

    When you want to change the SteadyState settings, you can configure the desired settings on a reference user and export the settings to a .ssu file in the \\NetworkShare. You can then use the above command line to update the restriction settings.

    If you would like to use the original user name, we have to delete the original user profile before importing the new one. We can delete a user profile with the following command:

    Net user username /delete

    Please make sure you have sufficient privilege to run the above commands and access the network location. You also need to make sure Windows Disk Protection is set to “Retain all changes permanently”. Otherwise, the changes may not be saved properly.

    Please understand that in a workgroup environment, it will be impossible to centrally deploy group policies. That’s why Active Directory was developed. In addition, the best practice is to set all the restrictions and add all the possible required web addresses to the allow list before locking the profile and turning on Disk Protection with “Remove all changes at restart”. Otherwise, as in the current situation, it will be a little complex to modify the configurations on all computers.

    FYI, if some commands need to be run remotely, the following tool will be very helpful:

    PsExec v1.84 & Usage
    http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx

    Regards,

    Friday, July 27, 2007 10:34 AM
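The import.bat idea above as a complete startup script, added here as an example that is not code from the thread or from SteadyState. It keeps a copy of the last .ssu it imported and re-imports only when the file on the share has changed, so the account is not deleted and re-created on every boot (which is what runs into the "user already exists" and "access is denied" errors described in the question), and it logs each step so a failure on one of many workgroup machines is visible. The share path, account name and password, cache folder, log path, that sctui.exe is on the PATH, and that sctui.exe returns a non-zero exit code on failure are all assumptions; the password sits in the script exactly as in the thread's own import.bat, so the file should be readable only by administrators. As the later replies note, net user does not remove the profile folder under Documents and Settings, and this script does not try to.

```batch
@echo off
rem Added example, not from the thread or from SteadyState: a startup item that
rem re-imports the shared profile only when the .ssu on the share has changed.
rem Assumed: share path, account name and password, cache folder, log path, that
rem sctui.exe is on the PATH, and that it returns a non-zero exit code on failure.
setlocal
set "SHARE=\\NetworkShare\SharedProfile.ssu"
set "WORK=%SystemDrive%\ProfileSync"
set "CACHE=%WORK%\last-imported.ssu"
set "LOG=%WORK%\import.log"
set "USER=UserName"
set "PASS=Password"

if not exist "%WORK%" mkdir "%WORK%"

rem An unreachable share is not an error: the machine keeps the profile it has.
if not exist "%SHARE%" (
    >>"%LOG%" echo %DATE% %TIME% share unreachable, keeping existing profile
    exit /b 0
)

rem fc /b exits 0 only when both files are byte-identical; in that case there is
rem nothing to import, and skipping avoids the "user already exists" error.
if exist "%CACHE%" (
    fc /b "%CACHE%" "%SHARE%" >nul 2>&1
    if not errorlevel 1 exit /b 0
)

>>"%LOG%" echo %DATE% %TIME% new profile on share, re-importing %USER%

rem sctui refuses to import over an existing account, so remove it first.
net user "%USER%" /delete >nul 2>&1

sctui.exe /import "%USER%" "%PASS%" "%SHARE%"
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% import failed, exit code %ERRORLEVEL%
    exit /b 1
)

rem Remember what was imported so the next boot can tell whether the share changed.
copy /y "%SHARE%" "%CACHE%" >nul
>>"%LOG%" echo %DATE% %TIME% import succeeded
endlocal
exit /b 0
```

Because the cached copy is only written after a successful import, a failed run is retried at the next boot rather than being recorded as done, and the log line with the exit code is what to look at when one site's machines stop picking up a new profile.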

All replies

  • Thanks for the response! This information is very useful; however, these computers will not be on a domain, and will be deployed at approx. 80 separate sites. Now, I know I could use SteadyState to launch an updating script that would update the 'ProxyOverride' key, however how can I import the profile? If we were able to dynamically update the XML profile for each user, then we could change more than just a whitelist. Is this possible?

    Thanks again for your response, any help would be appreciated.

    Thursday, July 26, 2007 1:34 PM
  • I understand how the import function works, and need to deploy it across workstation machines (in different physical areas). If I try to delete the user first using the Net user command, it throws an error when re-importing the user, and since just using the net command doesn't delete the profile, my Documents and Settings folder fills up quite quickly. Is this the intended function? From what you're saying, I SHOULD be able to delete the user then re-import the profile, which I've tried several times with no results.

    Friday, July 27, 2007 1:08 PM
  • Hi,

    What error message was received when re-importing the ssu profile? Based on my test, although the net user command cannot delete the profile folder under “Documents and Settings”, we can import a new SSU profile with the same user name.

    In addition, please make sure the operator has administrator privilege. If possible, we can also restart the remote computer before importing the new SSU profile.

    Best Regards,

    Monday, July 30, 2007 9:24 AM