Government Security
Network Security Resources

Disabling Internet Access

45 replies to this topic

#1 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 15 November 2007 - 04:03 AM

Hi, do you know a method to disable internet access on a Windows system? Let me explain.
I would like to prevent the user from accessing the web with any program. The users must be unaware of the change to the system. It's not necessary to use a program to change the user configuration; I have local access to the system with administration privs. I thought about setting a proxy in IE and adding some loopback entries to the hosts file just to stop some services like MSN, but that could be too easy to solve even for an average user. So I thought the best solution would be blocking DNS requests, but I don't know how to do that. What do you think?

Thank you for your attention!

#2 cross

cross

    Corporal

  • Members
  • 157 posts

Posted 15 November 2007 - 07:55 AM

put fake dns servers in. The only way to get anywhere would be by IP then.

#3 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 15 November 2007 - 08:11 AM

Yes, I can do it like that, but that's too easy for the users to solve. They aren't so noob :rolleyes:

#4 Little_Dice

Little_Dice

    Staff Sergeant

  • Members
  • 284 posts

Posted 15 November 2007 - 09:25 AM

These are the methods I know of. Granted, if the person knows what they are doing they could still get around many of these.

1. Uninstall the driver that runs the hardware that they use to connect to the internet, i.e. Ethernet, wireless.

2. Go into the BIOS and disable the device they use to connect. For example, on my Dell Inspiron, if I hit Fn + F2 it disables my wireless adapters.
a. Then password the BIOS so they can't go in and change it.

3. Run a firewall that blocks all ports.

4. There is a registry key that many applications look at that you could change. Take a look here: hxxp://www.pctools.com/guides/registry/detail/1288/

5. Assign the computer a static IP.

6. Tell their router to either block their MAC address or set it so they don't have internet.
a. Change the router password so they can't go in and change it.

#5 rlastinger

rlastinger

    Sergeant

  • Members
  • 220 posts

Posted 15 November 2007 - 12:10 PM

Building on these:

7. Play with the TCP stack.

8. If you have a machine on the same network, redirect all requests from his IP to somewhere else. Basically, MITM or DNS poison. Easy to do if you're on the same network. I don't necessarily recommend it at work or anywhere else, but it's a fun trick to play on your roomie at home. :)

9. Encrypt his hard drive and don't give him the password. lol

10. Pack up his computer in a metal magnetic container, rent a boat, drive out to sea, and drop it in the water. I can guarantee he won't get on then. :)

Any more additions? I'm interested to know what else we come up with here.

#6 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 15 November 2007 - 12:57 PM

Mmm, can you give some more details on the 7th? And the 8th? :P
I think the 10th and the 9th are a little too invasive for the users, they'll probably notice the change :D
Same thing for uninstalling drivers or disabling hardware and setting a BIOS password. Installing a firewall could be useful if the firewall runs as a hidden process. I should test this.

#7 Little_Dice

Little_Dice

    Staff Sergeant

  • Members
  • 284 posts

Posted 15 November 2007 - 07:50 PM

Well, from what you are saying I'm guessing you don't have physical access to the machine. Am I right? Maybe you could describe the situation a little better.

#8 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 16 November 2007 - 01:51 AM

I have physical access to the machine but not to the router.

#9 GroovyDude

GroovyDude

    Sergeant First Class

  • Sergeant Major
  • 597 posts

Posted 16 November 2007 - 05:52 AM

These types of restrictions are best placed in the infrastructure (routers, switches, content filtering). Anything you do on the computer could be reversed by the user, especially if they have elevated privileges, such as local admin. If your users' knowledge isn't basic, anything you implement locally would only serve as a temporary measure at best.

#10 rlastinger

rlastinger

    Sergeant

  • Members
  • 220 posts

Posted 16 November 2007 - 09:04 AM

Personally, I think 5 is the easiest if you don't have access to the network equipment, but have access to the machine. 7 can get dangerous when corrupting the stack, but you can google that and learn a bit about it. As for 8, google tools like ettercap, Cain and Abel, etc. There are a few out there that do that. Most of the good ones should be listed at insecure.org's top 100 security tools.

#11 Little_Dice

Little_Dice

    Staff Sergeant

  • Members
  • 284 posts

Posted 16 November 2007 - 09:11 AM

rlastinger, could you point me to a good article on stack corruption, or give me a little more detail so I can run a better search?

#12 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 16 November 2007 - 09:32 AM

5 is too easy to solve. They aren't computer geeks but they will try to solve an IP address related issue and in the end they will succeed, even randomly :lol:  But a more subtle solution would be very difficult for them to solve. I will research something about TCP stack corruption. If you can point me to some good article I'm glad to know :-)

Oh, yes, they have admin access. Some other useful information: the internet connection is wireless and the PC is a portable computer. I think this could make MITM and request redirection more difficult and not so reliable. Am I wrong?

#13 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 16 November 2007 - 01:35 PM

A WiFi jammer will do it.

#14 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 16 November 2007 - 02:52 PM

First off, what is your purpose in disabling the ability to browse websites from one computer? The reason I ask is if you are able to have admin on this specific PC, why can't you access the router? Are you somehow trying to force an unknown party to unlock or let you in to the router by messing up their HTTP access? If that is the case there are better ways to accomplish it, anywho here is my explanation of how to accomplish your goal.

I believe the most efficient way to block the access to websites, locally without access to the router/firewall, would be one of two ways..

First go to your network adapter properties (Click Start, Right Click on My Network Places, then hit properties).
At this screen right click on the *network adapter that is used* to access the internet, and hit properties once again.
Okay, now you should be at a screen that at the top says Local Area Connection (or whatever the name of yours was) Properties. At this point you should see a window with 3 tabs (at least) named General, Authentication, and Advanced. You should also see a row of buttons that say Install, Uninstall, and Properties.
Now what you need to do, is right above the row of buttons (Install, Uninstall, Properties) there are some items with check boxes next to them.
Click on the one that says Internet Protocol (TCP/IP) or Internet Protocol Version 4 (TCP/IP).
Now with that item highlighted hit the Properties button. This brings you to another screen where we can manually configure TCP/IP settings, we will call it SCREENALPHA.

The first, easiest, way to disable web browsing is this..
From that screen you will see a few options, they mostly deal with adjusting your IP & DNS settings, for this work-around we won't even have to touch those. Hit the button at the bottom that says Advanced. This brings you to another window titled 'Advanced TCP/IP Settings' with four tabs to choose from. They are IP Settings, DNS, WINS, and Options. The tab I want you to select is Options. From there you should see an Optional Setting labeled TCP/IP filtering. Single Click that and hit the Properties button located just below. You are at yet another window.. (this one titled TCP/IP Filtering)
Here what we want to do is first of all, check the box that is at the top labeled Enable TCP/IP Filtering (All Adapters). Then make sure the following are selected: above TCP Ports, check PERMIT ONLY. The others should remain at Permit All (for UDP Ports & IP Protocols). Then just add in the ports you WANT to allow; however, I recommend adding at least ONE port like 161 (SNMP), just to make sure the Filtering kicks in. Also be sure you do not type in port 80 though, because that is what we are trying to block, and would totally defeat the whole purpose of this. Don't forget to apply settings when done.


A second way to disable it is...
Back to SCREENALPHA. Because we don't want them accidentally fixing these settings somehow through an IP release/renew action, we are going to leave the IP address as being automatically obtained. To do this make sure there is a dot in the Top Radio Button field titled 'Obtain an IP address automatically.' What we will do is modify the DNS settings. Check the Radio box that says 'Use the following DNS server addresses'. Then enter in the address 127.0.0.1. What this does is makes it so that when the user types in an address, it sends a request to itself trying to resolve the character name to an IP address. Hit apply and then click the start button, go to Run, and type cmd. Press enter and you will be at a command prompt. Now just type ipconfig /flushdns and you are all set.
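
Added example, not part of blackhat420's post or the thread: a troubleshooting-side check that flags the two local changes described above (DNS pointed at loopback, and TCP/IP filtering in permit-only mode without web ports) from `ipconfig /all` and `reg query` text saved from the machine. The sample text is constructed, and the registry value names `EnableSecurityFilters` and `TCPAllowedPorts`, the `\0`-separated `reg query` layout and the meaning of a lone `0` are assumptions that do not appear in the thread.

```python
import re

# Constructed samples (not from a real machine): `ipconfig /all` and `reg query` text.
IPCONFIG = """\
Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.23
        DNS Servers . . . . . . . . . . . : 127.0.0.1
"""
REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    EnableSecurityFilters    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED}
    TCPAllowedPorts    REG_MULTI_SZ    161\0\0
"""
IPV4 = r"(\d+(?:\.\d+){3})"  # this sketch only parses IPv4 resolvers

def dns_servers(text):
    """Map each adapter heading to its DNS servers, including continuation lines."""
    found, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip(": "), False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*" + IPV4, line)
        if not m and in_dns:  # extra servers appear alone on the following lines
            m = re.match(r"\s+" + IPV4 + r"\s*$", line)
        in_dns = bool(m)
        if m:
            found.setdefault(adapter, []).append(m.group(1))
    return found

def audit(ipconfig_text, reg_text):
    """Return findings for loopback-only DNS and a permit-only TCP port list."""
    findings = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        if all(s.startswith("127.") for s in servers):  # 127.0.0.0/8 is loopback
            findings.append(f"{adapter}: all DNS servers are loopback {servers}")
    enabled = re.search(r"EnableSecurityFilters\s+REG_DWORD\s+0x0*1\b", reg_text)
    for m in re.finditer(r"TCPAllowedPorts\s+REG_MULTI_SZ\s+(\S+)", reg_text):
        ports = {p for p in m.group(1).split("\\0") if p}
        # Assumption: a lone "0" is the stored form of "Permit All".
        if enabled and ports != {"0"} and not ports & {"80", "443"}:
            findings.append(f"TCP filter permits only {sorted(ports)}: web ports blocked")
    return findings

if __name__ == "__main__":
    for finding in audit(IPCONFIG, REG):
        print(finding)
```
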

#15 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 16 November 2007 - 03:28 PM

Yeah blackhat420, your first solution is very good! It's a pretty unknown Windows feature so average users should not be aware of it. And also it's a subtle change: the wireless connection will act as if it is working normally, but without the internet access really working, as I want.

Another good solution I have come up with is to configure the wireless drivers to only use a specific Wi-Fi standard. For example, if I want to stop the access to the internet through an 802.11g network, I can set up the wireless card to only work in 802.11b mode. The user will only notice that some networks are simply gone. Drivers for my integrated Intel IPW2200 have this feature; I think many others have it too.





Also tagged with one or more of these keywords: windows, dns, proxy