How to whitelist which websites can be opened in IE 11 from admin act.


  1. Posts : 153
    Windows
       #1



    I'm looking for a solution for a small business. Due to some proprietary software that they have (required to service their hardware) the following had to be done on this Windows 7 Pro installation:

    - Turn off UAC
    - Log in as administrator

    So there's no way around the stipulations above.

    I'm looking for a solution to restrict which web sites a user can visit. Kind of like white-listing. The only web browser installed on that system is IE 11. Users are restricted from installing any software via local group policies.

    The only users on that desktop are two women in their 60's that will not try to do "bad things" on purpose. They did not grow up with computers, so they are struggling to understand basic online security principles.

    My goal is to prevent them from going to any web sites that can exploit a zero-day vulnerability in IE, or in some way harm the computer. I can't just block the internet, because their job requires going to some specific websites to retrieve reports, as well as to Amazon.com for occasional business-related purchases. Disabling JavaScript unfortunately wouldn't work because it is required in the web sites that they have to use.

    PS1. I tried to enable family safety in IE settings, but unfortunately it refused to work as I had to log in to that account as administrator.


    PS2. Here's what happened this month. One of the women called me up and told me that she can't close a web site. When I came over she had IE open on some strange page that had a popup saying that the computer is infected. Closing the popup didn't make it go away. Moreover, trying to terminate IE with the Task Manager did not work. There were two copies running side by side, so when I killed one, the other one restarted it. (The only way to kill it was by using the Sysinternals tool Procexp to suspend both IE processes.) After that, I could see that there were some changes done to IE, namely that downloading files no longer worked and caused an error, which was not happening before.

    After this incident I immediately cleared the temp files as well as IE cache and ran all system files via Virus Total scan. I did not find any infections.

    When asked what caused that popup the woman said that she went to Google and searched for a product to buy at Home Depot. After that she clicked the first item on top of the Google search and got this popup. Like I said, the user was quite computer-illiterate for me to instruct her any further or to expect a different behavior. Thus my intentions to whitelist websites in the web browser.


  2. Posts : 2,465
    Windows 7 Ultimate x64
       #2

    dc2000 said:
    Due to some proprietary software that they have (required to service their hardware) the following had to be done on this Windows 7 Pro installation:

    - Turn off UAC
    - Log in as administrator

    So there's no way around the stipulations above.

    This is your cancer. Those are completely ridiculous requirements that in no way can ever be accepted. Doing so will give everything in the computer full power to do anything it likes, which is a terrible thing to do security-wise. Put simply, no company will ever accept those requirements if they care about security, which you seem to do.

    Reasons for asking for this are poorly designed software, careless or incompetent developers or terribly outdated software that doesn't account for changes in the last 10 years. A more reasonable design is to ask for administrator access to that program only, and proper software would ask for admin only when it's absolutely needed.

    Without employing proper security practices, it's impossible to keep a safe system. That's the exact message you're getting from parental controls. My first suggestion would be to get in contact with the developer of this buggy software and get it fixed. Find a way around that ridiculous requirement first, then parental controls can easily deal with your requirement.


  3. Posts : 153
    Windows
    Thread Starter
       #3

    Alejandro85 said:
    This is your cancer. Those are completely ridiculous requirements that in no way can ever be accepted....

    Reasons for asking for this are poorly designed software, careless or incompetent developers or terribly outdated software that doesn't account for changes in the last 10 years. ....

    Thanks for your input. I totally agree.

    Here it is, SiteLink Web Edition, you can see it for yourself. They kinda downplay it with that message.

    I also tried to contact their developers, but it's a total dead-end. It's a small market niche software and everyone seems to be kissing their ____ so they can get away with it. Plus the person who pays the monthly bill for that software (the owner of the company) has no idea what all this UAC, administrator account "nonsense" is. What matters for him is the balance sheet for the company. So I'm back to square one...


  4. Posts : 2,465
    Windows 7 Ultimate x64
       #4

    That's very bad for them to not provide good software at all. Problem is that blindly following their suggestion leads directly to an insecure system, there is no way around security if you're running with full admin permissions.

    Seems like you're on your own here. Probably you can reenable UAC, downgrade to a regular user account and try to run this particular program as admin instead of the whole system. Basically, experimenting on your own. Your other options would be to try to run this program on a virtual machine (so that this one is the only compromised thing) or just accept that you can't possibly achieve a secure system while accepting the ridiculous restrictions this system imposes.

    Yeah, managers only care about money and couldn't care less about administrative things, permissions and the like. The only possible defense to that would be to point out to them that running an insecure system could lead to privacy problems, and maybe downtime if some malware slips through it can cause issues and even downtime, which costs money down the road. Usually non-technical people only care about that once everything is already broken.


  5. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #5

    If Ransomware hits that system, accounting will wake up quick.

    It reminds me of baseball and a great shortstop.
    His record shows he is not a great batter.
    But when you figure in the runs he has stopped from the other team because of his great defense he is a great player.

    Stopping problems is cheaper than removing problems.
    The bean counters don't know how to put that into a P&L statement.

    Just my thoughts.

    Jack


  6. Posts : 153
    Windows
    Thread Starter
       #6

    Thank you, guys.

    Yes, I did bring all of that up in front of the management. Do you want to know what the response was? "Well, we have Norton on that system, right?" People blindly believe that an AV can protect them.

    When I heard such a statement I couldn't argue any further. With that statement a person clearly demonstrated a fundamental lack of knowledge in computer security.

    As for ransomware, the good thing is that the software in question (SiteLink) is cloud-based, meaning that its database is located in their cloud servers. (Of course the second question that can be raised is this -- seeing how badly their developers comprehend Windows security, one may only guess how well they implemented their cloud) but still in case of a local ransomware infection the thought is that the company will be able to continue using the database from another unaffected terminal. In that case, of course, they will have to pay additionally to restore each affected workstation, which will cost them money.


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #7

    You might want to try enabling UAC on one machine as a test then launch that software from an Elevated Shortcut to bypass UAC for that particular app.

    How to Create an Elevated Program Shortcut Any User is able to Run in Vista, Windows 7, and Windows 8

    If the program needs to launch on boot then you'd place the elevated shortcut in the user's startup folder.

    From Start> Run dialog box or Explorer Address Bar:

    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


  8. Posts : 153
    Windows
    Thread Starter
       #8

    Callender said:
    You might want to try enabling UAC on one machine as a test then launch that software from an Elevated Shortcut to bypass UAC for that particular app.

    Sorry, forgot to mention. I did test it. What happens if I do not disable UAC, that software will begin popping up UAC prompts pretty much for everything you do in it. (Printing a report prompts for UAC.) I did some digging into it, and it looks like the software starts new processes for different functions. I need to mention that it is a very old looking software (something that we've used back in the days of Windows 95.) Thus such an unorthodox approach. For instance, it stores its data files it works with in "C:\Program Files\<CompanyName>" even if it is a 32-bit application. Thus, this is probably one of the main reasons why it needs UAC disabled.

    Secondly, even if you coax it to work and instruct office ladies to ignore UAC prompts (which already defeats the purpose of UAC security if office people start clicking Yes for everything they do) when something stops working and you call tech support for that company, the first thing they do is yell at you for not following their instructions. I went thru this originally. The tech support guy connected to the machine via LogMeIn remote console and said, "You see. You need to do this!" and showed me how to drag that slider all the way down to disable UAC. So I'm afraid if I enable it and people in that office encounter an issue, the tech support for that SiteLink software will make me into a scapegoat for "not following their instructions."

    Lastly, worse still, some minimal features don't work at all and display an error, something "helpful" like this, "Report failed. Reinstall application."

    So as you can imagine I cannot subject those office ladies to all this. They'll hate it more than if it got a virus.


    As for the other suggestions -- that I forgot to mention in my previous reply -- to install this software in a VM. I looked into it as well. Here is why it will not work:

    - The interface between the VM and the host OS is very clunky. It's OK for advanced users, but not OK for the office ladies that will be using it. For instance, I went as far as downloading an evaluation copy of Windows Server 2016 Essentials, installed Windows 7 in Hyper-V and made this "Crappy" software run in its own VM. They started complaining almost immediately. Things were slow, jittery and the final nail in the coffin was one evening when they called me up. When I came over they had somehow managed to close the VM window off the screen and couldn't find it. (And to bring it up one needed to fire up Hyper-V manager and connect to the VM. Which I obviously cannot expect them to do.) So yeah... Microsoft's Hyper-V is too "advanced" for the general public to use at this point.

    And as for VMware Workstation, I use it myself. And even though I haven't tried it in that setting, I can envision the same problems cropping up with it as well -- namely, confusion over open VM window, wrong buttons clicked, closed VM window, stuff running slow, etc.

    - Additionally the software in question needs to interface with the documents folder, printers, Outlook email, etc. That Site Link literally takes over your PC! So even if I moved it to a VM I will have to move the rest of the stuff from the host PC into VM as well, which will defeat the purpose...

    Callender said:
    If the program needs to launch on boot then you'd place the elevated shortcut in the user's startup folder.

    From Start> Run dialog box or Explorer Address Bar:

    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    No, the software doesn't use auto-start. But just FYI, a process that is marked as "elevated" in its manifest will not auto-start from those locations. It's due to the security model implemented since Vista. Well, it will if you disable UAC :) One can do it only manually, or via a convoluted Task Scheduler task (in some cases.)


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #9

    This launches these programs on boot for me:
    [Attached image: startup.jpg]
    Or this script placed in the same folder to launch programs elevated:
    [Attached image: startupqueue.jpg]
    However if the programs once running launch other processes that require elevation then like you say it's no good.

    Suggest: Look into the possibility of using malware blocking DNS. Here are two examples.
    Also check out Bitdefender TrafficLight browser addon. There are versions for Chrome, Firefox and Safari.

    Bitdefender TrafficLight for Firefox :: Add-ons for Firefox

    There is also a beta cross browser version that can be installed but I can't comment on it as I only used it briefly before uninstalling it and switching to the browser extension.

    Download BitDefender TrafficLight - MajorGeeks
    Last edited by Callender; 10 Apr 2017 at 14:07. Reason: edit DNS link


  10. Posts : 153
    Windows
    Thread Starter
       #10

    Thanks. I'll check it out.


 
