Wednesday, November 16, 2022

Windows 10 - Custom Website Blocking per User via Task Scheduler Without Group Policy

 


Intro:

I have a customer that needs the ability to create individual firewall rules per Windows user without using external software. They do not have enough computers to warrant a domain setup so group policies are out the window.

I looked into doing this with Google Chrome but from what I can tell you cannot do this with Chrome Enterprise via policies. Those ADMX policies apply to the computer and not per user, since a domain does not exist. I don't really care to use Edge in this case because this customer requires the ability to load older pages and I have set up IE Tab for Chrome to take care of this. I honestly haven't looked into this with Firefox as it is not installed in this environment.

I chose to do this via Task Scheduler making live edits to the Windows "hosts" file every time a user logs in. This is pretty efficient. If you can think of a better way to do this, let me know in the comments.


Solution:

Ok so what we need to do is create a batch file for each user we want to limit. We then need to place these batch files in a folder somewhere that is accessible to Task Scheduler. It can be hidden to stop users from prying. Next we need to create a task in Task Scheduler so that it runs the batch file upon logon of said user.

*From what I've tested we will need to create a batch file for every single user on the machine. We will be making live automated edits via a batch file as the SYSTEM user to the hosts file when a limited user logs in and we will use another batch file to wipe the hosts file clean when a non-limited user logs in. Kinda crude at the moment until I get time to expand on this. 

**There is no checking in the limited user's batch file to see if duplications have occurred. This would only happen if the user logged in, then out, then in again, with no non-limited users logging in in between.

*Need to come back and check whether or not locked sessions with multiple users will be affected.


Creating the batch files:

Create custom batch files (for limited users):

1. Make sure you're an admin.

2. Open Explorer and create a new folder called, "batch files" (come up with something more creative for your environment).

3. Right click on the new folder --> Properties --> Select "Hidden" --> Ok.

4. Create a new text file inside this folder with a file name identifying the user and change the extension of the file to ".bat".

5. Right click on the file --> Edit. This should open it in Notepad.

6. Enter the following lines into the batch file and save it. You can add as many lines as you want that start with "echo" followed by the site you wish to block. In this example, "facebook.com" will be blocked. Replace "facebook.com" with whatever site you want to block and leave everything else alone.

In this example "fb.com" redirects in the browser to "facebook.com", so blocking the main FQDN will work without needing to block "fb.com" as well. Once the entry is in place, most web browsers will come back and say the site is blocked.

@echo off
rem Path to the Windows hosts file (requires admin or SYSTEM to write)
set hostspath=%windir%\System32\drivers\etc\hosts
rem Point the blocked names at the loopback address; one line per host name
echo 127.0.0.1 www.facebook.com >> %hostspath%
echo 127.0.0.1 facebook.com >> %hostspath%
exit

Revert changes to hosts file (for non-limited users):

1. Create another batch file in the same hidden folder called, "Revert hosts file to default.bat" and copy the following contents into the file and save it:

copy "c:\batch files\hosts" "C:\Windows\System32\Drivers\Etc\"

2. Create a file named, "hosts" in the same folder and copy the following contents into the file and save it.

*Below is a copy of what the original Windows 10 hosts file contains:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
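The two scripts above can be folded into one, which also closes the duplicate-entry gap noted in the intro. This is an added example and not one of the post's own batch files; the file name block-sites.bat and the tag text are my assumptions. Every line it writes carries a trailing comment tag, so on the next logon it removes only its own lines instead of appending again or overwriting the whole hosts file with a saved copy.

```batch
@echo off
rem Added example (not the post's own scripts): one batch file that replaces
rem both user1.bat and "Revert hosts file to default.bat". Every line it
rem writes ends with a tag, so it can remove its own lines on the next logon
rem instead of appending duplicates or restoring a pristine hosts copy.
rem Usage from a Task Scheduler action (run as SYSTEM):
rem   block-sites.bat www.facebook.com facebook.com   (limited user)
rem   block-sites.bat                                 (non-limited user)
rem The host names go in the task's "Add arguments" field.
setlocal
set "hostspath=%windir%\System32\drivers\etc\hosts"
set "tag=# managed-by-logon-task"
set "tmpfile=%hostspath%.tmp"

rem Step 1: drop every line written by an earlier logon. findstr /V keeps
rem all lines that do NOT contain the tag, so hand-added entries survive.
findstr /V /C:"%tag%" "%hostspath%" > "%tmpfile%"
move /Y "%tmpfile%" "%hostspath%" >nul || exit /b 1

rem Step 2: append one tagged line per host name given on the command line,
rem using the same 127.0.0.1 convention as the post. With no arguments the
rem hosts file is simply left clean, which is the non-limited-user case.
:next
if "%~1"=="" goto done
echo 127.0.0.1 %~1 %tag%>> "%hostspath%"
shift
goto next

:done
endlocal
exit /b 0
```

Because the script strips its own lines before writing, the limited-user and non-limited-user tasks can both point at this one file and differ only in their arguments.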

Creating the Tasks in Task Scheduler:

Create the tasks (limited users):

We need to create the tasks for limited users first, then non-limited users second, so we don't get confused. Remember, if you have a domain, go the Group Policy route. This is only for really small office setups and one-off custom website blocks.

1. Windows Key + S --> Task Scheduler

2. Click on Task Scheduler Library on the left and create a new folder, called, "Custom Tasks".

3. Right click on this new folder and select, "Create Task".

4. Copy the following settings into the General Tab:

  • Name: user1 - Add Host File Modifications
  • When running the task, use the following user account: SYSTEM
    • Change User or Group
    • Type in, "system".
    • Hit, "Check Names".
    • "system" turns into "SYSTEM"
    • Press Ok.
  • Run with highest privileges: YES

5. Copy the following settings into the Triggers Tab:
  • New
  • Begin the Task: At log on
  • Specific User:
    • Change User or Group
    • Type in, "user1".
    • Hit, "Check Names".
    • "user1" turns into "computername\user1"
    • Press Ok.
6. Copy the following settings into the Actions Tab:
  • New
  • Start a program
  • Browse --> Select, "user1.bat"
  • Press Ok.
7. Leave everything unchecked in the Conditions Tab.

8. Make sure only the following are selected in the Settings Tab:
  • Allow task to be run on demand.
  • Stop the task if it runs longer than 1 hour.
  • If the running task does not end when requested, force it to stop.
  • Do not start a new instance.
9. If different users need different blocking rules then go back and create the exact same task (different task name obviously) for all the users you want to limit and select their appropriate batch file. You can also export the task, copy and edit the XML file to potentially speed things up. Then import the task into the Custom Tasks folder in Task Scheduler.

**If you have multiple users and wish to block, say, 5 users from going to facebook.com, then you can just add each of their logons to the Triggers Tab. Remember to add a description to show which task action does what so you can keep track of what each task does.


Create the tasks (non-limited users):

*This is identical to the steps above, except that you select the users that are not limited, give the task a different name, and change the action to run the batch file that restores the default hosts file.


1. Windows Key + S --> Task Scheduler

2. Right click on the "Custom Tasks" folder and select, "Create Task".

3. Copy the following settings into the General Tab:

  • Name: Restore Default hosts File
  • When running the task, use the following user account: SYSTEM
    • Change User or Group
    • Type in, "system".
    • Hit, "Check Names".
    • "system" turns into "SYSTEM"
    • Press Ok.
  • Run with highest privileges: YES

4. Copy the following settings into the Triggers Tab:
  • New
  • Begin the Task: At log on
  • Specific User:
    • Change User or Group
    • Type in, "user2".
    • Hit, "Check Names".
    • "user2" turns into "computername\user2"
    • Press Ok.
5. Copy the following settings into the Actions Tab:
  • New
  • Start a program
  • Browse --> Select, "Revert hosts file to default.bat"
  • Press Ok.
6. Leave everything unchecked in the Conditions Tab.

7. Make sure only the following are selected in the Settings Tab:
  • Allow task to be run on demand.
  • Stop the task if it runs longer than 1 hour.
  • If the running task does not end when requested, force it to stop.
  • Do not start a new instance.
8. If you prefer one task per user, go back and create the exact same task (different task name obviously) for each non-limited user, pointing at the same revert batch file. You can also export the task, copy and edit the XML file to potentially speed things up. Then import the task into the Custom Tasks folder in Task Scheduler.

**If you have multiple users that you want no hosts file restriction on, then you can just add each of their logons to the Triggers Tab. Remember to add a description to show which task action does what so you can keep track of what each task does.


Testing:

Make sure you log in as each of the users you just created tasks for and confirm it works before rolling this out.


Conclusion:

This is a pain in the ass way to delegate control but it works in a pinch if management is too cheap to buy Windows Server or if the office is super small and doesn't really warrant a domain.


