I work at a college, and students who are registering for or applying to our school need to use computers. The problem is that they usually don't have a user name or password yet. In the past we created a shared account they could use to log in to a computer, but we discovered that everyone ended up knowing the user name and password. It became a security risk.
After some searching and some asking I discovered a program called ipseccmd.exe. It is included in the Windows XP Service Pack 2 Support Tools. Using this tool, you can restrict which network addresses the computer can reach, regardless of who is logged in. For instance, I only want the people using the registration computers to access our registration website.
First, download the Support Tools. Once the files are unzipped, you can drop ipseccmd.exe in the C:\Windows\System32\ folder. Then, you can run this script (as a local administrator):
REM This first line blocks all network traffic (mirrored filter: both directions)
ipseccmd -w REG -p "block all policy" -r "block all" -f0=*.*.*.* -n BLOCK -x
REM This line allows all internal traffic
ipseccmd -w REG -p "block all policy" -r "allow internal sites" -f0=10.*.*.* -n PASS -x
REM This line allows network access to our registration web site
ipseccmd -w REG -p "block all policy" -r "allow registration site" -f0=235.112.*.* -n PASS -x
This works because IPsec applies the most specific matching filter, so the two PASS rules override the wildcard BLOCK rule for their address ranges; anything else is dropped. Keep in mind that the allowed ranges must also cover whatever the computer needs to resolve names (your internal DNS server, for example), or the registration site has to be reached by IP address. This is a pretty good solution. Now, no one wants to use the registration computers (unless they are new) because they can't access anything else.
You can also use the following script to return the networking to normal:
REM -y unassigns the policy so the filters stop being enforced
ipseccmd -w REG -p "block all policy" -r "block all" -y
ipseccmd -w REG -p "block all policy"
This could also be run from Deployment Console as a script.
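The same lockdown as a single batch file that can be pushed out as a script, written here as an added example (it is not the script from the post). It keeps the post's three rules and address ranges but adds what you would want before handing a machine to the public: the policy name and ranges are variables, every ipseccmd call is checked for failure so a half-applied policy is reported rather than silently left behind, the enforced filters are listed afterwards so the operator can confirm the policy took effect, and the revert path deletes the policy object after unassigning it. The `ipseccmd show filters` query and the `-o` (delete policy) switch are taken from the tool's documented switch set, not from the post; the file name kiosk-ipsec.cmd is my own.

```batch
@echo off
REM kiosk-ipsec.cmd  (added example, not from the original post)
REM Usage:  kiosk-ipsec.cmd apply   - create and assign the lockdown policy
REM         kiosk-ipsec.cmd revert  - unassign and delete it
REM Assumes ipseccmd.exe (XP SP2 Support Tools) is on the PATH, e.g. in
REM C:\Windows\System32, and that the script runs with local administrator rights.
REM The address ranges are the ones used in the post; change them to match
REM your internal network and registration server.

setlocal
set POLICY=block all policy
set INTERNAL=10.*.*.*
set REGSITE=235.112.*.*

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="revert" goto revert
echo Usage: %~nx0 apply ^| revert
exit /b 2

:apply
REM Rule 1: block everything from this host to any address (a mirrored "=" filter,
REM so inbound replies are covered too).  -x assigns the policy immediately.
ipseccmd -w REG -p "%POLICY%" -r "block all" -f0=*.*.*.* -n BLOCK -x
if errorlevel 1 goto fail
REM Rule 2: pass traffic to the internal network.  A more specific filter
REM wins over the wildcard block, which is what makes the allow-list work.
ipseccmd -w REG -p "%POLICY%" -r "allow internal sites" -f0=%INTERNAL% -n PASS -x
if errorlevel 1 goto fail
REM Rule 3: pass traffic to the registration web site.
ipseccmd -w REG -p "%POLICY%" -r "allow registration site" -f0=%REGSITE% -n PASS -x
if errorlevel 1 goto fail
REM Query mode: list the filters the IPsec driver is actually enforcing, so the
REM operator can confirm the policy is active before the machine is handed over.
ipseccmd show filters
echo Lockdown policy "%POLICY%" assigned.
exit /b 0

:revert
REM -y unassigns the policy (networking returns to normal); -o then deletes the
REM policy object from the local registry store so it cannot be re-assigned by
REM accident.  -o is a documented ipseccmd switch (assumption: not used in the post).
ipseccmd -w REG -p "%POLICY%" -r "block all" -y
if errorlevel 1 goto fail
ipseccmd -w REG -p "%POLICY%" -o
if errorlevel 1 goto fail
echo Lockdown policy "%POLICY%" removed.
exit /b 0

:fail
echo ipseccmd failed (exit code %errorlevel%); the policy may be partially applied.
exit /b 1
```

Run `kiosk-ipsec.cmd apply` once per machine (or from the deployment tool) and `kiosk-ipsec.cmd revert` when the machine goes back to normal use. Because the policy lives in the local registry store (`-w REG`), it survives reboots and applies to every account that logs in, which is exactly the property you want on a shared registration computer.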
Now I feel much better about the security of our computers.