Thursday, December 24, 2009

Endian - How to disable flash videos (.flv)

This is a topic which had been annoying me for some time. As internet resources weren't enough, in the end I had to find my own solution.

I have to remark that this solution is not only for Flash video (.flv); it can be used for ALL file types which are not to be downloaded. It's quite helpful for stopping users downloading games, mp3s, etc. directly from the internet.


Here is the general problem:
After YouTube, Flash video based sites such as Metacafe, google.video, Dailymotion, Facebook etc. started to haunt the internet and its backbones. It's not really a problem for home users, but for companies with limited bandwidth and resources, viewing of online Flash videos reduces their connectivity resources drastically. Even with content filtering such as Websense or Dansguardian, every day a new site opens up and you just can't keep up with users.

The question is actually how to do it rather than "is it possible?". Luckily the creators of Dansguardian (the source system in Endian, Smoothwall etc.) thought of the solution, but preferred to keep it disabled by default.

If you try to disable the Flash video MIME type, as the MIME standards are rather out of date, it generally disables all Flash-based activity in pages, including .swf content used by banks and other Flash-integrated web services, which makes it a useless solution.

Here is the firm SOLUTION:
Flash videos are mostly files with the .flv extension which are embedded into the HTML or Java code. There is no separate MIME type for Flash .flv files, but they do have their own extension, .flv.

Although it doesn't show directly in the Endian interface, its underlying software, Dansguardian, fully supports banning extensions via a ban list stored deep inside the Linux file system. At this point I must warn that although Endian's filters are built on Dansguardian, their folders are in different locations.


Here is how:
For Dansguardian (Linux installations)

1.  Open a telnet connection to your Linux server with root access.
2.  Go to /etc/dansguardian/
3.  Type nano dansguardianf1.conf
4.  Add the line bannedextensionlist = '/etc/dansguardian/profiles/1/bannedextensionlist'
5.  Save the file and exit to the prompt.
6.  Go to /etc/dansguardian/profiles/1/ and type nano bannedextensionlist to edit the file.
7.  If the file doesn't exist, opening it with the above command will let you save it under the same name on exit.
8.  As the list is disabled by default, there is probably no content inside the file.
9.  Simply add one line for each file extension you want to ban, such as below:
.flv # Flash Video
.exe # Executable Files
.mp3 # mp3 audio
.wma # wma audio
.asf # asf live audio
.ra # real player audio
10.  Save the file and exit to the prompt.
11.  I strongly advise you to reboot the Linux system for the changes to take effect.

For Endian Systems:
1.  Open a telnet connection to your Linux server with root access.
2.  Go to /etc/dansguardian/
3.  Type nano dansguardianf1.conf
4.  Add the line bannedextensionlist = '/etc/dansguardian/profiles/1/bannedextensionlist'
5.  Save the file and exit to the prompt.
6.  Up to this point the method is the same, but Endian for some reason uses a ban list located at /var/efw/dansguardian.
7.  So open the file at that location by typing nano /var/efw/dansguardian/bannedextensionlist
8.  If the file doesn't exist, opening it with the above command will let you save it under the same name.
9.  As the list is disabled by default, there is probably no content inside the file.
10.  Simply add one line for each file extension you want to ban, such as below:
.flv # Flash Video
.exe # Executable Files
.mp3 # mp3 audio
.wma # wma audio
.asf # asf live audio
.ra # real player audio
11.  Save the file and exit to the prompt.
12.  I strongly advise you to reboot the Linux system for the changes to take effect.
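
The Dansguardian and Endian steps above, scripted so that they can be repeated safely (an added example, not part of the original post or of either project). The function names are hypothetical and the demo runs on constructed files in a scratch directory; on a real system, pass the paths from the steps above, with /var/efw/dansguardian/bannedextensionlist as the list file on Endian.

```shell
#!/bin/sh
# Added example: scripted form of the manual steps. Paths are arguments so it
# can be tried on copies before touching the live files.

# enable_ban_list CONF LISTPATH
# Leave CONF with exactly one active "bannedextensionlist = 'LISTPATH'" line.
enable_ban_list() {
    conf=$1
    want="bannedextensionlist = '$2'"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    active=$(awk '/^[ \t]*bannedextensionlist[ \t]*=/' "$conf")
    [ "$active" = "$want" ] && return 0          # already set, nothing to do
    cp -p "$conf" "$conf.bak" || return 1        # keep the previous version
    # Drop other active settings (commented-out ones stay), then add ours.
    awk '!/^[ \t]*bannedextensionlist[ \t]*=/' "$conf.bak" > "$conf"
    printf '%s\n' "$want" >> "$conf"
}

# ban_extensions LISTFILE EXT...
# Add each extension (".flv" or "flv") once; create LISTFILE if it is absent.
ban_extensions() {
    list=$1; shift
    [ -e "$list" ] || : > "$list" || return 1
    for ext in "$@"; do
        ext=.${ext#.}                            # normalise to a leading dot
        # An entry is the first field of a line; a "# comment" may follow it.
        awk -v e="$ext" '$1 == e { hit = 1 } END { exit !hit }' "$list" ||
            printf '%s\n' "$ext" >> "$list"
    done
}

# banned_extensions LISTFILE
# Print the active entries, skipping blank lines and comment-only lines.
banned_extensions() {
    awk '$1 != "" && $1 !~ /^#/ { print $1 }' "$1"
}

# Demo on constructed files in a scratch directory, not the live system.
demo=$(mktemp -d)
printf '%s\n' "# constructed sample" "naughtynesslimit = 50" \
    "#bannedextensionlist = '/unused'" > "$demo/dansguardianf1.conf"
enable_ban_list "$demo/dansguardianf1.conf" \
    /etc/dansguardian/profiles/1/bannedextensionlist
ban_extensions "$demo/bannedextensionlist" .flv .exe mp3 .flv
banned_extensions "$demo/bannedextensionlist"
```

Running either function a second time with the same arguments changes nothing, and the previous configuration is kept next to the original as dansguardianf1.conf.bak whenever the file is rewritten.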

How to disable access to USB Storage via GPO

By default, Group Policy does not offer a facility to easily disable drives containing removable media, such as USB ports, CD-ROM drives, Floppy Disk drives and high capacity LS-120 floppy drives. However, Group Policy can be extended to use customised settings by applying an ADM template. The ADM template in this article allows an Administrator to disable the respective drivers of these devices, ensuring that they cannot be used.
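Open Notepad, paste the template below into it and save the file as USBSTOR.ADM.

Import this administrative template into Group Policy as a .adm file. See the link in the More Information section if you are unsure how to do this. In each policy's drop-down list, choosing Enabled writes a Start value of 4, which disables the driver; Disabled writes the driver's normal Start value (3, or 1 for the CD-ROM driver).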

CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY
 
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"



Adding .ADM files to the Administrative Templates in a GPO

To add additional .ADM files to the existing Administrative Templates section in a GPO, follow these steps:
  1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.
Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed. It can be downloaded from Microsoft.
If you do not have GPMC or cannot install it then you'll need to edit the GPO via the regular means, i.e. from the Active Directory Users and Computers management tool (dsa.msc).
  2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.
  3. Expand either the Computer settings or Users settings sections of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.
  4. In the Add/Remove Templates window click Add.
  5. Browse to the location of the required .ADM file and click Open.
  6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.
  7. Open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates require you to remove the filter that shows only policy settings that can be fully managed in the GPO editor. To do so, follow these steps:
  1. After completing the above procedure, browse to the newly added Administrative Template section. Note that the section is indeed listed, but the right pane is empty.
  2. Right-click an empty spot in the right pane and select View > Filtering.
  3. In the Filtering window click to un-mark the "Only show policy settings that can be fully managed" option. Then click OK.
  4. Notice how the available options are now displayed in the right pane.

How to Disable USB Storage function on Windows XP by registry.

This is a subject which causes headaches to many IT managers and supervisors from time to time, as the spreading of viruses, illegal software and media like mp3s and videos, and commercial espionage (theft of company confidential information), is generally done by USB sticks, USB disks etc.

Using common sense, maybe the most civilized way of preventing this usage is by IT policy, but, as you are already aware, we humans use the human factor and try to bend the rules whenever possible. So the only solution is to actually disable the service concerned so that the risks are prevented automatically.

Well, the good news is, Microsoft was clever enough to create one service that can disable access to USB storage without disabling access to other USB devices such as mouse, keyboard etc.

As I'm a lazy sod, I'm going to copy-paste the information from a resource I like a lot. The site is owned by Daniel Petri, and the original document can be found at www.petri.co.il
It is also explained at http://support.microsoft.com/kb/823732


There are actually 2 ways of disabling USB storage access in Windows XP:
  1. Registry
  2. GPO (Group Policy Object - Active Directory)
In this document I will explain how to do it via the registry. I'll write the document on how to do it via GPO in my other how-tos.

To block your computer's ability to use USB Removable Disks follow these steps:
  1. Open Registry Editor.
  2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
  3. Locate the following value (DWORD):
Start and give it a value of 4. Note: As always, before making changes to your registry you should always make sure you have a valid backup. In cases where you're supposed to delete or modify keys or values from the registry it is possible to first export that key or value(s) to a .REG file before performing the changes.
  4. Close Registry Editor. You do not need to reboot the computer for changes to apply.

Enable usage of USB Removable Disks

To return to the default configuration and enable your computer's ability to use USB Removable Disks follow these steps:
  1. Go to the registry path found above.
  2. Locate the following value: Start and give it a value of 3.