Job:

Well, for one thing, you could remove public execute status for firefox and any other browsers on the system, put all www-enabled users in a common group, and only allow that group to execute those programs. They could still send and receive email though, which I assume you'd still want.

That would go for other individual programs. Most system utilities that still show on the menus prompt for the root password before they will run.

Scully

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Job Cacka
Sent: Friday, February 24, 2006 4:52 PM
To: RedHat Mailing List
Subject: Lock down WWW Access

In the past we have restricted WWW access for individual logins by allowing or denying access to the proxy server for an individual login. This has worked great for Windows boxes.

On a Redhat ES 4 server we have enabled X11 and we are using various thin clients to connect to the server. We are using KDE to provide a desktop. We have removed most of the menu options, although if the user was sophisticated enough they could add them back to the panel or create an icon to provide themselves access to the WWW, Games, and various other distractions that we would rather not leave open. Right now we are securing by obscurity, and we would like to get away from this.

What I would like to do is:

1. Remove all games from the Red Hat server or at least non-root access to them.
2. Have the option to allow or deny WWW access per login, without restricting local browser functionality.
3. Allow or deny access to individual menu items per login.

So how do I do this? What is the most efficient method? I will need to be able to do this for 100+ logins spread over 3 servers in the future. This is in limited production now and is working well with less than a dozen logins.

Job Cacka
Network Administrator

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
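
The group-based restriction suggested in the reply, with an audit for files that remain executable by everyone, as an added shell example that is not part of the original thread. The directory tree, the file names and the group name `wwwusers` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: group-gated execute permission plus an audit for leftovers.
# Assumptions: the demo tree and file names below are constructed; on a real
# server the group would be a dedicated one (e.g. a hypothetical "wwwusers").

# restrict_exec FILE GROUP
# Give FILE to GROUP and remove every permission for "other" (mode 0750),
# so only the owner and members of GROUP can read or execute it.
restrict_exec() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# world_exec DIR
# Print regular files under DIR that "other" may still execute. Anything
# listed here is runnable by users outside the allowed group.
world_exec() {
    find "$1" -type f -perm -0001 -print | sort
}

# mode_of FILE: the ten-character permission string, e.g. -rwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a constructed tree: a launcher script and the binary it starts.
demo() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/usr/bin" "$tree/usr/lib/browser"
    printf '#!/bin/sh\n' > "$tree/usr/bin/browser"
    printf '#!/bin/sh\n' > "$tree/usr/lib/browser/browser-bin"
    chmod 0755 "$tree/usr/bin/browser" "$tree/usr/lib/browser/browser-bin"

    # The invoking user's own group stands in for the dedicated group so the
    # demo runs without root.
    restrict_exec "$tree/usr/bin/browser" "$(id -g)"
    echo "launcher mode: $(mode_of "$tree/usr/bin/browser")"
    echo "still world-executable:"
    world_exec "$tree" | sed "s|^$tree|  |"
    rm -rf "$tree"
}

demo
```

Running `world_exec` over the real install directories after each package update shows whether an upgrade has reset the modes to their packaged defaults.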