Help me set up a whitelist computer
March 11, 2015 5:09 AM   Subscribe

I would like to set up a computer for my internet-addicted teenage son (windows 7 or 8, let's say) where internet access is constrained by a "whitelist" of sites. Blacklist-based parental control schemes do not work for tl;dr reasons. Help me re-introduce the internet gradually to my son so he can start afresh.

I need to block all access to the internet for my son except for sites that he needs for school, for his real-world hobbies, and for other sites we might add as we rebuild mutual trust. Yes, we tried the regular parental control avenues. Yes, we tried honest open communication, etc. I'm not looking for parenting advice here. We're currently working with a therapist for internet addiction and we need to move on from a complete internet ban to controlled, gradual internet access. I'm lacking the technical knowledge of how to set up a computer we can use for a gradual re-introduction of internet access.

Constraints:
I have other people who use our router and who do not have such restrictions. I do not want to block them.
I need this to work independent of the browser he uses. It needs to be a whitelist that affects the whole machine at least

Thanks for your help.
posted by cross_impact to Computers & Internet (12 answers total) 3 users marked this as a favorite
 
What you need is Microsoft Family Safety, which is part of Windows Essentials. The Family Safety thing integrates with the Parental Controls built into Windows and adds the necessary whitelisting capability.
posted by pipeski at 5:22 AM on March 11, 2015 [1 favorite]


A warning: whitelisting rarely works since websites rely on CDNs and pull in resources from multiple places. A technical solution to this problem is going to require a lot of your time.
posted by devnull at 5:56 AM on March 11, 2015 [6 favorites]


Seconding what devnull said.

I tried to set up a computer for my nine year old son with a whitelist of websites he could access. Unfortunately, more often than not when he tried to access one of those sites, his browser would need to pull in information from one or more auxiliary sites. These were often sites with long machine-constructed URLs on Amazon web services or Microsoft's content distribution network.

What this meant was that whenever he tried to go to one of his approved web pages, he'd end up calling out to me to approve these additional sites. I'd go over and type in the admin name and password two or three times (once for each site) to approve them. Because the CDN sites are assigned dynamically, this wasn't a matter of just doing it once to get it done. It happened every time. Eventually I gave up on the whitelisting.

Now this doesn't happen with every website. If there are specific websites that your son needs to use for school you could test those out. But it might turn out to not be possible.
posted by alms at 6:22 AM on March 11, 2015 [2 favorites]


Personal caveat here - I have not done this personally, so I can't speak to experience as to how well it works, but you might want to consider something like a Skydog router. It allows you to control access by user and device, giving you the ability to restrict access for your child without impeding anyone else. It is a little pricey, but it sounds like it might do what you want it to.

One tip from my own struggles with this several years ago - Regularly scan the wireless networks that are available in your home. I discovered that my former step-son was tunneling out through an unsecured wifi network that our neighbor had set up.
posted by Crocosaurus at 6:28 AM on March 11, 2015


I don't think CDNs are as big of a deal as others are making them out to be -- if you're whitelisting by domain rather than IP, traditional CDNs are only going to be used for hosting static resources like images. Whitelisting them as a whole shouldn't be an issue (e.g., *.akamai.com), because they have limited value to the internet addicted if you can't access the web pages that are embedding that content. Dual purpose clouds like Amazon and Azure get a little more sticky,

There are plenty of businesses that work off of Internet whitelists. This can be done if you're willing to get in the weeds of assessing and approving sites, and figuring out what's being blocked and why.

I would recommend bluecoat, but that's simply because it's what I use at work and I'm comfortable with the feature set and mostly comfortable with its categorization. It looks like they have a free for home use proxy app. The way to do this would likely be to a) create a rule to block everything (default deny), then b) approve what you want to add in.

Just be smart about it for yourself as well -- if you find yourself in alms' scenario where you're repeatedly approving AWS or Azure services, make sure you think about whether your child needs that exact site or can use something that offers the same resources but without CDN use. Make sure you think about whether it's a worthwhile tradeoff to whitelist the CDN and monitor logs (reactive rather than proactive, detective rather that preventive).
posted by bfranklin at 7:13 AM on March 11, 2015


Do you have a large budget for this project?

I'd suggest visits to www.barracuda.com or www. sonicwall.com. I don't work IT anymore, but this is just the kind of job I'd pay someone else to do. I mean, you could learn all about how to DAPE (Deny All, Permit Exception) at the Windows Firewall level, if you wanted to. You could lock down any recent install of Windows to operate as a "kiosk." You might be able to stay ahead of your child in terms of systems administration competence, which is what we're talking about here.

... or you could job it out. I don't think you want to spend the time to learn all of that stuff. So job it out. Buy a small-biz-grade firewall with the right functionality, pay the annual support fee to get the phone support you'll need to set this up and keep it kid-proof.

It might cost less than therapy.
posted by BrunoLatourFanclub at 9:09 AM on March 11, 2015 [1 favorite]


I went poking around the internet looking into the Skydog router (because I have a similar issue with a teenage boy) and it looks like the router is no longer available for purchase.
posted by elmay at 9:57 AM on March 11, 2015


Since it sounds like there might be challenges with doing it the whitelist route - you may consider reverse engineering this a bit, where all of the websites visited are tracked. So he may get to inappropriate sites once, but you'll be alerted and trust is nixed, and access is shutdown....

Just another option to consider, and may be easier?
posted by Toddles at 10:18 AM on March 11, 2015


Well, shoot.

A less expensive alternative, if your current router has ethernet ports, would be to get a second router specifically to create a network for the child. It's a lot less expensive than getting a fancy router, and you can simply configure that router to use the OpenDNS Parental Controls.

I'd definitely get a router that logs usage and monitor it, though. Kids can be incredibly creative when it comes to getting around internet restrictions.
posted by Crocosaurus at 10:57 AM on March 11, 2015 [3 favorites]


How technically sophisticated is your son? Blind trust in a blocking solution is letting technology do your parenting for you. Not only is this a bad idea in general, it will prove ineffective if the kid's motivated to get around the blocking. Believe me, they tried everything on me, I beat it all. Nowadays it's even easier. When I was a kid, there weren't a million tutorials on how to defeat blocking software just sitting around on the net.

What you need to do is monitor what he's doing online. This will be good practice for when he has a job and IT guys like me look him up for accessing the wrong stuff on work hours. It will also keep you focused on your role. If you don't check the logs that day and he gets away with visiting a place you don't like, you're mutually responsible, and that's how it should be.

Now, getting around logging is pretty trivial, you just need to use a VPN and all your traffic is obscured, but if you've got a machine with no externally accessible services, physically inaccessible to the kid behind a locked door, which monitors and records all your network activity, you'll be able to tell if your kid employs such a solution and confront him with it, and aside from that, you'll be able to monitor all his internet activity. Not just web browsing, but other services too. There are various software packages for doing this, I recommend trying several until you find one you like. They all do basically the same thing, just have different UIs.

The fact that you're not giving details on why the kid's use is problematic or any other history raises a red flag or two for me. I mentioned before I'd circumvented blocks while I was growing up... these were mostly instituted by people who didn't understand what I was doing with the computer, and who therefore feared it, and me. I sincerely hope you've determined that your kid is doing actual harm to himself with his usage and not just fear-based imagined harm.
posted by signsofrain at 2:02 PM on March 11, 2015 [1 favorite]


What if he knew that you'll check what websites he visits?

Get your logs from your router, review them, and then review them with him.
posted by at at 3:25 PM on March 11, 2015


If he's got unsupervised access to a computer he will find away around whatever technical measures you put in place, whether that's via a VPN, Tor, an SSH tunnel, proxies, whatever. You can log everything, which will work right until the first time you confront him with logs, and after that he'll hide his activity. That's probably good traning for a career in IT but probably not what you're trying to achieve.

If you pay someone else to set this up for you, unless you're paying commercial IT security contractor rates (unlikely), they may tell you it's done and take your money but it won't be done.

I think if you only allow use for a limited time per day, and only on a computer in a communal area, that might be good enough.
posted by dickasso at 1:46 AM on March 12, 2015


« Older Spotify alternative for buying mp3's?   |   What are fun new activities my husband and I can... Newer »
This thread is closed to new comments.