Is it possible to restrict website geographically ?



Marlon
07-09-2005, 10:53 PM
Imagine I need to publish a website for a K-12 institution that gives people
access to grades. I am sure that only users from my State area would need to
access such site.

Is there any method to reliably let only people from, let's say, my State or
perhaps the US utilize such website ?

I figured that I could greatly minimize the surface of attack if I make this
site unavailable to the rest of world.

Galen
07-09-2005, 10:53 PM
In news:%23tmQJCuaFHA.1088@TK2MSFTNGP14.phx.gbl,
Marlon <marlon-nospam@hotmail.com> had this to say:

My reply is at the bottom of your sent message:

> Imagine I need to publish a website for a K-12 institution that gives
> people access to grades. I am sure that only users from my State area
> would need to access such site.
>
> Is there any method to reliably let only people from, let's say, my
> State or perhaps the US utilize such website ?
>
> I figured that I could greatly minimize the surface of attack if I
> make this site unavailable to the rest of world.

Can it be done? In theory to some extent it could be. It would be
ineffective and block out legitimate users though. I, for example, use a
piece of compression software (I'm on dialup with no other alternatives that
are acceptable to me) which will make my IP address appear to be from New
Hampshire while I'm actually in Maine. Beyond that many IP addresses are
sub-leased to other countries or companies. Even generic IP resolution to
address is no longer as effective as it once was.

You could prevent the indexing of the site and caching of the site with meta
tag information for starters. You could assign a generic user/password
(changing monthly or so) via the .htaccess if you wanted. Trying to block an
entire world with the exception of a single state/geographical area is not
going to be very effective probably and will be far too difficult to
implement. You could also block some domains, say .co.uk, .ru, .ca, etc as
those likely aren't in your state and the IP should not resolve to that -
though, again who's to say someone isn't using a proxy server for legitimate
reasons?

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes

andy smart
07-09-2005, 10:53 PM
Marlon wrote:
> Imagine I need to publish a website for a K-12 institution that gives people
> access to grades. I am sure that only users from my State area would need to
> access such site.
>
> Is there any method to reliably let only people from, let's say, my State or
> perhaps the US utilize such website ?
>
> I figured that I could greatly minimize the surface of attack if I make this
> site unavailable to the rest of world.
>
>

Your question 'should' be, how do I only allow authorized people,
regardless of location, to access the grades on my website.

Malke
07-09-2005, 10:53 PM
andy smart wrote:

> Marlon wrote:
>> Imagine I need to publish a website for a K-12 institution that gives
>> people access to grades. I am sure that only users from my State area
>> would need to access such site.
>>
>> Is there any method to reliably let only people from, let's say, my
>> State or perhaps the US utilize such website ?
>>
>> I figured that I could greatly minimize the surface of attack if I
>> make this site unavailable to the rest of world.
>>
>>
>
> Your question 'should' be, how do I only allow authorized people,
> regardless of location, to access the grades on my website.

I thought that too when I first read the OP's post. After all, why would
anyone but people directly connected with the school (parents,
teachers, kids) want to see information about it? In that case, there
is already software available to do that - both my kids' schools have a
deal where you log into a website, enter the username/pwd and have
access.

Maybe the OP was really trying to do something else? I guess we'll never
know unless he comes back and enlightens us.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Marlon
07-09-2005, 10:53 PM
No. Obviously the website will require authentication, but if you are able
to access the website from China and Korea, you should also be able to try
few combination of "reset my password" questions/answers to be able to
figure out which the password is. Why not just minimize the number of people
unauthorized to visit the site by restricting this geographically ? Too bad
that there is no effective way of retrieving geographical information,
because that would be very helpful in situations like this, which only
local people should have interest in contents associated with such site.


"Malke" <invalid@not-real.com> wrote in message
news:u6v8Fq2aFHA.3620@TK2MSFTNGP09.phx.gbl...
> andy smart wrote:
>
> > Marlon wrote:
> >> Imagine I need to publish a website for a K-12 institution that gives
> >> people access to grades. I am sure that only users from my State area
> >> would need to access such site.
> >>
> >> Is there any method to reliably let only people from, let's say, my
> >> State or perhaps the US utilize such website ?
> >>
> >> I figured that I could greatly minimize the surface of attack if I
> >> make this site unavailable to the rest of world.
> >>
> >>
> >
> > Your question 'should' be, how do I only allow authorized people,
> > regardless of location, to access the grades on my website.
>
> I thought that too when I first read the OP's post. After all, why would
> anyone but people directly connected with the school (parents,
> teachers, kids) want to see information about it? In that case, there
> is already software available to do that - both my kids' schools have a
> deal where you log into a website, enter the username/pwd and have
> access.
>
> Maybe the OP was really trying to do something else? I guess we'll never
> know unless he comes back and enlightens us.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User

andy smart
07-09-2005, 10:53 PM
Marlon wrote:
> No. Obviously the website will require authentication, but if you are able
> to access the website from China and Korea, you should also be able to try
> few combination of "reset my password" questions/answers to be able to
> figure out which the password is. Why not just minimize the number of people
> unauthorized to visit the site by restricting this geographically ? Too bad
> that there is no effective way of retrieving geographical information,
> because that would be very helpful in situations like this, which only
> local people should have interest in contents associated with such site.
>
>
> "Malke" <invalid@not-real.com> wrote in message
> news:u6v8Fq2aFHA.3620@TK2MSFTNGP09.phx.gbl...
>
>>andy smart wrote:
>>
>>
>>>Marlon wrote:
>>>
>>>>Imagine I need to publish a website for a K-12 institution that gives
>>>>people access to grades. I am sure that only users from my State area
>>>>would need to access such site.
>>>>
>>>>Is there any method to reliably let only people from, let's say, my
>>>>State or perhaps the US utilize such website ?
>>>>
>>>>I figured that I could greatly minimize the surface of attack if I
>>>>make this site unavailable to the rest of world.
>>>>
>>>>
>>>
>>>Your question 'should' be, how do I only allow authorized people,
>>>regardless of location, to access the grades on my website.
>>
>>I thought that too when I first read the OP's post. After all, why would
>>anyone but people directly connected with the school (parents,
>>teachers, kids) want to see information about it? In that case, there
>>is already software available to do that - both my kids' schools have a
>>deal where you log into a website, enter the username/pwd and have
>>access.
>>
>>Maybe the OP was really trying to do something else? I guess we'll never
>>know unless he comes back and enlightens us.
>>
>>Malke
>>--
>>Elephant Boy Computers
>>www.elephantboycomputers.com
>>"Don't Panic!"
>>MS-MVP Windows - Shell/User
>
>
>
Why would you be more likely to want to hack that information if you
live in China or Korea? The good people of the far east are totally
uninterested in your assessment results.

The people who would want to access that information without
authorisation are those who would want to misuse it; and they are people
within your own community.

Malke
07-09-2005, 10:53 PM
Marlon wrote:

> No. Obviously the website will require authentication, but if you are
> able to access the website from China and Korea, you should also be
> able to try few combination of "reset my password" questions/answers
> to be able to figure out which the password is. Why not just minimize
> the number of people unauthorized to visit the site by restricting this
> geographically ? Too bad that there is no effective way of retrieving
> geographical information,
> because that would be very helpful in situations like this, which
> only local people should have interest in contents associated with
> such site.
>
Why would anyone except people directly connected with the school want
to get into it? Why would anyone from China and Korea be interested in
this site? If you are concerned about website hacking, the way to do it
is not to worry about geography - the way to do it is to secure your
webserver! Hackers aren't going to waste time trying to get in through
the reset my password thing - they'll get in through holes in the
server.

If you are considering running your own webserver for the school, based
on your posts you would be much better off to let a hosting company do
it for you. I'm not saying this to hurt your feelings, but you really
need to learn a lot more about webserver security before you set up
your school's website.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Alun Jones [MSFT]
07-09-2005, 10:53 PM
"Marlon" <marlon-nospam@hotmail.com> wrote in message
news:%23tmQJCuaFHA.1088@TK2MSFTNGP14.phx.gbl...
> Imagine I need to publish a website for a K-12 institution that gives
> people
> access to grades. I am sure that only users from my State area would need
> to
> access such site.

Users from your state area may occasionally travel outside of your state
area. I have a child in school, and yet I spend some time every year
several thousand miles away from his school district. So does he. Assuming
that I don't have any restraining orders preventing me knowing about my
child's grades, what is the reason for preventing me from, say, showing his
grades to his grandparents?

> Is there any method to reliably let only people from, let's say, my State
> or
> perhaps the US utilize such website ?

Not 100% reliable, no. There have been a number of methods for roughly
tracking whose IP address comes from what area of the world, but it is
easily defeated by setting up a VPN. There's also the possibility that your
traffic may go through a distant router or provider. A cross-town
connection may go out of state and back on a regular basis, and even the
end-point may appear to be hugely distant from its actual location.

> I figured that I could greatly minimize the surface of attack if I make
> this
> site unavailable to the rest of world.

With hackers allegedly controlling "zombie armies" of infected computers,
this probably would have a minimal effect on improving your security, while
simultaneously reducing usability to those users who are out of town, or who
inadvertently use an ISP that your chosen solution has decided is "too far
away".

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
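
Added example, not part of any poster's message: a small geo-IP allow-list run over constructed requests, showing the two failure modes raised in this thread (authorized users who appear out of state get blocked, and an infected in-state machine is still allowed). The prefix table, region labels and request list are constructed for illustration and use RFC 5737 documentation addresses, not a real geo-IP database.

```python
import ipaddress

# Constructed prefix-to-region table standing in for a geo-IP database.
# Region labels and prefix assignments are hypothetical.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US-ME"),     # in-state ISP
    (ipaddress.ip_network("192.0.2.128/25"), "US-NH"),   # part of it sub-leased out of state
    (ipaddress.ip_network("198.51.100.0/24"), "US-NH"),  # compression proxy / VPN egress
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),      # overseas ISP
]
ALLOWED_REGIONS = {"US-ME"}

def lookup_region(ip):
    """Longest-prefix match; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, region) for net, region in GEO_TABLE if addr in net]
    return max(matches)[1] if matches else None

def geo_allows(ip):
    """The geographic filter: allow only addresses mapped to an allowed region."""
    return lookup_region(ip) in ALLOWED_REGIONS

# Constructed requests: (source IP, who is really behind it, is that person authorized?)
REQUESTS = [
    ("192.0.2.10", "parent at home", True),
    ("192.0.2.200", "parent on the sub-leased block", True),
    ("198.51.100.7", "parent on dial-up compression proxy", True),
    ("203.0.113.5", "parent travelling abroad", True),
    ("192.0.2.77", "infected in-state PC (zombie)", False),
    ("203.0.113.99", "overseas scanner", False),
]

def evaluate(requests):
    """Return (authorized users the filter blocks, unauthorized sources it allows)."""
    blocked_ok = [who for ip, who, ok in requests if ok and not geo_allows(ip)]
    allowed_bad = [who for ip, who, ok in requests if not ok and geo_allows(ip)]
    return blocked_ok, allowed_bad

if __name__ == "__main__":
    blocked_ok, allowed_bad = evaluate(REQUESTS)
    print("authorized but blocked:", blocked_ok)
    print("unauthorized but allowed:", allowed_bad)
```

On this sample the filter turns away three of the four authorized users while still admitting the compromised in-state machine, so authentication remains the control that decides who sees grades.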

