Securing Your Internal Network from Windows?
acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features'. Any and all ideas are welcome."
While I'm sure that someone with a clue could manage to run a WinXP computer just as securely and stably as any Linux, OSX, ... machine out there... I doubt that someone who insists on having a stupid PC when he could have a Power-MAC instead has any usable brain left...
It's probably your job to keep the network running, stable and secure, and therefore I would do nothing... just check for open ports/running services about once a day (that can be automated), and whenever you note something that is against the acceptable use policy of your network, disconnect them until it's fixed. That's the way it's done in many places: if you use something that's not approved and managed by IT, you will have to care for it yourself.
They want to create work for you (not having a homogeneous{sp?} network increases the workload!)... you will delegate this back to them.
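The daily open-port check suggested in the comment above can be automated by comparing a scan of the segment against a per-host allow-list. This is an added example, not part of the original comment; it assumes the scan is saved in nmap's grepable (`-oG`) format, and the addresses, host names, allow-list and sample output are constructed.

```python
import re

# Assumed policy for the XP segment: TCP ports each host may expose.
# Hosts not listed here may expose nothing. Addresses are constructed.
ALLOWED = {
    "192.0.2.11": {3389},
    "192.0.2.12": set(),
}

# Constructed sample in nmap's grepable (-oG) format, e.g. from a daily
# cron job running: nmap -p- -oG scan.gnmap 192.0.2.0/28
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.11 (xp-desk1)\tStatus: Up
Host: 192.0.2.11 (xp-desk1)\tPorts: 135/filtered/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.12 (xp-desk2)\tStatus: Up
Host: 192.0.2.12 (xp-desk2)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.13 ()\tPorts: 21/open/tcp//ftp///
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def open_ports(gnmap_text):
    """Return {ip: {port: service}} for TCP ports reported as open."""
    result = {}
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, _name, ports = m.groups()
        ports = ports.split("\t")[0]  # drop trailing fields such as "Ignored State"
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open" and fields[2] == "tcp":
                result.setdefault(ip, {})[int(fields[0])] = fields[4]
    return result

def violations(gnmap_text, allowed=ALLOWED):
    """List (ip, port, service) for every open port the policy does not allow."""
    found = []
    for ip, ports in sorted(open_ports(gnmap_text).items()):
        permitted = allowed.get(ip, set())  # unknown host: nothing permitted
        for port in sorted(ports):
            if port not in permitted:
                found.append((ip, port, ports[port]))
    return found

if __name__ == "__main__":
    for ip, port, service in violations(SAMPLE_SCAN):
        print(f"{ip}: port {port}/tcp ({service}) is outside the policy")
```

A host that appears in the scan but not in the allow-list is treated as permitted nothing, so an unregistered machine on the segment is reported as well.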