Securing Your Internal Network from Windows?

acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."

What threat?

[steve.m]

What threat does a couple of XP boxes pose to 150 MacOSX boxes?

Is there a known trojan/worm/virus that infects XP and then attacks MacOSX ?

Could this entire story be blatant MS bashing, because it's a slow news day?

Re:What threat?

[gengee]

Nonsense. Windows XP with updates and antiviral software is fine. Like previous posters have said, it's a good idea to filter out any inbound traffic not originating from within the network - But then, it's a good idea to do that with ANY operating system.

I've *never* bought the "security risk" argument of Windows boxen creeping onto the network. If it's possible for someone to harm your network by harming a Windows box, there's something wrong with your network. You should be concerned about someone walking in to your facility with a laptop computer and plugging in.

The only valid complaint is that it's not supported by the IT department. Thus, either the users get no support, no PDCs, no Active Directory, no Exchange, etc - They just stick to peer-to-peer, like emailing meeting requests and direct file transfers - Or the IT department spends a lot of time and energy (and money) to support them. That's really a management call - If it's worth the money to let those users be more productive, then no harm, no foul.

Who defines policy, IT or the users?

[Trane+Francks]

Frankly, I think it's bad juu-juu to let users define policy unless it is already mandated by corporate policy. If you have the mandate to nix the installation of Windows boxes on the network, then just do it.

I guess that's the first question then. Can you say no to the request? If so, get 'em running with the standard plan. If not, then firewall them onto their own segment and be very, very tight about what gets in and out from their segment.

Re:Who defines policy, IT or the users?

[j-turkey]

Actually, I think this should be exactly what IT is in place to do. Some of the worst messes I've ever had the displeasure of walking into have been the result of an overly permissive "yeah, sure, whatever you need, go ahead and get it and plug it in" policy.

While you may have a point fundamentally -- I think that you're wrong in this instance. First of all -- this is not the latest whiz-bang gadgetry -- its the latest version of Microsoft's OS -- the most widely used and supported operating system in the world. Corporate EU's shouldn't have to learn your propritary technology (different from what 90% of the coroporate world uses) to get their job done...especially considering that these people are lawyers (they don't have time to learn how to use a different OS). Look at it this way: Your CEO wants to run an SGI Octane2. Do you say "I won't support it -- you can't have it. I'm going to firewall your shit off" or do yo say "OK, we can do that...but I neither have the budget for that workstation, nor the staff to support it. Here's how much it will cost, and here's the skillset we'll need if you want support."?

Also, this poster's attitude is pretty poor:

We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks.

What if one of these XP people is a partner in the firm, is saying no the right thing to do, or will saying no find his ass out on the street? If I were a partner in the firm, I'd fire his ass in a heartbeat for taking that attitude.

My point is, is that saying hell no and being inflexible is the wrong way to run an IT department -- and this crappy attitude tends to be very commonplace in IT. If this guy actually cares and wants to do the right thing here (instead of hearing a bunch of self-congratulatory Mac users suck each others dicks), what he should do is to explain the situation to his EU's, and offer a couple of alternatives...such as one of the company's old PC's running Win2K running alongside of the Apple -- or (like I said before) let them have it, and tell them that you simply don't have the budget to support a small minority and they're on their own...also tell them what services that they're missing out on by using the alternative OS.

The EU's don't necesarily think that they know more than IT -- they're most likely more comfortable with the Windows environmant than that of the Apple (and likely more productive with it). The fact that this manager is taking the "I know what's best because I'm an IT manager and this is the easiest thing for you to use...damnit" stance is just a bad attitude, and I hope he doesn't really talk down to his users like that...but then again, as much as I hate IT, I'm looking for a different job, and his firm sounds like a nice place to work as a IT manager/admin (after all, I really like the new MacOS).

-Turkey

Stay honest here and stop the reflexive M$ bash!

[TeeWee]

Imagine a story where the opposite is true: a Windows Network Admin who asks how to secure a few Macs from the rest of the Win network. Be honest, the bloke would be flamed to a cinder, and rightly so, because securing a network should be part of a Network Admin's daily job!

So why is the majority of the reactions like, "Oh, poor Mac Network Admin, those Win users deserve any shit they get!" Why not subtly reminding him what the fsck his job is in the first place?

Oh wait, I see: he needs to maintain a few WinXP boxes in a *nix environ, so when he bitches he must be right. Because it's Microsoft. Right?

Network Administrator?

[Ummagumma]

There are several ways you can do this (why, I don't know, but thats your call). Any Network Administrator should already know this stuff, however.

You could VLAN the XP boxes onto thier own segment, then use Access Control Lists to only let the traffic through that you want. Or, alternately, a firewall.

You could publish desktop standards (with management approval, of course), and simply turn of the switch ports of the XP boxes until they get a Mac.

Or, you can leave them on the same networks as the Macs. Just dont let them install 2000 Server or whatnot with ADS, and you should have no problem. Is there a specific cross platform virus you are worried about, or are you just a chest thumping over-zealous sysadmin?

Re:The irony is sickening.

[jman11]

This isn't about software freedom or any of that garbage. The issue is that some guy is responsible for security. The opinion is that a unix based OS is the only reasonable choice and giving a windows machine access will be a serious security weakness.

Of course you can use whatever you want at home and should be able to. When you are at a work place, it is reasonable to expect to be mandated to use certain equipment. This is particuarly relevant if you are at risk of revealing secure information. Owning one machine on the network, that isn't cordoned off, will allow you to gain access to the rest of the network much more easily than if this vulnerable machine wasn't there.

Quite clearly you are full of shite and have no idea about what the article was talking about. Enjoy your life and mindless zealotry against mindles zealotry, but please try to be mindlessly zealous about people who are being mindlessly zealous and not just those trying to do their job. This simple precaution will allow your mindless zealotry to be much less offensive; it will merely disappear in a thick background of mindless zealotry.

Either you "own" your network or you don't

[unsinkableme]

In the past, I have handled this question in a number of ways. First, you need to establish how necessary it is to their jobs to work on a platform different from the rest of the company. This doesn't have to be a platform war. There are plenty of reasons for them to want a different platform, pick your battles carefully. If it is still necessary that the Windows boxes remain, establish who the admins are for the boxes. If your endusers insist they can administer the boxes,I would refuse to allow them to attach it to the network. It's all very well and good for them to be technically savvy, but the network is still your responsiblity.

However if you administer the machine, and I realize it's probably not your first choice, you need to start reading up on Windows. Yes, there's a lot to keep up with, however their can be some advantages to understanding different platforms and being able to administer and secure them in the same environment. And regardless of how any one feels about it, Window is still the most common business environment.

Additionally, I see several post that seem to question the legitimacy of the original question. This *is* a legitimate question, as any one who has had samba and appletalk on the same network can tell you. Discussing security concerns when integrating two very different platforms with different vulnerabilities is more than reasonable for any Administrator, especially in a small business environment where the only other "collegues" they may have access to are the very same users insisting on the installing their own boxes.

Re:Either you "own" your network or you don't

[michael_cain]

First, you need to establish how necessary it is to their jobs to work on a platform different from the rest of the company. This doesn't have to be a platform war. There are plenty of reasons for them to want a different platform, pick your battles carefully.

This is an excellent point, and I was surprised at how far down I had scrolled before someone made it. There is a lot of software that is only available for the Windows platform, and the users may have legitimate needs for a specific program requiring Windows with regard to a client and/or project. The general flavor of the original question doesn't really suggest that situation, but it's clearly possible.

In such a case, it is almost certainly appropriate to provide support for the Windows hosts for that single purpose. That doesn't mean that those hosts are supported for "regular" functions such as e-mail, file and printer sharing, or Web browsing.

If it's just a case of a couple of users who prefer Windows over the Mac, at some point someone with budget authority needs to make a basic decision on the relative costs of (a) those users' happiness versus (b) the very real costs in software and time associated with adding support for Windows on the network. A company with 150 desktops will have someone watching over the budget, and their answer is probably "We're a Mac shop, get over it."

Re:The irony is sickening.

[phallstrom]

>> So users can use whatever damn platform they want. If you wanna go crazy and put X on your box, and that's not the company's party line, fine, as long as you don't expect ANY platform specific support, I don't care.

I hate being told what to use as much as anybody (heck, my wife *quit* her last job because they were going to make her use Outlook... for shared calendering... on a Mac! ha ha :), but you *will* support that system even if you say you won't. The first time the PHB needs something from that person and that person's computer if screwed up, you can bet that you'll be there trying to fix it.

So there are good reasons to mandate certain things...

Meet Them on Their Own Terms

[TheWanderingHermit]

They're lawyers, right? Don't deal with them as tech wannabes. Deal with them as lawyers. For a change like this, one of the very top PHBs must have either okay'ed this, or instigated it. Go up the ladder to the highest lawyer in the firm that was behind this switch. Have him help you prepare a form that says something like, "Since Windows XP has been shown to have the following security vulnerabilities...yada yada yada...and the Macintosh OSX has been shown to be a more secure system...yada yada yada...I understand that in insisting that I use Windows XP as my desktop operating system, I am increasing the risk of having not only my computer, but the entire corporate network either infected or damaged by viral programs, as well as the risk of my computer or the entire network being accessed illegally by unauthorized persons. I fully understand it is my choice to use this software and I take full legal and financial responsibility for any damage done to my desktop system or the company network as a result of my choice of running an OS with these known high risks."

Be sure to include in the paper (where the first set of yadas is) lists of vulnerabilities of WinXP, including the recend IE/Outlook flaws for which there is (as of yet) no sure fix. In place of the 2nd set of yadas, put in documentation that shows OSX is more stable and less vulnerable.

The point is to take the issue to them on their grounds and show them that their choice can have serious implications for them and the entire law firm and that they could be the idiot responsible for the whole system going down. If they are talked to in their language and made to see their choice as a real action with real (and possibly disasterous) consequences, it could open their eyes. You might still have to deal with WInXP, but it'll certainly get them thinking about it.

Re:Stay honest here and stop the reflexive M$ bash

[kableh]

No, the majority of the reactions here are "WTF is your problem with letting them run XP? Are you some kind of IT nazi?! No Windows for you!"

IT should ABSOLUTELY be dictating policy on their LAN. Assuming COMPETENT IT personnel, they are responsible for ensuring the security of their LAN. It is going to be IT's ass on the line when some Windows box spews Klez emails all over the web.

Remember that worm that infected Samba shares? What if a file gets infected by a Windows machine, but noone knows until they email it out to some unwitting client? Instead of giving everyone who expresses some dislike for Microsoft products a hard time, how about offering a suggestion to help this guy?

To be honest, it shouldnt take much to keep those XP boxen secure. If they won't be using Outlook, that is a big first step =). After that, keep IIS off the machines, install Microsoft's automagic update feature, and you should be good to go. If possible, make user accounts for the users of the machine and keep them in the users or power users group, to keep them from installing any other software. If they can justify having a Windows box on your company's LAN, you can justify some conditions.

Re:Stay honest here and stop the reflexive M$ bash

[kableh]

EXACTLY! They have to make sure the LAN is up! This we can agree on. Part of that is making sure you KNOW what is on your network, and are aware of the possible vulnerablilities. And the only way to do so is to spell out exactly what IS and ISN'T allowed on your LAN.

I work for a company composed largely of engineers, who are working on a networking product. Yet these same engineers don't think twice of plugging a box into our core LAN, and running a piece of software designed to do funky things with IP they can't predict the results of. I had my core LAN going down once or twice a week because some engineer's machine was spewing bogus ARP packets on the network. I do my best to accomodate these guys and not inconvenience them, but when they start taking down the LAN and interrupting everyone else's work I had to draw the line.

IT shouldn't act like a bunch of Nazis, but part of keeping a LAN secure and functional is dictating a policy of what is and isn't allowed on a network. This is where the management side of MIS comes in. There is more to MIS than being a tech. Maybe I'm confusing MIS and IT? Perhaps, but then a lot of people here are too. Do any of the idiots bashing this guy have any experience at all?

Has anyone else done tech for a law firm, here?

[Insightfill]

I have, and the rules are different than most companies. If you've ever worked in legal, then corporate, you know the diff. I've trained, supported and done development at probably five out of the top twenty largest firms, and dozens of the top 200.

Every attorney is a PHB, complete with their own dictates and whims. Some attorneys are cool, some aren't. Going "by the book" is a great way to tick off someone who can get you fired.

Yes, it should be a stated/printed IT policy that only Macs are supported, but you've still gotta help the Windows users. But do it slowly, begrudgingly, and occasionally mention that it's just a favor, and how lucky they were that someone was around who could do it.

Failure to support their PCs can get you fired, or at least make your life rough. Supporting them too well will subvert your goal and make your job harder in the long run. You want to get across the point that it's the PC that's making their job harder, not you. If you can rig the network to drop a fair percent of their packets or throttle their bandwidth on days you're in the mood, then do it to slow things down a little. When their coworkers and secretaries are getting lower pings and faster downloads than they are, they'll figure it's the PC and come to your side.