Securing Your Internal Network from Windows?

← Back to Stories (view on slashdot.org)

Securing Your Internal Network from Windows?

Posted by Cliff on Tuesday November 26, 2002 @09:35PM from the protecting-your-network-externally-and-internally dept.

acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."

4 of 78 comments (clear)

Min score:

Reason:

Sort:

The irony is sickening. by GreyWolf3000 · 2002-11-26 21:42 · Score: 5, Interesting

We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks.

Users who think they know more than the IT department, who run a Mac network, insisting that they maintain Windows boxes? I keep reading that sentence over and over and alternating between laughing my ass off and getting mildly furious.
You: "MacOSX is built on UNIX technology, and is more stable, sports a superior IP stack, and new users will find it much easier to use, thanks to the greatest GUI ever designed"
Them: "No thanks, I use a real computer, and that starts with a PC running Windows."
I feel for you man...

--
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
1. Re:The irony is sickening. by HRbnjR · 2002-11-26 22:02 · Score: 4, Interesting
  
  Well, I don't really feel for him.
  
  I'm big into standards - whether they be standards for web pages, or XML formats for document exchange, or things like POSIX. Yep, I'm all for interoperability.
  
  Why?
  
  So users can use whatever damn platform they want. If you wanna go crazy and put X on your box, and that's not the company's party line, fine, as long as you don't expect ANY platform specific support, I don't care. You like Linux, go right ahead. Mac? No Problem. Happy with your PDP11? Go crazy. Windows XP? Sure, spoon feed Bill dinner if you like, I don't care. Whatever you are the most comfortable with, and makes you the most productive, that's fine with me. You can pick your platform, software, whatever.
  
  This is not only hinged on interoperability of document standards though. The administrator has to be judicial in maintaining server security too. Many admins get lazy, wirefall off the outside world, forget about security on the inside, and hope for the best. I say, religious backups, and good group/user security policies on all servers are a must.
  
  In my mind, the Free in Free Software allows you the freedom to use /any/ software you want.
You won't really need it... by gnovos · 2002-11-26 21:54 · Score: 4, Interesting

Just stick a firewall in front of them (filtering out ALL inbound not originating from the box) and let them share a hub. That way they can do all thier little active directory stuff with each other and won't have to worry about hackers hacking in. In fact, filter out all traffic coming OUT too and use a proxy for web browsing and mail and you won't have to worry about emailed code-red type things clogging up your network when they look at them in outlook.

--
"Your superior intellect is no match for our puny weapons!"
It *is* entertaining.. by 0x0d0a · 2002-11-27 00:17 · Score: 5, Interesting

Funny as this is (IT department demands users use MacOS, users refuse and want to use Windows), there's a simple fix. If these folks are so computer-centric that they can handle this themselves, let them run (as an alternate...I'd put a normal, supported computer on their desk so that they're never in a situation where they can say "hey, I can't do X and the IT department won't help") Windows. Make them admin the box themselves too, and state very clearly at the outset that connecting a nonstandard box to the network is a privilege, not a right, and at the first onset of problems, the box goes permanently.

A lot of Windows networks have Linux boxes creeping on to them via this route -- the users have to admin them, and are fully responsible if anything goes wrong.

I'd also put a few hard rules on the users -- if they break them, they're in violation. First, SMB/CIFS goes. Windows file sharing causes more problems than anything else on earth. Second, it's probably not a bad idea to budget to get them antivirus programs. Third, I wouldn't let them run their own servers (IIS or whatnot) unless this is already a normal policy (users running servers is kosher) and you have them blocked from the outside world -- users simply do not reasonably have the time if they're doing their work to keep servers up to date.

That being said, your job is to allow the users to get their work done as efficiently as possible. If they're uncomfortable in a non-Windows environment, don't make yourself disliked by trying to impose a different environment on them. Make reasonable restrictions, as I noted above, but don't axe their desires just because they're Windows-based.

I'd try this approach regardless of the OS being used, if it's an unsupported OS, as a matter or fact.

Oh, and the last item: you may (I feel reasonably) ban the use of Outlook on your network. People can argue as much as they want about whose fault Outlook issues are and whether Outlook is simply targeted because it's popular, but there have been enough nasty worms and problems coming from Outlook that I don't think I'd want to administer a network with it on it.

--
May we never see th