Securing Your Internal Network from Windows?

acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."

The irony is sickening.

[GreyWolf3000]

We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks.

Users who think they know more than the IT department, who run a Mac network, insisting that they maintain Windows boxes? I keep reading that sentence over and over and alternating between laughing my ass off and getting mildly furious.

You: "MacOSX is built on UNIX technology, and is more stable, sports a superior IP stack, and new users will find it much easier to use, thanks to the greatest GUI ever designed"

Them: "No thanks, I use a real computer, and that starts with a PC running Windows."

I feel for you man...

Re:The irony is sickening.

[HRbnjR]

Well, I don't really feel for him.

I'm big into standards - whether they be standards for web pages, or XML formats for document exchange, or things like POSIX. Yep, I'm all for interoperability.

Why?

So users can use whatever damn platform they want. If you wanna go crazy and put X on your box, and that's not the company's party line, fine, as long as you don't expect ANY platform specific support, I don't care. You like Linux, go right ahead. Mac? No Problem. Happy with your PDP11? Go crazy. Windows XP? Sure, spoon feed Bill dinner if you like, I don't care. Whatever you are the most comfortable with, and makes you the most productive, that's fine with me. You can pick your platform, software, whatever.

This is not only hinged on interoperability of document standards though. The administrator has to be judicial in maintaining server security too. Many admins get lazy, wirefall off the outside world, forget about security on the inside, and hope for the best. I say, religious backups, and good group/user security policies on all servers are a must.

In my mind, the Free in Free Software allows you the freedom to use /any/ software you want.

You won't really need it...

[gnovos]

Just stick a firewall in front of them (filtering out ALL inbound not originating from the box) and let them share a hub. That way they can do all thier little active directory stuff with each other and won't have to worry about hackers hacking in. In fact, filter out all traffic coming OUT too and use a proxy for web browsing and mail and you won't have to worry about emailed code-red type things clogging up your network when they look at them in outlook.

What threat?

[steve.m]

What threat does a couple of XP boxes pose to 150 MacOSX boxes?

Is there a known trojan/worm/virus that infects XP and then attacks MacOSX ?

Could this entire story be blatant MS bashing, because it's a slow news day?

Logical segmentation or VLANs

[Twylite]

Given the number of computers involved I am assuming you are using switches. One option you have is to configure VLANS - I'm not very clued up on these, but iirc you should be able to construct a logical separate LAN from a group or port or MAC addresses. Then you need a gateway between the Windows VLAN and the Mac VLAN, with a firewall which can protect them from each other.

This can be a bit nasty to manage though. If its a port-based VLAN you have to make sure the boxes are plugged into the right network sockets, or they'll be on the wrong VLAN. If believe MAC-based VLANs are possible (but I could be wrong); in which case you have to have a list of MACs and whether they are Windows or Mac machines, and assign them ... tedious.

A simpler solution could be to insist that all Windows boxes use DHCP, and assign them addresses in a particular subnet. If you want the Mac boxes to use DHCP too, you'll have to do MAC reservations for the Windows network cards to make sure they go onto the right subnet. Then have a gateway/firewall. This doesn't protect against lusers who give their computer a static IP on the logical Mac subnet ... but it gives you some ability to manage the situation.

To detect troublecausers, you could automate a security scanning tool to check the Mac network for computers which appear to be Windows boxes.

Stay honest here and stop the reflexive M$ bash!

[TeeWee]

Imagine a story where the opposite is true: a Windows Network Admin who asks how to secure a few Macs from the rest of the Win network. Be honest, the bloke would be flamed to a cinder, and rightly so, because securing a network should be part of a Network Admin's daily job!

So why is the majority of the reactions like, "Oh, poor Mac Network Admin, those Win users deserve any shit they get!" Why not subtly reminding him what the fsck his job is in the first place?

Oh wait, I see: he needs to maintain a few WinXP boxes in a *nix environ, so when he bitches he must be right. Because it's Microsoft. Right?

It *is* entertaining..

[0x0d0a]

Funny as this is (IT department demands users use MacOS, users refuse and want to use Windows), there's a simple fix. If these folks are so computer-centric that they can handle this themselves, let them run (as an alternate...I'd put a normal, supported computer on their desk so that they're never in a situation where they can say "hey, I can't do X and the IT department won't help") Windows. Make them admin the box themselves too, and state very clearly at the outset that connecting a nonstandard box to the network is a privilege, not a right, and at the first onset of problems, the box goes permanently.

A lot of Windows networks have Linux boxes creeping on to them via this route -- the users have to admin them, and are fully responsible if anything goes wrong.

I'd also put a few hard rules on the users -- if they break them, they're in violation. First, SMB/CIFS goes. Windows file sharing causes more problems than anything else on earth. Second, it's probably not a bad idea to budget to get them antivirus programs. Third, I wouldn't let them run their own servers (IIS or whatnot) unless this is already a normal policy (users running servers is kosher) and you have them blocked from the outside world -- users simply do not reasonably have the time if they're doing their work to keep servers up to date.

That being said, your job is to allow the users to get their work done as efficiently as possible. If they're uncomfortable in a non-Windows environment, don't make yourself disliked by trying to impose a different environment on them. Make reasonable restrictions, as I noted above, but don't axe their desires just because they're Windows-based.

I'd try this approach regardless of the OS being used, if it's an unsupported OS, as a matter or fact.

Oh, and the last item: you may (I feel reasonably) ban the use of Outlook on your network. People can argue as much as they want about whose fault Outlook issues are and whether Outlook is simply targeted because it's popular, but there have been enough nasty worms and problems coming from Outlook that I don't think I'd want to administer a network with it on it.

You are a Law Firm...

[Technician]

Read the EULA carefully. Especialy the part regarding auditing any and all computers in the building. Let your staff know the building can not support the liabiality risk of the other OS.
Please do not give the BSA a free ticket in the front door.

Yes, that's nice and all but...

[amarodeeps]

...the reason he's griping about his WinXP boxes is that he doesn't want any viruses banging on his network, crackers hijacking these machines, etc.--Windows IS more susceptible to this stuff, if for no other reason (and there may be other reasons) than it is so popular right now, and it is not exactly set up by default to be secure. So get off your high and mighty standards-compliance horse (no matter that I agree with you--I think you have a good point about what _should_ be the case) and remember this guy has to deal with a real-world situation.

Plus, MS is not really into standards-compliance last I heard, and that also kinda puts a crimp in your ideology...

Either you "own" your network or you don't

[unsinkableme]

In the past, I have handled this question in a number of ways. First, you need to establish how necessary it is to their jobs to work on a platform different from the rest of the company. This doesn't have to be a platform war. There are plenty of reasons for them to want a different platform, pick your battles carefully. If it is still necessary that the Windows boxes remain, establish who the admins are for the boxes. If your endusers insist they can administer the boxes,I would refuse to allow them to attach it to the network. It's all very well and good for them to be technically savvy, but the network is still your responsiblity.

However if you administer the machine, and I realize it's probably not your first choice, you need to start reading up on Windows. Yes, there's a lot to keep up with, however their can be some advantages to understanding different platforms and being able to administer and secure them in the same environment. And regardless of how any one feels about it, Window is still the most common business environment.

Additionally, I see several post that seem to question the legitimacy of the original question. This *is* a legitimate question, as any one who has had samba and appletalk on the same network can tell you. Discussing security concerns when integrating two very different platforms with different vulnerabilities is more than reasonable for any Administrator, especially in a small business environment where the only other "collegues" they may have access to are the very same users insisting on the installing their own boxes.

Meet Them on Their Own Terms

[TheWanderingHermit]

They're lawyers, right? Don't deal with them as tech wannabes. Deal with them as lawyers. For a change like this, one of the very top PHBs must have either okay'ed this, or instigated it. Go up the ladder to the highest lawyer in the firm that was behind this switch. Have him help you prepare a form that says something like, "Since Windows XP has been shown to have the following security vulnerabilities...yada yada yada...and the Macintosh OSX has been shown to be a more secure system...yada yada yada...I understand that in insisting that I use Windows XP as my desktop operating system, I am increasing the risk of having not only my computer, but the entire corporate network either infected or damaged by viral programs, as well as the risk of my computer or the entire network being accessed illegally by unauthorized persons. I fully understand it is my choice to use this software and I take full legal and financial responsibility for any damage done to my desktop system or the company network as a result of my choice of running an OS with these known high risks."

Be sure to include in the paper (where the first set of yadas is) lists of vulnerabilities of WinXP, including the recend IE/Outlook flaws for which there is (as of yet) no sure fix. In place of the 2nd set of yadas, put in documentation that shows OSX is more stable and less vulnerable.

The point is to take the issue to them on their grounds and show them that their choice can have serious implications for them and the entire law firm and that they could be the idiot responsible for the whole system going down. If they are talked to in their language and made to see their choice as a real action with real (and possibly disasterous) consequences, it could open their eyes. You might still have to deal with WInXP, but it'll certainly get them thinking about it.