30th April 2014, 12:13 PM #1
Isolate a Windows box (No VLANs)
The school have bought - without my input - a signing-in system where we do not own the hardware, or have any ability to access it (the company's remote support removes any user accounts I create etc.)
This box is not firewalled, has no AV, they do not run Windows updates and it is connected to the internet. Not only that, the third-party company can connect at will.
First off, am I being a whiney so-and-so about this and should just suck it up?
If not, what can I do to isolate this thing from the rest of my network?
It needs internet access for backup and remote support, and needs access to a couple of local clients for their management software.
30th April 2014, 12:29 PM #2
Windows, no AV, no patching, Internet accessible and no isolation from the main LAN? GTFO.
More constructive: Why does $company think their setup is acceptable? How have they justified it? What measures have they taken to ensure their device isn't a source of a security breach? What data does the device hold (you mentioned signing-in)?
You can (for example) run Windows Embedded, have a write blocker enabled (restores to stock on reboot), a strong password etc and restrict what can access it via the network (at host and network level)...etc
Have they paid for it yet?
30th April 2014, 12:46 PM #3
I don't think you're being unreasonable at all, but without VLANing or a Heath Robinson approach I'm not sure what you can do.
Are all the Local Clients and Main System cabled conveniently enough to put on a separate switch? If so, cheap unmanaged switch, transparent proxy forwarding all traffic to the Default Gateway and blocking all other IPs (depending on the inbound connection method, this could get a bit tricky).
(Edit: I had a security firm wanting to connect an unmonitored broadband line to my core so they could get to the DVR; the CCTV is all now on its own separate physical network. Could putting in a separate BB line for the system be an option, then split them off completely from the School Network?)
Last edited by smithson83; 30th April 2014 at 12:48 PM.
30th April 2014, 12:55 PM #4
Is "signing-in system":
"Bob the electrician, BobCorp, fix fan heater, in 09:10, out 10:30"?
an MIS-linked system for kids/staff?
or something in-between?
30th April 2014, 01:03 PM #5
You need to put your concerns into writing and present them to your senior management. Tell them that this is horrifically insecure and poses a risk to the rest of your network.
They might not do anything about it, but if it does end up going wahooni shaped, you'll at least have a paper trail saying that this is stupid and that you don't want to take responsibility for it.
/edit This isn't a Bromcom box is it? I seem to remember being in a similar situation with them once upon a time.
Last edited by Norphy; 30th April 2014 at 01:06 PM.
30th April 2014, 01:18 PM #6
Burn it! Burn it with fire!
This box is not firewalled, has no AV and they do not run Windows updates and is connected to the internet.
No sodding way that's acceptable under any circumstances, you have an obligation to protect your network and the data on it and this is a massive open door for anyone to get in through.
30th April 2014, 01:32 PM #7
Originally Posted by Norphy
OT: Nice Pratchett reference, very few and far between
30th April 2014, 03:47 PM #8
It's a proper kosher Birmingham company who do a lot of trade as a support company for schools.
Apparently it's their hardware, the AV comment was ignored and Windows Update is part of a "managed service" which they "test before deployment".
Yes, we've paid. My SBM has been surprisingly apologetic to me about it! I think he's realised it's been a bit of a cock-up and that I am actually trying to cover the school.
30th April 2014, 04:17 PM #9
Can you create a whole new IP range for it somehow?
We have a Windows-based DHCP server for domain use and our Palo Alto has a second IP range on it with its associated NAT rules. In that instance it is VLAN'd as it runs DHCP, however you could create the NAT rules to allow things in and out from/to it and give it a static address in that range?
Bit of a bodge, but hey, it could work.
30th April 2014, 09:55 PM #10
Which system is it? Sounds like we should all be wary of any mention of it...
1st May 2014, 09:42 AM #11
If you are forced to accept it in this state, the best you could do is to connect it via a physical firewall appliance that bars it from accessing any local IP other than the gateway out to the Internet, and even then, only on the ports it requires to operate. Configure it to use external DNS so it doesn't need to talk to your own, either by static configuration or via a DHCP reservation.
You should absolutely ensure it cannot connect out to the Internet on port 25 (SMTP) or it will almost inevitably become a spambot at some point. (To be honest, it's good practice to have that rule in place on your perimeter firewall already for every IP except your on-premises mail server).
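As an added illustration of the ruleset described in this post (it is not something the poster or any product vendor supplied), here is a small POSIX shell script that generates an nftables forward-chain policy for a Linux firewall appliance sitting between the vendor box and the school LAN. Every address, the management-software port and the remote-support port are constructed placeholders; the real ones would come from the vendor's documentation.

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset that pens a
# vendor-managed Windows box in behind a Linux firewall appliance. The box sits on
# its own small subnet on one interface; the school LAN and the Internet gateway
# are reached through the others, so everything it sends passes the forward hook.
# All values below are constructed placeholders (assumptions), not real addresses.

BOX_IP="192.168.50.10"                # the vendor's box, alone on its own /24
LAN_NET="10.0.0.0/8"                  # the school LAN it must never reach
MGMT_CLIENTS="10.0.5.21 10.0.5.22"    # the two local clients running the vendor's management software
MGMT_TCP_PORT="8080"                  # port those clients listen on (assumed)
SUPPORT_TCP_PORT="3389"               # port the vendor's remote support uses (assumed)
EXT_DNS="9.9.9.9 149.112.112.112"     # external resolvers; the box gets these instead of internal DNS

# Print the complete ruleset. Rule order matters: nftables evaluates top to bottom
# and the chain policy of "drop" catches anything not explicitly accepted.
generate_ruleset() {
    cat <<EOF
table inet vendorbox {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # management software: only the named clients, only on their port
EOF
    for c in $MGMT_CLIENTS; do
        printf '    ip saddr %s ip daddr %s tcp dport %s accept\n' "$BOX_IP" "$c" "$MGMT_TCP_PORT"
    done
    # name resolution only against external resolvers, never the school's DNS
    for d in $EXT_DNS; do
        printf '    ip saddr %s ip daddr %s udp dport 53 accept\n' "$BOX_IP" "$d"
    done
    cat <<EOF
    # never a spambot: no outbound SMTP from this box, whatever the destination
    ip saddr $BOX_IP tcp dport 25 drop
    # nothing else on the school LAN (this also blocks internal DNS and file shares)
    ip saddr $BOX_IP ip daddr $LAN_NET drop
    # what remains is the Internet: backup/updates over HTTP(S) plus the support port
    ip saddr $BOX_IP tcp dport { 80, 443, $SUPPORT_TCP_PORT } accept
  }
}
EOF
}

# True if the generated ruleset contains the given literal fragment.
ruleset_has() {
    generate_ruleset | grep -qF -- "$1"
}

# Number of accept rules for the management-software port (one per client).
mgmt_rule_count() {
    generate_ruleset | grep -c "tcp dport $MGMT_TCP_PORT accept"
}

# Print the ruleset for review; once it reads correctly, apply it with:
#   ./vendorbox-rules.sh > /etc/nftables.d/vendorbox.nft && nft -f /etc/nftables.d/vendorbox.nft
generate_ruleset
```

The DNS side can equally be done with a DHCP reservation on the appliance that hands the box the external resolvers as its only name servers; the `udp dport 53` rules then stop it from quietly using the school's resolver anyway. The `policy drop` also means nothing on the LAN can initiate a connection to the box, so the vendor's inbound remote support has to arrive through whatever port forward or VPN the school decides to allow, not by anyone on the LAN simply reaching it.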
1st May 2014, 10:22 AM #12
Why not remove it from the internet, firewall it, and if the remote support company wants access to it then they do it through your VPN or whatever you've got for remote access. We have done this before when we bought a phone system (without our input) and it used a Server 2003 box: no AV, no updates, no firewall, and WAS internet accessible, just like in this scenario; it was remotely controlled.
We took it off the internet, put it behind our corporate firewall, and if the support company wanted access they did it through our VPN so we could control it. Not that they ever connected to it.
Needless to say, this system was swiftly binned and we got our money back.
1st May 2014, 11:56 AM #13
Use VLANs or a separate switching system; everything else is easily compromisable and pointless.
1st May 2014, 12:09 PM #14
If it were me I'd fire off an email detailing what procedures were broken in purchasing it, and what procedures have been broken in using it.
I would not support it and I would not be bending over backwards to 'change the network' to get it working. Once you do that you will be forever doing it for whatever crap they buy without following procedure.