  1. #1 Trapper

    Isolate a Windows box (No VLANs)

    Hello,

    The school have bought - without my input - a signing-in system where we do not own the hardware, or have any ability to access it (the company's remote support remove any user accounts I create, etc.)

    This box is not firewalled, has no AV, they do not run Windows updates, and it is connected to the internet. Not only that, the third-party company can connect at will.

    First off, am I being a whiney so-and-so about this and should just suck it up?

    If not, what can I do to isolate this thing from the rest of my network?

    It needs internet access for backup and remote support, and needs access to a couple of local clients for their management software.

  2. #2
    Windows, no AV, no patching, Internet accessible and no isolation from the main LAN? GTFO.

    More constructive: Why does $company think their setup is acceptable? How have they justified it? What measures have they taken to ensure their device isn't a source of a security breach? What data does the device hold (you mentioned signing-in)?

    You can (for example) run Windows Embedded, have a write blocker enabled (restores to stock on reboot), a strong password etc and restrict what can access it via the network (at host and network level)...etc

    Have they paid for it yet?

  3. #3 smithson83
    I don't think you're being unreasonable at all, but without VLANing or a Heath Robinson approach I'm not sure what you can do.

    Are all the local clients and the main system cabled conveniently enough to put on a separate switch? If so: cheap unmanaged switch, transparent proxy forwarding all traffic to the default gateway and blocking all other IPs (depending on the inbound connection method, this could get a bit tricky).

    (Edit: I had a security firm wanting to connect an unmonitored broadband line to my core so they could get to the DVR; the CCTV is all now on its own separate physical network. Could putting in a separate BB line for the system be an option, then split them off completely from the school network?)
    Last edited by smithson83; 30th April 2014 at 01:48 PM.

  4. #4
    Is "signing-in system":

    "Bob the electrician, BobCorp, fix fan heater, in 09:10, out 10:30"?

    an MIS-linked system for kids/staff?

    or something in-between?

  5. #5 Norphy
    You need to put your concerns into writing and present them to your senior management. Tell them that this is horrifically insecure and poses a risk to the rest of your network.

    They might not do anything about it, but if it does end up going wahooni shaped, you'll at least have a paper trail saying that this is stupid and that you don't want to take responsibility for it.

    /edit This isn't a Bromcom box is it? I seem to remember being in a similar situation with them once upon a time.
    Last edited by Norphy; 30th April 2014 at 02:06 PM.

  6. #6 sonofsanta
    Quote Originally Posted by Trapper:
    This box is not firewalled, has no AV and they do not run Windows updates and is connected to the internet.
    Burn it! Burn it with fire!

    No sodding way that's acceptable under any circumstances; you have an obligation to protect your network and the data on it, and this is a massive open door for anyone to get in through.

  7. #7 smithson83
    Quote Originally Posted by Norphy:
    ... if it does end up going wahooni shaped, ...
    OT: Nice Pratchett reference, very few and far between.

  8. #8 Trapper
    It's a proper kosher Birmingham company who do a lot of trade as a support company for schools.

    Apparently it's their hardware, the AV comment was ignored and Windows Update is part of a "managed service" which they "test before deployment".

    Yes, we've paid. My SBM has been surprisingly apologetic to me about it! I think he's realised it's been a bit of a cock-up and that I am actually trying to cover the school.

  9. #9 Oaktech
    Can you create a whole new IP range for it somehow?

    We have a Windows-based DHCP server for domain use, and our Palo Alto has a second IP range on it with its associated NAT rules. In that instance it is VLAN'd as it runs DHCP; however, you could create the NAT rules to allow things in and out from/to it and give it a static address in that range?

    Bit of a bodge, but hey, it could work.

  10. #10 RichCowell
    Which system is it? Sounds like we should all be wary of any mention of it...

  11. #11
    If you are forced to accept it in this state, the best you could do is to connect it via a physical firewall appliance that bars it from accessing any local IP other than the gateway out to the Internet, and even then, only on the ports it requires to operate. Configure it to use external DNS so it doesn't need to talk to your own, either by static configuration or via a DHCP reservation.

    You should absolutely ensure it cannot connect out to the Internet on port 25 (SMTP) or it will almost inevitably become a spambot at some point. (To be honest, it's good practice to have that rule in place on your perimeter firewall already for every IP except your on-premises mail server).
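    As an added illustration (not from the poster, and not any product's configuration), a small Python model of the policy this reply describes: the box reaches the Internet only on the ports it needs, uses an external resolver, may talk to the couple of local management clients from the original question, and is denied SMTP and everything else on the LAN. The addresses, the management port 8443 and the HTTP/HTTPS ports are constructed assumptions for the example.

```python
"""Model of the isolation policy proposed in the thread for the vendor's sign-in box.
Evaluates a flow against first-match rules the way a firewall appliance in front of
the box would. Addresses and ports are constructed examples, not the OP's network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")                    # constructed school LAN
SIGNIN_BOX = ip_address("192.168.10.200")              # constructed: the vendor's box
MGMT_CLIENTS = {ip_address("192.168.10.21"), ip_address("192.168.10.22")}  # constructed
MGMT_PORT = 8443            # assumption: TCP port used by the management software
INTERNET_PORTS = {80, 443}  # assumption: backup and remote support use HTTP(S)
EXTERNAL_DNS = ip_address("9.9.9.9")                   # assumption: a public resolver

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def evaluate(flow: Flow) -> tuple[bool, str]:
    """First-match policy evaluation; returns (permitted, name of the deciding rule)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    from_box, to_box = src == SIGNIN_BOX, dst == SIGNIN_BOX
    if not (from_box or to_box):
        return True, "unrelated"          # the appliance only governs the box's traffic
    # Never let it send SMTP: a compromised unpatched host becomes a spambot otherwise.
    if from_box and flow.proto == "tcp" and flow.dport == 25:
        return False, "deny-smtp"
    # External resolver only, so it never needs to reach the school's own DNS servers.
    if from_box and dst == EXTERNAL_DNS and flow.proto == "udp" and flow.dport == 53:
        return True, "allow-external-dns"
    # Internet (anything off the LAN) only on the ports the service actually requires.
    if from_box and dst not in LAN and flow.proto == "tcp" and flow.dport in INTERNET_PORTS:
        return True, "allow-internet-required"
    # The two local clients running the management software, in either direction.
    if flow.proto == "tcp" and flow.dport == MGMT_PORT and (
            (from_box and dst in MGMT_CLIENTS) or (to_box and src in MGMT_CLIENTS)):
        return True, "allow-mgmt"
    return False, "default-deny"          # every other LAN host, port and inbound probe

if __name__ == "__main__":
    for f in [Flow("192.168.10.200", "203.0.113.10", "tcp", 443),
              Flow("192.168.10.200", "192.168.10.5", "tcp", 445),
              Flow("192.168.10.200", "203.0.113.25", "tcp", 25),
              Flow("192.168.10.21", "192.168.10.200", "tcp", 8443),
              Flow("192.168.10.200", "192.168.10.1", "udp", 53)]:
        print(f, evaluate(f))
```

    Note that a DNS query to the LAN gateway is denied: with an external resolver configured, the box has no reason to talk to any local address other than the two management clients.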

  12. #12 cpjitservices
    Why not remove it from the internet, firewall it, and if the remote support company wants access to it then they do it through your VPN or whatever you've got for remote access? We have done this before when we bought a phone system (without our input) and it used a Server 2003 box: no AV, no updates, no firewall, and it WAS internet accessible, just like in this scenario; it was remotely controlled.

    We took it off the internet, put it behind our corporate firewall, and if the support company wanted access they did it through our VPN so we could control it. Not that they ever connected to it.

    Needless to say, this system was swiftly binned and we got our money back.

  13. #13 SYNACK
    Use VLANs or a separate switching system; everything else is easily compromisable and pointless.

  14. #14 Galway
    If it were me I'd fire off an email detailing what procedures were broken in purchasing it, and what procedures have been broken in using it.

    I would not support it and I would not be bending over backwards to 'change the network' to get it working. Once you do that you will be forever doing it for whatever crap they buy without following procedure.


