  1. #1 Trapper (Birmingham)

    Isolate a Windows box (No VLANs)

    Hello,

    The school have bought - without my input - a signing-in system where we do not own the hardware, or have any ability to access it (the company's remote support remove any user accounts I create etc.).

    This box is not firewalled, has no AV, they do not run Windows updates, and it is connected to the internet. Not only that, the third-party company can connect at will.

    First off, am I being a whiney so-and-so about this and should I just suck it up?

    If not, what can I do to isolate this thing from the rest of my network?

    It needs internet access for backup and remote support, and needs access to a couple of local clients for their management software.

  2. #2 (In the server room, with the lead pipe.)
    Windows, no AV, no patching, Internet accessible and no isolation from the main LAN? GTFO.

    More constructive: Why does $company think their setup is acceptable? How have they justified it? What measures have they taken to ensure their device isn't a source of a security breach? What data does the device hold (you mentioned signing-in)?

    You can (for example) run Windows Embedded, have a write blocker enabled (restores to stock on reboot), a strong password etc., and restrict what can access it via the network (at host and network level)... etc.

    Have they paid for it yet?

  3. #3 smithson83
    I don't think you're being unreasonable at all, but without VLANing or a Heath Robinson approach I'm not sure what you can do.

    Are all the local clients and main system cabled conveniently to put on a separate switch? If so: cheap unmanaged switch, transparent proxy forwarding all traffic to the default gateway and blocking all other IPs (depending on the inbound connection method, this could get a bit tricky).

    (Edit: I had a security firm wanting to connect an unmonitored broadband line to my core so they could get to the DVR; the CCTV is all now on its own separate physical network. Could putting in a separate BB line for the system be an option, then split them off completely from the school network?)
    Last edited by smithson83; 30th April 2014 at 12:48 PM.

  4. #4 (In the server room, with the lead pipe.)
    Is "signing-in system":

    "Bob the electrician, BobCorp, fix fan heater, in 09:10, out 10:30"?

    an MIS-linked system for kids/staff?

    or something in-between?

  5. #5 Norphy (Harpenden)
    You need to put your concerns into writing and present them to your senior management. Tell them that this is horrifically insecure and poses a risk to the rest of your network.

    They might not do anything about it, but if it does end up going wahooni-shaped, you'll at least have a paper trail saying that this is stupid and that you don't want to take responsibility for it.

    /edit This isn't a Bromcom box is it? I seem to remember being in a similar situation with them once upon a time.
    Last edited by Norphy; 30th April 2014 at 01:06 PM.

  6. #6 sonofsanta (Lincolnshire, UK)

    Quote Originally Posted by Trapper: This box is not firewalled, has no AV and they do not run Windows updates and is connected to the internet.
    Burn it! Burn it with fire!

    No sodding way that's acceptable under any circumstances, you have an obligation to protect your network and the data on it and this is a massive open door for anyone to get in through.

  7. #7 smithson83

    Quote Originally Posted by Norphy: ... if it does end up going wahooni-shaped, ...

    OT: Nice Pratchett reference, very few and far between.

  8. #8 Trapper (Birmingham)
    It's a proper kosher Birmingham company who do a lot of trade as a support company for schools.

    Apparently it's their hardware, the AV comment was ignored and Windows Update is part of a "managed service" which they "test before deployment".

    Yes, we've paid. My SBM has been surprisingly apologetic to me about it! I think he's realised it's been a bit of a cock-up and that I am actually trying to cover the school.

  9. #9 Oaktech (Bournemouth)
    Can you create a whole new IP range for it somehow?

    We have a Windows-based DHCP server for domain use and our Palo Alto has a second IP range on it with its associated NAT rules. In that instance it is VLAN'd as it runs DHCP, however you could create the NAT rules to allow things in and out from/to it and give it a static address in that range?

    Bit of a bodge, but hey, it could work.

  10. #10 RichCowell (PR7, Lancashire)
    Which system is it? Sounds like we should all be wary of any mention of it...

  11. #11 (Potomac, MD, USA)
    If you are forced to accept it in this state, the best you could do is to connect it via a physical firewall appliance that bars it from accessing any local IP other than the gateway out to the Internet, and even then, only on the ports it requires to operate. Configure it to use external DNS so it doesn't need to talk to your own, either by static configuration or via a DHCP reservation.

    You should absolutely ensure it cannot connect out to the Internet on port 25 (SMTP) or it will almost inevitably become a spambot at some point. (To be honest, it's good practice to have that rule in place on your perimeter firewall already for every IP except your on-premises mail server).
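
    The policy described in this reply (gateway only, required ports only, external DNS, no SMTP out), written out as an nftables ruleset for a small Linux firewall appliance placed between the box and the LAN. This is an added example and not anything posted in the thread; the interface names, addresses, the management port and HTTPS as the only outbound service are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout: the sign-in box sits alone
# on interface "box0" as 192.168.250.10, the default gateway is reached via
# "wan0", the two management clients are 10.0.5.21 and 10.0.5.22, the vendor's
# management software uses TCP 8443, and backup plus remote support only need
# HTTPS out. Every one of these values is a placeholder to replace for real use.
flush ruleset
define BOX_IF       = "box0"
define WAN_IF       = "wan0"
define BOX_IP       = 192.168.250.10
define MGMT_CLIENTS = { 10.0.5.21, 10.0.5.22 }
define MGMT_PORT    = 8443
define EXT_DNS      = { 1.1.1.1, 9.9.9.9 }   # public resolvers, so the box never queries school DNS
define RFC1918      = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet isolate {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Only the box's own address may originate traffic from its leg
        iifname $BOX_IF ip saddr $BOX_IP jump from_box
        iifname $BOX_IF log prefix "isolate-spoof: " drop

        # Nothing on the LAN or WAN may open a connection to the box. If the
        # vendor's remote support needs inbound, add a dnat rule here limited
        # to the vendor's source addresses; do not open it to the world.
        oifname $BOX_IF log prefix "isolate-inbound: " drop
    }

    chain from_box {
        # Never SMTP out: a compromised box must not become a spambot
        tcp dport 25 log prefix "isolate-smtp: " drop

        # DNS only to the external resolvers (UDP and TCP)
        ip daddr $EXT_DNS udp dport 53 accept
        ip daddr $EXT_DNS tcp dport 53 accept

        # Management software: box to the two local clients on its port only
        ip daddr $MGMT_CLIENTS tcp dport $MGMT_PORT accept

        # Any other private address (DCs, file servers, other PCs) is off limits
        ip daddr $RFC1918 log prefix "isolate-lan: " drop

        # Backup and remote support: HTTPS out through the gateway only
        oifname $WAN_IF tcp dport 443 accept
        log prefix "isolate-out: " drop
    }
}
```

    Load it with `nft -f` and watch the kernel log for the `isolate-` prefixes for a few days; anything the box legitimately needs that is missing from the allow rules will show up there before the vendor complains.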

  12. #12 cpjitservices (Hessle)
    Why not remove it from the internet, firewall it, and if the remote support company wants access to it then they do it through your VPN or whatever you've got for remote access. We have done this before when we bought a phone system (without our input) and it used a Server 2003 box: no AV, no updates, no firewall, and it WAS internet accessible, just like in this scenario, and it was remotely controlled.

    We took it off the internet, put it behind our corporate firewall, and if the support company wanted access they did it through our VPN so we could control it. Not that they ever connected to it.

    Needless to say, this system was swiftly binned and we got our money back.

  13. #13 SYNACK

    Use VLANs or a separate switching system; everything else is easily compromisable and pointless.

  14. #14 Galway (West Yorkshire)
    If it were me I'd fire off an email detailing what procedures were broken in purchasing it, and what procedures have been broken in using it.

    I would not support it and I would not be bending over backwards to 'change the network' to get it working. Once you do that you will be forever doing it for whatever crap they buy without following procedure.
