Isolate a Windows box (No VLANs) (Windows forum, Technical)
  1. #1 Trapper

    Hello,

    The school have bought - without my input - a signing-in system where we do not own the hardware, or have any ability to access it (the company's remote support removes any user accounts I create etc.)

    This box is not firewalled, has no AV, they do not run Windows updates and it is connected to the internet. Not only that, the third-party company can connect at will.

    First off, am I being a whiny so-and-so about this and should just suck it up?

    If not, what can I do to isolate this thing from the rest of my network.

    It needs internet access for backup and remote support, and needs access to a couple of local clients for their management software.

  2. #2
    Windows, no AV, no patching, Internet accessible and no isolation from the main LAN? GTFO.

    More constructive: Why does $company think their setup is acceptable? How have they justified it? What measures have they taken to ensure their device isn't a source of a security breach? What data does the device hold (you mentioned signing-in)?

    You can (for example) run Windows Embedded, have a write blocker enabled (restores to stock on reboot), a strong password etc and restrict what can access it via the network (at host and network level)...etc

    Have they paid for it yet?

  3. #3 smithson83
    I don't think you're being unreasonable at all, but without VLANing or a Heath Robinson approach I'm not sure what you can do.

    Are all the local clients and the main system cabled conveniently to put on a separate switch? If so, cheap unmanaged switch, transparent proxy forwarding all traffic to the default gateway and blocking all other IPs (depending on the inbound connection method, this could get a bit tricky)

    (Edit: I had a security firm wanting to connect an unmonitored broadband line to my core so they could get to the DVR; the CCTV is all now on its own separate physical network. Could putting in a separate BB line for the system be an option, then split them off completely from the school network?)
    Last edited by smithson83; 30th April 2014 at 12:48 PM.

  4. #4
    Is "signing-in system":

    "Bob the electrician, BobCorp, fix fan heater, in 09:10, out 10:30"?

    an MIS-linked system for kids/staff?

    or something in-between?

  5. #5 Norphy
    You need to put your concerns into writing and present them to your senior management. Tell them that this is horrifically insecure and poses a risk to the rest of your network.

    They might not do anything about it but if it does end up going wahooni shaped, you'll at least have a paper trail saying that this is stupid and that you don't want to take responsibility for it.

    /edit This isn't a Bromcom box is it? I seem to remember being in a similar situation with them once upon a time.
    Last edited by Norphy; 30th April 2014 at 01:06 PM.

  6. #6 sonofsanta
    Quote Originally Posted by Trapper View Post
    This box is not firewalled, has no AV and they do not run Windows updates and is connected to the internet.
    Burn it! Burn it with fire!

    No sodding way that's acceptable under any circumstances, you have an obligation to protect your network and the data on it and this is a massive open door for anyone to get in through.

  7. #7 smithson83
    Quote Originally Posted by Norphy View Post
    ... if it does end up going wahooni shaped, ...
    OT: Nice Pratchett reference, very few and far between

  8. #8 Trapper
    It's a proper kosher Birmingham company who do a lot of trade as a support company for schools.

    Apparently it's their hardware, the AV comment was ignored and Windows Update is part of a "managed service" which they "test before deployment".

    Yes, we've paid. My SBM has been surprisingly apologetic to me about it! I think he's realised it's been a bit of a cock-up and that I am actually trying to cover the school.

  9. #9 Oaktech
    Can you create a whole new IP range for it somehow?

    We have a Windows-based DHCP server for domain use and our Palo Alto has a second IP range on it with its associated NAT rules. In that instance it is VLAN'd as it runs DHCP; however, you could create the NAT rules to allow things in and out from/to it and give it a static address in that range?

    Bit of a bodge, but hey, it could work.

  10. #10 RichCowell
    Which system is it? Sounds like we should all be wary of any mention of it...

  11. #11
    If you are forced to accept it in this state, the best you could do is to connect it via a physical firewall appliance that bars it from accessing any local IP other than the gateway out to the Internet, and even then, only on the ports it requires to operate. Configure it to use external DNS so it doesn't need to talk to your own, either by static configuration or via a DHCP reservation.

    You should absolutely ensure it cannot connect out to the Internet on port 25 (SMTP) or it will almost inevitably become a spambot at some point. (To be honest, it's good practice to have that rule in place on your perimeter firewall already for every IP except your on-premises mail server).
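    The physical-firewall approach described in #11 (and the "separate switch in front of it" idea in #3), as an added example that is not part of the thread and not anything the vendor supplies: an nftables ruleset for a small two-NIC Linux box placed between the vendor's PC and the school LAN. The interface names, all addresses, the management-software port, HTTPS as the backup protocol, the vendor's support address range and RDP as the support protocol are assumptions; substitute the real values before loading it.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout: a small Linux box with two
# NICs sits between the vendor's Windows PC and the school LAN.
#   lan0 = 192.168.1.254/24  school LAN side; school default gateway is 192.168.1.1
#   iso0 = 10.99.99.1/30     isolation segment; the vendor box is 10.99.99.2
# Every address and port below is a placeholder (assumption), not a real value.

flush ruleset

define ISO_IF         = "iso0"
define LAN_IF         = "lan0"
define VENDOR_BOX     = 10.99.99.2
define MGMT_CLIENTS   = { 192.168.1.20, 192.168.1.21 }   # the "couple of local clients" (assumed)
define MGMT_PORT      = 8080                              # their management software's port (assumed)
define VENDOR_SUPPORT = 203.0.113.0/24                    # vendor's published support range (assumed, TEST-NET-3)
define SUPPORT_PORT   = 3389                              # RDP for remote support (assumed)
define EXT_DNS        = { 1.1.1.1, 9.9.9.9 }              # external resolvers so it never talks to school DNS
define RFC1918        = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet isolate {
    # Traffic to the appliance itself: the vendor box gets nothing.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname $LAN_IF tcp dport 22 accept      # admin SSH from the school side only
        iifname $ISO_IF log prefix "vendorbox-appliance: " drop
    }

    # Traffic routed between the two sides. Order matters: allows for the
    # named LAN clients come first, then the blanket LAN block, then Internet.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Vendor box -> school: only the two management clients, only their port
        iifname $ISO_IF ip saddr $VENDOR_BOX ip daddr $MGMT_CLIENTS tcp dport $MGMT_PORT accept

        # Vendor box -> external DNS (UDP and TCP 53)
        iifname $ISO_IF ip saddr $VENDOR_BOX ip daddr $EXT_DNS udp dport 53 accept
        iifname $ISO_IF ip saddr $VENDOR_BOX ip daddr $EXT_DNS tcp dport 53 accept

        # Never SMTP out (spambot), never anything else on private address space
        iifname $ISO_IF ip saddr $VENDOR_BOX tcp dport 25 log prefix "vendorbox-smtp: " drop
        iifname $ISO_IF ip saddr $VENDOR_BOX ip daddr $RFC1918 log prefix "vendorbox-lan: " drop

        # Vendor box -> Internet: HTTPS only (assumed to be what the backup uses)
        iifname $ISO_IF ip saddr $VENDOR_BOX tcp dport 443 accept

        # Vendor support -> box: RDP from their published range only
        iifname $LAN_IF ip saddr $VENDOR_SUPPORT ip daddr $VENDOR_BOX tcp dport $SUPPORT_PORT accept

        log prefix "vendorbox-drop: " drop
    }
}
```

    Load it with `nft -f /etc/nftables.conf` and enable forwarding (`net.ipv4.ip_forward=1`) on the appliance. Three things outside this file have to line up with it: the school router needs a static route for 10.99.99.0/30 via 192.168.1.254 (or the appliance must NAT), the perimeter firewall needs a port-forward for the support port to 10.99.99.2 restricted to the vendor's range, and the vendor box itself must be given 10.99.99.1 as its gateway and the external resolvers as its DNS, by static config or DHCP reservation as #11 says. The drop rules log, so the first week of logs tells you exactly what the box tries to reach that you did not expect.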

  12. #12 cpjitservices
    Why not remove it from the internet, firewall it, and if the remote support company wants access to it then they do it through your VPN or whatever you've got for remote access. We have done this before when we bought a phone system (without our input) and it used a Server 2003 box, no AV, no updates, no firewall, and WAS internet accessible, just like in this scenario; it was remotely controlled.

    We took it off the internet, put it behind our corporate firewall, and if the support company wanted access they did it through our VPN so we could control it. Not that they ever connected to it.

    Needless to say, this system was swiftly binned and we got our money back.

  13. #13 SYNACK
    Use VLANs or a separate switching system; everything else is easily compromisable and pointless.

  14. #14 Galway
    If it were me I'd fire off an email detailing what procedures were broken in purchasing it, and what procedures have been broken in using it.

    I would not support it and I would not be bending over backwards to 'change the network' to get it working. Once you do that you will be forever doing it for whatever crap they buy without following procedure.
