+ Post New Thread
Results 1 to 6 of 6
Windows Thread, Battening down the hatches in Technical; We have a vanilla 2k3 network here with XP PCs and no wireless. Later this term we have an event ...
  1. #1

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,193
    Thank Post
    1,923
    Thanked 2,413 Times in 1,767 Posts
    Rep Power
    840

    Battening down the hatches

    We have a vanilla 2k3 network here with XP PCs and no wireless.

    Later this term we have an event on a Saturday where rather a lot of people are going to be roaming the school grounds and buildings.

    As it is not practical to put guards in all rooms (and they don't all have locks), I have been putting together an action plan to ensure the security of our network on the day.

    The things I have considered are:
    - enabling logon only for selected very limited-privilege logons on the day, so that powerpoints, videos or slide shows can be run without allowing anyone to stop them and snoop off round sensitive data.
    - All standard pupil/staff logons to be disabled for the day.
    - removal of keyboards/mice/network cables as appropriate to prevent PC use
    - ensuring that lockable rooms are locked - especially the server room!

    What have I forgotten or not considered please?... The more I think about it, the more I worry!

  2. #2

    Join Date
    Feb 2006
    Location
    Derbyshire
    Posts
    1,381
    Thank Post
    181
    Thanked 211 Times in 171 Posts
    Rep Power
    66
    Is your internet access locked down/needed on the day? Can you just switch the router off for the day on Saturday, or if not, do users need to know proxy settings/be authenticated for it to work? Just thinking of anyone wandering round with a wifi enabled mobile thinking "Ooh, wireless, handy..."

  3. Thanks to OutToLunch from:

    elsiegee40 (18th May 2009)

  4. #3

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,193
    Thank Post
    1,923
    Thanked 2,413 Times in 1,767 Posts
    Rep Power
    840
    Quote Originally Posted by OutToLunch View Post
    Is your internet access locked down/needed on the day? Can you just switch the router off for the day on Saturday, or if not, do users need to know proxy settings/be authenticated for it to work? Just thinking of anyone wandering round with a wifi enabled mobile thinking "Ooh, wireless, handy..."
    We have no wireless so that isn't an issue.

    Internet access from the wired network is something I need to think about. I may have to leave that enabled so that the office staff (whose PCs are safely locked away) can access email... I will discuss with them whether they are likely to need it. The router can always be switched on again if needed.

  5. #4
    Jamman960's Avatar
    Join Date
    Sep 2007
    Location
    London/Kent
    Posts
    1,002
    Thank Post
    190
    Thanked 199 Times in 159 Posts
    Rep Power
    48
    What about disconnecting the servers for the day and having all powerpoints etc run locally or turning off all switches except those in secure areas(presuming the secure areas aren't fed from switches in other areas)

  6. Thanks to Jamman960 from:

    elsiegee40 (18th May 2009)

  7. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    I'd be more concerned with the safety of the gear itself depending on the area. One place that I worked did have issues with gear walking either during or after such events. Might be an idea to have some observant people at the gates and look at extra physical security the night after.

    As to the network security, locking down the accounts is a good idea and restricting internet access also sounds good if you have a system that can be discriminating based on the clients. As to stopping people from messing with the machines physically it may be easier to just remove the power cables from the systems that are not used to stop them being switched on if you are worried about them being compromised by the visitors.

    If the servers and accounts are locked down then you should be able to leave them (servers) on so long as the restricted, and still active accounts don't have the ability to access anything private. Other than that you could, if they are patched differently just isolate the servers and offices from the rest of the network but unless your neighbourhood contains a large number of board hackers this is probably overkill.
    Last edited by SYNACK; 18th May 2009 at 01:28 PM.

  8. Thanks to SYNACK from:

    elsiegee40 (18th May 2009)

  9. #6

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,193
    Thank Post
    1,923
    Thanked 2,413 Times in 1,767 Posts
    Rep Power
    840
    Quote Originally Posted by SYNACK View Post
    I'd be more concerned with the safety of the gear itself depending on the area. One place that I worked did have issues with gear walking either during or after such events. Might be an idea to have some observant people at the gates and look at extra physical security the night after.

    As to the network security, locking down the accounts is a good idea and restricting internet access also sounds good if you have a system that can be discriminating based on the clients. As to stopping people from messing with the machines physically it may be easier to just remove the power cables from the systems that are not used to stop them being switched on if you are worried about them being compromised by the visitors.

    If the servers and accounts are locked down then you should be able to leave them (servers) on so long as the restricted, and still active accounts don't have the ability to access anything private. Other than that you could, if they are patched differently just isolate the servers and offices from the rest of the network but unless your neighbourhood contains a large number of board hackers this is probably overkill.

    My biggest concern is the more recent former pupils making free with younger siblings logons. Hence the decision to disable the vast majority of accounts for the day. Staff seem to be blissfully unconcerned that their personal logons are exposed if used for running powerpoints... I'm stirring it with them now. Now that they have been told they cannot logon with their own accounts that day, hopefully it will raise a greater sense of concern (not just outrage at me for restricting their liberties!)

    I agree about ensuring gear isn't lifted, that applies to more than just computers though



SHARE:
+ Post New Thread

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •