Saturday, March 21, 2009

Secure a subset of Windows computers in a larger Workgroup.

In a Workgroup environment it can be a daunting task to prevent unauthorized access to network shares while still allowing the convenience of using any old user name on each desktop, especially with XP Home Edition. For example:

In a network of 10 computers, 1 of them is to act as a server, serving up critical financial and clinical data. Three computers are trusted to access that data, as they are in locked offices and the employees using them need that data to get their jobs done. The other 6 computers are in common areas and can pretty much be used by anyone who can walk up to them. Consider your organization too cheap to use switches with VLANs.

In such a situation, where there is no Active Directory server with fancy schmancy Security Groups, it is a huge pain to set up users and permissions. I looked at Group Policy settings for an hour trying to restrict our untrusted 6. Then it hit me:

The Windows Firewall can be configured to allow or deny access to computers based on their IP address. Set up your network so that the untrusted computers are in one range of IPs and your trusted PCs are in a different range of the same net block. Don't make the untrusted PCs 192.168.222.x and the trusted PCs 192.168.000.x; that would screw things up.

So let's say you're using 192.168.0.x; set up your DHCP server to dole out addresses from 192.168.0.10 through 192.168.0.50 to anyone that asks. Then set up reserved IPs for your more secure desktops as 192.168.0.200-192.168.0.203. Next, go to each of the secured PCs, open up the Windows Firewall, open the File and Print scope and change it from localsubnet to 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203. Or you can set it to 192.168.0.199/255.255.255.251 if you're good at figuring out subnets. A subnet calculator can be found at http://www.subnet-calculator.com/.
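One way to check a scope entry before typing it into the firewall dialog, as an added example that is not part of the original post: it uses Python's standard `ipaddress` module with the DHCP pool and reserved addresses given above, and the function names are made up for this illustration.

```python
import ipaddress

# Values from the post: the open DHCP pool and the four reserved (trusted) addresses.
DHCP_POOL = ("192.168.0.10", "192.168.0.50")
TRUSTED = ["192.168.0.200", "192.168.0.201", "192.168.0.202", "192.168.0.203"]


def parse_scope(scope):
    """Parse a comma-separated scope list; a bad mask or misaligned block raises ValueError."""
    return [ipaddress.ip_network(entry.strip(), strict=True)
            for entry in scope.split(",")]


def minimal_scope(hosts):
    """Collapse host addresses into the fewest address/mask blocks."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in hosts)
    return ",".join(f"{n.network_address}/{n.netmask}" for n in nets)


def audit_scope(scope, trusted=TRUSTED, pool=DHCP_POOL):
    """Return a list of problems with a scope string; an empty list means it is clean."""
    try:
        nets = parse_scope(scope)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]
    trusted_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(t) for t in trusted))
    pool_nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])))
    problems = []
    for t in trusted:
        if not any(ipaddress.ip_address(t) in n for n in nets):
            problems.append(f"trusted host {t} is not covered")
    for n in nets:
        if any(n.overlaps(p) for p in pool_nets):
            problems.append(f"{n} admits DHCP pool addresses")
        elif not any(n.subnet_of(t) for t in trusted_nets):
            problems.append(f"{n} admits addresses outside the trusted set")
    return problems


if __name__ == "__main__":
    for s in (", ".join(TRUSTED), minimal_scope(TRUSTED), "192.168.0.0/255.255.255.0"):
        print(s, "->", audit_scope(s) or "ok")
```

With the values from this post, the four-address list and `192.168.0.200/255.255.255.252` both come back clean, while `192.168.0.199/255.255.255.251` is rejected because 255.255.255.251 is not a contiguous mask.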

Tuesday, March 17, 2009

Server 2003 Dynamic Disk - Don't Trust It!

I have a customer that ran out of space on their server's C: drive. I Googled for solutions to grow the partition and found that Dynamic Disk allows for a partition to be expanded into the unused space on the drive. Great, I have 12 GB unpartitioned, I'll just use that, right? So off I go . . .

WRONG!

It allowed me to convert the partition, but it still wouldn't allow me to grow it. This server was upgraded from an NT 4.0 Server, and apparently the partition that was created isn't truly compatible with Dynamic Disk.

Just great, because now I cannot undo the dynamic disk and as an added bonus there is no good way to clone a dynamic disk - rumor has it that Ghost 2k3 will clone the disk and leave the partition as a standard one instead of dynamic. Ghost 2k3 wouldn't work on my server, likely because of the SCSI RAID.

So now what?

Fresh install and then copy the data from the old array. Bummer.