Saturday, March 21, 2009

Secure a subset of Windows computers in a larger Workgroup.

In a Workgroup environment it can be a daunting task to prevent unauthorized access to network shares while still allowing the convenience of using any old user name on each desktop, especially with XP Home Edition. For example:

In a network of 10 computers, one of them is meant to act as a server, serving up critical financial and clinical data. Three computers are trusted to access that data: they sit in locked offices and the employees using them need that data to get their job done. The other 6 computers are in common areas and can pretty much be used by anyone who can walk up to them. Consider your organization too cheap to use switches with VLANs.

In such a situation, where there is no Active Directory server with fancy schmancy Security Groups, it is a huge pain to set up users and permissions. I looked at Group Policy settings for an hour trying to restrict our untrusted 6. Then it hit me:

The Windows Firewall can be configured to allow or deny access to computers based on their IP address. Set up your network so that the untrusted computers are in one range of IPs and your trusted PCs are in a different range within the same net block. So don't make the untrusted PCs 192.168.222.x and the trusted PCs 192.168.000.x; that would screw things up.

So let's say you're using 192.168.0.x: set up your DHCP server to dole out addresses from 192.168.0.10 through 192.168.0.50 to anyone that asks. Then set up reserved IPs for your more secure desktops as 192.168.0.200-192.168.0.203. Next, go to each of the secured PCs, open up the Windows Firewall, open the File and Print scope and change it from localsubnet to 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203. Or you can set it to 192.168.0.199/255.255.255.251 if you're good at figuring out subnets. A subnet calculator can be found at http://www.subnet-calculator.com/.
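Before typing a network/mask scope into the firewall dialog it is worth checking it offline, because a mask that is not a contiguous run of ones is rejected, and a block that is not aligned to the range quietly admits extra addresses. The following is an added example, not code from the post; it uses Python's standard `ipaddress` module, the post's address values, and helper names (`mask_is_contiguous`, `covering_network`, `scope_entries`, `scope_allows`) that are my own. It builds both scope forms for the trusted range and emulates the scope test against a trusted and an untrusted client.

```python
import ipaddress

# Values from the post: trusted desktops hold reserved leases .200-.203,
# the untrusted pool is handed out from .10-.50.
TRUSTED_FIRST, TRUSTED_LAST = "192.168.0.200", "192.168.0.203"


def mask_is_contiguous(mask: str) -> bool:
    """True when the dotted-quad mask is all ones followed by all zeros,
    the only form a subnet mask may take."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF          # zeros become ones
    return inverted & (inverted + 1) == 0  # ones must be a power of two minus one


def covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every address from first to
    last inclusive; grows one bit at a time from a /32 on the first address."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def scope_entries(first: str, last: str) -> dict:
    """Both ways of writing the scope for a range: the explicit address list
    and the network/mask form, plus any addresses the mask form would admit
    beyond the range (empty when the range is aligned to a power of two)."""
    net = covering_network(first, last)
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    wanted = {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    extra = sorted(set(net) - wanted)  # iterating a network yields every address
    return {
        "list": ",".join(str(a) for a in sorted(wanted)),
        "mask": f"{net.network_address}/{net.netmask}",
        "extra": [str(a) for a in extra],
    }


def scope_allows(scope: str, client_ip: str) -> bool:
    """Emulate the firewall's custom-scope check: a comma-separated mix of
    single addresses and network/mask entries; any match allows the client."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in scope.split(","):
        entry = entry.strip()
        if "/" in entry:
            addr, mask = entry.split("/", 1)
            if not mask_is_contiguous(mask):
                raise ValueError(f"{mask} is not a valid subnet mask")
            if ip in ipaddress.IPv4Network(f"{addr}/{mask}", strict=False):
                return True
        elif ip == ipaddress.IPv4Address(entry):
            return True
    return False


if __name__ == "__main__":
    entries = scope_entries(TRUSTED_FIRST, TRUSTED_LAST)
    print("list form:", entries["list"])
    print("mask form:", entries["mask"], "extra:", entries["extra"])
    for client in ("192.168.0.202", "192.168.0.10"):
        print(client, "allowed" if scope_allows(entries["mask"], client) else "denied")
```

Run against the post's range this reports `192.168.0.200/255.255.255.252` as the mask form, with no extra addresses, and `scope_allows` raises on `255.255.255.251` because its bit pattern has a hole. Also keep in mind that the scope sees only the source address and cannot tell which machine is using it, so the trusted range is only as strong as your control over who can configure addresses on the LAN.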
