Limiting Computers That Can Connect to a Wired Network

allanc

One of my new business clients is running 3*8 hour shifts - 7 days a week.
No supervisors are on duty during some of these shifts.
Their router is a basic wired LinkSys.
They are concerned that an employee might unplug one of the office computers from the network and substitute a home netbook that is possibly infected.
All suggestions as to how to resolve this issue are appreciated.
 
On some routers you can whitelist specific MAC addresses, might check to see if theirs can.

Yupp, that would be my first suggestion also. However, there's a way around it - if an employee brings in another router and clones the MAC address of an allowed PC they can connect whatever they want to the new router and get on the network.
 
cloning a known mac id is really easy ... when you know how of course.

But since this is a wired network you'd have to figure out the whitelisted mac id from one of the connected computers, which might not be that easy when access to these computers is restricted.

You could also try locking the router away and seal the computer connectors side with leads.

As with any physically accessible network, there's no way of total security, but you can make an obvious statement with seals and whitelists.
 
cloning a known mac id is really easy ... when you know how of course.

But since this is a wired network you'd have to figure out the whitelisted mac id from one of the connected computers, which might not be that easy when access to these computers is restricted.

Pretty easy even if access is restricted. This is pretty much the same on all Linksys routers. Most other routers have mac address cloning as well.

 
Thanks, didn't know that.

So we're back to physically restricting access ... I think something like a seal would deter any employee who wants to keep his job enough to keep his fingers off.

If possible, you could also log the traffic on the router and let everyone know about it. It's about making it a lot of hassle and making it clear for anyone that this usage is off-limits.
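Logging, as suggested above, is only useful if someone actually reviews it. The following is an added example, not code from this thread or from any Linksys firmware: it audits a constructed copy of a router's DHCP client table against a MAC whitelist and flags the two things a whitelist alone cannot see, a whitelisted MAC reporting a different hostname than the registered PC, and one MAC appearing with several IPs at once (the original PC and a substituted device both plugged in). The table format, allowlist and hostnames are assumptions.

```python
"""Audit a router client table against a MAC allowlist (added example).

SAMPLE_TABLE and ALLOWED are constructed, made-up values; the
"hostname ip mac" line layout is an assumed export format.
"""
import re
from collections import defaultdict

# Assumed allowlist: MAC -> the PC name the office registered for it.
ALLOWED = {
    "00:1a:2b:3c:4d:01": "OFFICE-PC1",
    "00:1a:2b:3c:4d:02": "OFFICE-PC2",
    "00:1a:2b:3c:4d:03": "OFFICE-PC3",
}

# Constructed client-table snapshot: PC3's MAC now calls itself NETBOOK,
# PC2's MAC shows up twice, and one MAC is not on the list at all.
SAMPLE_TABLE = """\
OFFICE-PC1 192.168.1.101 00:1a:2b:3c:4d:01
OFFICE-PC2 192.168.1.102 00:1a:2b:3c:4d:02
OFFICE-PC2 192.168.1.120 00:1a:2b:3c:4d:02
NETBOOK    192.168.1.103 00:1a:2b:3c:4d:03
ASUS-HOME  192.168.1.150 00:11:22:33:44:55
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f:]{17})$")


def parse_table(text):
    """Return (hostname, ip, mac) tuples; MACs normalised to lowercase."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            host, ip, mac = m.groups()
            rows.append((host, ip, mac.lower()))
    return rows


def audit(rows, allowed=ALLOWED):
    """Return (kind, mac, hostname, ip) findings for the three conditions."""
    findings = []
    ips_by_mac = defaultdict(set)
    for host, ip, mac in rows:
        ips_by_mac[mac].add(ip)
        if mac not in allowed:
            findings.append(("unknown", mac, host, ip))
        elif host != allowed[mac]:
            # DHCP hostname is self-reported, so this is a hint, not proof.
            findings.append(("hostname_mismatch", mac, host, ip))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, "", ",".join(sorted(ips))))
    return findings
```

Run it against a saved copy of the client table at shift change and keep the findings with the timestamp; a whitelist plus a reviewed log is what makes the "this is off-limits" message stick.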
 
If you and the boss are the only ones that know the password for the router, I don't see that being an issue.
 
Hi Allanc I don't think you have provided enough info to properly evaluate the risk.

Is this a domain? If so how would the employee get the netbook accepted?

Is there a network at all? If not (you didn't actually mention it) what are you afraid of?
 
also generally from a small business standpoint it does depend what level of security you are afraid of, a whitelist IMO deals with the less informed employees that disregard the memos. While cloning a mac address isn't going to protect you from even an amateur hacker, it sounds to me more like you are worried about "Joe the accountant", who with a whitelist will most likely

1. Receive memo informing that it is against company policy to wire in unauthorized computers
2. Promptly forget about memo and hook infected netbook in.
3. Call your IT support for help when it can't connect due to not being listed. You inform him that it is against company policy, then wait till next week and have the same discussion again.
 
Hi Allanc I don't think you have provided enough info to properly evaluate the risk.

Is this a domain? If so how would the employee get the netbook accepted?

Is there a network at all? If not (you didn't actually mention it) what are you afraid of?
No, no domain is involved. Just XP computers.
The router (LinkSys BEFSR41) is only capable of black-listing and not white-listing.
Due to the nature of the job, many of the staff on one of the computers do not stay employed too long i.e. they are moved to another address, etc.
They have had all kinds of P2P software and malware installed.
All nature of WEB sites have been visited.
Last week I had to disinfect three computers and one was infected with a mass mailer.
So, I need to button down the hatches there and I am trying to gather my ammunition so that I can attack from many directions at one time.

Potentially one of the biggest problems is that there is a specific third party application that needs to run *as administrator*.
From a design standpoint, I think that this is poor design because of the transient nature of the midnight shift and the fact that it is a low paying job.
So, now they need to give these employees the admin. password - ridiculous!

I think that I need to lock it down as much as possible and also add some keylogging or timed snapshots.
I am open to all suggestions.
 
OpenDNS
Untangle Server
"Standard" User Accounts with that one program set to run as Admin
Network cabinet with Router locked away
New Router

I'm sure there are more ideas, but that's just off the top of my head.
 
OpenDNS
Untangle Server
"Standard" User Accounts with that one program set to run as Admin
Network cabinet with Router locked away
New Router

I'm sure there are more ideas, but that's just off the top of my head.
Yes, I was thinking of the OpenDNS and new router.
I believe that there was an issue when I tried to run that program as Admin but I need to start testing again.
Thanks for the other suggestions.
 
You still didn't say if the computers need to access each other?

This is vitally important and makes all the difference.

Also does this admin prog need the internet?
And does it need to run on all the pcs?

ie can you separate the functions?

If you do lash out on a new router get a properly secure one like a draytek.
 
You still didn't say if the computers need to access each other?

This is vitally important and makes all the difference.

Also does this admin prog need the internet?
And does it need to run on all the pcs?

ie can you separate the functions?

If you do lash out on a new router get a properly secure one like a draytek.
Yes, there is a share on each of the three computers hard drives.
I am not sure of all the functionality at this point of the admin program.
I do know that it is interfacing with some security hardware via serial port.
It runs on only the PC with the issue.
 
Well there you go - dedicated pc for this special program and limited user for everyone else.

Does the admin prog require the internet?

And why do the rest of the gang require internet?

Hope you are charging for the systems consultancy.
 
Well there you go - dedicated pc for this special program and limited user for everyone else.

Does the admin prog require the internet?

And why do the rest of the gang require internet?

Hope you are charging for the systems consultancy.
Yes, I am charging.
There are other issues such as they do not have the physical space for a second computer.
The gang requires internet for another WEB based application :(
I think my next step is to speak to tech support of the software and get the inside story about the requirement for the Windows Admin usage.
 
In any technical discipline it is sometimes necessary for the expert to explain to the non-technical 'client' that what he is asking or doing is less than optimal. And to further explain that changes to working practices may be necessary to accommodate proper procedures. Any halfway decent manager will understand; it is after all his business at stake.
 
OpenDNS
Untangle Server
"Standard" User Accounts with that one program set to run as Admin
Network cabinet with Router locked away
New Router

I'm sure there are more ideas, but that's just off the top of my head.
I remember that months ago I was testing 'the program' that requires Admin.
If I remember correctly, every time that I right clicked and selected 'Run As Administrator' I had to enter the Admin. password.
I found a work around somewhere where you could create a batch file that runs the program as Admin. but the password had to be stored in the batch file.
Obviously, neither one of these solutions (as is) is acceptable.
 
I remember that months ago I was testing 'the program' that requires Admin.
If I remember correctly, every time that I right clicked and selected 'Run As Administrator' I had to enter the Admin. password.
I found a work around somewhere where you could create a batch file that runs the program as Admin. but the password had to be stored in the batch file.
Obviously, neither one of these solutions (as is) is acceptable.

What you can do is go to the properties of the application and add a user, let's call it Special APP, and give the user admin rights to the application. So the account runs under regular user rights but launching the application will be with admin rights. Also you should give the user admin rights to the folder where the app resides.

I've done this several times and it always works. Now, if this application allows them to launch an application like IE, well then it will also launch IE with admin rights. However, this is worth a try.
 
What you can do is go to the properties of the application and add a user, let's call it Special APP, and give the user admin rights to the application. So the account runs under regular user rights but launching the application will be with admin rights. Also you should give the user admin rights to the folder where the app resides.

I've done this several times and it always works. Now, if this application allows them to launch an application like IE, well then it will also launch IE with admin rights. However, this is worth a try.
Do you mean Properties / ShortCut / Advanced / Run with different credentials?
I do not think that I follow you in terms of this being XP and not being in a domain.
Sorry :o
 