Prevent a computer from connecting to another network

Hi All,

Looking to lock down all the computers in a remote office.  I realize that physical security is paramount, however I need to do everything that I can when it comes to software and hardware security as well.

One thing that's holding me up is preventing the computer from being connected to an unauthorized switch or through a cross-over cable.

My overall goal is to prevent engineering drawings from being stolen en masse. (The computers will not have internet access.)

Any suggestions?

Thanks,
Nicholas
encoad (LVL 1) asked:
John (Business Consultant, Owner) commented:
You can remove wireless profiles and all but the main wired connection, make the users Standard Users and they should then only be able to connect to your wired network. You cannot prevent different points on the network.

Once on your network, only give access to the folders people should have access to.

If people have legitimate access, you need a Personnel Policy that obliges employees to keep company files secure and secret from others.
0
encoad (Author) commented:
Hi John,

People policies are great, but work only as well as your employees are honest.

Granting permissions to the correct folders is the right strategy and we're going a great deal further, DLP, MAC security, no internet, Bitlocker network encryption etc...  No wireless of course.

I'm hoping to find some way to "break" the routing so it will only ever work with our network.  The guys who will try to steal won't be computer engineers.  They won't know or understand routing, but they could bring a little laptop and switch into the office unnoticed.

Thanks
0
John (Business Consultant, Owner) commented:
If people bring in a non-company laptop and connect it wired to your network, you cannot prevent that.

But your server login credentials should be strong enough to prevent unauthorized access.

Employees in the remote location should be instructed to watch for and report non-company laptops connecting to your network.
0
Dan Craciun (IT Consultant) commented:
If your users don't have administrative rights and you configure the network cards to always use a static IP, that's one extra step an intruder/employee has to figure out.

As for an extra computer/laptop on your network, that should be caught by your security system in a few minutes after getting online.

HTH,
Dan
0
encoad (Author) commented:
Hi John,

This is a satellite office in a 2nd world country with all new to us employees.  So the human factor is pretty difficult.

I can prevent to a certain extent the unauthorized laptop with switch port security, but I can't do much if someone just runs a network cable into a backpack and connects it to the company provided desktop.

I will disable password caching on the desktop computers; no domain controller, no login.  But what about if someone logs into the domain controller and then connects to a backpack laptop?

My dream is to build a system that I could not break into, but I'm having a hard time figuring that out.  

Thanks.
0
encoad (Author) commented:
Hi Dan,

Already planned for the static IP.   But you can just match up the static IP settings on a backpack laptop for example.

Not worried about resetting the local admin account with NTPassword since the hard disk will be encrypted.

I'm not looking for an NSA or computer engineer proof system here.  I just need it "power user" proof.

Thanks
0
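The static-IP point in the comments above, as an added example that is not part of the original thread: a desktop agent can pin the gateway's MAC address and flag the link when the gateway IP resolves to a different device. It parses Windows `arp -a` output; the addresses, the pinned pair, the sample tables and the function names are all constructed for illustration, and a pinned MAC is only a tripwire at the "power user" level discussed here.

```python
import re

# Assumed pinned pair: the office gateway's IP and the MAC recorded for it
# when the desktop was provisioned (both values constructed for this example).
PINNED = {"192.168.10.1": "00-1a-2b-3c-4d-5e"}

IFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+\s*$", re.I)

def parse_arp(text):
    """Parse Windows `arp -a` output into {interface_ip: {neighbor_ip: mac}}."""
    tables, current = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            current = tables.setdefault(m.group(1), {})
        elif (m := ENTRY.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return tables

def check_gateway(text, pinned=PINNED):
    """Return (interface, gateway_ip, verdict) for every interface seen."""
    findings = []
    for iface, neighbors in parse_arp(text).items():
        for gw_ip, gw_mac in pinned.items():
            seen = neighbors.get(gw_ip)
            if seen is None:
                verdict = "gateway-not-seen"   # agent should ping, then re-check
            elif seen == gw_mac.lower():
                verdict = "ok"
            else:
                verdict = "mac-mismatch"       # same IP, different device
            findings.append((iface, gw_ip, verdict))
    return findings

# Constructed samples: the normal office link, then a direct cable to a
# different device answering on the gateway's IP.
SAMPLE_OFFICE = """Interface: 192.168.10.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""
SAMPLE_DIRECT = """Interface: 192.168.10.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          a4-5e-60-11-22-33     dynamic
"""

if __name__ == "__main__":
    for name, sample in (("office", SAMPLE_OFFICE), ("direct", SAMPLE_DIRECT)):
        print(name, check_gateway(sample))
```

A scheduled task running as SYSTEM could feed live `arp -a` output to `check_gateway` and disable the adapter or raise an alert on anything other than `ok`.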
John (Business Consultant, Owner) commented:
Static IP addresses can be a pain in the butt and I do not use these. I do have clients with Satellite offices.

So assuming a non-employee computer connects to the network:

1. Make sure no satellite computer is an administrator, make sure the "administrator" account is disabled, make sure satellite computers have STRONG passwords;
2. Make sure your local resources (and servers?) are equally well secured,

Then people should not be able to access your resources. That should secure you fairly well.
0
encoad (Author) commented:
Hi John,

I am not concerned about a non-employee computer connecting to the network.  Switchport security will take care of that.

I am concerned about a cross-over cable going from a non-employee computer with an open share connecting to an employee computer.

Thanks
0
John (Business Consultant, Owner) commented:
You need a clear employee policy that forbids rogue connections to your network.

Nothing stops a person from carrying around regular and crossover network cables - I do and have done that myself (I am a business consultant).

You cannot prevent the kind of things you are suggesting, so you need employee policies.
0
Eng. Nidal Kamal (Information Consultant) commented:
Good day,

I think one can use NAC (Network Access Control) to solve the mentioned issues.
Moreover, the human factor controlled by policy is as important.
0
David Johnson, CD, MVP (Owner) commented:
I'm surprised no one mentioned AD RMS!
0
encoad (Author) commented:
Hi David,

Can AD RMS be applied to Solidworks files?  Any files at all?  Or only specific document types?

Thanks
0
David Johnson, CD, MVP (Owner) commented:
ADRMS can be applied to a folder.
0
Question has a verified solution.