encoad
Prevent a computer from connecting to another network
Hi All,
Looking to lock down all the computers in a remote office. I realize that physical security is paramount, however I need to do everything that I can when it comes to software and hardware security as well.
One thing that's holding me up is preventing the computer from being connected to an unauthorized switch or through a cross-over cable.
My overall goal is to prevent engineering drawings from being stolen en masse. (The computers will not have internet access.)
Any suggestions?
Thanks,
Nicholas
ASKER
Hi John,
People policies are great, but work only as well as your employees are honest.
Granting permissions to the correct folders is the right strategy and we're going a great deal further: DLP, MAC security, no internet, BitLocker network encryption etc. No wireless of course.
I'm hoping to find some way to "break" the routing so it will only ever work with our network. The guys who will try to steal won't be computer engineers. They won't know or understand routing, but they could bring a little laptop and switch into the office unnoticed.
Thanks
If people bring in a non-company laptop and connect it wired to your network, you cannot prevent that.
But your server login credentials should be strong enough to prevent unauthorized access.
Employees in the remote location should be instructed to watch for and report non-company laptops connecting to your network.
ASKER
Hi John,
This is a satellite office in a 2nd world country with all new-to-us employees. So the human factor is pretty difficult.
I can prevent, to a certain extent, the unauthorized laptop with switch port security, but I can't do much if someone just runs a network cable into a backpack and connects it to the company-provided desktop.
I will disable password caching on the desktop computers; no domain controller, no login. But what about if someone logs into the domain controller and then connects to a backpack laptop?
My dream is to build a system that I could not break into, but I'm having a hard time figuring that out.
Thanks.
ASKER
Hi Dan,
Already planned for the static IP. But you can just match up the static IP settings on a backpack laptop for example.
Not worried about resetting the local admin account with NTPassword since the hard disk will be encrypted.
I'm not looking for an NSA or computer engineer proof system here. I just need it "power user" proof.
Thanks
Static IP addresses can be a pain in the butt and I do not use these. I do have clients with Satellite offices.
So assuming a non-employee computer connects to the network:
1. Make sure no satellite computer is an administrator, make sure the "administrator" account is disabled, make sure satellite computers have STRONG passwords;
2. Make sure your local resources (and servers?) are equally well secured,
Then people should not be able to access your resources. That should secure you fairly well.
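The account checklist in the reply above can be audited on each desktop. The following PowerShell is an added example, not part of the original thread; `$AllowedAdmins` and the `EXAMPLE` domain name are hypothetical placeholders to replace with your own principals.

```powershell
# Added example: audit one desktop against the account checklist above.
# $AllowedAdmins is a hypothetical allow-list of principals that may be local admins.
$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Domain Admins')

# The built-in Administrator account always has a SID ending in -500,
# even if it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# S-1-5-32-544 is the well-known SID of the local Administrators group.
$extraAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $AllowedAdmins -notcontains $_.Name }

# Enabled local accounts that are not required to have a password.
$noPassword = Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired }

$findings = @()
if ($builtin.Enabled) {
    $findings += "Built-in Administrator '$($builtin.Name)' is enabled"
}
foreach ($m in $extraAdmins) {
    $findings += "Unexpected local admin: $($m.Name) [$($m.PrincipalSource)]"
}
foreach ($u in $noPassword) {
    $findings += "Enabled account without a required password: $($u.Name)"
}

if ($findings.Count -eq 0) {
    'PASS: local accounts match the checklist'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
    exit 1
}
```

Run it from an elevated Windows PowerShell 5.1 session; a non-zero exit code lets a management tool flag the machine.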
ASKER
Hi John,
I am not concerned about a non-employee computer connecting to the network. Switchport security will take care of that.
I am concerned about a cross-over cable going from a non-employee computer with an open share connecting to an employee computer.
Thanks
You need a clear employee policy that forbids rogue connections to your network.
Nothing stops a person from carrying around regular and crossover network cables - I do and have done that myself (I am a business consultant).
You cannot prevent the kind of things you are suggesting, so you need employee policies.
Good day,
I think one can use NAC (Network Access Control) to solve the mentioned issues.
Moreover, the human factor controlled by policy is as important.
I'm surprised no one mentioned AD RMS!
ASKER
Hi David,
Can AD RMS be applied to SolidWorks files? Any files at all? Or only specific document types?
Thanks
AD RMS can be applied to a folder.
Once on your network, only give access to the folders people should have access to.
If people have legitimate access, you need a Personnel Policy that obliges employees to keep company files secure and secret from others.