Internal Network Security



Hi Guys

 

My workplace (document scanning company) is in need of a solution to limit the network access of certain PC


The setup is far from ideal, however I think you could still do what you want.

 

I'm guessing the shares on your NAS will have a username / password? If so create a new share with a different user / password for the temp users to access / save data to.

 

Then create a new standard user account on each PC. I believe that by default an additional user on a local Windows machine will not have access to shares mapped by another local user, so on the new user account simply map the new share you created on the NAS. All that user should then be able to access is the share you have just created on the NAS.

 

Of course, if you have shared everything without username/password authentication on your NAS, you are going to have to make it so guests cannot read/write to any of the shares on the NAS by default.

 

I would then browse Network Places and ensure each local PC is not sharing confidential documents in the Public folder or any other network shares you have by default.

 

If you don't have passwords on the employees' current local PC accounts at the moment, I would ensure you add them before the temp workers start. (You should do this rather than get each employee to, so at least you know what the password is. You might also want to create a local Administrator account only you can access in case someone changes their password and gets locked out of the PC.)

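One way to script the account side of this on each PC, as an added example that is not from the original post: it uses net.exe so it also works on older Windows versions, and every account name and share path in it is a placeholder.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell on
# each PC the night-shift staff will use. net.exe is used instead of the newer
# LocalAccounts cmdlets so it also runs on older Windows. Names are placeholders.
$TempUser = "tempscan"   # hypothetical limited account for the temp staff
$ItAdmin  = "itadmin"    # hypothetical local admin only IT knows the password to

# 1. Standard (non-administrator) local account for the temp staff.
#    "*" makes net.exe prompt for the password, so it never sits in this script
#    or in the console history. /passwordchg:no stops them changing it on you.
net user $TempUser * /add /comment:"Night shift temp - limited access" /passwordchg:no
net localgroup Users $TempUser /add
net localgroup Administrators $TempUser /delete 2>$null   # in case it was added earlier

# 2. Local administrator account for IT only, for lockouts and password resets.
net user $ItAdmin * /add /comment:"IT recovery account"
net localgroup Administrators $ItAdmin /add

# 3. Every enabled local account needs a password before the temps start.
#    PasswordRequired only shows whether the "no password required" flag is
#    clear, not whether the current password is blank, so set one on each
#    account listed here with:  net user <name> *
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { -not $_.Disabled } |
    Select-Object Name, PasswordRequired, PasswordChangeable

# 4. What is this PC itself sharing? Anything beyond the admin defaults
#    (ADMIN$, C$, IPC$, print$) should be reviewed and removed or secured.
net share

# 5. Mapped drives are per user. Log in AS the temp account once and map only
#    the temp share created on the NAS (the NAS login is a separate account):
#    net use T: \\NAS01\TempScans /user:nas-tempscan * /persistent:yes
```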

It would require a bit of engineering, but you could create a LAN and give that LAN access only to the computer or network hosting the data that they need access to. Like I said, it would take a bit of engineering and you would have to have the right equipment to do so. If you don't know how to implement it or where to start, a week is not enough time.


You really need to implement central authentication management (Active Directory) in the long run, but for short-term purposes my question for you is: what type of firewall/switching do you have in place?

 

I know with a Cisco ASA or Palo Alto I can limit access to different VLANs by time, so my thought is to add the NAS devices to their own VLAN, then create firewall policies to limit access times to normal business hours.

 

Even simpler, since you have to manually create user accounts on PCs, assign those PCs static IPs and create firewall rules to deny access from those PCs, pending the routing is occurring on your firewall and not your switch.

 

Finally, if segmenting your network isn't an option, my next question would be to ask what type of NAS you have installed. For a basic Windows NAS, for example, you can create Windows Firewall rules to deny access to certain IP addresses. I'm not 100% positive, but I believe that you can do the same with most modern NAS software.

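For the static-IP plus firewall-rule variant on a Windows machine that hosts the shares, an added example that is not from the thread: it uses netsh so it also works on older Windows, and the addresses and rule/task names are constructed placeholders.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell on
# the Windows box hosting the shares. Give the temp PCs fixed IPs first; the
# addresses below are constructed placeholders. netsh is used instead of the
# NetSecurity cmdlets so this also works on older Windows versions.
$TempPcs  = "192.168.10.201,192.168.10.202,192.168.10.203"   # or a range: 192.168.10.200-192.168.10.210
$RuleName = "BlockTempPcSMB"   # no spaces, which keeps the schtasks quoting simple

# Inbound block for SMB (445) and legacy NetBIOS session (139) from those hosts
# only. Block rules take precedence over allow rules in Windows Firewall, so the
# existing File and Printer Sharing allow rules can stay as they are.
netsh advfirewall firewall add rule "name=$RuleName" dir=in action=block `
    protocol=TCP "localport=445,139" "remoteip=$TempPcs" profile=any enable=yes

# Confirm the rule exists and is enabled, and check which profile is active:
# a rule scoped to the wrong profile does nothing.
netsh advfirewall firewall show rule "name=$RuleName"
netsh advfirewall show currentprofile

# Windows Firewall has no time-of-day condition like the ASA/Palo Alto
# schedules, but the rule can be toggled by scheduled tasks: enforce the block
# during the night shift and lift it for business hours if day staff share
# those PCs. Drop the second task to block the temp PCs around the clock.
schtasks /create /tn "TempSMB-Block-On"  /sc daily /st 18:00 /ru SYSTEM `
    /tr "netsh advfirewall firewall set rule name=$RuleName new enable=yes"
schtasks /create /tn "TempSMB-Block-Off" /sc daily /st 08:00 /ru SYSTEM `
    /tr "netsh advfirewall firewall set rule name=$RuleName new enable=no"

# Verify from one of the temp PCs while the block is on:
#   Test-NetConnection NAS01 -Port 445   (older Windows: telnet NAS01 445)
# should fail, while the same test from a day-staff PC still succeeds.
```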

You need to have a Domain setup properly and use GPO.

 

The staff for this night shift are coming to us from a company that is actually a competitor (a lot bigger than us). We have no choice in this.

 

This seems... at the very least... odd, dangerous, and I dunno. Why would "night shift" people be from a competitor and you have no choice? Who is in charge of or owns your company... red flag to me.


Where is this company? I don't understand the complete lack of any sort of security; you don't even have central management of user access? You have machines running an OS that is no longer supported and designed for home use.

 

But your company scans documents for its bread and butter, i.e. TECH is the core of its business. Do the companies you scan these documents for have any idea of the shoestring operation you're running? I would have to assume they have some private stuff on there, if not proprietary information, personnel and HR related stuff, etc.. People don't pay to have junk scanned, etc.. I would really like to hear the backup DR plan for these documents.

 

As to having to bring in people from your competitor - well, that is just BS plain and simple.. From the way you guys do tech I would assume you could put someone outside spinning a sign and hire people to do whatever it is you're doing.. The guy flipping burgers at the joint down the street prob knows more about the tech you're using than the people setting it up, that is for sure.

 

You don't even have passwords set on your shares???

 

You need to get someone, be it your current IT? Is that you? Or you hire someone to actually set up a company network.. 3 NASes -- what are they, might I ask?? Billy's garage special?

 

You don't have to spend large amounts of money to have security and a stable and secure setup.. Your firewall could be a free Linux distro; Samba can act as AD for your central security. You can get smart switches so you can do VLANs for peanuts.. There is no reason to run a network like this -- Hire someone please!!!

 

edit: What NASes do you have? Some can even act as an AD DC; for example, I know the QNAP stuff can do this.. What switch(es) do you have? They might even already support VLANs with the ability to do ACLs. What are you running as a router? Even the OSes you're running that are not able to actually join a domain would have to auth with username and password.. What are the makes and models of the NASes you're running, and what version of software are they running? Once you set up username and auth to access a share.. the night folk only have to be given access to the shares you want to give them access to.


Thanks for the replies guys.

 

We know our set up isn't what it should be, but it works for us (most of the time).  We are improving it, but as a small company it takes time.


A small company is no excuse for using unsupported OSes and HOME OSes -- just not..

 

Not like you're selling hot dogs for a living and the computer(s) in the store just allow your employees to surf when nobody is buying.. You're doing TECH as the core of your business!!!

 

Are you the IT guy? I would be more than happy to point you to how to get this set up correctly!!! Do you have the authority to hire someone, be it contract, temp, something, to get your IT in order??

 

How are you improving?? Are you taking classes? The fact that you had to ask such a basic question on the forum does not point towards any sort of improvement coming any time soon.. I would really, really suggest you HIRE a professional to assess your network and setup and get you into this century for how an SMB should be set up. It does not have to be a lot of money..

 

edit: My offer stands; I would be more than happy to draw up a basic diagram of what your network should look like and what software and hardware make sense for a small business. You can really do some amazing stuff on a shoestring. You just need someone that has the basic skill set to get started and is willing to learn. Or hire someone to come in and do it for you - which sure will up the required budget. Yes, even a NAS can be your central user database to restrict permissions.

 

What are you doing for email? What are you doing for backup? What are you doing for security patching? What are you doing for antivirus? What is your core connectivity? What do you have for an edge router/firewall? Wireless? How many total devices? What do you have for switching?

 

A simple inventory of computers/network devices could get you started on a path to improvement. Do you have a drawing of your current setup? This, tied with an inventory, is really step one. What other software is required? Do you use Office, etc.. etc.. How do you track user issues?

 

It does not all have to be done at once, but until you have an understanding of what you're doing now and with what.. it's hard to make a plan for moving it forward.. Is there any budget at all? Once you have your current setup down - and can then point out all the flaws and single points of failure that could take the business down - then it should be very easy to get at least some sort of budget in place to get the business to a better standing when it comes to IT. Be it 1k a year or 10k -- you need something to get the ball rolling. Saying you're improving is not going to get you anywhere - is there a plan to get everyone on the same OS.. Is there any sort of hardware standard? Is it a BYOD sort of shop?

 

There are many people here that do this sort of thing for a living; some of us get paid lots of money to run networks for HUGE enterprises. Getting an SMB to some basic level where it can be supported and users have connectivity is child's play, and I'm sure many people here are willing to help you get the ball rolling.

