Re: non domain computers on network

Henrik Johansson <first.last@xxxxxxx> wrote:
"Linda Marie" <2lm@xxxxxxxxxxx> skrev i meddelandet
news:O5JmM1shIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
We have a couple of users (visitors) that insist on using their
personal computers on our windows 2003 network. Politics - so don't
ask - believe me you don't want to know.
They of course can surf the Internet (DHCP) and get their personal
email through Outlook or on the web. Now of course they want to
print to the network printers.
Is there any security issue with them just being on the network? I
don't know of any virus' etc. that can be spread unless they access
the server which they cannot do. I have no control over antivirus
or anti-malware on these machines so it make me nervous.
We will supply them with computers for the duration of their visit
but they don't want to use them. And I don't want to support
non-domain computers - we have enough to do, so I would be happy to
hear that they may be a security problem with using these computers.
They run under the local administrator accounts on their machines I
am sure. So if they have a virus or tojan etc. could it cause
problems on our domain and be spread since they are on the LAN?

Thanks
Linda


As you don't have control over their antivirus/firewall etc, you
don't know if they contain any kind of worm,backdoor etc which can be
used for attacking your network from the inside of your surrounding
firewall.. Even if your servers aren't directly attacked, a hacker can
first
attack your (weaker) workstations to get access to your
Windows-network. Have you ensured that all services on your servers are
protected
against any kind of attack? For example, running services as service
accounts instead of bultin local system.
Disabled/uninstalled unnecessary services?
Risk for SQL-injections or DDOS-attacks?

A user should *never* have administrative rights in their normal
work. This is a security risk that should be avoided, and instead use
'runas' when they nead to get temporary administrative rights.
Running as administrator will give the user full control of the local
system and gives the possibility for trojans,viruses etc to be
installed in the background.

/Henrik

This is all true, and is all excellent advice. But ultimately, the best way
to protect your network from malware/trojans lurking on rogue computers, is
to keep those computers off the network entirely. From the sounds of it,
this is a company policy problem more than a technical one, in Linda's case.


.

Relevant Pages

  • Re: non domain computers on network
    ... computers - we have enough to do, so I would be happy to hear that they ... Even if your servers aren't directly attacked, ... A user should *never* have administrative rights in their normal work. ... Running as administrator will give the user full control of the local system ...
    (microsoft.public.windows.server.networking)
  • Re: The Hard Problem for Behaviorists
    ... correct low level abstractions to define the operation of the brain with - ... Do you not know how computers work? ... you can think of this type of network like you ... when you drop a marble in hole X1, ...
    (sci.cognitive)
  • Re: {workgroup}"...is not accessible" after removing NWLINK
    ... I generally reboot the machine whenever I make network ... >problem is a browse service that won?t run on the XP machine using the TCP/IP ... >?The browser has forced an election on network ... >> computer, and one, or preferably two, of the Windows 98 computers. ...
    (microsoft.public.windowsxp.network_web)
  • RE: Help with 070-217
    ... The network contains 25,000 computers. ... > single Windows 2000 domain named research.contoso.com. ... > Server computers that are configured as domain controllers. ...
    (microsoft.public.cert.exam.mcse)
  • Re: sharing files
    ... I have a problem getting a network to work. ... I have ipconfig and browstat info for both computers. ... Master browser name is: DESK-HOME ... There are 2 servers in domain MSHOME on transport ...
    (microsoft.public.windowsxp.network_web)