Re: non domain computers on network
- From: Paul Weterings <Paul-nospam-@syncpuls-dot-com>
- Date: Fri, 21 Mar 2008 20:22:26 +0100
The most important reason for managed desktops is total cost of ownership. If you have to convince any management that is worth anything, this would be the reason. If they do not understand the concept of TCO, they are in the wrong place (or millennium).
Any computer that is not managed is prone to issues that will:
1. occur more frequently, since 'anything goes'.
2. will be new to you, and take more time.
3. will take your time away from what you -should- be doing: manage the network, and as such add risk to the company.
4. infect other non-managed systems
5. cause network traffic issues
6. will create/introduce business risks: would you like some bots on your net sending out pr0n spam? The marketing manager will have a good time!
7. will most likely (in case of outbreak) bring the mailservers to a halt.
8. Unmanaged computers also introduce a security-risk; what kind of confidential company information is being stored on home-systems?
With regards to risk that is imposed: any worm that exploits known vulnerabilities will be introduced to your managed network through these PC's. Even a number of such rogue systems can bring your company's network traffic to a halt. No more E-Mail, no more printing, etc. For a list of such animals I would recommend checking out McAfee's Avert website.
If you -must- have a technical solution:
As I mentioned: what you could explore is physically separating such systems from your managed LAN. You mentioned these people having the requirement to print, that's where VLAN's could be used.
Hope this helps.
regards,
Paul
Linda Marie wrote:
Thanks Paul,
I know how ugly the politics can get and that is why I am being careful and asking for a purely technical argument against this practice.
I need a couple of those thousands of reasons - budget wise it is cheaper, that won't work. I need the security reasons spelled out - links are fine I am not lazy about research I just have not found what I need in this case.
As to bad things turning ugly quickly - that is what will happen if the network is damaged and I have not done a CYA. Or CMA in this case I guess. I want to email the Home Office IT and say that I do not want non-domain computers hooked up to the LAN because of the threat of 1).... 2)....... 3)...... the threat is security and virus etc attacks. I would like to know what specific threats there are to prove my points. Then if they say - well make exceptions - it is not my fault. Or if I say no - I have the documentation to back it up to the users. If they hook up anyway and I am forced into making that exception then at least my A is not grass for not stating my case.
We have VLANs, we have several here and others in the regional offices. I am working in Kabul, my problem is with Home Office staff - short term assignments that want to use their own PC and more often with short term consultants (spoiled bunch for the most part) that do not want to "learn" a new computer and bring their PC with them and plug into the LAN. The offices are all wired LAN at 1 GB. They are all welcome to use them on the VLANs and we help set them up (guest houses); it is their insistence on plugging them into the office LAN that is giving me sleepless nights. It is politics and I need information to win this one. Or at least information to make it "I told you not to" when and if something goes wrong.
Yes, they could -definitely- cause problems and this is a big risk. - What are the problems? I have to be specific to fight this.
Please anyone, the name of a specific virus or trojan or other threat that connecting a non-domain computer to the windows domain LAN can cause.
Thanks
Linda
"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dda60b$0$7555$e4fe514c@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Linda,
Yes, they could -definitely- cause problems and this is a big risk. You mentioned the politics, so you are looking for a technical solution for a management problem. Be very careful on how you approach this, as these kind of things tend to turn ugly -quickly-, and guess who they will find to blame.
My experience tells me sometimes it's better just to say "Nope, sorry we can't do that". If challenged on that you'll be able to find thousands of reasons of why it can't be done, budget wise, security wise etc.
Having said all that (and yes, I know you knew all that ;-) the only technical solution that seems to make a little sense is to get these computers on their separate VLAN, and have them connected to the printers that way, then make them print to the IP port of the printer directly, instead of going through servers. (assuming these are network printers).
Good luck with the politics....!
Paul
Linda Marie wrote:
We have a couple of users (visitors) that insist on using their personal computers on our windows 2003 network. Politics - so don't ask - believe me you don't want to know.
They of course can surf the Internet (DHCP) and get their personal email through Outlook or on the web. Now of course they want to print to the network printers.
Is there any security issue with them just being on the network? I don't know of any viruses etc. that can be spread unless they access the server which they cannot do. I have no control over antivirus or anti-malware on these machines so it makes me nervous.
We will supply them with computers for the duration of their visit but they don't want to use them. And I don't want to support non-domain computers - we have enough to do, so I would be happy to hear that they may be a security problem with using these computers. They run under the local administrator accounts on their machines I am sure. So if they have a virus or trojan etc. could it cause problems on our domain and be spread since they are on the LAN?
Thanks
Linda