LinuxQuestions.org forum: Linux - General (general Linux questions and discussion)
Can it be done like we allow only Linux based machines to access the internet through a (squid) proxy and firewall (iptables)?
In my university, after a major virus attack on Win machines, the administration wants to allow internet access only through Linux machines and keep Windows for offline work.
This might reduce the chances of virus attacks. Of course, they might download an attachment in Linux which might be a virus for Windows, but at least the Linux machine will keep on working.
So how should we go about it?
One way could be to keep those Win machines on a domain, and allow only restricted access to those machines for all users so that they cannot change the network settings in Windows,
but we hope to block internet access from a Windows machine.
Subnets are all I could think of. Put all Windows systems on a subnet that is not allowed access to the WAN side of your routers. This will also make them basically invisible to your Linux boxes unless you give the Linux boxes access to that subnet too.
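One way to build the gateway the original poster describes (squid plus iptables on one Linux box) around this subnet idea, as an added example that is not code from the thread; the subnet ranges, interface name and proxy port are assumed values:

```shell
#!/bin/sh
# Added example (not from the thread): a Linux gateway running both squid
# and iptables, built so only the Linux subnet can reach the Internet, and
# only via the proxy. Subnets, interface and port are assumed values.
LINUX_NET="${LINUX_NET:-10.1.0.0/16}"   # Linux workstations (allowed out via squid)
WIN_NET="${WIN_NET:-10.2.0.0/16}"       # Windows workstations (offline-only)
LAN_IF="${LAN_IF:-eth1}"                # campus-facing interface
PROXY_PORT="${PROXY_PORT:-3128}"        # squid's listening port on this box
IPT="${IPT:-iptables}"                  # set IPT=echo to preview without applying

apply_rules() {
    # Nothing is routed straight through the gateway: with FORWARD set to
    # DROP, the only way to the Internet is squid on this host, so a Windows
    # box gets no path out even if its gateway setting points here.
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the Linux subnet may talk to squid.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LINUX_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Windows-subnet attempts are logged (they show up in syslog) and dropped.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$WIN_NET" -p tcp --dport "$PROXY_PORT" \
        -j LOG --log-prefix "win-proxy-attempt: "
    "$IPT" -A INPUT -i "$LAN_IF" -s "$WIN_NET" -j DROP
    # Add your own management rule (e.g. SSH from an admin host) here,
    # then close the door on everything else.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT   # squid's own outbound connections leave via the WAN
}

# Matching squid ACL, so the proxy itself also refuses non-Linux clients.
# Source-IP filtering only holds while users cannot change a Windows box's
# address, which is what the lockdown advice elsewhere in the thread covers.
squid_acl() {
    printf 'acl linux_net src %s\n' "$LINUX_NET"
    printf 'http_access allow linux_net\n'
    printf 'http_access deny all\n'
}

# Run as root with APPLY=1 to apply; use IPT=echo to review the commands first.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; fi
```

Append the output of squid_acl to squid.conf ahead of any broader http_access lines so the deny-all stays last.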
Just don't make the Micro$oft machines internet enabled. Take out their TCP/IP stack, and do all their workgroups via NetBEUI and Samba. All should be able to see all, but without TCP/IP the M$ machines cannot get access to the net.
Yes, that will be a good idea, but the problem is that we will need to keep them under some domain controller so that they do not install that TCP/IP in Windows.
You do not need the AD to do that. Both Win2k and XP Pro have local security settings. You can make it so that the user (not admin) cannot install anything if you want; in fact you can even limit exactly what they can run.
Look around in the local security settings; you will find all kinds of security settings in there you can apply to the user accounts. No need for an AD setup with a Win2k or 2k3 server running unless you just want to set it up that way.
Set them all to run TCP/IP (for "domain" purposes, which is really tied to the internet...) and the Linux boxes only to run the IPX/SPX stack. Then allow that stack only into the default gateway, where there is a proxy server / protocol switcher (Linux box or appliance). The IPX/SPX (Linux network data) will be repackaged as TCP/IP for the internet. You might need some powerful protocol machines though!
Or just lock down the permissions tighter, like Lleb_KCir said. What Microsoft O$ are you running?
With 9x in the mix you will not be running a full set of AD, as 9x does not follow all of the permissions set down by the AD. You can do the exact same thing in the AD as you can in your local security settings. Just do it by OU and place all of your users into that OU to prevent them from getting close to the WAN side of things, including removing the ability to open IE or either OE or Outlook.
Once you have the users set to the lowest level they will NOT be able to install 90% of the software out there, nor will they be able to adjust any of the TCP/IP settings.
THIS IS NOT TRUE FOR WIN9x SYSTEMS. As mentioned above, Win9x is not going to follow the AD permissions for the OU security or user level you have set. Your only option for the Win9x boxes is to upgrade them or remove Windows from them completely and leave Linux only on those older systems.
Sadly, with roughly 800 boxes you will still have to touch each and every box to implement a lot of this.
1. Configure your OU.
2. Assign the users to that OU.
3. Configure p/w levels for the users.
4. Touch every box and lock down the local system to prevent local login and ONLY allow domain-level login.
5. Remove floppy drives from all boxes for maximum security. With a floppy drive any and all Windows systems can be 100% compromised in less than 5 min by someone who knows what they are doing and 15-20 min by a script kiddy.
That should help. Sadly, that will again leave you touching every box. If the school has batches of similar hardware systems, then I HIGHLY suggest looking into Symantec's Ghost Enterprise. This is pricey, but a school might get a substantial discount. With that you will be able to bring down 1 of each hardware setup and rebuild it. Make a Ghost image, then do a LAN-based rollout.
You can also do something similar with RIS in Win2k/Win2k3 servers, but those are not near as effective and only give you a base-level install, not the fully secured and locked-down system that Ghost Enterprise will.
You would also need Ghost Walker to roll the SIDs on all of the systems before you bring them live to the domain.