hi there

can it be dome like we allow only linux basd achine to acces the internet throught (squid)proxy and firewall(iptabes)

in my university after a major virus attack on win mahcines ,the administration want to allow internet access only through linux mahcines and keep windows for offline work
this might reduce the chances the virus attacks.of course if they download an attachment in linux which might be virus for windows but at atleast the linux machine will keep on working

so how should we go about it??

one way could be to keep those win machines on a domain ,and allow only restricted acces to those machines for all users so that they cannot change the network settings in windows,

but we hope to block the internet access from a windows machine

regards

subnets is all i could think of. put all windows systems on a subnet that is not allowed access to the WAN side of your routers. this will also make them basically invisible to your linux boxes unless you give the linux boxes access to that subnet too.

no no

let me make this more clear

we will be having windows and linux on a single machine
to access internet u need to go to Linux

regards

just don't make the micro$oft machines internet enabled. take out their tcp/ip stack, and do all their workgroups via netbeui and samba. all should be able to see all, but without tcp/ip the m$ cannot get access to the net

yes that will be a good idea but the problem is that we will need to keep them under some domain controllerso that they do not install that TCP/IP in windows

regards

you do not need the AD to do that. both win2k and XP pro have local security settings. you can make it so that the user (not admin) can not install anything if you want, in fact you can even limit exactly what they can run.

look around in the local security and settings you will find all kinds of security settings in there you can apply to the user accounts. no need for an AD setup with a win2k or 2k3 server running unless you just want to set it up that way.

yes that can be done through a local machine but with the domain controller we could have control over the machines more

again this solution is not much prefered
since we have a large no of machines around 800 in the university

regards

set them all to run tcp/ip (for "domain" purposes, which is really tied to the internet...) and the linux boxes only to run the ipx/spx stack. then allow that stack only into the default gateway, where there is a proxie server / protocol switcher (linux box or appliance). the ipx/spx (linux netwk data) will be repackaged as tcp/ip for internet. you might need some powerful protocol machines though!!

or just lock down the permissions tighter, like Lleb_KCir said. What Microsoft O$ are you running?

all types of win OS

98, Xp , 2000

a domain controller wil help though
and i will look into ur suggestions as well

thanks

with 9x in the mix you will not be running a full set of AD as 9x does not follow all of the permiessions set down by the AD. you can do the exact same thing in the AD as you can in your local security settings. just do it by OU and place all of your users into that OU to prevent them from getting close to the WAN side of things including removing the ability to open IE or either OE or Outlook.

once you have the users set to lowest level they will NOT be able to install 90% of the software out there, nor will they be able to adjust any of the TCP/IP settings.

THIS IS NOT TRUE FOR WIN9x SYSTEMS. as mentioned above win9x is not going to follow the AD permissions for the OU security or user level you have set. your only option for the win9x boxes is to upgrade them or remove windows from them completly and leave linux only on those older systems.

sadly with roughly 800 boxes you will still have to touch each and every box to implement a lot of this.

1. configure your OU
2. assign the users to that OU
3. configure p/w levels for the users
4. touch every box and lock down the local system to prevent local login and ONLY allow domain level log in.
5. remove floppy drives from all boxes for maxium security. with a floppy drive any and all windows systems can be 100% comprimised in less then 5min by someone who knows what they are doing and 15-20min by a script kiddy.

that should help. sadly that will again leave you touching every box. if the school has batches of simular hardware systems, then i HIGHLY sujest looking into Symantecs GHOST enterprise. this is pricey, but a school might get a substantial discount. with that you will be able to bring down 1 of each hardware setup and rebuild it. make a ghost img, then do a LAN based roll out.

you can also do something simular with RIS in win2k/win2k3 servers, but those are not near as effective and only give you a base level install not a fully secured and locked down system that ghost enterprise will.

you would also need ghostwalker to roll the SIDs on all of the systems before you bring them live to the domain.

i hope that is a bit better for you.