Networking Advice needed
Overload
11-07-11, 12:14 PM
I am no expert, but am always willing to learn what I can.
My question is: I have a group of computers within my organization that run critical software and equipment. "we" want to deny these computer access to the internet, and USB access (had problems with USB viruses), but would like to have a LAN connection to a single user pc where users can get to data on the other PCs. Once they have data on this PC it would be nice to have internet access and the ability to share the data on a more global scale. What you recommend to accomplish this.
Hope that is clear and specific enough. Thanks
thideras
11-07-11, 12:38 PM
Hello Overload,
As blunt as it may sound, you should have an IT professional that is experienced with enterprise setups configure your network. Suggestions taken here for mission-critical equipment are risky at best and you definitely don't want this to fall back on your lap should something go wrong.
insanemonkey
11-07-11, 01:56 PM
What you are trying to do is possible, but without knowing what your network looks like I can't really tell you what you need. Like Thideras said, talk to an IT pro who knows what they are doing.
TempliNocturnus
11-08-11, 04:41 PM
You can accomplish your objectives in several ways. For the USB ports, you may be able to turn them off in the BIOS. Otherwise, you could simply disable them in the Windows Device Manager. If you need access to your USB ports, there are group policy settings that can restrict the use of USB storage devices while permitting the use of other USB devices (GPEdit.msc; Computer Configuration -> Administrative Templates -> System -> Removable Storage Access -> All Removable Storage classes: Deny all access).
For the network access portion, the best solution would be to utilize VLANs if you have a managed switch. If you don't have a managed switch, you could use a software firewall to restrict access to a particular host (or hosts). You can also leave out the default gateway on these computers if the computers you want them to communicate with reside on the same network segment.
There are many ways to do what you're trying to do, but more information about your network would be needed to determine the best solution.
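The three host-side controls from the post above (the Removable Storage Access policy, no default gateway, a software firewall that only admits one host) applied and then verified on one of the isolated PCs, as an added example that is not from the thread or any poster. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity cmdlets), an elevated prompt, and a constructed placeholder address for the single shared-data PC; the registry value written in step 1 is the one Local Group Policy itself sets for "All Removable Storage classes: Deny all access".

```powershell
# Added example: lock down one isolated equipment PC. Not from the thread.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$DataPc = '192.168.50.10'   # constructed placeholder for the shared-data PC

# 1. Removable storage: the registry value behind the local GPO
#    Computer Configuration > Administrative Templates > System >
#    Removable Storage Access > "All Removable Storage classes: Deny all access".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord

# 2. No route to the internet: drop every default route (0.0.0.0/0).
#    Hosts on the same subnet stay reachable; nothing beyond it does.
#    Give the PC a static address, or a DHCP renewal will put the route back.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 3. Host firewall as a second layer: default-deny outbound on every profile,
#    then allow only the data PC. Inbound from the data PC is allowed so it
#    can pull files from a share on this machine.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Isolated: allow data PC (out)' `
    -Direction Outbound -Action Allow -RemoteAddress $DataPc -Profile Any
New-NetFirewallRule -DisplayName 'Isolated: allow data PC (in)' `
    -Direction Inbound -Action Allow -RemoteAddress $DataPc -Profile Any

# 4. Verify. Run this part alone on each audit; every field should be True.
$denyAll = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' `
    -ErrorAction SilentlyContinue).Deny_All -eq 1
$noGateway = -not (Get-NetRoute -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue)
$outboundBlocked = @(Get-NetFirewallProfile |
    Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0

[pscustomobject]@{
    RemovableStorageDenied = $denyAll
    NoDefaultGateway       = $noGateway
    OutboundDefaultBlock   = $outboundBlocked
}
```

Steps 2 and 3 overlap on purpose: the missing route stops casual traffic, the firewall catches anything that re-adds a gateway. Keep step 4 as a scheduled check, because a policy or route that was correct on day one is exactly what a "plug them in and fend for yourselves" environment silently loses.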
Overload
11-09-11, 09:28 AM
Thanks, that helps a little. Seems obvious, but I had overlooked the BIOS option. The PCs are not supported by IT because they are not clones of their hardware/software. They are from the equipment manufacturer and that is their sole purpose. I want another PC that data from the equipment PCs can be put onto (over LAN). Users can use this PC and if they put viruses on it I don't care, and then the equipment will remain safe.
Adragontattoo
11-09-11, 12:31 PM
Ok so just to recap before I give my opinion.
USB access = none for X # of systems.
Same X # of systems are networked BUT not able to access the net
1 additional system is in place but able to access the net?
Is that 1 system also able to connect to the other systems in the isolated network? Is it able to browse the standard network in addition?
Overload
11-10-11, 03:27 PM
Ok so just to recap before I give my opinion.
USB access = none for X # of systems.
Same X # of systems are networked BUT not able to access the net
1 additional system is in place but able to access the net?
Is that 1 system also able to connect to the other systems in the isolated network? Is it able to browse the standard network in addition?
That sounds about right.
unijabnx2000
11-12-11, 11:55 PM
Can you just set a rule or filter up on your default gateway to block the IPs of the computers you want denied access to the Internet?
Adragontattoo
11-15-11, 06:20 PM
That sounds about right.
You should REALLY have someone who can look at the layout answer this but from what I gathered, easiest way would be to have a router or similar in place which only allows the assigned system out to the rest of the network.
PFSense, IPCop, and any number of Linux firewall distros can easily do this. A simple Netgear/Linksys/Buffalo etc. router could as well. Alternatively, a managed switch with a VLAN could do the same. Simplest but most "problematic" would be a switch and static IPs that is a "closed network" which isn't connected in.
You will need to have the "closed" systems blacklisted on your firewall and DHCP server to prevent a user from simply plugging one PC into a network drop.
You would honestly be better served by having a local network tech come out to look at the layout and address any potential concerns or possible missed "problems" that you didn't realize would be a problem.
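The "blacklisted on your DHCP server" part of the suggestion above, shown on a Windows DHCP server as an added example that is not from the thread or any poster. It assumes Windows Server 2012 or later (the DhcpServer module) and uses constructed placeholder names, MAC addresses and scope; the deny list only stops a lease being handed out, so a user who sets a static address gets past it, which is why the post pairs it with a firewall rule.

```powershell
# Added example: refuse DHCP leases to the isolated equipment PCs so that
# plugging one into an ordinary network drop yields no address. Not from the
# thread. Assumes Windows Server 2012 or later with the DHCP server role.
#Requires -Modules DhcpServer

# Constructed placeholders: hostname -> MAC address of each isolated PC.
$IsolatedPcs = @{
    'LAB-EQUIP-01' = '00-11-22-33-44-01'
    'LAB-EQUIP-02' = '00-11-22-33-44-02'
}
$ScopeId = '10.0.0.0'   # constructed placeholder for the main-network scope

# Add each MAC to the deny filter; -ErrorAction Continue keeps going if one
# entry already exists from an earlier run.
foreach ($name in $IsolatedPcs.Keys) {
    Add-DhcpServerv4Filter -List Deny -MacAddress $IsolatedPcs[$name] `
        -Description "Isolated equipment PC $name - no lease on main network" `
        -ErrorAction Continue
}

# The list is ignored until filtering is switched on.
Set-DhcpServerv4FilterList -Deny $true

# Audit 1: what the server will refuse.
Get-DhcpServerv4Filter -List Deny | Select-Object MacAddress, Description

# Audit 2: any isolated PC that nonetheless holds a lease on the main scope,
# e.g. one added before the filter was enabled. Expect no output.
Get-DhcpServerv4Lease -ScopeId $ScopeId -AllLeases |
    Where-Object { $_.ClientId -in $IsolatedPcs.Values } |
    Select-Object IPAddress, ClientId, HostName, AddressState
```

Run the two audit queries on their own periodically; the filter configuration rarely drifts, but the lease table is where a mis-plugged machine shows up first.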
G33K454URU5 R3X
11-15-11, 07:34 PM
Either I missed something, or we haven't determined if the one Internet accessible system is allowed to access the restricted network.
If the machines in the restricted network are that critical as to not have nor require Internet access, compromising the security of the restricted network by connecting one Internet facing PC is not a good idea.
Without knowing the size / scope of the network, you could always just get a switch, plug all the computers into it, let Windows assign APIPA addresses to each machine and you have a quick and easy restricted network. Obviously, this will not work if you wish to manage these machines via domain based group policy - but once again, depending upon the number of machines, you could use local based group policy to enforce restrictions (i.e. USB) like what Templi said.
Adragontattoo
11-15-11, 09:25 PM
Either I missed something, or we haven't determined if the one Internet accessible system is allowed to access the restricted network.
If the machines in the restricted network are that critical as to not have nor require Internet access, compromising the security of the restricted network by connecting one Internet facing PC is not a good idea.
Without knowing the size / scope of the network, you could always just get a switch, plug all the computers into it, let Windows assign APIPA addresses to each machine and you have a quick and easy restricted network. Obviously, this will not work if you wish to manage these machines via domain based group policy - but once again, depending upon the number of machines, you could use local based group policy to enforce restrictions (i.e. USB) like what Templi said.
Oh, I didn't even get into the security side. It is easily a multi-day, multi-page Q&A session to get the full needs, wants, likes, and THEN it gets difficult, err, fun.
G33K454URU5 R3X
11-15-11, 10:46 PM
Oh, I didn't even get into the security side. It is easily a multi-day, multi-page Q&A session to get the full needs, wants, likes, and THEN it gets difficult, err, fun.
It's ALWAYS fun :clap: Agreed though, any time you are talking 'mission critical' it's more than just the 'plug stuff in and go' mentality. Business Continuity Planning, Access Control, defined roles / responsibilities, physical security, etc - all things that need to be taken seriously and be in writing with the support of management.
Overload
11-16-11, 10:00 AM
Thanks everyone, you have been a lot of help. To clarify a bit more, the PCs are in an academic environment. Up until now the policy has been: plug them in and fend for yourselves. PCs and data have been lost in the past. The number of PCs I am concerned about is 6. The 'policy makers' want to lock down these six, but add a single data storage PC for easy shared access to all data. Maybe this computer will have internet access if they can be convinced hackers won't break in and steal/delete the data!
Adragontattoo
11-16-11, 01:02 PM
Thanks everyone, you have been a lot of help. To clarify a bit more, the PCs are in an academic environment. Up until now the policy has been: plug them in and fend for yourselves. PCs and data have been lost in the past. The number of PCs I am concerned about is 6. The 'policy makers' want to lock down these six, but add a single data storage PC for easy shared access to all data. Maybe this computer will have internet access if they can be convinced hackers won't break in and steal/delete the data!
See above for my previous suggestion options; there are many, many, many ways to do what you want. Without knowing every detail, and having a once-over on your network, you are best served by an isolated network and then having a single PC connected to the world (you could have the separate PC VPN to the "real" network for net access and such).
Overload
11-17-11, 09:46 PM
It sounds like we are going in the right direction, from what you are telling me. Thanks for the help. Now that I know my options I feel better :)