

Create profiles for users on a Workgroup and disable Homegroup options & wifi


Shades:
First of all, a domain would be your best bet. An old PC with a properly configured Untangle (or similar product) might do the trick as well.

However, if macguyvering is your only option, you could think about the following concept and steps to take (fooling your users a bit).
Make a virtual LAN on your switch that is not allowed internet access. I do hope you have a DHCP server that "parks" every known and unknown computer/smartphone in that virtual LAN. Then there should be a script available to anyone that should suggest it has to run to grant internet access. That script should then assign (hard-coded) IP numbers in a different subnet with internet access on a first come, first served basis. With 20 or so users that shouldn't be too hard. This script should also disable HomeGroup (as 4wd has shown you) and whatever else you need/want.

This proof-of-concept might work for you. But most of all, you should have learned by now that Workgroups are an administration nightmare on the best of days. Getting a domain server is really the best way to go if you want a Windows-only solution. Or invest time in doing networking on Linux. Untangle is based on Linux and its web-interface makes management tasks quite easy.

Oh, before I forget, learn to work with 'sc', that is a powerful toy to play with. :)

x16wda:
If your users have admin rights on their boxes then anything you do is subject to being undone, of course.

That said you might look at something like Argon Switcher to set up a couple network profiles. I haven't used this (yet  ;)) but it looks like it might help immensely:

Argon is an open source utility with the aim to supply multiple network configurations in Windows XP and Windows 7. It's useful when you move your notebook from one network to others. For each network you can select the network card to use and store the configuration as a "profile". For each profile you can configure many things such as: Network card configuration, Proxy configuration, A set of applications to run when the profile starts, A set of Windows services to start or to stop, Set the default printer, Map the necessary network drives, Disable network cards, Enable/disable network card.

--- End quote ---

You can set up the addresses you want and save the profiles. Disable the wireless card. Also, if you're just working locally, you could maybe set the netmask to 1.0.0.0 and set no gateway, set the proxy to localhost, etc, so the boxes know that everything is local and there's no need to go through a router.

Edit: You could also try IP Switcher or TCP/IP Manager for the network profile part if you see issues with Argon; its SourceForge rating was only 3 stars.  :o

Stoic Joker:
Damn it Shades, now you got me started thinking about junkyard design options.

First of all, a domain would be your best bet. An old PC with a properly configured Untangle (or similar product) might do the trick as well.-Shades (May 17, 2014, 12:08 AM)
--- End quote ---

This actually has potential, but I'll come back to that.

However, if macguyvering is your only option, you could think about the following concept and steps to take (fooling your users a bit).
Make a virtual LAN on your switch that is not allowed internet access. I do hope you have a DHCP server that "parks" every known and unknown computer/smartphone in that virtual LAN. Then there should be a script available to anyone that should suggest it has to run to grant internet access. That script should then assign (hard-coded) IP numbers in a different subnet with internet access on a first come, first served basis. With 20 or so users that shouldn't be too hard. This script should also disable HomeGroup (as 4wd has shown you) and whatever else you need/want.-Shades (May 17, 2014, 12:08 AM)
--- End quote ---

Okay, bear with me as I play devil's advocate/hacker here. An isolated VLAN isn't going to stop devices from accessing a hot spot. The DHCP angle also goes up in smoke due to it only having the ability to control devices that ask it for an IP address. The problem child hotspot has DHCP capabilities too. Then there is the 20 users x how many devices x at least 2 NICs = how many MAC addresses needing to be tracked? *Shudder*

Here's the problem: even if you completely lock down all but one network adapter/path, there still is one. And that one can be modified to do whatever someone wants it to (like connect to multiple networks) if they know how. Now the really horrific part is that if they don't know how and try to give it a go anyway ... and/or follow a "reasonably tech savvy" friend's advice, they could easily end up creating a vortex that sucks the entire network into the Chinese petting palace universe. This scenario - which I've seen play out many times - with local administrative rights is really the biggest danger IMO.

HomeGroup membership at this point actually becomes rather irrelevant when the thing you're really trying to block is the (technically completely unrelated because it is on a totally different layer of the OSI model) TCP/IP network connectivity to the internet.

But we're not totally screwed ... Yet!

Untangle is based on Linux and its web-interface makes management tasks quite easy.-Shades (May 17, 2014, 12:08 AM)
--- End quote ---

Getting back to the gateway fortification method. If the users do actually need to be connected to the internal network to perform their jobs. We can leverage that in our favor with a wee bit of static routing based shenanigans.

Here's the thing. Have you ever encountered a Cisco VPC client install that was set up by a hyper paranoid asshole that blocked access to everything except the remote target network? It's both infuriating to troubleshoot...and - being ephemerally session based - exactly what we want. Because all you really need is a DHCP server that will toss in a few rather restrictive static routes, and nothing the users do or try will allow them to get to anything while they are on the company network because the IP routing table won't allow it. Sure they can connect to anything within a first hop broadcast zone ... But any attempt to go past that will - via the routing table - auto-magically fail.

And ultimately that is really what is needed. An environment that will transparently allow them just enough room to realize that they have failed...so that they give up and go back to work.
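Added illustration (not from Stoic Joker's post or from any product mentioned in the thread) of the routing-table idea above, and of x16wda's "no gateway, everything is local" profile earlier in the thread: a longest-prefix-match lookup over a host routing table with the on-link subnet and one internal server route but no default route, compared with a normal table. The subnets, router address and route entries are constructed; a DHCP server can hand out such entries as classless static routes (DHCP option 121), which is the mechanism the post alludes to.

```python
"""Longest-prefix-match simulation of a host routing table.

Added example, not from the thread. All addresses and routes are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route entry: (destination network, next hop or None when on-link, metric)
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], int]


def make_route(dest: str, via: Optional[str], metric: int = 1) -> Route:
    return (
        ipaddress.ip_network(dest, strict=False),
        ipaddress.ip_address(via) if via is not None else None,
        metric,
    )


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route (lowest metric on a tie), or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


# Constructed locked-down table, as a DHCP server could push it with
# classless static routes: the on-link subnet, one internal server subnet
# via the router, and deliberately no 0.0.0.0/0 default route.
LOCKED_DOWN: List[Route] = [
    make_route("192.168.1.0/24", None),
    make_route("10.10.5.0/24", "192.168.1.1"),  # constructed file/print server VLAN
]

# Constructed normal table for comparison: the same entries plus a default route.
NORMAL: List[Route] = LOCKED_DOWN + [make_route("0.0.0.0/0", "192.168.1.1", metric=10)]


def reachable(table: List[Route], dst: str) -> bool:
    """True when the table yields any route for dst."""
    return lookup(table, dst) is not None


def describe(table: List[Route], dst: str) -> str:
    """Human-readable lookup result, in the spirit of 'route print' output."""
    r = lookup(table, dst)
    if r is None:
        return f"{dst}: no route to host"
    net, via, _metric = r
    return f"{dst}: via {via if via is not None else 'on-link'} ({net})"


if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.10.5.20", "8.8.8.8"):
        print("locked:", describe(LOCKED_DOWN, dst))
        print("normal:", describe(NORMAL, dst))
```

The lookup shows why a locked-down table "fails" the internet while still serving the local subnet and the one internal route: there is simply no entry covering 8.8.8.8. The caveat the post already raises still applies: these routes belong to the interface that received them, so a second adapter on a hotspot brings its own default route, which is why MAC filtering or disabling the other adapters is discussed alongside it.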

40hz:
If you have a small enough device pool accessing the WAP you can also restrict access by device MAC Addresses.

Royal PITA to stay on top of with more than a dozen or so devices. But it's a pretty effective (and free) access security boost in an SMB/SOHO environment. Keeps people's personal smartphones off the company network if nothing else.

And while it's true you can spoof MAC, doing so is beyond the knowledge level of the bulk of the people you'd want to restrict. Keeping out a real pro hacker is a whole 'nother smoke - but that's for another discussion. Usually one you'd have to pay someone to have with you. ;) :)
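Added example (not from 40hz's post, and not tied to any particular DHCP server or access point) of the bookkeeping a MAC allowlist needs once it grows past a handful of devices: normalise the two common MAC spellings, list lease holders that are not on the allowlist, and flag an allowed MAC that shows up under more than one hostname, which is the cheap sanity check for a cloned or mistyped address. The lease lines, hostnames and allowlist are constructed; the line format mimics a dnsmasq-style lease file and the regex is the part to adapt to your own server's output.

```python
"""MAC-allowlist audit over constructed DHCP lease lines.

Added example, not from the thread. Allowlist, hostnames and log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample lines: expiry MAC IP hostname client-id (dnsmasq-like layout)
SAMPLE_LEASES = """\
1400000000 00:11:22:33:44:55 192.168.1.20 office-pc1 *
1400000100 00-11-22-33-44-66 192.168.1.21 office-pc2 *
1400000200 AA:BB:CC:DD:EE:01 192.168.1.77 android-9f3c *
1400000300 00:11:22:33:44:55 192.168.1.88 bobs-laptop *
"""

# Constructed allowlist of company-owned adapters
ALLOWLIST: Set[str] = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

LEASE_RE = re.compile(
    r"^(?P<ts>\d+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-... and 00:11:... compare equal."""
    return mac.replace("-", ":").lower()


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse lease lines into dicts; lines that don't match the format are skipped."""
    leases: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["mac"] = normalize_mac(d["mac"])
        leases.append(d)
    return leases


def unknown_devices(leases: List[Dict[str, str]]) -> List[str]:
    """MACs holding a lease that are not on the allowlist (personal phones etc.)."""
    allowed = {normalize_mac(m) for m in ALLOWLIST}
    return sorted({lease["mac"] for lease in leases if lease["mac"] not in allowed})


def duplicate_identity(leases: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Allowed MACs seen under more than one hostname: worth a look before trusting them."""
    allowed = {normalize_mac(m) for m in ALLOWLIST}
    hosts = defaultdict(set)
    for lease in leases:
        if lease["mac"] in allowed:
            hosts[lease["mac"]].add(lease["host"])
    return {mac: sorted(h) for mac, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_LEASES)
    print("not on allowlist:", unknown_devices(parsed))
    print("allowed MAC under several names:", duplicate_identity(parsed))
```

Run against a real lease file this gives the "who is on my network that I did not put there" list that makes the allowlist maintainable, and the second report is the low-effort counter to the spoofing caveat in the post: a copied MAC usually still carries the other machine's hostname.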

Shades:
Stoic's alternative solution is indeed an improvement over my too friendly concept. After all you're the admin and your users should feel the power that comes with that position. Applying routing tables will keep your users in check and discouraged.

But make sure to get those tables right, because if you don't, you have only added to your headaches. Here are two links that are springboards for study: Linux and Windows

For either a domain server or Untangle, an old single-core Pentium 4 with 512 MByte/1 GByte of RAM and 2 network cards (preferably not on-board) is already sufficient. So it really can be an old clunker, and the extra hardware cost shouldn't be an issue. Untangle and its alternatives, both commercial and open source/free.
