Securing Your Internal Network from Windows? 78
acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."
The irony is sickening. (Score:5, Interesting)
Users who think they know more than the IT department, who run a Mac network, insisting that they maintain Windows boxes? I keep reading that sentence over and over and alternating between laughing my ass off and getting mildly furious.
You: "MacOSX is built on UNIX technology, and is more stable, sports a superior IP stack, and new users will find it much easier to use, thanks to the greatest GUI ever designed"
Them: "No thanks, I use a real computer, and that starts with a PC running Windows."
I feel for you man...
Re:The irony is sickening. (Score:4, Interesting)
I'm big into standards - whether they be standards for web pages, or XML formats for document exchange, or things like POSIX. Yep, I'm all for interoperability.
Why?
So users can use whatever damn platform they want. If you wanna go crazy and put X on your box, and that's not the company's party line, fine, as long as you don't expect ANY platform specific support, I don't care. You like Linux, go right ahead. Mac? No Problem. Happy with your PDP11? Go crazy. Windows XP? Sure, spoon feed Bill dinner if you like, I don't care. Whatever you are the most comfortable with, and makes you the most productive, that's fine with me. You can pick your platform, software, whatever.
This is not only hinged on interoperability of document standards though. The administrator has to be judicial in maintaining server security too. Many admins get lazy, wirefall off the outside world, forget about security on the inside, and hope for the best. I say, religious backups, and good group/user security policies on all servers are a must.
In my mind, the Free in Free Software allows you the freedom to use
Re:The irony is sickening. (Score:2)
You have just confessed to the crime of GNU/Heresy. Stay where you are; FSF operatives will be at your home shortly to escort you to the nearest GNU/Re-education camp.
All sarcasm aside, yours is by far the more enlightened viewpoint, but it's also in direct opposition to the position of the FSF. I don't know if most people realize this, but the FSF actually asserts that people should not use software that is, by their definition, unacceptable. Doesn't sound very "free" to me.
Re:The irony is sickening. (Score:2, Funny)
Re:The irony is sickening. (Score:3, Funny)
Yes, that's nice and all but... (Score:4, Informative)
...the reason he's griping about his WinXP boxes is that he doesn't want any viruses banging on his network, crackers hijacking these machines, etc.--Windows IS more susceptible to this stuff, if for no other reason (and there may be other reasons) than it is so popular right now, and it is not exactly set up by default to be secure. So get off your high and mighty standards-compliance horse (no matter that I agree with you--I think you have a good point about what _should_ be the case) and remember this guy has to deal with a real-world situation.
Plus, MS is not really into standards-compliance last I heard, and that also kinda puts a crimp in your ideology...
Re:The irony is sickening. (Score:1, Insightful)
Of course you can use whatever you want at home and should be able to. When you are at a work place, it is reasonable to expect to be mandated to use certain equipment. This is particuarly relevant if you are at risk of revealing secure information. Owning one machine on the network, that isn't cordoned off, will allow you to gain access to the rest of the network much more easily than if this vulnerable machine wasn't there.
Quite clearly you are full of shite and have no idea about what the article was talking about. Enjoy your life and mindless zealotry against mindles zealotry, but please try to be mindlessly zealous about people who are being mindlessly zealous and not just those trying to do their job. This simple precaution will allow your mindless zealotry to be much less offensive; it will merely disappear in a thick background of mindless zealotry.
Re:The irony is sickening. (Score:2, Insightful)
I hate being told what to use as much as anybody (heck, my wife *quit* her last job because they were going to make her use Outlook... for shared calendering... on a Mac! ha ha
So there are good reasons to mandate certain things...
Re:The irony is sickening. (Score:2)
Does your wife show any other recognizable signs of insanity? Jobs are not easy to come by in this economy. I was recently unemployed for a while, after my start-up... well, didn't. The though of quitting a job over a computer program amazes and, frankly, sickens me a little.
It is called "Total Cost of Ownership" (Score:1)
Who is going to support the XP in that situation? The IT Department.
How long is it going to take for someone in the IT department to support the XP system in comparison to the Mac sitting next to it when the user can't get their e-mail? At least double the time. So, he isn't productive and neither is the guy that is sitting around waiting to get his e-mail. That costs money.
One solution: Train the IT department to support any computer. Great, that costs money too. In our economy it ain't going to happen.
Another solution: Hire some guy to support the XP boxes as his primary job. Most companies won't say it is worth it unless there are a LARGE percentage of the "non-standard" systems.
Ok, so let's say we get past all those costs. Lets get to everything else.
Volume licensing works where the more you buy of the same thing the cheaper it is. If I have 400 Macs and 10 Winxp systems, the XP systems (on a per system basis) will cost more to purchase software for than the Macintosh.
The real world solution (only available with backing from above) is to have a single platform and support it very well. Training people to use a Macintosh is a one-time expense that can be handled by the guy sitting next to them. In the long run it will be a lot cheaper.
It *is* entertaining.. (Score:5, Interesting)
A lot of Windows networks have Linux boxes creeping on to them via this route -- the users have to admin them, and are fully responsible if anything goes wrong.
I'd also put a few hard rules on the users -- if they break them, they're in violation. First, SMB/CIFS goes. Windows file sharing causes more problems than anything else on earth. Second, it's probably not a bad idea to budget to get them antivirus programs. Third, I wouldn't let them run their own servers (IIS or whatnot) unless this is already a normal policy (users running servers is kosher) and you have them blocked from the outside world -- users simply do not reasonably have the time if they're doing their work to keep servers up to date.
That being said, your job is to allow the users to get their work done as efficiently as possible. If they're uncomfortable in a non-Windows environment, don't make yourself disliked by trying to impose a different environment on them. Make reasonable restrictions, as I noted above, but don't axe their desires just because they're Windows-based.
I'd try this approach regardless of the OS being used, if it's an unsupported OS, as a matter or fact.
Oh, and the last item: you may (I feel reasonably) ban the use of Outlook on your network. People can argue as much as they want about whose fault Outlook issues are and whether Outlook is simply targeted because it's popular, but there have been enough nasty worms and problems coming from Outlook that I don't think I'd want to administer a network with it on it.
You won't really need it... (Score:4, Interesting)
Even better (Score:2)
What threat? (Score:4, Insightful)
Is there a known trojan/worm/virus that infects XP and then attacks MacOSX ?
Could this entire story be blatant MS bashing, because it's a slow news day?
Re:What threat? (Score:3, Troll)
Ask Slashdot: Securing Your Internal Network from Windows?
Ask Slashdot: Advanced Job Scheduling?
Salvaging Possessions from Smoke Damage?
Consoldated Network Storage?
How Private Is Your Financial Data?
Does First Sale Still Exists?
Boosting the Cellular Signal, Inside?
Microsoft buys linux
Small LCD Screens?
Plugins for Microsoft Office for OpenOffice Documents?
Green Geeks?
MiniDVs as a Backup Medium?
Multiple Broadband Connections at Home?
Is Client/Server Really Dead?
Starting a Cable Company?
I mean no offence guys and gals,, but all he does is post stories that really shouldnt be!
EXAMPLE
Windows 2000, Samba and Cancelling Print Jobs? [slashdot.org]
A question that was best suited for a mailing list, not an Ask Slashdot, and answered by myself in the first four comments.
Maybe Cliff should start thinking about the questions before letting them hit the front page of Slashdot.
Re:What threat? (Score:2)
There are plenty of threats posed by XP boxes, especially if this guy doesn't have much experience with Windows. Windows vulnerabilities may not directly attack Mac OS X boxen, but they certainly could take down his LAN, infect outside clients, attack other networks, etc. I covered a bit of this in another post [slashdot.org].
Used to be browsing at +1 or +2, sans modpoints, was enough to get a decent SnR on here. I'm not so sure anymore...
Re:What threat? (Score:3, Insightful)
I've *never* bought the "security risk" argument of Windows boxen creeping onto the network. If it's possible for someone to harm your network by harming a Windows box, there's something wrong with your network. You should be concerned about someone walking in to your facility with a laptop computer and plugging in.
The only valid complaint is that it's not supported by the IT department. Thus, either the users get no support, no PDCs, no Active Directory, no Exchange, etc - They just stick to peer-to-peer, like emailing meeting requests and direct file transfers - Or the IT department spends a lot of time and energy (and money) to support them. That's really a management call - If it's worth the money to let those users be more productive, then no harm, no foul.
Who defines policy, IT or the users? (Score:3, Insightful)
I guess that's the first question then. Can you say no to the request? If so, get 'em running with the standard plan. If not, then firewall them onto their own segment and be very, very tight about what gets in and out from their segment.
Re:Who defines policy, IT or the users? (Score:2)
I'm not sure that I agree with you here...and I think that this may show the crux of the problem with IT in many companies.
Managers tend to forget that IT exists to serve the employees. IT is not in place to tell the users what they can't do. Its important to keeps this in mind when writing IT policy. In fact, without hte employees, IT wouldn't exist -- there would just be operations.
This is just plain wrong. This totally prevents employees from communicating/filesharing with other employees. Remember, if IT is there for the employee, and IT is preventing the employee from doing their job, then IT is not doing their job and IT deserves to be fired.
I'm not saying that this manager should bend over backwards for these folks -- on the contrary -- tell your users that the department doesn't have the resources to support that minority and they're on their own (after all -- that's what Mac users have been hearing for years in the workplace). Mandate that they use proper virus protection and that they stay up to date with the latest Windows updates...this shuold keep your network pretty safe.
I think that Slashdot is playing too much xbill and starting to believe its real.
Re:Who defines policy, IT or the users? (Score:1)
> the employees. IT is not in place to tell the
> users what they can't do.
It can be that way, but there has to be limits. Certainly, the larger the installed number of workstations, the more difficult it is to maintain control over a non-homogenous network. The question, as originally posted wasn't that these users *required* Windows, it was that they *wanted* Windows.
I want Linux for work, but use Win2k because, worldwide, we're a Microsoft shop.
> This totally prevents employees from
> communicating/filesharing with other employees.
Not necessarily. Being "tight" about what gets into or out of a firewall only affects user productivity if the firewall is poorly configured, i.e., does not address the user's needs. The idea is not to punish; however, there's no reason to let NETBIOS and the like run willy-nilly over the Apple side of the network, right? Let the Windows boxes use Apple protocols for filesharing.
FWIW, although it's somewhat apples-to-oranges, I telecommute. I connect using VPN through a firewall both on my home LAN and at the office. And, yes, traffic is filtered on the connection regardless of the fact that it's via VPN and *could* let traffic on all ports pass through the VPN tunnel. It's just common sense.
trane
Re:Who defines policy, IT or the users? (Score:2, Informative)
Actually, I think this should be exactly what IT is in place to do. Some of the worst messes I've ever had the displeasure of walking into have been the result of an overly permissive "yeah, sure, whatever you need, go ahead and get it and plug it in" policy.
That's not to say that supporting users and their job requirements isn't important--you're right, it's job one. But the users, generally, should not be dictating the software or equipment they need to do the job. After all, they are not the IT professionals. There is a whole department there to find the right tools for the job. That's the entire point of having an IT department--people to make professional decisions about technology. If the users were capable of doing this, you wouldn't need IT in the first place.
Instead, typically, the users see a neat new toy at the last trade show or in someone else's business and decide suddenly that it's a requirement for them to get their job done. They don't consider the consequences or how it fits in to the rest of the system. IT should, and it should use that knowledge to set limits. The users should present IT with the business requirements and allow the techs to find and implement the technology that will best support those; they should NOT present IT with a new technology and say "here, make it work".
Saying no is one of my most important functions as an IT manager, IMHO. The company I am now at is running stable, under-budget, and effective systems because I've been able to cut off all the pie in the sky user-initiated projects off at the knees by saying no. I'm nicer about it than that, of course... usually it's more along the lines of "Wow, that really is a neat piece of gear! But why don't you tell me what exactly it is that you need to accomplish, and let's see if we can do it with something that fits in a little better with our current platform, shall we?"
Re:Who defines policy, IT or the users? (Score:3, Insightful)
While you may have a point fundamentally -- I think that you're wrong in this instance. First of all -- this is not the latest whiz-bang gadgetry -- its the latest version of Microsoft's OS -- the most widely used and supported operating system in the world. Corporate EU's shouldn't have to learn your propritary technology (different from what 90% of the coroporate world uses) to get their job done...especially considering that these people are lawyers (they don't have time to learn how to use a different OS). Look at it this way: Your CEO wants to run an SGI Octane2. Do you say "I won't support it -- you can't have it. I'm going to firewall your shit off" or do yo say "OK, we can do that...but I neither have the budget for that workstation, nor the staff to support it. Here's how much it will cost, and here's the skillset we'll need if you want support."?
Also, this poster's attitude is pretty poor:
What if one of these XP people is a partner in the firm, is saying no the right thing to do, or will saying no find his ass out on the street? If I were a partner in the firm, I'd fire his ass in a heartbeat for taking that attitude.My point is, is that saying hell no and being inflexible is the wrong way to run an IT department -- and this crappy attitude tends to be very commonplace in IT. If this guy actually cares and wants to do the right thing here (instead of hearing a bunch of self-congratulatory Mac users suck each others dicks), what he should do is to explain the situation to his EU's, and offer a couple of alternatives...such as one of the company's old PC's running Win2K running alongside of the Apple -- or (like I said before) let them have it, and tell them that you simply don't have the budget to support a small minority and they're on their own...also tell them what services that they're missing out on by using the alternative OS.
The EU's don't necesarily think that they know more than IT -- they're most likely more comfortable with the Windows environmant than that of the Apple (and likely more productive with it). The fact that this manager is taking the "I know what's best because I'm an IT manager and this is the easiest thing for you to use...damnit" stance is just a bad attitude, and I hope he doesn't really talk down to his users like that...but then again, as much as I hate IT, I'm looking for a different job, and his firm sounds like a nice place to work as a IT manager/admin (after all, I really like the new MacOS).
Re:Who defines policy, IT or the users? (Score:2)
I think basically we're saying the same thing, it's just that I view a politely worded 'no' (which is essentially what you're saying when you say "Sure, we can do that, but it's going to cost you more than the combined revenue of the company for the next five years") as being a 'no' nonetheless. You shouldn't talk down to your users--but you should maintain enough control over your network to ensure stability and productivity for the [i]whole[/i] of the office and not sacrifice that for a few people who can't get with the program. Because at the end of the day, it's your butt on the line when something goes wrong, even if it was a result of someone else's pressuring you into it. The guy down the hall is going to call you when things break, not the dude with the PC.
I've had limited success with the "Okay, if you must do that, go ahead, but I don't have the budget to support you" route. It is fine for some things--it's basically what I tell people about third-party screensavers, freeware utilities, and the like--but anything that is going to dramatically increase my exposure to viruses, network traffic, or other ills, I'm not going to be that cavalier about. I sat down with the bosses, we picked a standard, and if they like the speed and stability that has resulted from that, they would be wise to listen when I explain to them that what they want to do threatens it. That sounds like the situation he's in, he just doesn't know a more, um, politic way to explain it.
Scan them to death... (Score:1, Flamebait)
It's probably your job to keep the network running, stable and secure and therefore I would do nothing... just check for open ports/running services about once a day (that can be automated) and whenever you note something that is against the acceptable use policy of your network disconnect them until it's fixed. That's the way it's done in many places: if you use something that's not approved and managed by IT you will have to care for it yourself.
They want to create work for you (not having a homogeneous{sp?} network increases the workload!)... you will delegate this back to them.
Re:Scan them to death... (Score:1)
Re:How to Fix Your Users Attitude.. (Score:2, Funny)
Er, they have Win XP already..
Fire them (Score:1, Troll)
Then LART the idiot who hired them.
Failure to stop this sickness while
you can will result in major pains later.
Logical segmentation or VLANs (Score:4, Informative)
Given the number of computers involved I am assuming you are using switches. One option you have is to configure VLANS - I'm not very clued up on these, but iirc you should be able to construct a logical separate LAN from a group or port or MAC addresses. Then you need a gateway between the Windows VLAN and the Mac VLAN, with a firewall which can protect them from each other.
This can be a bit nasty to manage though. If its a port-based VLAN you have to make sure the boxes are plugged into the right network sockets, or they'll be on the wrong VLAN. If believe MAC-based VLANs are possible (but I could be wrong); in which case you have to have a list of MACs and whether they are Windows or Mac machines, and assign them ... tedious.
A simpler solution could be to insist that all Windows boxes use DHCP, and assign them addresses in a particular subnet. If you want the Mac boxes to use DHCP too, you'll have to do MAC reservations for the Windows network cards to make sure they go onto the right subnet. Then have a gateway/firewall. This doesn't protect against lusers who give their computer a static IP on the logical Mac subnet ... but it gives you some ability to manage the situation.
To detect troublecausers, you could automate a security scanning tool to check the Mac network for computers which appear to be Windows boxes.
Re:Logical segmentation or VLANs (Score:2)
Yes, VLANs are logical LANs you can define via software, on a port by port basis, with switches capable of doing so. The problem with this, is that they are simply separate *LAN* networks. If you don't have the IP space available to create separate subnets for those VLANs, you're wasting your time. Even if you segment the users off into a separate logical LAN, if you don't have a separate subnet to segregate them into, your networks will get bridged together by the gateway/router.
Additionally, if external router/gateway can't handle trunking, then you can't deliver the separate VLANs to it. Your only other option at that point is to physically deliver your separate LANs on two ethernet ports from your switch, to your router, configured appropriately. This is what VLANs and trunking saves you from in the first place.
Stay honest here and stop the reflexive M$ bash! (Score:4, Insightful)
So why is the majority of the reactions like, "Oh, poor Mac Network Admin, those Win users deserve any shit they get!" Why not subtly reminding him what the fsck his job is in the first place?
Oh wait, I see: he needs to maintain a few WinXP boxes in a *nix environ, so when he bitches he must be right. Because it's Microsoft. Right?
Re:Stay honest here and stop the reflexive M$ bash (Score:2)
No, it's because of the fact that he's working in an OS X shop, and some users insist on running XP. Hey, when I can replace my XP box with OS X at a Microsoft shop, and *still* force the IT depertment to support it, I'll be happy.
But the reverse is not true sadly. I don't know of one IT department that would continue to support you if you'd replace an XP box with any other OS.
-BrentRe:Stay honest here and stop the reflexive M$ bash (Score:1)
Re:Stay honest here and stop the reflexive M$ bash (Score:3, Insightful)
IT should ABSOLUTELY be dictating policy on their LAN. Assuming COMPETENT IT personnel, they are responsible for ensuring the security of their LAN. It is going to be IT's ass on the line when some Windows box spews Klez emails all over the web.
Remember that worm that infected Samba shares? What if a file gets infected by a Windows machine, but noone knows until they email it out to some unwitting client? Instead of giving everyone who expresses some dislike for Microsoft products a hard time, how about offering a suggestion to help this guy?
To be honest, it shouldnt take much to keep those XP boxen secure. If they won't be using Outlook, that is a big first step =). After that, keep IIS off the machines, install Microsoft's automagic update feature, and you should be good to go. If possible, make user accounts for the users of the machine and keep them in the users or power users group, to keep them from installing any other software. If they can justify having a Windows box on your company's LAN, you can justify some conditions.
Re:Stay honest here and stop the reflexive M$ bash (Score:1)
Re:Stay honest here and stop the reflexive M$ bash (Score:3, Insightful)
I work for a company composed largely of engineers, who are working on a networking product. Yet these same engineers don't think twice of plugging a box into our core LAN, and running a piece of software designed to do funky things with IP they can't predict the results of. I had my core LAN going down once or twice a week because some engineer's machine was spewing bogus ARP packets on the network. I do my best to accomodate these guys and not inconvenience them, but when they start taking down the LAN and interrupting everyone else's work I had to draw the line.
IT shouldn't act like a bunch of Nazis, but part of keeping a LAN secure and functional is dictating a policy of what is and isn't allowed on a network. This is where the management side of MIS comes in. There is more to MIS than being a tech. Maybe I'm confusing MIS and IT? Perhaps, but then a lot of people here are too. Do any of the idiots bashing this guy have any experience at all?
Re:Stay honest here and stop the reflexive M$ bash (Score:1)
For the legal profession, I doubt there are many killer apps that are Windows only. If these few outcasts are using programs that only run on Windows, then the IT department would have its best interests in mind if it supports the Windows boxen. However, if the ones using the Windows boxen are using it just because they're familiar with it, then I believe it is time for the IT departmant to mandate a change. Be friendly about it, and show those people ways that OS X will improve their productivity while minimizing their personal liability (definitely appreciated in a legal environment), but be firm in the desktop standart.
Dual homed Server (Score:2)
For extra paranoia, put the Windows XP on a different switch.
For super paranoia, pull the blue cables out.
Network Administrator? (Score:3, Insightful)
You could VLAN the XP boxes onto thier own segment, then use Access Control Lists to only let the traffic through that you want. Or, alternately, a firewall.
You could publish desktop standards (with management approval, of course), and simply turn of the switch ports of the XP boxes until they get a Mac.
Or, you can leave them on the same networks as the Macs. Just dont let them install 2000 Server or whatnot with ADS, and you should have no problem. Is there a specific cross platform virus you are worried about, or are you just a chest thumping over-zealous sysadmin?
use vlans (Score:1)
Two words (Score:2)
SOCKS proxy.
If you have to ask, you are unqualified to do your job, and should resign immediately.
You are a Law Firm... (Score:4, Informative)
Please do not give the BSA a free ticket in the front door.
Re:You are a Law Firm... (Score:2)
Re:You are a Law Firm... (Score:1)
And the part about XP phoning home. And how when it does, it doesn't transmit any personal information. But it does. Wait, no it doesn't. Well . . . kinda sorta but not really . . . but if you're not running a hacked copy, you've got nothing to worry about.
And the part about how they can audit your data for "compliance."
What's more, M$ can and will break your apps [slashdot.org], propagate every virus known to man, and God-only-knows what else.
I completely agree - it's not worth the risk.
Protection from Windows (Score:3, Funny)
If you have to ask such a simple question, may be your users DO know more then IT department.
Leave it be (Score:1)
mac with pc (Score:1)
I will assume that your 150 mac workstations are all connected to hubs located around your building. Those hubs are probably connected to a larger hub closer to your router.
If that is the case, simply ask you pc users to plug in to the closest hub.
The pcs are so deep in the network that they should not get attacked by inbound worms. Your router and firewall should handle that.
As a requirement that you get to set.. force them to install something like Norton AntiVirus/Internet Security. Assign the pc users IP addresses. dont let them automatically assign using DHCP. when they get fussy with you about AntiVirus. simply kill their IP address and tell them when they meet requirements they get turned back on.
But know you will have to add to your routine a few steps.
make sure they have all incoming email getting scanned. Set their computer to only let you be the admin and them the user. Set windows update to automatically install updates. Set Norton to check for updates everyday. Do not let them have the ability to install software unless you do it.
this should put things back into control for a while.
pcs and mac os x actually work fine together as long as the IT guy is a tyrant!
isolated VLAN segment (Score:1)
WP? (Score:1)
(Moderators - if you don't see the humor here you need to go talk to a lawyer or an IT consultant who's handled law firms...
Either you "own" your network or you don't (Score:4, Insightful)
However if you administer the machine, and I realize it's probably not your first choice, you need to start reading up on Windows. Yes, there's a lot to keep up with, however their can be some advantages to understanding different platforms and being able to administer and secure them in the same environment. And regardless of how any one feels about it, Window is still the most common business environment.
Additionally, I see several post that seem to question the legitimacy of the original question. This *is* a legitimate question, as any one who has had samba and appletalk on the same network can tell you. Discussing security concerns when integrating two very different platforms with different vulnerabilities is more than reasonable for any Administrator, especially in a small business environment where the only other "collegues" they may have access to are the very same users insisting on the installing their own boxes.
Re:Either you "own" your network or you don't (Score:3, Insightful)
In such a case, it is almost certainly appropriate to provide support for the Windows hosts for that single purpose. That doesn't mean that those hosts are supported for "regular" functions such as e-mail, file and printer sharing, or Web browsing.
If it's just a case of a couple of users who prefer Windows over the Mac, at some point someone with budget authority needs to make a basic decision on the relative costs of (a) those users' happiness versus (b) the very real costs in software and time associated with adding support for Windows on the network. A company with 150 desktops will have someone watching over the budget, and their answer is probably "We're a Mac shop, get over it."
Meet Them on Their Own Terms (Score:5, Insightful)
Be sure to include in the paper (where the first set of yadas is) lists of vulnerabilities of WinXP, including the recend IE/Outlook flaws for which there is (as of yet) no sure fix. In place of the 2nd set of yadas, put in documentation that shows OSX is more stable and less vulnerable.
The point is to take the issue to them on their grounds and show them that their choice can have serious implications for them and the entire law firm and that they could be the idiot responsible for the whole system going down. If they are talked to in their language and made to see their choice as a real action with real (and possibly disasterous) consequences, it could open their eyes. You might still have to deal with WInXP, but it'll certainly get them thinking about it.
You don't cater.... (Score:2)
The computers aren't there for their convenience and entertainment, they are there so that they can do the work they are paid to do. Since you're running over 100 of these systems, I'm making a fairly safe assumption that everything that needs done in day-to-day business can be done on the Macs that the company provides?
There is no reason to introduce unsupported hardware and software into your environment. Maybe the handful of people should be made aware that if Windows boxes were to come into play, they'd have to fund a new employee to manage those computers, which would drop $100K or so from the anual budget; that's a lot of company-expenses dinners and parties that won't happen, jsut so they can play Age of Empires or whatever while they're working.
Re:You don't cater.... (Score:1)
Things to remember (Score:2)
It never hurts to know more. This is a good chance to learn more about how most of the world lives, and how to support them. It may be the camel's nose in the tent, but in a installation like yours it will take years to make a transition, if it it ever happens. Nobody knows what the future will bring. Apple may (finally) go out of business -- it happened to Wang and DEC, after all. Or something new may come along. If you are flexible, your skill set will never become obsolete.
Threats cannot be dealt with in the abstract. Security is not a monolithic property that can be measured in a system. Instead, deal with concrete issues and make your plans from them. Take a legal pad, and draw a line down the middle. On the left, put your concerns: viruses, trojans, spyware, license audits. On the right, ways you can deal wtih them: anti-virus software, supervising software installation, reading and understanding your licenses and keeping your license documentation in a safe place. Getting your ducks in a row is what makes you a professional, not some whining fan-boy.
For a start... (Score:2)
I would put them behind a firewall or NAT box and turn off every inbound port to them. Enable outbound ports one-by-one, as needed. (POP3 and IMAP internally, WWW to the outside world, whatever). Proxy the heck out of their WWW access, and require credentials.
Alternatively, run them under VMware hosted on a linux box. You can limit what XP can do fairly well that way. Good luck!
/ ban (Score:2)
Has anyone else done tech for a law firm, here? (Score:2, Insightful)
Every attorney is a PHB, complete with their own dictates and whims. Some attorneys are cool, some aren't. Going "by the book" is a great way to tick off someone who can get you fired.
Yes, it should be a stated/printed IT policy that only Macs are supported, but you've still gotta help the Windows users. But do it slowly, begrudgingly, and occasionally mention that it's just a favor, and how lucky they were that someone was around who could do it.
Failure to support their PCs can get you fired, or at least make your life rough. Supporting them too well will subvert your goal and make your job harder in the long run. You want to get across the point that it's the PC that's making their job harder, not you. If you can rig the network to drop a fair percent of their packets or throttle their bandwidth on days you're in the mood, then do it to slow things down a little. When their coworkers and secretaries are getting lower pings and faster downloads than they are, they'll figure it's the PC and come to your side.
Whatever... (Score:1)
Firewalls! (Score:2)
I'd start off by putting all the Windoze boxen on a physically different subnet. Then I'd firewall off the Windoze subnet from the rest of the corporate network. Take a look at OpenBSD [openbsd.org] as a suitable firewall. This should provide adequate protection from those pesky Windoze systems.
Remember, logical security is only half the battle. Think physical security too. Maybe everyone using a Windoze box should sit at one end of your office space. Then you can put a OmniLock [omnilock.com] on the door to keep them from getting into the rest of the office.
While you're at it, you might also want to think about implementing a virus-filtering mail gateway [iland.net] in between your Windoze subnet and the rest of the known world.
Fight fire with fire (Score:2)
Obligatory Brockovich quote "I hate lawyers. I just work for them."
Who's in charge? (Score:1)
My statement to my users: The computer we provide is a tool. You can negotiate the make/model as much as you'd like, but like the printers, copiers, fax machines, and phones you'll use what is provided. IT IS A TOOL.
If they don't like it I'd suggest you let them know to start looking for work elseware. If they can't/won't learn to use the tool, OS X, then obviously they'll be unable to complete their job.
Personally inside work and outside I have REFUSED to diagnose, use, touch, learn, anything XP. NOTHING gets plugged into my network without my knowledge (arpwatch). XP is completely UNSUPPORTED.
Here, Windows 2000 "Professional" is being supported only until it is completely REMOVED. Anybody that wants to talk Linux or BSD with me is also VERY welcome. I do like the Unix's
Who's in charge there? There's no reason you couldn't take the OS X only stance. If it the PARTNERS wanting XP, well, then, they OWN the business. Do what THEY want. If it is some secretary or trouser trout then I have to question: do they make their own decision on what they should be paid too? Can I work there?
Fortunately, for me here, the "IT Department" (me) owns the largest chunk of company stock as well (non computer related business -- they're just TOOLS we happen to use in our job). Heheh. I make my own rules, and well, Windows had it's chance. I see the light now. It is Unix.
Of course I _started_ on AT&T SysVr2 TRUE "Unix" and have missed those days only briefly. Loved Coherent, drooled over the NeXT, settled on Linux, and can say I like tight and fast BSD. OS X is the GUI of choice today for the GNU generation.
Microwho? Fire the idiots...
You're the boss (Score:1)