System Lockdown
kafifi13
Member Posts: 259
in CCNA & CCENT
Guys,
I want to throw this question out there to see if I can get some help. I'm a supervisor of a Long Distance phone company. We are looking to switch over all of our phone systems to VoIP in the next coming months, which now will put a strain on available bandwidth.
Our IT director is insisting that each employee move from a Personal PC to a Terminal Server so that IT has the ability to lock down the systems. Basically restricting employees from downloading music and video, AIM, MSN Messenger, YouTube, MySpace, you name it, they want it locked down.
Is there a better alternative to doing this other than switching everyone over to Terminal Servers? Just wanted to see if anybody had some ideas to throw at me and I'll do the research on my own.
As always, thanks guys.
Kareem
Comments
Netstudent Member Posts: 1,693
Terminal server... eeew yuck. You could go with Websense or some other type of web filtering software. Check out www.websense.com. You could also go with a hardware device. We have a Barracuda web/spam firewall and I love it. It was very easy to install as well. We just redirected HTTP, POP3, SMTP, IMAP in our NetScreen to point to the Barracuda.
Super easy HTTP based GUI as well.
I'm not sure what the cost of Term Serv CALs and a license server would be versus a new firewall or software web filter.
Just a thought....
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
flares2 Member Posts: 79
Kareem,
By Personal PC do you mean just a workstation on the network? If so you can stop the users from installing software such as AIM and MSN Messenger by configuring their accounts or their OU through Active Directory. Your Server team, or whoever controls the firewalls (in my case the DSID) can block specific sites, like MySpace (which we also block) or block any streaming media, so you could get to a site like YouTube, just wouldn't be able to watch the videos, pretty much deterring users from going to the sites.
If you're actually talking about your end users using personal machines on the network where they have local admin rights, and rights to change the proxy to try to outsmart your company's firewall, you could just MAC filter your switches so only company computers have access to the network, then follow the consideration in my first paragraph to lock down security.
Hope this helps,
Flares
Techexams.net - Job security for one more day.
sprkymrk Member Posts: 4,884
That sounds really.... dumb!
As mentioned by others, a proxy device of some sort will be cheaper and work better than TS. I can't even imagine where they are coming from with that idea. They are either really "outside the box" thinkers in a very unique environment, or just plain whacko.
All things are possible, only believe.
kafifi13 Member Posts: 259
Thanks for your input guys. The more you have, send them along. I agree 100% this is not a good idea. I'm fighting it to the death.
Netstudent Member Posts: 1,693
If it is the Director of IT, you should use business metrics to explain why or why not. Print out information on the number of TS CALs you would need with prices, and the man hours to configure everyone for TS. Then dig up some information on reputable software/hardware web filtering products. It sounds like all he is thinking about is how to conserve bandwidth and not thinking about $$$$$$. Which is very odd for a director. How many users will go to TS? Do y'all even have a box on campus that can handle processing for all your users?
Here I found an article on proxying with Group Policy Objects and startup scripts. Not much info on creating the actual proxy server or web filter, but it may provide more ideas.
http://lpakb.stbernard.com/Webhelp/ODS/EnterpriseWebFilter/SupportFiles/OD0048.htm
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
kafifi13 Member Posts: 259
flares2 wrote:
Kareem,
By Personal PC do you mean just a workstation on the network? If so you can stop the users from installing software such as AIM and MSN Messenger by configuring their accounts or their OU through Active Directory. Your Server team, or whoever controls the firewalls (in my case the DSID) can block specific sites, like MySpace (which we also block) or block any streaming media, so you could get to a site like YouTube, just wouldn't be able to watch the videos, pretty much deterring users from going to the sites.
If you're actually talking about your end users using personal machines on the network where they have local admin rights, and rights to change the proxy to try to outsmart your company's firewall, you could just MAC filter your switches so only company computers have access to the network, then follow the consideration in my first paragraph to lock down security.
Hope this helps,
Flares
Flares - I didn't mean bringing in their personal PCs to change the settings, but I do get your point. I should have been clear. I appreciate the feedback. These are all great feedback. I don't understand why my Network Admin department doesn't see it that way.
sprkymrk Member Posts: 4,884
kafifi13 wrote:
Thanks for your input guys. The more you have, send them along. I agree 100% this is not a good idea. I'm fighting it to the death.
Good luck!
How many users are we looking at here? The cost of Terminal Server licensing and the server hardware needed may kill the project before it gets off the ground. I imagine they already have a significant investment in the desktop PCs, and the fact that not all apps work well inside TS could also be a factor.
I just don't understand how the need for controlling bandwidth/web filtering can translate into using TS. Weird...
All things are possible, only believe.
kafifi13 Member Posts: 259
We are talking around 85 employees and growing. I was just speaking to my direct boss about this and he also says that part of the reason is working from home remotely. Which again doesn't make sense. We log in using VPN with no issues. So now they are looking to get rid of VPN and have us log directly into the server. Again makes no sense.
Netstudent Member Posts: 1,693
You're probably looking at between 5-6 thousand dollars, if not more, for licenses for 85 users. The cheapest I could find was a 5 pack of TS CALs for $338.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
sprkymrk Member Posts: 4,884
kafifi13 wrote:
We are talking around 85 employees and growing. I was just speaking to my direct boss about this and he also says that part of the reason is working from home remotely. Which again doesn't make sense. We log in using VPN with no issues. So now they are looking to get rid of VPN and have us log directly into the server. Again makes no sense.
You'll still want to run the RDP session over a VPN, so I don't see a cost savings there either. I agree, it makes no sense. Any script kiddie worth an ounce of dirt can scan for port 3389, then run a brute force or dictionary attack to attempt a login. Even if the login fails, you could end up with a DoS against your accounts due to lockouts, etc.
All things are possible, only believe.
Darthn3ss Member Posts: 1,096
Tell them that they can have the terminal servers but it's coming out of their bonuses and benefits.
Fantastic. The project manager is inspired.
In Progress: 70-640, 70-685
mgeorge Member Posts: 774
The Cisco IOS Firewall can block all this stuff. As well as a PIX or ASA.
You would be wasting money upgrading servers to support many users, when you could configure a firewall or router.
Group policy can also take care of many of these problems.
There is no place like 127.0.0.1
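As an added example (my own, not mgeorge's configuration or any vendor's), here is what the router-side version of that lockdown looks like on a Cisco IOS router: an extended ACL for the IM protocols' default ports plus an NBAR class that drops HTTP requests to the named sites. The interface name, the 192.168.10.0/24 user subnet, and an IOS image with NBAR and the MQC `drop` action are assumptions.

```cisco
! Added example, not from the thread. Assumes the user PCs sit on
! 192.168.10.0/24 behind FastEthernet0/0 (both assumptions).
!
! 1) Port-based blocking of the IM clients named in the thread.
ip access-list extended LAN-IN
 remark AIM / ICQ sign-on (OSCAR) uses TCP 5190 by default
 deny   tcp 192.168.10.0 0.0.0.255 any eq 5190 log
 remark MSN Messenger (MSNP) uses TCP 1863 by default
 deny   tcp 192.168.10.0 0.0.0.255 any eq 1863 log
 remark Everything else (including the VoIP traffic) still passes
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2) Host-name based blocking of the web sites, using NBAR's HTTP
!    inspection (requires ip cef on the router).
ip cef
class-map match-any BLOCKED-SITES
 match protocol http host "*youtube.com*"
 match protocol http host "*myspace.com*"
!
policy-map LAN-IN-POLICY
 class BLOCKED-SITES
  drop
!
interface FastEthernet0/0
 description LAN-facing interface toward the user PCs
 ip access-group LAN-IN in
 service-policy input LAN-IN-POLICY
!
! Verify what is actually being matched:
!   show ip access-lists LAN-IN
!   show policy-map interface FastEthernet0/0
```

The ACL only catches the clients' default ports and the NBAR class only sees plain HTTP, so anything that falls back to HTTPS or a tunnelled port still gets through; that is the gap the proxy/web-filter products mentioned earlier in the thread are meant to close.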
Delirious Member Posts: 79
mgeorge27 wrote:
The Cisco IOS Firewall can block all this stuff. As well as a PIX or ASA.
You would be wasting money upgrading servers to support many users, when you could configure a firewall or router.
Group policy can also take care of many of these problems.
I have to agree, this is what group policy and firewall is for.
Netstudent Member Posts: 1,693
So if all the employees surf the web and use those kind of apps now, that means there isn't a policy in place now saying they can't, right? Also when you do go live on VoIP, are y'all going to use the PRI that's in place or are y'all going to switch providers to get the VoIP? When you go live on VoIP you will need a PRI on the router which connects to the PBX. Do y'all have a full T for data? The VoIP shouldn't consume bandwidth on the LAN, just the WAN link to your CO. So why not just have the PRI muxed on a T1 and have your data sent across its own T1? You can bond the T's on the router. That way the VoIP has its own circuit and you will not have to worry about voice traffic consuming bandwidth from the data traffic.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
kafifi13 Member Posts: 259
Netstudent wrote:
So if all the employees surf the web and use those kind of apps now, that means there isn't a policy in place now saying they can't, right? Also when you do go live on VoIP, are y'all going to use the PRI that's in place or are y'all going to switch providers to get the VoIP? When you go live on VoIP you will need a PRI on the router which connects to the PBX. Do y'all have a full T for data? The VoIP shouldn't consume bandwidth on the LAN, just the WAN link to your CO. So why not just have the PRI muxed on a T1 and have your data sent across its own T1? You can bond the T's on the router. That way the VoIP has its own circuit and you will not have to worry about voice traffic consuming bandwidth from the data traffic.
Correct, there is no policy right now. This is the part that's making it difficult and where I'm not involved. Not sure if we are using a different PRI or not. In terms of the VoIP provider, we are our own VoIP provider. We are a long distance company that resells LD service. Well now we just bought our own switches and placed them in different areas of the country and plan on going live this summer. Well we are going to be our first customers on this VoIP switch to test before it gets rolled out to the public. That's about as involved as I get. This is the reason why I'm getting my CCNA and hopefully my CCVP and CCNP. I'd like to be the one involved in these decisions some day as we grow into a VoIP provider.
Netstudent Member Posts: 1,693
Ahhh. I see, that's a little more complicated then. So y'all are going to put the internal company on VoIP (on your own local VoIP switch) as well as offer VoIP services for customers? If that's the case, then there would be way too much integration going on for what I was talking about with the PRI and an extra T. So does the office you work at have a PBX or is the phone system for the employees linked to the phone switches y'all have now for customers?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!