Security Policy


  • Security Policy

    Hi,

    We have 20 systems in our network with Win 7 and Win 8 OS. We have PHP, MySQL and SQL Server 2008 installed on them. We are also using a Linux Squid proxy server and have configured the LAN proxy settings on every machine. Now my users are changing the network settings, such as gateway and DNS, and bypassing the proxy server.

    I tried to lock my users out of the network properties by giving them a non-administrator login, but in that case they are not able to run their programs like PHP and SQL Server, so I have to make them members of the local administrators.

    Is there any way to lock those users out of the properties of the network card and the proxy settings in Explorer? We are not using any DC in our network. Also, is there a way that those users can run only the PHP and MySQL or SQL Server programs with administrator rights, and not any other programs?

    Please help...

    Thanks

  • #2
    As long as you are NOT using centralized control from a DC, and the users must have local admin rights on their PCs to run their apps, they can do anything they want on those machines. Without a higher authority to enforce what you want, each machine is a law unto itself. As for the proxy bypass, if the users can change the settings to get around the proxy, then your networking must have at least one other path to the outside world than the one you want them to use. You may benefit from a networking change to remove that extra leg to get out so that all outbound traffic has no choice but to use the proxy.

    If management wants the connections to be governed the way you've described, and the users are changing things to suit themselves, then you may also want to get management to start enforcing penalties on users who change the settings from the ones you put in. Either way, it sounds like you're in need of standing up a domain system.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Hi,

      Thanks for your quick reply..

      If I create a domain environment, is it possible to give users administrator rights for PHP and SQL Server so that they can run those programs smoothly but not be able to change other Windows settings, such as not being able to install new programs on their systems...

      Thanks..



      • #4
        I can't speak to PHP as I've never used it, but using Group Policy and administrative scripts, you can control virtually everything about the user environment. For SQL, part of that would depend on what they *need* to do their jobs vs what they *want* to be able to do. Inside SQL, the Security section lets you assign user permissions and role permissions at a granular level, so it should be possible to tailor perms per database or per instance, as needed. But it's also beginning to sound as if you need someone to visit your site to see the daily working requirements, and help you develop a strategy on what you want to accomplish, how to go about doing it, and what training your IT dept will be needing to see it through. You should start looking for a consultancy visit or 3, because the depth of what you're asking, for someone who hasn't seen it in action, is more than can be provided by a few emails back & forth in a forum.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **



        • #5
          So, you have a Proxy server, which is supposed to control all your outbound web access, and your employees are removing the proxy settings, allowing them to go directly onto the internet.

          If it was me, and I wanted everyone to use a proxy and I didn't have a centralised platform like a domain, I'd make sure the only thing that could talk to the internet was the proxy server.

          *IF* you can figure out what I said there and what it means, it should give you a far simpler solution than setting up a domain and messing around with GPOs trying to figure out how to allow access to things.

          Please do show your appreciation to those who assist you by leaving Rep Point



          • #6
            Yeah, my first response said basically the same thing, just a bit wordy-er. Kathy, if your users can remove the proxy settings but still get to the internet, your proxy isn't the only path to the internet. Your proxy should stand between the web and your users, not just be in the same address space. That one issue is your first hurdle. The GPO issues and domain control come later, unless you can't change the networking to remove the alternate path the users keep using. If you can't change the networking so it doesn't matter what they do, then you'll have to impose a standardized security policy on them, and that's the domain/GPO path.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA

            ** Remember: credit where credit is due, and reputation points as appropriate **

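The approach described in #5 and #6 (only the proxy may talk to the internet), as an added example that is not part of any post in this thread. It assumes the LAN reaches the internet through a Linux gateway running iptables; the function name `emit_egress_rules`, the addresses and the interface name are constructed for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Linux gateway so that
# the Squid proxy is the only LAN host that can reach the internet.
# Assumption: the gateway forwards LAN traffic out of one WAN interface.

# emit_egress_rules PROXY_IP LAN_CIDR WAN_IF  (hypothetical helper)
emit_egress_rules() {
    proxy_ip=$1 lan_cidr=$2 wan_if=$3
    if [ -z "$proxy_ip" ] || [ -z "$lan_cidr" ] || [ -z "$wan_if" ]; then
        echo "usage: emit_egress_rules PROXY_IP LAN_CIDR WAN_IF" >&2
        return 2
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the proxy opened are allowed back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The proxy is the only LAN host allowed out: web ports plus DNS.
-A FORWARD -s $proxy_ip -o $wan_if -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s $proxy_ip -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -s $proxy_ip -o $wan_if -p tcp --dport 53 -j ACCEPT
# Any other LAN host going out directly is logged, then refused.
-A FORWARD -s $lan_cidr -o $wan_if -j LOG --log-prefix "PROXY-BYPASS "
-A FORWARD -s $lan_cidr -o $wan_if -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Constructed sample values: proxy 192.168.1.10, LAN 192.168.1.0/24, WAN eth0.
# Review the printed rules before loading them as root with iptables-restore,
# which replaces the whole filter table.
emit_egress_rules 192.168.1.10 192.168.1.0/24 eth0
```

With these rules loaded, changing the gateway, DNS or proxy settings on a workstation no longer yields a working path out, and the `PROXY-BYPASS` entries in the kernel log show which machines tried.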