• Security in a small office with public access

    #2141371

    Scenario: A small senior center and office with 4 public use computers + 3 office computers (that share a hard drive in one of the computers). There is also public Wi-Fi.

    All of these Windows 10 computers, including the Wi-Fi, get a single internet access from a cable modem and router.

    All of the computers use MS Defender and require no passwords.  Most are on 24/7.

    Questions:  What should be done to step up the security, if any?

    Additional software/malware application? Hardware security? Separate internet feed for the public vs office computers?

    Appreciate any advice,

    Mike

    • #2141461

      You always want to separate the office and public networks. The easiest way to provide that is a router with a guest wifi channel, such as a TP-Link Archer C7.
      The office machines will be on the “normal” network and the public machines on the guest.

      I would install DeepFreeze from Faronics to turn the machines into unchangeable kiosks – reboot every morning and you are back to your original configuration. It’s around $50 per machine and takes away any worries about changes or malware.

      The office machines should be backed up to an external disk / network machine. What do you have at present?

      cheers, Paul

      • #2141730

        +1 on everything Paul recommends, especially the DeepFreeze recommendation.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
    • #2141715

      You always want to separate the office and public networks. The easiest way to provide that is a router with a guest wifi channel, such as a TP-Link Archer C7.

      In this case, there is a single cable modem and then a router that is hardwired CAT to all the computers. I’ll have to check, but there may be a switch to provide more ports. But one router feeds all public and office computers.

      I would install DeepFreeze from Faronics

      Excellent idea. Would something like “Reboot/Restore” do the same?

      And what about additional software for malware, other than Defender?

      The office machines should be backed up to an external disk / network machine. What do you have at present?

      The backups on the office machines are two portable USB hard drives, probably 5+ years old. Not sure if the users are backing up manually or letting Windows do it.

      Thanks Paul for your comments.

      Mike


    • #2141821

      Three main points

      1. Public use computers should be Chromebooks running in Guest Mode.
      2. The public computers should be walled off from the office computers.
      3. Each public computer should have Internet access but not be able to see any other computer, not even other public computers.

      Points 2 and 3 can be done using VLANs on adult routers. On consumer routers, the Guest Wi-Fi is a poor man’s VLAN, but I don’t think any consumer router can partition off Ethernet-connected devices. So, if any public computer uses Ethernet, that’s out. You could connect all the public computers to a second router, but then they would still be able to see each other, which is not good. To partition off wired devices you need to step up to the Ubiquiti Dream Machine, pfSense or OPNsense, or the Pepwave Surf SOHO router. Never use a TP-Link router.

      As for the prior response, if you are married to Windows, then yes, Deep Freeze is a great idea. But that’s a techies answer. If you have a techie around all the time, fine. Chromebooks will require far less time/effort in the long run and are much more reliable than Windows. MUCH more reliable.

      As for backup, I suggest a low end NAS. Or, perhaps share the NAS on the network rather than one of the office computers.

      And, you need some mechanism for off-site backup. Maybe once a week, take all the shared files, zip them up, encrypt them and copy them to a USB flash drive. 7Zip is great for this. Or, have the NAS automatically backup files in the middle of the night. There is no one right answer other than to have *some* type of off-site backup.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      • This reply was modified 5 years, 1 month ago by Michael432.
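      The weekly “zip it, encrypt it, copy it to a USB stick” routine described above, written out as a PowerShell script for the Windows 10 office machines. This is an added example for this thread, not a script from any of the posters: the 7-Zip path, the share name `\\OFFICE-PC1\Shared` and the USB drive letter `E:` are assumptions to be replaced with the real ones. It uses the 7z format so that `-mhe=on` encrypts the file names as well as the contents, tests the archive before copying it, and records the SHA-256 of the copy so the off-site stick can be checked later.

```powershell
# Added example (not from the thread): encrypted off-site copy of the shared folder with 7-Zip.
# Assumed paths; adjust to the real 7-Zip install, share and USB drive letter.
$SevenZip  = 'C:\Program Files\7-Zip\7z.exe'   # assumed 7-Zip location
$SharedDir = '\\OFFICE-PC1\Shared'             # assumed: the drive shared from one of the office PCs
$UsbRoot   = 'E:\'                             # assumed: the USB flash drive that goes off-site
$Stamp     = Get-Date -Format 'yyyy-MM-dd'
$Archive   = Join-Path $env:TEMP "shared-$Stamp.7z"

if (-not (Test-Path $SevenZip)) { throw "7-Zip not found at $SevenZip" }
if (-not (Test-Path $UsbRoot))  { throw "USB drive $UsbRoot is not present; plug it in first" }

# Ask for the password each run so it is never stored in the script.
$Secure = Read-Host -Prompt 'Archive password' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try     { $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }

# a      : add to archive
# -t7z   : 7z format (required for header encryption; 7-Zip uses AES-256 for .7z)
# -mhe=on: encrypt the file list too, so names are not readable without the password
# -ssw   : include documents that someone still has open for writing
& $SevenZip a -t7z -mhe=on -ssw "-p$Plain" $Archive $SharedDir
if ($LASTEXITCODE -ne 0) { throw "7-Zip returned exit code $LASTEXITCODE while creating the archive" }

# Test the archive before trusting it; this also proves the password you typed works.
& $SevenZip t "-p$Plain" $Archive
if ($LASTEXITCODE -ne 0) { throw "Archive failed the integrity test" }
$Plain = $null

Copy-Item -Path $Archive -Destination $UsbRoot
$OnUsb = Join-Path $UsbRoot (Split-Path $Archive -Leaf)
"Copied to $OnUsb"
Get-FileHash -Path $OnUsb -Algorithm SHA256 | Format-List Algorithm, Hash
Remove-Item -Path $Archive
```

      Two cautions: the password is passed on the 7z command line, so run this from an account other local users cannot watch (on a single-user office PC that is acceptable; on a shared one, enter it in the 7-Zip GUI instead), and keep the password somewhere other than the USB stick, since an encrypted archive with no password is not a backup.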
    • #2141830

      The easiest way to isolate hard wired computers is to add a second router.

      1. Set up a DMZ on your existing router.
      2. Set the second router to use the DMZ IP address. Plug it in to a port on the existing router.
      3. Connect the public computers to the second router.

      You can even use a TP-Link for that job. 🙂

      cheers, Paul

      • #2152913

        Why setup a DMZ? I see no need for this and I have plugged one router into another many times. Also, a second router does not isolate each public PC from the other public PCs. And I would not use TP-Link for anything as they do a poor job of keeping their routers up to date on bug fixes.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

        • #2153476

          DMZ links the second router directly to the internet. Otherwise it has access to your local network – may not be an issue but why chance it.

          I would not use TP-Link for anything as they do a poor job of keeping their routers up to date

          Do any of the consumer router manufacturers?

          cheers, Paul
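      Whichever of the three approaches above is used (guest Wi-Fi, VLANs, or a second router on a DMZ host), the only way to know the public side is really walled off is to test it from a public computer. A router’s “DMZ host” setting forwards unsolicited traffic arriving from the internet to that address; it does not by itself stop the host from reaching the rest of the LAN, so the topology should be checked rather than assumed. The PowerShell script below is an added example for this thread, not code from any of the posters. Run it on one of the public Windows 10 machines: it attempts TCP connections to the ports an office Windows PC normally exposes (SMB 445, RDP 3389, RPC 135) on the office computers and on the other public computers, and reports any that answer. All addresses are assumptions; the office machine that holds the shared drive is the most useful target, because its port 445 must be open for the other office PCs to use the share, so “not reachable” there is meaningful rather than just a firewall-closed port.

```powershell
# Added example (not from the thread): segmentation check, run FROM A PUBLIC COMPUTER.
# Assumed addresses; replace with the real office and public IPs.
$OfficeHosts = @('192.168.1.10', '192.168.1.11', '192.168.1.12')    # assumed office PCs; .10 holds the share
$PublicHosts = @('192.168.50.21', '192.168.50.22', '192.168.50.23') # assumed other public PCs (not this one)
$Ports       = @(445, 3389, 135)
$Control     = 'www.example.com'                                    # internet control: should still work

function Test-Port {
    # Returns $true only if the TCP handshake completes within the timeout.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # no answer: dropped or no route
        $client.EndConnect($async)
        return $true
    } catch {
        return $false                                                          # refused or unreachable
    } finally {
        $client.Close()
    }
}

$leaks = @()
foreach ($h in ($OfficeHosts + $PublicHosts)) {
    $kind = if ($OfficeHosts -contains $h) { 'OFFICE' } else { 'PUBLIC' }
    foreach ($p in $Ports) {
        if (Test-Port -Target $h -Port $p) { $leaks += "$kind ${h}:${p} reachable" }
    }
}

if (Test-Port -Target $Control -Port 443) { 'Internet: OK' }
else { 'Internet: FAILED (the public side has no route out; fix that before reading the rest)' }

if ($leaks.Count -eq 0) {
    'Segmentation OK: no office or public host answered on ports ' + ($Ports -join ', ')
} else {
    'Segmentation LEAK: the public side can reach'
    $leaks
}
```

      A clean result for the office hosts means the isolation is doing its job; a clean result for the other public hosts is what Michael432’s point 3 asks for, and with a plain second router you should expect that part to fail, exactly as the reply above notes. Repeat the test after any router firmware update or reconfiguration, since a factory reset silently puts everything back on one network.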

    • #2141834

      Would something like “Reboot/Restore” do the same?

      Yes, it seems the free version does the same job. And the paid version is well priced.
      Let us know if it works.

      cheers, Paul

    • #2142119

      Realistically, all of the PCs in this facility are already loaded with malware.

      Go ahead and put the hardware pieces in place to properly isolate the public PCs from the staff machines, but plan to wipe & reload everything before you bother installing security or other software.

      Trust me – no passwords (local admin accounts, most likely), no security software, and no network segmentation?

      They’re all infected.

      • #2152766

        Jabeattyauditor: I too think these PCs cannot be trusted in any way. One has to start from zero. Repartition the hard disk(s) and then follow all this advice.

    • #2142171

      My thanks to everyone here.  I appreciate all the ideas.

      Mike
