  • Security in a small office with public access

      • #2141371
        Mike
        AskWoody Plus

        Scenario: A small senior center and office with 4 public-use computers + 3 office computers (that share a hard drive in one of the computers). There is also public Wi-Fi.

        All of these Windows 10 computers, including the Wi-Fi, get a single internet access from a cable modem and router.

        All of the computers use MS Defender and require no passwords. Most are on 24/7.

        Questions: What should be done to step up the security, if any?

        Additional software/malware application? Hardware security? Separate internet feed for the public vs. office computers?

        Appreciate any advice,

        Mike

      • #2141461
        Paul T
        AskWoody MVP

        You always want to separate the office and public networks. The easiest way to provide that is a router with a guest wifi channel, such as a TP-Link Archer C7.
        The office machines will be on the “normal” network and the public machines on the guest.

        I would install DeepFreeze from Faronics to turn the machines into unchangeable kiosks – reboot every morning and you are back to your original configuration. It’s around $50 per machine and takes away any worries about changes or malware.

        The office machines should be backed up to an external disk / network machine. What do you have at present?

        cheers, Paul

        • #2141730
          MrJimPhelps
          AskWoody_MVP

          +1 on everything Paul recommends, especially the DeepFreeze recommendation.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
      • #2141715
        Mike
        AskWoody Plus

        > You always want to separate the office and public networks. The easiest way to provide that is a router with a guest wifi channel, such as a TP-Link Archer C7.

        In this case, there is a single cable modem and then router that is hardwired CAT to all the computers. I’ll have to check, but there may be a switch to provide more ports. But, one router feeds all public and office computers.

        > I would install DeepFreeze from Faronics

        Excellent idea. Would something like “Reboot/Restore” do the same?

        And what about additional software for malware, other than Defender?

        > The office machines should be backed up to an external disk / network machine. What do you have at present?

        The backups on the office machines are two portable USB hard drives. Probably 5+ years old. Not sure if the users are backing up manually or letting Windows do it.

        Thanks Paul for your comments.

        Mike

      • #2141821
        Michael432
        AskWoody_MVP

        Three main points:

        1. Public use computers should be Chromebooks running in Guest Mode.
        2. The public computers should be walled off from the office computers.
        3. Each public computer should have Internet access but not be able to see any other computer, not even other public computers.

        Points 2 and 3 can be done using VLANs on adult routers. On consumer routers, the Guest Wi-Fi is a poor man’s VLAN, but I don’t think any consumer router can partition off Ethernet-connected devices. So, if any public computer uses Ethernet, that’s out. You could connect all the public computers to a second router, but then they would still be able to see each other, which is not good. To partition off wired devices you need to step up to the Ubiquiti Dream Machine, pfSense or OPNsense, or the Pepwave Surf SOHO router. Never use a TP-Link router.

        As for the prior response, if you are married to Windows, then yes, Deep Freeze is a great idea. But that’s a techie’s answer. If you have a techie around all the time, fine. Chromebooks will require far less time/effort in the long run and are much more reliable than Windows. MUCH more reliable.

        As for backup, I suggest a low end NAS. Or, perhaps share the NAS on the network rather than one of the office computers.

        And, you need some mechanism for off-site backup. Maybe once a week, take all the shared files, zip them up, encrypt them and copy them to a USB flash drive. 7-Zip is great for this. Or, have the NAS automatically back up files in the middle of the night. There is no one right answer other than to have *some* type of off-site backup.

        Get up to speed on router security at RouterSecurity.org

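As an added example (not code from Michael432 or anyone else in the thread), here is a PowerShell script for the weekly "zip, encrypt, copy to a USB stick" routine described above, driving 7-Zip's command-line tool. The shared folder path, the USB drive letter and the 7z.exe location are assumptions; change them to match the office.

```powershell
# Weekly encrypted off-site backup of the shared office folder using 7-Zip.
# Added example; all paths below are assumptions, not values from the thread.
param(
    [string]$Source    = '\\OFFICE-PC1\Shared',              # assumed UNC path of the shared folder
    [string]$UsbRoot   = 'E:\',                               # assumed drive letter of the USB stick
    [string]$SevenZip  = 'C:\Program Files\7-Zip\7z.exe',     # default 7-Zip install location
    [int]   $KeepWeeks = 8                                    # weekly archives to retain on the stick
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $UsbRoot))  { throw "USB drive $UsbRoot is not present; plug it in and rerun." }
if (-not (Test-Path $SevenZip)) { throw "7-Zip not found at $SevenZip" }
if (-not (Test-Path $Source))   { throw "Shared folder $Source is not reachable." }

# Prompt for the passphrase at run time so it is never stored in the script.
# (7z receives it on its command line, so run this interactively, not as a scheduled task.)
$secure = Read-Host -Prompt 'Archive passphrase' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$stamp   = Get-Date -Format 'yyyy-MM-dd'
$archive = Join-Path $UsbRoot "office-shared-$stamp.7z"

# -t7z    : 7z container (required for header encryption)
# -mhe=on : encrypt file names as well as contents; 7z format uses AES-256
# -mx=5   : normal compression level
& $SevenZip a -t7z -mhe=on "-p$plain" -mx=5 $archive $Source
if ($LASTEXITCODE -ne 0) { throw "7-Zip returned exit code $LASTEXITCODE while creating $archive" }

# Test the archive before trusting it as a backup (exercises the passphrase and the CRCs).
& $SevenZip t "-p$plain" $archive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Archive $archive failed its integrity test" }

# Store a SHA-256 beside the archive so later tampering or bit-rot on the stick is detectable.
(Get-FileHash -Algorithm SHA256 $archive).Hash | Set-Content "$archive.sha256"

# Retention: drop archives (and their hash files) older than the configured number of weeks.
Get-ChildItem $UsbRoot -Filter 'office-shared-*.7z' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7 * $KeepWeeks) } |
    ForEach-Object {
        Remove-Item $_.FullName
        Remove-Item "$($_.FullName).sha256" -ErrorAction SilentlyContinue
    }

$plain = $null
Write-Host "Backup written and verified: $archive"
```

Keep the passphrase written down somewhere that is not the USB stick, since an encrypted archive with a lost passphrase is no backup at all.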
      • #2141830
        Paul T
        AskWoody MVP

        The easiest way to isolate hard wired computers is to add a second router.

        1. Set up a DMZ on your existing router.
        2. Set the second router to use the DMZ IP address. Plug it in to a port on the existing router.
        3. Connect the public computers to the second router.

        You can even use a TP-Link for that job. 🙂

        cheers, Paul

        • #2152913
          Michael432
          AskWoody_MVP

          Why set up a DMZ? I see no need for this, and I have plugged one router into another many times. Also, a second router does not isolate each public PC from the other public PCs. And I would not use TP-Link for anything, as they do a poor job of keeping their routers up to date on bug fixes.

          Get up to speed on router security at RouterSecurity.org

          • #2153476
            Paul T
            AskWoody MVP

            DMZ links the second router directly to the internet. Otherwise it has access to your local network – may not be an issue, but why chance it?

            > I would not use TP-Link for anything as they do a poor job of keeping their routers up to date

            Do any of the consumer router manufacturers?

            cheers, Paul

      • #2141834
        Paul T
        AskWoody MVP

        > Would something like “Reboot/Restore” do the same?

        Yes, it seems the free version does the same job. And the paid version is well priced.
        Let us know if it works.

        cheers, Paul

      • #2142119
        jabeattyauditor
        AskWoody Lounger

        Realistically, all of the PCs in this facility are already loaded with malware.

        Go ahead and put the hardware pieces in place to properly isolate the public PCs from the staff machines, but plan to wipe & reload everything before you bother installing security or other software.

        Trust me – no passwords (local admin accounts, most likely), no security software, and no network segmentation?

        They’re all infected.

        • #2152766
          Fred
          AskWoody Plus

          Jabeattyauditor: I too think these PCs cannot be trusted in any way. One has to start from zero, 0, ... Repartition the hard disk(s) and then use all this advice.

          ~ ~ ~
      • #2142171
        Mike
        AskWoody Plus

        My thanks to everyone here.  I appreciate all the ideas.

        Mike
