non domain computers on network

 
 
Linda Marie
      03-15-2008, 05:51 PM
We have a couple of users (visitors) that insist on using their personal
computers on our Windows 2003 network. Politics - so don't ask - believe me
you don't want to know.
They of course can surf the Internet (DHCP) and get their personal email
through Outlook or on the web. Now of course they want to print to the
network printers.
Is there any security issue with them just being on the network? I don't
know of any viruses etc. that can be spread unless they access the server
which they cannot do. I have no control over antivirus or anti-malware on
these machines so it makes me nervous.
We will supply them with computers for the duration of their visit but they
don't want to use them. And I don't want to support non-domain computers -
we have enough to do, so I would be happy to hear that there may be a
security problem with using these computers. They run under the local
administrator accounts on their machines I am sure. So if they have a virus
or trojan etc. could it cause problems on our domain and be spread since they
are on the LAN?

Thanks
Linda


 
Lanwench [MVP - Exchange]
      03-15-2008, 07:39 PM
Yes, of course. This is an enormous security risk. Set up their own LAN or
WLAN for them, that does not touch your network at all.


 
Henrik Johansson
      03-15-2008, 07:44 PM


As you don't have control over their antivirus/firewall etc., you don't know
if they contain any kind of worm, backdoor etc. which can be used for
attacking your network from the inside of your surrounding firewall.
Even if your servers aren't directly attacked, a hacker can first attack
your (weaker) workstations to get access to your Windows network.
Have you ensured that all services on your servers are protected against any
kind of attack? For example, running services as service accounts instead of
builtin Local System.
Disabled/uninstalled unnecessary services?
Risk for SQL injections or DDoS attacks?

A user should *never* have administrative rights in their normal work. This
is a security risk that should be avoided, and instead use 'runas' when they
need to get temporary administrative rights.
Running as administrator will give the user full control of the local system
and gives the possibility for trojans, viruses etc. to be installed in the
background.

/Henrik


 
Lanwench [MVP - Exchange]
      03-16-2008, 12:32 PM

This is all true, and is all excellent advice. But ultimately, the best way
to protect your network from malware/trojans lurking on rogue computers, is
to keep those computers off the network entirely. From the sounds of it,
this is a company policy problem more than a technical one, in Linda's case.


 
Paul Weterings
      03-16-2008, 09:58 PM
Hi Linda,

Yes, they could -definitely- cause problems and this is a big risk. You
mentioned the politics, so you are looking for a technical solution for
a management problem. Be very careful on how you approach this, as these
kinds of things tend to turn ugly -quickly-, and guess who they will find
to blame.

My experience tells me sometimes it's better just to say "Nope, sorry we
can't do that". If challenged on that you'll be able to find thousands
of reasons of why it can't be done, budget wise, security wise etc.

Having said all that (and yes, I know you knew all that ;-) the only
technical solution that seems to make a little sense is to get these
computers on their separate VLAN, and have them connected to the
printers that way, then make them print to the IP port of the printer
directly, instead of going through servers. (assuming these are network
printers).

Good luck with the politics....!

Paul


 
Linda Marie
      03-20-2008, 02:59 PM
Thanks Paul,
I know how ugly the politics can get and that is why I am being careful and
asking for a purely technical argument against this practice.
I need a couple of those thousands of reasons - budget wise it is cheaper,
that won't work. I need the security reasons spelled out - links are fine I
am not lazy about research I just have not found what I need in this case.

As to bad things turning ugly quickly - that is what will happen if the
network is damaged and I have not done a CYA. Or CMA in this case I guess.
I want to email the Home Office IT and say that I do not want non-domain
computers hooked up to the LAN because of the threat of 1).... 2).......
3)...... the threat is security and virus etc attacks. I would like to know
what specific threats there are to prove my points. Then if they say - well
make exceptions - it is not my fault. Or if I say no - I have the
documentation to back it up to the users. If they hook up anyway and I am
forced into making that exception then at least my A is not grass for not
stating my case.

We have VLANs, we have several here and others in the regional offices.
I am working in Kabul, my problem is with Home Office staff - short term
assignments that want to use their own PC and more often with short term
consultants (spoiled bunch for the most part) that do not want to "learn" a
new computer and bring their PC with them and plug into the LAN. The
offices are all wired LAN at 1 GB. They are all welcome to use them on the
VLANs and we help set them up (guest houses), it is their insistence on
plugging them into the office LAN that is giving me sleepless nights. It is
politics and I need information to win this one. Or at least information to
make it "I told you not to" when and if something goes wrong.

> Yes, they could -definitely- cause problems and this is a big risk.

What are the problems? I have to be specific to fight this.

Please anyone, the name of a specific virus or trojan or other threat that
connecting a non-domain computer to the Windows domain LAN can cause.

Thanks
Linda





 
Phillip Windell
      03-20-2008, 06:41 PM
"Linda Marie" wrote:
> As to bad things turning ugly quickly - that is what will happen if the
> network is damaged and I have not done a CYA. Or CMA in this case I
> guess. I want to email the Home Office IT and say that I do not want
> non-domain computers hooked up to the LAN because of the threat of 1)....
> 2)....... 3)...... the threat is security and virus etc attacks. I would
> like to know what specific threats there are to prove my points.


I'm afraid I am not going to be "politically correct" with the IT industry's
common beliefs here,...but:

Although for years I have heard it said that non-members are a "risk" to the
Domain,...I am not totally convinced of that. I have not had anyone list
any tangible valid risks that I thought were really worth worrying about.
Non-Members are less capable than members, so it would seem to me that there
is less risk. Think about Unix, Linux, Macs, etc. that may be on a LAN and
none of those can "join" a domain. I never hear the same "warnings" against
not joining those to the Domain.

As far as a Virus,..a virus doesn't care squat about Domain membership,...it
will spread from machine to machine no matter if it is a Domain Member or
not. As far as Spyware/Malware,...the Domain does not give you any real
"control" over these,...just like the viruses, they will spread around to
machines equally no matter if they are a Member or not. What gives you
control over these is your anti-virus and anti-spyware systems that you have
in place and those typically don't care squat about domains either.

The strongest argument against non-members is the manageability loss. None
of the Domain's Management Tools and functionalities (like Group Policy and
many of the MMC based tools) will work on them,...so the non-members
create a lot more work to manage them since they have to be managed the way
you would a workgroup. Now obviously, manageability (or the lack of) will
play into your security,...so that will give you the security element of
your argument,...but the foundation of the argument is still the manageability
element.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Paul Weterings
      03-21-2008, 06:22 PM
The most important reason for managed desktops is total cost of
ownership. If you have to convince any management that is worth
anything, this would be the reason. If they do not understand the
concept of TCO, they are in the wrong place (or millennium).

Any computer that is not managed is prone to issues that will:
1. occur more frequently, since 'anything goes'.
2. will be new to you, and take more time.
3. will take your time away from what you -should- be doing: manage the
network, and as such add risk to the company.
4. infect other non-managed systems
5. cause network traffic issues
6. will create/introduce business risks: would you like some bots on
your net sending out pr0n spam? The marketing manager will have a good time!
7. will most likely (in case of outbreak) bring the mailservers to a halt.
8. Unmanaged computers also introduce a security risk; what kind of
confidential company information is being stored on home systems?

With regards to risk that is imposed: any worm that exploits known
vulnerabilities will be introduced to your managed network through these
PCs. Even a number of such rogue systems can bring your company's
network traffic to a halt. No more E-Mail, no more printing, etc. For a
list of such animals I would recommend checking out McAfee's Avert website.

If you -must- have a technical solution:
As I mentioned: what you could explore is physically separating such
systems from your managed LAN. You mentioned these people having the
requirement to print, that's where VLANs could be used.

Hope this helps.
regards,

Paul

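The separation suggested in Paul's two posts (visitor machines on their own VLAN, printing straight to the printer's IP port instead of through a server) only holds if the filter between the VLANs is ordered correctly. The following is an added example, not part of the thread: a first-match ACL model with an audit that checks the intent. The subnets, host addresses and the raw print port 9100 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network

# Constructed addressing plan (assumptions, not taken from the thread).
GUEST_VLAN = net("10.99.0.0/24")     # visitor laptops
OFFICE_LAN = net("10.10.0.0/16")     # domain servers and workstations
PRINTER = ip("10.10.20.50")          # network printer inside the office range
RAW_PRINT_PORT = 9100                # usual raw port for direct IP printing
ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # None means any TCP port


def decide(acl, src, dst, port):
    """First matching rule wins; no match is an implicit deny."""
    for rule in acl:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"


GOOD_ACL = [
    Rule("permit", GUEST_VLAN, net(f"{PRINTER}/32"), RAW_PRINT_PORT),
    Rule("deny", GUEST_VLAN, OFFICE_LAN, None),
    Rule("permit", GUEST_VLAN, ANY, None),      # Internet access
]
# Same three rules, but the broad Internet permit sits above the deny:
# "any" also covers the office LAN, so the deny is never reached.
BAD_ACL = [GOOD_ACL[0], GOOD_ACL[2], GOOD_ACL[1]]

# What a visitor machine should and should not be able to reach.
PROBES = [
    ("raw print to printer", PRINTER, 9100, "permit"),
    ("printer web admin", PRINTER, 80, "deny"),
    ("SMB to file server", ip("10.10.1.10"), 445, "deny"),
    ("RPC to domain controller", ip("10.10.1.5"), 135, "deny"),
    ("RDP to workstation", ip("10.10.30.7"), 3389, "deny"),
    ("HTTPS to Internet", ip("203.0.113.10"), 443, "permit"),
]


def audit(acl, guest=ip("10.99.0.25")):
    """Return the probes whose decision differs from the intended one."""
    return [desc for desc, dst, port, want in PROBES
            if decide(acl, guest, dst, port) != want]


if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        failures = audit(acl)
        print(name, "OK" if not failures else f"violations: {failures}")
```
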

 