That ties in with my thinking. The "trusted" switch is locked down so only our known clients can connect using that.
So that tends to leave 5a or 5b, 5b probably being the preferred option because it makes things like backups much simpler. I was thinking WebDAV for the interface as it seems a little less "bad" than trying to allow RPC/NetBIOS through.

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: 19 September 2011 21:18
To: NT System Admin Issues
Subject: Re: Best way to restrict access to file server?

On Mon, Sep 19, 2011 at 10:26, Paul Hutchings <[email protected]> wrote:
> I think there are a few ways to skin this cat so I’m throwing it open
> for any views on the pros and cons of each.
>
> An office, network ports are wall mounted and all go back to a central
> comms cupboard.
>
> In the office are two groups of people.
>
> The two groups need an area where they can store/share files, but
> whilst one group has access to the regular LAN one group is untrusted
> so we want them as far away from the regular LAN as possible.
>
> How would you do it?

This should do it.

1) visibly mark all jacks as either production or guest

2) make sure that any unused network jacks are disconnected on the back end.

3) segment your network so that machines that are plugged into jacks designated as guest don't have access to the production network - you'll need a router/firewall/separate connection to make this happen.

4) depending on your needs and your level of paranoia, put up something like arpwatch on the production network so that any new machines plugged into it are detected and you are notified immediately, probably via email. You'll need a managed switch to make this happen, or something similar.

5a) set up a small file server in the guest network to which staff on the production network have access, or

5b) set up a file upload/download facility on your production LAN (probably web based) and limit access to it via a firewall/router ACL.
I'd go for 5a, personally, all other things being equal, but if circumstances dictated I wouldn't mumble too much about 5b.

Kurt
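
Added example, not part of the thread: a small Python check of a first-match firewall ACL for option 5b, confirming that the guest segment reaches only the WebDAV service and none of the RPC/NetBIOS/SMB ports on the production LAN. The subnets, host addresses, rule format and the use of HTTPS on TCP 443 for WebDAV are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches any port

# Constructed addressing for the illustration (not from the thread).
GUEST, PROD = "192.168.50.0/24", "10.0.0.0/24"
WEBDAV_IP = "10.0.0.20"   # hypothetical production server offering WebDAV
WEBDAV = ("tcp", 443)     # assumption: WebDAV is served over HTTPS

# RPC endpoint mapper, NetBIOS name/datagram/session, SMB.
FILE_SHARING = [("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]

# Intended policy: one service on one host, everything else denied.
TIGHT_ACL = [Rule("permit", GUEST, WEBDAV_IP + "/32", *WEBDAV),
             Rule("deny", GUEST, PROD, "any", None)]
# Common slip: permitting the whole host also exposes its SMB/RPC listeners.
LOOSE_ACL = [Rule("permit", GUEST, WEBDAV_IP + "/32", "any", None),
             Rule("deny", GUEST, PROD, "any", None)]

def decide(acl, src_ip, dst_ip, proto, port):
    """First matching rule wins; traffic matching no rule is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "deny"

def audit(acl, guest_ip, prod_hosts):
    """List every (host, proto, port) a guest can reach besides WebDAV."""
    leaks = []
    for host in prod_hosts:
        for proto, port in FILE_SHARING + [WEBDAV]:
            allowed = decide(acl, guest_ip, host, proto, port) == "permit"
            if allowed and (host, proto, port) != (WEBDAV_IP, *WEBDAV):
                leaks.append((host, proto, port))
    return leaks

if __name__ == "__main__":
    hosts = [WEBDAV_IP, "10.0.0.5"]   # constructed production hosts
    for name, acl in (("tight", TIGHT_ACL), ("loose", LOOSE_ACL)):
        print(name, audit(acl, "192.168.50.10", hosts))
```

An empty list from `audit` means the ACL exposes nothing beyond the WebDAV port; the loose rule set reports the five file-sharing ports on the WebDAV host.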
