Travis
Here's a tough one... I was called to help out a small business owner
that operates a retail store. He has about 6 point of sale (POS)
workstations [Dell, all running XP Pro] with access to a LAN managed by
Microsoft SBS2003. There are lots of quirky software packages installed
on these machines as part of the business - they all have shares and
mapped drives that required Administrator access by the various
packages. In turn, each POS system autologs on to the network as a
member of the Administrator group on the domain.
The problem is that employees have begun surfing the web on these POS
workstations. It's unprofessional and inappropriate in this
high-traffic retail setting. The POS workstations need some Net access
to receive autoupdates to XP, receive updates from the various software
vendors, etc. In addition, I don't want to remove them from the
administrator group for fear of breaking one or more links in the
intricate communications path between the various nodes on the network.
My plan at this point is to install a firewall like the SonicWall
TZ170, assign static IPs to the POS systems, and then create a policy
for each workstation. In those policies I will block port 80 traffic.
My concern with tackling the problem this way is that I may
inadvertently be blocking legitimate traffic between the systems and
the vendor apps if they happen to silently use port 80 as part of their
communications flow. Also, I don't know how long it will take these
employees to figure out they can change the IP address of their POS
workstation and thereby get around my policies. If I eliminate DHCP and
shut off all traffic except for those with policies in the firewall, it
will become a huge nuisance to manage - there are another dozen non-POS
systems in this environment.
Any other suggestions? Perhaps installing a proxy server?
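An added illustration of the proxy-server route mentioned above, not part of the original post: a small Python checker that audits a Squid-style proxy access log for POS requests to destinations outside an allow-list (filtering by destination host instead of blanket port 80, so vendor and Windows Update traffic over HTTP is not cut off), and compares an ARP snapshot against pinned IP/MAC pairs to spot a workstation that has re-addressed itself to slip out of a per-IP policy. The POS addresses, MACs, allowed hosts and log lines are all constructed sample values.

```python
import re

# Static IP -> MAC of the POS workstations (constructed values, not from the post).
POS_HOSTS = {
    "192.168.1.11": "00:11:22:33:44:11",
    "192.168.1.12": "00:11:22:33:44:12",
}
# Destinations the POS hosts legitimately need (constructed examples).
ALLOWED_HOSTS = {"windowsupdate.microsoft.com", "updates.example-vendor.com"}
# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def url_host(url):
    """Host part of an absolute URL or a CONNECT host:port target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()

def find_policy_violations(log_lines):
    """(client_ip, host) for each POS request to a site outside the allow-list.
    Non-POS machines are ignored, so the dozen other systems need no per-host rule."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("client") in POS_HOSTS:
            host = url_host(m.group("url"))
            if host not in ALLOWED_HOSTS:
                hits.append((m.group("client"), host))
    return hits

def find_address_changes(arp_entries):
    """Flag a POS IP answered by an unexpected MAC, or a POS MAC that has
    moved to another IP: both are what a workstation re-addressed to dodge
    a per-IP policy looks like from the switch's point of view."""
    mac_to_ip = {mac: ip for ip, mac in POS_HOSTS.items()}
    suspects = []
    for ip, mac in arp_entries:
        mac = mac.lower()
        if ip in POS_HOSTS and POS_HOSTS[ip] != mac:
            suspects.append((ip, mac, "foreign MAC on POS address"))
        elif ip not in POS_HOSTS and mac in mac_to_ip:
            suspects.append((ip, mac, "POS host moved to unpinned IP"))
    return suspects

# Constructed sample data: one allowed update fetch, one POS browsing hit, one non-POS hit.
SAMPLE_LOG = [
    "1168000000.123    120 192.168.1.11 TCP_MISS/200 5123 GET http://windowsupdate.microsoft.com/x.cab - DIRECT/1.2.3.4 application/octet-stream",
    "1168000001.456    300 192.168.1.12 TCP_MISS/200 9876 GET http://www.example.com/news - DIRECT/5.6.7.8 text/html",
    "1168000002.789     40 192.168.1.50 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/5.6.7.8 text/html",
]
SAMPLE_ARP = [("192.168.1.11", "00:11:22:33:44:11"), ("192.168.1.12", "00:aa:bb:cc:dd:ee"),
              ("192.168.1.99", "00:11:22:33:44:12")]
```

Run `find_policy_violations(SAMPLE_LOG)` and `find_address_changes(SAMPLE_ARP)` on the real proxy log and an `arp -a` export from the SBS box to get a daily report; the same allow-list can be loaded straight into the proxy as a destination ACL so the checker and the enforcement agree.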