Windows 9.x policies?

20 years 8 months ago #2811 by Kn1ght
Windows 9.x policies? was created by Kn1ght
Anyone know anything about Windows 9.x? Not sure of the details of it. We are trying to take some Windows 98 machines and make them so the internet doesn't work on them yet still give them network capabilities. My boss said to look that up. Any info anyone knows would be helpful.

Thanks
20 years 8 months ago #2814 by sahirh
Replied by sahirh on topic Re: Windows 9.x policies?
When you say you want to disable the internet, do you mean disable web surfing or the net as a whole? I assume when you say give them network capabilities you want them to still be able to access file shares etc., right?

Hmm, well, it's been a while, but if you unbind TCP/IP from the adapter but leave NetBEUI and File & Printer sharing in, then F&P sharing should start using NetBEUI to communicate.. however this is non-routable. (NetBEUI cannot leave its subnet.)

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 8 months ago #2819 by tfs
Replied by tfs on topic Re: Windows 9.x policies?
You could also delete your gateway from the Network settings, as well as DNS entries.

Thanks,

Tom
20 years 8 months ago #2821 by sahirh
Replied by sahirh on topic Re: Windows 9.x policies?
Yep that would also be an option.. once again you'd only get intra-subnet communication. What you could do would be give them their gateway, but ACL off their internet access at the border router.. this will be easier if they're all in one subnet...

Supposing their IP range is 10.0.0.0-255:

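! extended list number (100-199): the "ip <source> <wildcard> any" form is not accepted in a standard list (1-99)
access-list 110 deny ip 10.0.0.0 0.0.0.255 any log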

slap it on the appropriate interface and check the logs for any evil-doers.. smoke them out of their holes.

The advantage here is that it's a more secure solution than the last two. For example, supposing those users need to be local administrators on their machines.. they could very easily get around tfs's and my earlier solutions by
1. Binding TCP/IP
2. Setting the default gateway

Here however, they have no control over the router.. so the only thing they can do is grumble about how evil their network admin is.

Of course this is not a win9x solution as you'd asked.. but it is more flexible.. look at the benefits:
1. Single point of administration, you don't have to configure 254 individual machines
2. Scalable solution.. it's really easy to add other blocked subnets
3. IP connectivity still available for them to access internal FTP / HTTP servers
4. They are still routed around all the internal subnets
5. I like this solution :)

Anyone see any flaws in this approach?

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
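
An added example, not part of sahirh's post and not taken from any vendor tool: a small Python model of how a Cisco-style ACL evaluates the entry above (wildcard bits are "don't care", the first matching entry wins, and an implicit deny ends every list). It assumes an extended list number (110), since the protocol-and-destination form is extended syntax; the trailing permit entry and the sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD|any any [log]'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    if rest[0] == "any":
        src, wild = 0, 0xFFFFFFFF          # every source bit is "don't care"
    else:
        src = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1]))
    return action, src, wild, tok[-1] == "log"

def evaluate(acl_lines, src_ip):
    """Return (action, logged) for a packet with this source address."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        action, src, wild, log = parse_entry(line)
        care = ~wild & 0xFFFFFFFF          # bits that must match exactly
        if addr & care == src & care:
            return action, log             # first match wins
    return "deny", False                   # implicit "deny ip any any", never logged

# The entry from the post, written with an extended ACL number (assumption).
DENY_ONLY = ["access-list 110 deny ip 10.0.0.0 0.0.0.255 any log"]
# Same list followed by an explicit permit (constructed for comparison).
WITH_PERMIT = DENY_ONLY + ["access-list 110 permit ip any any"]

# Constructed source addresses: two in the blocked /24, two outside it.
SAMPLES = ["10.0.0.1", "10.0.0.254", "10.0.1.7", "192.168.5.20"]

def report(acl):
    return {ip: evaluate(acl, ip) for ip in SAMPLES}

if __name__ == "__main__":
    for name, acl in (("deny only", DENY_ONLY), ("with permit", WITH_PERMIT)):
        print(name)
        for ip, (action, log) in report(acl).items():
            print(f"  {ip:15} {action}{' (logged)' if log else ''}")
```

With the single deny entry alone, every other source is also dropped by the implicit deny, and those drops produce no log line; the explicit permit is what keeps other subnets' traffic flowing through the interface.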
20 years 8 months ago #2822 by Chris
Replied by Chris on topic Re: Windows 9.x policies?
Sahir's proposal sounds like what I would do. Of course, in every network, you would normally have a firewall as your gateway and I'm not talking about a router, but a Linux or Windows firewall (I'd personally prefer the first option).

With such a firewall, you simply apply the rules at the gateway/firewall level and you're ready to earn some enemies in your office!

Of course, in the case your router is the only piece of equipment between your LAN and your ISP, then you would apply the suggested rules to it, blocking the hosts you want.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 8 months ago #2824 by sahirh
Replied by sahirh on topic Re: Windows 9.x policies?
Chris is right, it would make much more sense to deal with something like this on a dedicated firewall rather than making that poor router do extra work.

There's nothing more fun than swatting down people's packets.. it's almost like the government offices here.. you go to get something stamped.. if they like how you look, they'll stamp it.. otherwise.. wham ;).

Never make a network admin your enemy hehe..

My favourite humour... the Bastard Operator From Hell
members.iinet.net.au/~bofh/bofh/bofh1.html

I have the whole archive somewhere on CD.. good fun :)

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com