[CS-FSLUG] Locking down a machine in the Church
Legatus
lists at runyanrants.net
Fri Sep 8 15:03:17 CDT 2006
Scott Parks wrote:
> Hello everyone!
>
> I am working on a project where I will be installing a new computer
> to be used for Worship. The main reason for the replacement is
> the age of the machine, the other is the fact that this machine has
> been basically destroyed with viruses, spyware, etc.
>
> The problem with this machine is that it is mostly used by youth -
> they did stop using it during the services - but it is connected to high
> speed to download lyrics from the Media Shout site and other multi-
> media clips that the Pastors might need for the service.
>
> Putting the thing on a proxy server will work for a little, but I am
> sure the "talented youth" as they call themselves will figure it out and
> bypass it eventually. What I ideally would like to do is force this
> machine to use the proxy and filter all traffic on this machine only.
> It is a Windows machine so I have to baby it, but also can NOT filter
> the rest of the office traffic.
>
> So, my question is - where do I start and can it be done where I
> force this machine and this machine only to have all traffic
> filtered? Can I simply set up a gateway on a Linux box and tell the
> Windows machine to use it? They then could modify the gateway to the
> high speed connection (and yes, they would try something like that).
>
> Looking for some thoughts.....
>
> Thank you!
>
> -Scott
>
Install a transparent proxy as your gateway. Make all machines go
through it to get to the internet. Make it a physical barrier like this:

 _________________
|                 |
|    Local LAN    |----------Proxy------Internet Gateway
|_________________|

If physically the only system that has access to the gateway is the
proxy, and the cabling is in a locked space, then they can't alter it.
If you exempt some machines from the proxy, then they have a way to
physically bypass the proxy. You can use MAC addresses to decide what
machine gets what access to the internet, or there could be a username
and password to determine if you get access at all. It all depends on
what you use for the proxy server.
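
One way to realise the layout in the reply above on a Linux gateway with iptables, as an added example that is not part of the original thread. It assumes the LAN-facing interface is eth1 and the proxy listens on local port 3128; the MAC address is a constructed sample. Listed office machines are exempt and every other machine, known or not, is sent through the proxy.

```shell
#!/bin/sh
# Added example: prints the iptables rules for the gateway box that sits
# between the LAN and the Internet router. Nothing is applied here; review
# the output, then run it as root on the gateway.
# Assumptions (not from the thread): interface eth1, proxy port 3128,
# and the sample MAC below, which is constructed.

# Accept only six colon-separated hex octets, so nothing else reaches a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules LAN_IF PROXY_PORT [EXEMPT_MAC...]
gen_rules() {
    lan=$1 port=$2
    shift 2
    # Validate every MAC first so a bad entry produces no partial rule set.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    for mac in "$@"; do
        # Exempt office machines: skip the redirect and allow routing.
        echo "iptables -t nat -A PREROUTING -i $lan -m mac --mac-source $mac -j RETURN"
        echo "iptables -A FORWARD -i $lan -m mac --mac-source $mac -j ACCEPT"
    done
    # Everyone else: web traffic is handed to the local proxy ...
    echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # ... and nothing else is routed past the gateway (fail closed).
    # Non-exempt machines then need DNS served by the gateway itself.
    echo "iptables -A FORWARD -i $lan -j DROP"
}

# Constructed sample: one exempt office machine.
gen_rules eth1 3128 02:00:00:00:00:01
```

A MAC address is a client-supplied value, so the exempt list is a convenience; the enforcement is the locked cabling that leaves the proxy as the only path to the Internet gateway.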