[CS-FSLUG] Locking down a machine in the Church

Legatus lists at runyanrants.net
Fri Sep 8 15:03:17 CDT 2006 

Scott Parks wrote:
> Hello everyone!
> 
> I am working on a project where I will be installing a new computer  
> to be used for Worship.  The main reason for the replacement is
> the age of the machine, the other is the fact that this machine has  
> been basically destroyed with viruses, spyware, etc.
> 
> The problem with this machine is that it is mostly used by youth -  
> they did stop using it during the services - but it is connected to high
> speed to download lyrics from the Media Shout site and other multi- 
> media clips that the Pastors might need for the service.
> 
> Putting the thing on a proxy server will work for a little, but I am  
> sure the "talented youth" as they call themselves will figure it out and
> bypass it eventually.  What I ideally would like to do is force this  
> machine to use the proxy and filter all traffic on this machine only.
> It is a Windows machine so I have to baby it, but also can NOT filter  
> the rest of the office traffic.
> 
> So, my question is - where do I start and can it be done where I  
> force this machine and this machine only to have all traffic  
> filtered?  Can
> I simply set up a gateway on a Linux box and tell the WIndows machine  
> to use it?  They then could modify the gateway to the high
> speed connection (and yes, they would try something like that).
> 
> Looking for some thoughts.....
> 
> Thank you!
> 
> -Scott
> 
Install a transparent proxy as your gateway. Make all machines go 
through it to get to the internet. Make it a physical barrier like this


  _________________
|                 |
|  Local LAN      |----------Proxy------Internet Gateway
|_________________|


If physically the only system that has access to the gateway is the 
proxy, and the cabling is in a locked space, then they can't alter it. 
If you exempt some machines from the proxy, then they have a way to 
physically bypass the proxy. You can use mac addresses to decide what 
machine gets what access to the internet, of there could be a username 
and password to determine if you get access at all. It all depends on 
what you use for the proxy server.

More information about the Christiansource mailing list