Browsing domain from non-domain PC

[Jordan]

I have a computer on the domain that needs to run tests 24x7. The
programmer of the software cannot seem to manage to get his testing software
to run with the console locked without crashing. I have even gotten one of
those programs that disables the keyboard and mouse and the program still
crashes. I have no idea what they are doing to cause the problem but they
are totally unable to fix the problem so, of course, now I am stuck to find
a way to allow this computer to run 24x7 with the console open yet still
maintain network security.

The computer is just running test data so there is no information on the
local computer that is of any concern. It would be great if I could just
leave this off the network unplugged but the programmer is always updating
the software and needs to copy the new versions down and maybe copy a gigs
worth of data up to a server for analyzing every now and then.

I was thinking about just removing it from the domain and giving all the
users that need to run the tests local accounts, but the problem is the
users can still browse the domain via Network Neighborhood and just map
drives and see things by just supplying their user names and passwords when
they are prompted. I know all of them are going to choose to save the
username and passwords which makes taking the computer off the domain
equally useless.

What can I do to allow this computer to run the tests yet prevent access to
domain resources even if the users has a domain password.

 

[Roger Abell [MVP]]

You could, as you indicate, make the machine a stand-alone, outside of
the domain(s), and provide machine local accounts to those that need to
use this test machine. If those users are not administrators on that
machine
then you could define an IPsec policy so that the machine is not able to
communicate with any other machines except those that you specifically
allow, like the one server where the test data goes.

The best approach however is to build a list of point items that details
the few options this software is allowing for implementation, and the
risks to the enterprise each of these presents. Then, use this to drive
a higher-level directive to the developers to get off their dufas and
learn how to do it correctly.

 

[Jordan]

Thanks,

If that problem was not bad enough you would not believe what happened
today. I had to do an Antivirus upgrade the other night and since his
program is a complete PIG with system resources he thinks we should exclude
all the stations that are going to use his program from AV protection yet
still allow him full Internet access to download things because he "will be
really careful and knows what [he] is doing."

Don't I have the legal right to shoot him for being that stupid or isn't at
least my obligation?

 

[Roger Abell [MVP]]

If you can shoot him with a brain-pill, it is an obligation.
Tell him he must detail a (short) list of (only) the essential files that
need to be exempted for AV checking.
You really need mgmt support that is above the IT and dev groups.
Build your cases, options, risks and compare costs if damage does
result with cost of getting it done correctly.

Thanks,

If that problem was not bad enough you would not believe what happened
today. I had to do an Antivirus upgrade the other night and since his
program is a complete PIG with system resources he thinks we should
exclude all the stations that are going to use his program from AV
protection yet still allow him full Internet access to download things
because he "will be really careful and knows what [he] is doing."

Don't I have the legal right to shoot him for being that stupid or isn't
at least my obligation?

You could, as you indicate, make the machine a stand-alone, outside of
the domain(s), and provide machine local accounts to those that need to
use this test machine. If those users are not administrators on that
machine
then you could define an IPsec policy so that the machine is not able to
communicate with any other machines except those that you specifically
allow, like the one server where the test data goes.

The best approach however is to build a list of point items that details
the few options this software is allowing for implementation, and the
risks to the enterprise each of these presents. Then, use this to drive
a higher-level directive to the developers to get off their dufas and
learn how to do it correctly.