

Office security
June 8, 2008 1:59 PM

Office Security - How do I record/monitor our office computers?

We have about 8 PCs and 3 new Macs in our office.
Since we have to deal with some sensitive data files, we would like to be able to monitor our computers. Is there any free or low-cost solution for such a purpose?

We are mainly concerned about USB drives, unauthorized uploading, and other illegal activities through our computers in the office.

We won't be able to monitor every moment of the computer use... but we would like to retroactively check on computer use after any illegal activities, such as someone uploading sensitive files to their email or web drives, and/or someone downloading sensitive files to their iPods or USB drives...

We do not have an actual server, but we are supposed to use one shared drive and not save any data to individual computers.
posted by curiousleo to computers & internet (8 comments total)
Disabling USB devices (except USB HID - keyboards) fixes the copying of files to USB, and meets the "free/low cost" requirement.

As for tracking web usage -- you could set up a proxy server to log traffic -- though you would have to make some assumptions. Then tell everyone they can't use non-work email accounts at work.

But in reality -- it sounds like a fairly hostile workplace you are attempting to create here. I would quit if you monitored my computer.
posted by SirStan at 2:06 PM on June 8, 2008 [1 favorite]


You could also install VNC on all the desktops -- there are numerous "record a screenshot" apps that can run with VNC. You could log all the JPGs to a single workstation/server.
posted by SirStan at 2:08 PM on June 8, 2008


Do all 11 computers need access to this sensitive data? Do all employees need access?

You can do a lot just by limiting the people who have permission to see the files and by limiting the computers that have access.

It sounds like a small company, so I doubt you have an HR department with legal resources, but some sort of contract may be a low-cost way to ensure some "social security" (heh) around the office...

Beyond that, the scope of what you're trying to do quickly falls out of the realm of "free or low cost" and becomes a large project in and of itself. There are entire IT firms which specialize in what you're proposing.

Browse the computer security shelf at Barnes and Noble sometime.
posted by wfrgms at 2:13 PM on June 8, 2008


You can do much of what you want by setting up a proper Windows Server based domain. Once the client PCs are part of that domain, and everyone is logging in using accounts managed by the domain, you get very fine-grained control. You can:

1) Disable USB storage devices
2) Lock down access to local and network files on per-user and per-group bases
3) Transparently force everyone's web traffic through a proxy which keeps access logs and can block access to various sites

This will require having a server, which you say you do not have. You also say you have sensitive and critical files. This means you want -- no, need a server. Not only will you be able to better control access to everything, but you'll be able to do things like backups, which I get the impression you don't currently do.
posted by CrayDrygu at 2:38 PM on June 8, 2008
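
The retroactive proxy-log review suggested in this thread could look like the following. This is an added example, not code from any poster; it assumes the proxy writes Squid's native access.log layout, and the log lines and watchlist hosts are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1212951540.123    210 192.168.1.23 TCP_MISS/200 1543 POST http://webmail.example.com/compose/attach - DIRECT/203.0.113.10 text/html
1212951600.456  30211 192.168.1.23 TCP_MISS/200 48211 CONNECT dl.files.example.net:443 - DIRECT/203.0.113.20 -
1212951655.000     95 192.168.1.31 TCP_HIT/200 20480 GET http://intranet.example.org/logo.png - NONE/- image/png
1212951700.789    340 192.168.1.31 TCP_MISS/200 812 POST http://intranet.example.org/timesheet - DIRECT/198.51.100.7 text/html
garbage line that is not a log entry
"""
# Hypothetical watchlist of personal webmail / file-hosting domains.
WATCHLIST = {"webmail.example.com", "files.example.net"}
UPLOAD_METHODS = {"POST", "PUT", "CONNECT"}  # CONNECT = opaque HTTPS tunnel

def host_of(method, url):
    # CONNECT lines carry "host:port"; other methods carry a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def parse_line(line):
    parts = line.split()
    if len(parts) < 10:
        return None  # not a complete native-format entry
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
    except ValueError:
        return None
    return {"time": when, "client": parts[2], "method": parts[5],
            "host": host_of(parts[5], parts[6])}

def watched(host, watchlist):
    # Match the listed domain itself or any subdomain of it.
    return any(host == w or host.endswith("." + w) for w in watchlist)

def review(log_text, watchlist=WATCHLIST):
    """Return {client_ip: [(time, method, host), ...]} for watched uploads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] in UPLOAD_METHODS and watched(e["host"], watchlist):
            hits[e["client"]].append((e["time"], e["method"], e["host"]))
    return dict(hits)

if __name__ == "__main__":
    for client, events in review(SAMPLE_LOG).items():
        print(client, [(f"{t:%H:%M:%S}Z", m, h) for t, m, h in events])
```

For HTTPS the proxy sees only the CONNECT host and port, so the log shows which machine reached which service and when, not which file was sent.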


Unfortunately, I think you have a bit of an untenable situation - high requirements with low budget.

If it was me, I would work on prevention. If you are in a situation where you have sensitive data, you simply can't allow people to have free rein on their desktop PCs. If data=money and data loss = money loss, then you have to treat all data access like a bank treats its cash. First thing is to create a security policy on the systems (as others have mentioned) that doesn't allow removable storage of any kind. Second, use some sort of access control on the network, both physically with your LAN and logically with limited accounts. And, unfortunately, physical locks on the hardware. All the computer security in the world can't stop someone from popping open a computer and swiping the hard drive.

Further, you need to make sure you have a good firewall that will stop unauthorized access from the outside. Good, secure and tested backups in place to be able to recover from data loss.

Beyond that, I don't know. I know auditing solutions exist, but I think they are pricey.
posted by gjc at 2:46 PM on June 8, 2008


Further, you need to make sure you have a good firewall that will stop unauthorized access from the outside.

Since they have 11 PCs and don't want to spend money, I would assume they are running a consumer grade internet connection with a NATing router. Simply not using port forwarding and disabling UPnP would be functionally identical to a $2000 Cisco router (I doubt the OP wants remote access/VPN!).
posted by SirStan at 2:59 PM on June 8, 2008


Can I make the current Windows XP Pro system (which acts kinda like a server now) become more like a real server? What can I do to it?

Currently, it is connected to a few shared printers, a scanner, and a backup drive, and it contains the shared hard drive.
posted by curiousleo at 3:10 PM on June 8, 2008


curiousleo: "Can I make the current Windows XP Pro system (which acts kinda like a server now) become more like a real server?"

There are two things that make a server a "real server."

1) Hardware -- server hardware is (generally) both higher quality, and more resistant to failure. The latter usually comes from having two or more of certain components. Two power supplies, so the server doesn't shut off if one dies. Two or more hard drives in a RAID array, so when (not if, but when) a hard drive dies, you don't lose your data. Things like that.

2) Operating System -- they run an operating system specifically designed for server-based tasks. In the case of Windows, this means Windows Server 2003, or 2008 if you're adventurous. This is what allows things like globally setting fine-grained access controls.

So I guess the answer to your question is: sure, you can make a desktop PC more like a "real" server by installing Windows Server 2003 on it. But you should carefully monitor the hardware, and make certain you have good backups of everything. Not just your company's data, but the server's configuration too.

I highly recommend that you do a lot of reading on how to set up a proper Windows Server domain first, though. It allows more control than making an XP machine pretend to be a server, yes -- but it's also more complicated.
posted by CrayDrygu at 4:14 PM on June 8, 2008

