[Lynnex1138]

Hello,

I oversee a small (>150) network of PCs and a couple of Macs. We are a non-profit health care facility that has clients in and out all day using the computers. The majority of our computers are old, P4's some with 256k fo ram running windows 2000 sp4.Most of our users log in with a common userid that gives them very limited rights on the network however most of what they do is surf the web and most of this is not business related but done for entertainment.

We have alot of people who want to download music, look at porn, chat, download and install programs like limewire and upload to file sharing sites. When I started working here there was virtually no security or web filter in place. We have the following:

The lowest level content filter from the sonic wall pro 2040
Symantec antivirus 10.0.1

Last fall we were blacklisted due to a trojan sending out emails. We scanned all our machines and found several viruses not detected by our anti-virus program. I am always finding various trojans on the network.

Right now, I have done the following:

• enacted group policies to prevent downloads and installations
• disabled floppy, cd-rom and usb drives
• blocked all chat and instant messaging
• Allow personal computers to access the network only under IT supervision
• Blocked smtp on all machines except our mail server

I am testing websense as a content filter and hope to be able to use it so I can block streaming video and a whole host of other stuff our old content filter doesn't cover. I am also wondering if there are better anti-virus programs for our network, like trend micro?

I am looking for suggestions as to how any of you would further secure this network if it were up to you. Any and all suggestions and questions are welcome as I am rather a novice when it comes to security.

thanks for any and all help!

[lunarlander]

I would enable Software Restriction policy so only apps in \program files and \winnt can run. Then go to each station and remove all the apps you don't want. The reason is that a limited user account user can still install programs to their documents folder and nothing will stop it from running unless you have Software Restriction policy.

A very restrictive set of firewall rules can also be used, like just allowing port 80 and 443 outbound, if that is possible for your site. So no FTP, IRC etc. While not a serious barrier to those apps that can change their own ports, it will stop some bad apps.

Put your work machines under another router, separating them from the casual browser machines. This way these work machines cannot be directly accessed because it is hidden by the NAT of the router. And worms and such will have a harder time spreading to the really important machines. Important work machines would be those that house patient data.

Find out where important data is stored. And make the manager establish a no surfing policy for those machines or that person will be penalized. This a manual administrative measure, and it is important to establish this with management help. You have obligation to protect private patient data under HPIAA I think.

[Jason08]

A way would be to have a good software firewall running.

[rhynes]

Have you ever looked at the linux gateways? i've installed a few in non-profit organizations and they are great little boxes. easy to set up and acts as a tranparent gateway for monitoring, blocking etc.

Endian is great, pretty basic but gets the job done.
Smoothwall has always been great but i'm not sure if it's free for non-profit.
IPCOP is another one, but can be painful to get installed and running.

these would be a replacement option for your sonicwall - or you can have a second gateway on your network if you wish.

good luck