The Church Media Community
Equipping You to Communicate Effectively
  #1 (permalink)  
Old Friday, April 2nd, 2010, 05:59 AM
Help securing network?

Hello All,
Trying to secure the network at our church and could really use some insight.

Currently running a single SBS 2003 server with 1 NIC. Currently using as DNS, DHCP, AD and file server (25 users). No Exchange (thank you Google). Also have 9 Mac users.

6mb DSL comes into Netopia modem/wifi router (1) bridged mode, then to two 20 port switches. One cat5 to server for DNS & DHCP,
wireless router (2) configured as AP (Linksys)
wireless router (3) configured as AP (Linksys)
wireless router (4) configured as AP (SMC) and switch for 2 iMacs & 3 printers
wireless router (5) configured as AP (SMC) and switch for 2 Win XP boxes

All the above are on the same subnet 192.168.0.x

Staff needs access to server for file shares via wireless. But I also need to allow "public" wifi internet access in some rooms (teachers/non staff users).

Problem I've got now is that all the wifi routers are on the same subnet and just about everyone has the password to log on to get internet.
Second problem is some of the youth pastors freely give their Windows User passwords to their "helpers" (teens). The other day one of the select teens "helped out" by logging into the server to get a file for the youth pastor - on his personal laptop. I've reduced account privileges for these pastors to "user" so they can't get into admin stuff but I'm still concerned. (All they ever need is to access graphics files on the server with their macbooks.)

Question is how do I set up a separate subnet for "semi public" internet access and a different one for the staff to access the file shares (on server) and internet. Do I need to add additional routers? Can I do it with SBS 2003 DHCP scopes? Both? Ideas?

Also secure the wired LAN from the public but still have it available to the staff.

I have read dozens of posts so far and googled for a couple of days now but still can't seem to find a good explanation. I'm not a network guru by trade so I'm still trying to wrap my head around this.
I'll also be the first to admit that I'm not "the sharpest tool in the shed" either.

I really want to figure this out, appreciate any help anyone has to offer.

Thanks to everyone for contributing to this forum. It has been a go-to resource for us for a long time now.

OWG
  #2 (permalink)  
Old Thursday, April 22nd, 2010, 08:30 PM
This is what I would do to fix wireless issues; it may require you to purchase a new wireless router.

Modem
> 4 Port Switch
>> Staff Wireless
>>> Staff Server
>>> Staff Printer
>>> Staff Switchers
>>> Staff Computers
>> Guest Wireless
>>> Guest Printer
>>> Guest Computer

I would recommend doing the following on the guest wireless:
1. Password protect (something simple, as it's not private)
2. Automatically assign IPs in the range of 292.268.2.1 through 292.268.2.99
3. Either purchase a firewall or use a free program such as OpenDNS.com to protect from foul play. You would not want to provide a gateway to unnecessary searches.

I would recommend doing the following on the Staff wireless:
1. Password protect with a random password (such as: '04059385930dlgGGdgG')
2. Only provide the password to top of Staff, keep it private from general staff; if they need on, you should type the password in yourself. This will prevent accidental sharing.
3. Use a normal IP range 192.168.2.1 or whatever it is currently set up on your router.
4. You may choose to use static IP addresses

This is what I would do as far as hardware security:
1. If you are not currently, implement Active Directory. This will allow for easier file protection.
2. Use your server to share Staff printers; this will allow you to specify which user has access to which printers.
3. Set up a safe file structure within your server such as:
//Church_Server_01
>> Staff$ (The '$' sign after a folder name will hide from general server browsing)
>>> Staff Name (Use for staff user folders)
>>> Staff Name
>> Public
>>> Anything that needs to be accessed by everyone
>> Company
>>> Use this for secretary files
>>> And Private Staff Shares

I would set your user system up as follows:
Staff Server
>> Administrators
>>> Any Staff that should have all rights on server
>> General Staff
>>> Any Staff who needs access to just their folder and the public
>> Secretarial Staff
>>> Any Staff who need access to their folder, public, and company folder.
>> Volunteers
>>> Any volunteers that may need access to the public folder.

You can add more folders outside of these that may need to be given to specific users only. If I were you, I would create volunteer user accounts for any volunteer that may need access to the public folder. This would allow them to log in to the church computers, print if necessary (and allowed), and access the public folder on the server. This would only be allowed if they were on the Staff network, not if they logged in to the Guest Wireless. Mac users, as I am sure you are aware, can still use the Windows server; create an account in the appropriate area and they will be able to log in to the server and all permissions should apply just as if they were on a PC. You can even map drives to the desktop and other areas, I just don't specifically remember how.
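The staff/guest split discussed in this thread, as an added example that is not part of either post: a Python sketch that checks an addressing plan and evaluates first-match filtering rules on whatever device routes between the two segments. The 192.168.2.0/24 guest subnet, its DHCP pool, the server address and the rule set are constructed assumptions; 192.168.0.0/24 is the existing subnet from the question.

```python
import ipaddress as ip

# Constructed plan (assumption): staff keeps the existing 192.168.0.0/24,
# guests move to their own 192.168.2.0/24 with a DHCP pool of .10-.99.
STAFF = ip.ip_network("192.168.0.0/24")
GUEST = ip.ip_network("192.168.2.0/24")
SERVER = ip.ip_address("192.168.0.10")  # hypothetical SBS 2003 address
GUEST_POOL = (ip.ip_address("192.168.2.10"), ip.ip_address("192.168.2.99"))
ANY = ip.ip_network("0.0.0.0/0")

# (action, source net, destination net, allowed ports or None for any port)
RULES = [
    ("deny",  GUEST, STAFF, None),           # guests never reach staff LAN
    ("allow", GUEST, ANY,   {53, 80, 443}),  # guests: DNS and web only
    ("allow", STAFF, ANY,   None),           # staff: server and internet
]


def plan_errors(staff, guest, pool, server):
    """Return the problems found in an addressing plan (empty if sound)."""
    errs = []
    if staff.overlaps(guest):
        errs.append("staff and guest subnets overlap")
    lo, hi = pool
    if lo not in guest or hi not in guest or lo > hi:
        errs.append("guest DHCP pool is outside the guest subnet")
    if server not in staff:
        errs.append("file server is not on the staff subnet")
    return errs


def decide(src, dst, port, rules=RULES):
    """First matching rule wins; traffic that matches nothing is denied."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return "deny"


if __name__ == "__main__":
    print(plan_errors(STAFF, GUEST, GUEST_POOL, SERVER))  # sound plan
    print(plan_errors(STAFF, STAFF, GUEST_POOL, SERVER))  # today's flat LAN
    print(decide("192.168.2.20", "192.168.0.10", 445))    # guest -> file share
    print(decide("192.168.2.20", "208.67.222.222", 53))   # guest -> OpenDNS
    print(decide("192.168.0.50", "192.168.0.10", 445))    # staff -> file share
```

Rule order matters: if the guest "allow" rule is placed above the guest "deny" rule, a guest can reach the server on ports 80 and 443, because 0.0.0.0/0 also covers the staff subnet.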