Small office Server & firewall help

Viz

Namaste,
I run a small office of 8 employees, all on Windows 10. At the moment there is no server setup; everyone has internet access (using a basic dlink router connected via a 24-port switch), but recently I noticed that people are misusing it for game/movie downloads. Can anyone help me on how to deal with this going forward? Do you think I need a server to restrict access to USBs on each individual system and restrict internet access to specific sites, like Saavan and our work-related ones? Do I need a firewall to achieve this (pfsense? Or will it be overkill)?

Look forward to hearing back from you. Thank you for all your time and help in advance.

-Srinivas
 
Hey Srinivas,

I believe we had spoken sometime back about a Tally server maybe?

Either way, for restricting your usage, you need to see how you want to go ahead.

The cheapest would be getting hold of a dual-port card with a desktop and running Sophos. They have a free home version which might work for you, plus a free AV as well.

If you want a solution which will restrict bandwidth mainly, look at pfsense.

For the USB restrictions, you can try to implement a GPO. If you need a server equivalent to do this, and free, look at Zentyal.

Alternatively, you can implement the USB restrictions in software via AV.
 
Namaste Vivek,
Yes, we did speak last time about Pfsense; I never had the time to build one for myself, but I'm now looking forward to it. Coming to the current situation, I first wanted to restrict internet access so they don't misuse it, and only have access to select websites like Saavan, where they can listen to songs and work. Does Sophos do that for me? I have two internet connections, both on PPPoE (I can check with my ISP to see if they can provide a static IP, if that is a must-have). Due to space constraints, I would like to have a smaller-footprint device that does that job for me, or something that fits in my existing dlink 4U rack or on top of it, preferably one that accepts two ISPs as a fallback in case one gets disconnected. Can we build a mini-ITX cabinet for this? Or, if it makes sense to purchase a device that supports Sophos/Pfsense, which is less hassle, we can go with it.

We have Norton Security; do you think I can use that to restrict USBs?

Thank you, much appreciated.

-Srinivas
 
Yes, you can restrict via policies on Sophos. No need for a static IP. It can do dual ISPs etc., no issues.

For a smaller footprint, you can get one of the devices from AliExpress. However, I would suggest instead spending the money on a desktop and doing the needful; you can still downgrade it back if needed.

I am not sure about Norton, I will need to check and revert.
 
Restricting internet access should be easy if you make an admin account in W10 and have the others as normal users. Some versions of W10 come with parental controls.

You can restrict bandwidth to a client with a router like the R7000 running custom firmware like Advanced Tomato. It would be as simple as finding the IP address and specifying the speed restriction, then verifying with a speed test.

https://redmondmag.com/articles/2017/06/27/prevent-the-use-of-usb-media-in-windows-10.aspx

https://prajwaldesai.com/how-to-disable-usb-devices-using-group-policy/
 
Why not just send a mail to employees that misusing the internet for torrents, Facebook, etc. will result in losing their jobs? Tell them what sites can be accessed and what cannot. Make it clear from the beginning.

That will stop the misuse really fast. If it does not, you can put a transparent proxy on a machine and fire the first person you see who downloads illegal content the most. The rest will stop once they see you mean business.
 
Thanks mate, did that, but I wanted to have something concrete, so looking for options in the long run.
 
Thanks, will look into the articles. Can the router you suggested do access restriction to certain sites?
 
restrict internet access to specific sites, like Saavan and our work related
Most of the dlink routers have access control.

server to restrict access to USB's on each individual system
Assuming that the machines are desktops, use the BIOS to restrict USB access and control access to the BIOS through a password. Since there are only 8 machines, this would be the convenient one. If employees get their own laptops, then that's a different matter.
 
Parental controls and normal user accounts are a good way to deal with these things. Even if they access something illegal (not allowed), you can talk to them with proof. You can disable USB access with utility software. A lot of admins do that for security reasons.
 
If it isn't a server-client scenario, it's convenient to apply a registry tweak to disable USB access. It will disable all USB ports for storage, though keyboard/mouse and Wi-Fi receivers aren't affected.
There are various registry tweaks for specific tasks; just google around.

Else, if it ever was a client-server scene, then using group policy you could have control in very simple ways, such as:
disabling certain browser features if you only intend to use IE,
disabling desktop/taskbar/my computer features,
USB blocking,
blocking installation of new software, etc.,
setting up a custom password policy, and lots more.
And set a login banner as well, stating in short the restrictions and rules, etc.

A few of the above-mentioned features can be done via a Win 10 limited user account and parental control setup.
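The registry tweak and the GPO "USB blocking" item above are the same mechanism seen from two sides: the Removable Storage Access policy writes values under HKLM\SOFTWARE\Policies, and the older trick disables the USBSTOR driver. The script below is an added example, not code from anyone in this thread; it writes both on a standalone (non-domain) Windows 10 PC and then reads them back so the result can be checked on each of the 8 machines. It assumes an elevated prompt and local admin rights; the key paths and values are the standard Windows ones, nothing office-specific.

```powershell
#Requires -RunAsAdministrator
# Added example: block USB mass storage on a standalone Windows 10 PC.
# Assumes local admin rights; run from an elevated PowerShell prompt.

# 1) Policy route: deny all access to every removable storage class.
#    GPO equivalent: Computer Configuration > Administrative Templates > System >
#    Removable Storage Access > "All Removable Storage classes: Deny all access".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Type DWord -Value 1

# 2) Driver route: stop the USB mass-storage class driver from loading at all.
#    Start = 4 means "Disabled". Keyboards, mice and Wi-Fi dongles use other
#    drivers and keep working. Set Start back to 3 (Manual, the default) to undo.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstorKey -Name 'Start' -Type DWord -Value 4

# 3) Read both values back so the change can be audited per machine.
$denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All').Deny_All
$start   = (Get-ItemProperty -Path $usbstorKey -Name 'Start').Start
if ($denyAll -eq 1 -and $start -eq 4) {
    Write-Host 'USB mass storage is blocked (Deny_All=1, USBSTOR Start=4).'
} else {
    Write-Warning "Unexpected values: Deny_All=$denyAll, USBSTOR Start=$start"
}

# Reboot (or at least re-plug a device) for the USBSTOR change to take effect.
```

Two caveats a practitioner should keep in mind: a local administrator can flip both values back in seconds, so this only holds if the staff run as standard users (as earlier replies suggest); and Deny_All is all-or-nothing, so if the office legitimately needs to read sticks but not write to them, set Deny_Write instead of Deny_All and leave USBSTOR alone.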
 
The router I suggested can do a lot of stuff. Check out Advanced Tomato (and Shibby Tomato, on which it is based).

If you want to control sites, you can get a Raspberry Pi and install Pi-hole on it. Change DNS to the Pi's IP address, and include what sites you want to allow and which you don't want on Pi-hole.
 
Thank you for your time. Got my old Asus RT-N66U dusted out and rooted Advanced Tomato onto it. Looking at Pi-hole, can it do website blocking based on MAC ID, so some systems (like my team leads') have full access to the internet and others just a few sites? Thank you again!
 
Change all your employees' computers' DNS to the Pi-hole's IP address. Also make sure it's the only DNS they can use: leave the second column blank. Make sure the Pi-hole has a static IP. For the rest of the systems, like the team leads', just set the DNS to Google's or the ISP's so their traffic won't be filtered by the Pi-hole. For the Pi-hole you can also add custom sites to the blacklist, like saavn, amazon, flipkart; just block the sites they frequently use.
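"Set the DNS to the Pi-hole and leave the second column blank" is a per-PC setting, so on 8 machines it is worth scripting and, more importantly, verifying. The following is an added example, not code from this thread: it pins every connected adapter on a Windows 10 client to the Pi-hole as its only IPv4 DNS server, then uses the fact that a Pi-hole answers the name pi.hole with its own address to prove the queries really reach it. The Pi-hole address 192.168.1.2 is an assumed value; replace it with the static IP you gave the Pi.

```powershell
#Requires -RunAsAdministrator
# Added example: make the Pi-hole the only DNS server on a Windows 10 client
# and check that resolution actually goes through it.
# Assumes the Pi-hole sits at 192.168.1.2 (change as needed); run elevated.

$PiHole = '192.168.1.2'

# Every adapter that is currently connected. Setting the list replaces any
# previous entries, so the "second column" is left empty by construction.
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $PiHole
}

Clear-DnsClientCache

# Check 1: exactly one IPv4 DNS server per adapter, and it is the Pi-hole.
foreach ($a in $adapters) {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
    if (@($servers).Count -ne 1 -or $servers[0] -ne $PiHole) {
        Write-Warning "$($a.Name): DNS servers are [$($servers -join ', ')], expected only $PiHole"
    } else {
        Write-Host "$($a.Name): DNS pinned to $PiHole"
    }
}

# Check 2: a Pi-hole resolves 'pi.hole' to its own IP, so getting that answer
# back proves the query reached the Pi and not some other resolver.
$answer = Resolve-DnsName -Name 'pi.hole' -Type A -ErrorAction SilentlyContinue
if ($answer -and $answer.IPAddress -contains $PiHole) {
    Write-Host 'Resolution is going through the Pi-hole.'
} else {
    Write-Warning 'pi.hole did not resolve to the Pi-hole; check the DNS setting or the Pi.'
}
```

For the team leads' machines, run `Set-DnsClientServerAddress -InterfaceIndex <index> -ResetServerAddresses` to go back to the DHCP-supplied (ISP) resolver. Two things worth knowing before relying on this: the setting can be changed by any local administrator, so it only holds if staff accounts are standard users; and Pi-hole works as a blocklist, so anything not listed resolves normally. That matches the "block the sites they frequently use" advice above, but it is not the same as allowing only Saavan and work sites.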
 
Thank you, will do that. Just ordered a Raspberry Pi 3+ model on Amazon; will let you know how it goes. Thanks all for your help.
 
OK, thank you, placed the order. I can cancel it, but just checking if we have any other uses for it later? Please let me know.
 
I can only think of some use cases for the 3+ since it's an office setting:
1) Running CUPS and setting the Pi up as a network print server. https://pimylifeup.com/raspberry-pi-print-server/
2) Attach an external HDD to it and run Samba or FTP to share some common files? It will be limited to USB 2.0 speeds.
3) Run a cheap CCTV setup using motionEye. https://medium.com/@gonzalovazquez/rasp
 
Happy to help!

As someone mentioned, the simplest way would be to change the DNS on the machines. You can check a few guides for Pi-hole to see the possibilities.
 