8

Our domain consists of around 60 computers. I have been tasked with making sure that Windows 10 workstations cannot communicate with each other. My manager asked that I create static routes so that computers can only communicate with the network printers, file server, DC, and access the Internet.

Since all of theses computers are on the same network I don't believe static routes are going to prevent these computers from seeing each other. What is the best way to allow computers on the domain to use network resources, but not communicate directly with each other?

asked by taiwie (edited by Peter Mortensen)
  • Routes are not the way to do this. Firewall rules are. – EEAA Jul 25 '17 at 12:50
  • Do you have manageable switches and firewall? –  Jul 25 '17 at 14:34
  • If workstations are wirelessly connected, client isolation in advanced access points will prevent any two Wi-Fi clients from communicating with each other. –  Jul 25 '17 at 14:36
  • @EEAA I think the objective might be to totally prevent layer 2 attacks from compromised machines to other ones. –  Jul 25 '17 at 14:37
  • @sdkks Those attacks are easily mitigated via strict inbound firewall rules. – EEAA Jul 25 '17 at 14:43
  • @EEAA are you referring to Windows firewall or a firewall appliance? –  Jul 25 '17 at 14:45
  • Unless you have a line-speed firewall in your switch, he's probably referring to host-based firewalls. – mfinni Jul 25 '17 at 15:40
  • The firewall is a host-based firewall. Also, yes, we do have a manageable switch. Clients are allowed to connect wired and wireless. – taiwie Jul 26 '17 at 13:18
  • What is the goal of the manager? Intellectual property protection? Preventing malware spreading? Preventing users from sharing files/resources directly? A generic 'security increase' as in 'I heard it in the news'? Depending on the goal, the solution may be very different. – Paolo Jul 27 '17 at 12:05
  • @Paolo My experience says all of these. And the OP has to do what the boss said. If the boss won't buy a manageable switch or a high-level Wi-Fi AP, what would be the adequate and professional solution for the task? He likely doesn't have any other option than using a Linux server with a lot of Ethernet ports for the task. – peterh Aug 13 '17 at 03:40

3 Answers

16

If you have a switch that supports it, 'protected ports' for cabled connections or 'client isolation' for access points on Wi-Fi can help you eliminate traffic between hosts in the same Layer-2 network.

For example, this is from a Cisco switch manual:

Protected ports have these features: A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

So if you don't intend to transfer data between them, you don't need to take action once they are 'protected'.

Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Your clients can be on protected ports; the DHCP server, gateway, etc. can be on unprotected ports.

Update 27-07-2017
As @sirex pointed out, if you have more than one switch and they are not stacked, meaning they are virtually NOT a single switch, protected ports won't stop traffic between those.

Note: Some switches (as specified in the Private VLAN Catalyst Switch Support Matrix ) currently support only the PVLAN Edge feature. The term "protected ports" also refers to this feature. PVLAN Edge ports have a restriction that prevents communication with other protected ports on the same switch. Protected ports on separate switches, however, can communicate with each other.

If that is the case you would need Isolated Private VLAN ports:

In some situations, you need to prevent Layer 2 (L2) connectivity between end devices on a switch without the placement of the devices in different IP subnets. This setup prevents the waste of IP addresses. Private VLANs (PVLANs) allow the isolation at Layer 2 of devices in the same IP subnet. You can restrict some ports on the switch to reach only specific ports that have a default gateway, backup server, or Cisco LocalDirector attached.

If PVLAN is spanning over multiple switches, VLAN trunks between the switches should be standard VLAN ports.

You can extend PVLANs across switches with the use of trunks. Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs. Cisco recommends the use of standard trunk ports if both switches that undergo trunking support PVLANs.

If you are a Cisco user, you can use this matrix to see whether your switches support the options you need.
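The two switch-side options described in this answer, as an added Catalyst IOS configuration fragment that is not part of the original answer. Interface numbers, VLAN IDs and the port assignments are assumptions; pick either option A or option B, not both, and verify with the two show commands at the end.

```text
! Added example: interface ranges and VLAN numbers are assumed, not from the page.
! Option A - protected ports (PVLAN Edge). Isolation holds only inside ONE switch.
interface range GigabitEthernet1/0/1 - 40
 description Workstations (isolated from each other)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet1/0/47
 description File server / DC / printers - deliberately NOT protected
 switchport mode access
 switchport access vlan 10
!
! Option B - isolated private VLAN. Survives standard trunks between
! PVLAN-capable switches, so use it when workstations span several switches.
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
interface range GigabitEthernet1/0/1 - 40
 description Workstations - isolated hosts can reach only promiscuous ports
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/47
 description Server/DC/printer/gateway uplink - promiscuous, reachable by all
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verification: "Protected: true" on the workstation ports for option A,
! and the 100/101 isolated mapping with its member ports for option B.
show interfaces switchport | include Protected
show vlan private-vlan
```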

11

You could do this, if you did something as horrible as make 1 subnet per client. This would be a management nightmare.

The Windows Firewall, with appropriate policies, will help with this. You could do something like Domain Isolation, but even more restrictive. You could enforce rules per OU, with the servers in one OU and the workstations in another. You'd also want to make sure that printers (and servers) are not on the same subnet as the workstations to make this simpler.

https://technet.microsoft.com/en-us/library/cc730709(v=ws.10).aspx

Regarding network printers - you could make this even easier if you didn't allow direct printing, but hosted the printers as shared queues from a print server. This has been a good idea for a long time for multiple reasons.

Can I ask what the actual business goal of this is? Is it to help prevent malware outbreaks? Keeping the big picture/finish line in mind helps define requirements, so that should always be part of your question.

mfinni
  • I'm guessing this is to protect from attacks like the WannaCry exploit. –  Jul 25 '17 at 14:35
  • Sure, that was my guess too, but I like to remind question-askers about this facet of question-asking. – mfinni Jul 25 '17 at 15:39
  • Yes, the goal here is to limit the spread of any malware outbreaks. – taiwie Jul 26 '17 at 13:21
  • As long as there is no BYOD device that is not a member of the domain, this solution will be of zero cost to the OP. (Assuming all machines are Windows) –  Jul 27 '17 at 01:13
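The Windows Firewall approach this answer recommends, written out as an added PowerShell example that is not part of the original answer: two Block rules pushed through a GPO stop a workstation from talking to (or being reached by) its peers while servers, printers and the Internet stay reachable. The address range, GPO name and host names are constructed assumptions. Because a Block rule in Windows Firewall wins over any Allow rule, the blocked range must exclude the servers itself; it cannot be carved out afterwards with an Allow exception, which is why a DHCP pool that contains only workstations (or, better, a separate subnet) is assumed.

```powershell
# Added example (not from the answer): host-based workstation isolation
# via Windows Firewall rules stored in a GPO. All values below are assumptions.
$PeerRange = "10.0.10.50-10.0.10.250"              # constructed DHCP pool holding ONLY workstations
$GpoStore  = "example.local\Workstation Isolation" # placeholder "domain\GPO name"
$Profiles  = "Domain,Private,Public"               # apply even when the host roams off-site

# 1. Inbound: no peer workstation may initiate a connection to this host.
New-NetFirewallRule -PolicyStore $GpoStore `
    -DisplayName "Isolation - block inbound from peer workstations" `
    -Direction Inbound -Action Block -RemoteAddress $PeerRange `
    -Profile $Profiles -Enabled True | Out-Null

# 2. Outbound: this host may not initiate a connection to a peer either,
#    which is what stops lateral spread from an already-infected machine.
New-NetFirewallRule -PolicyStore $GpoStore `
    -DisplayName "Isolation - block outbound to peer workstations" `
    -Direction Outbound -Action Block -RemoteAddress $PeerRange `
    -Profile $Profiles -Enabled True | Out-Null

# 3. Keep inbound deny-by-default on every profile so only explicit Allow
#    rules (file server, DC, print server, admin hosts) reach a workstation.
Set-NetFirewallProfile -PolicyStore $GpoStore -All `
    -DefaultInboundAction Block -DefaultOutboundAction Allow | Out-Null

# Verification on a workstation after 'gpupdate /force': the two rules are
# present with the expected range, a peer is unreachable, the file server is not.
Get-NetFirewallRule -DisplayName "Isolation - *" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Test-NetConnection -ComputerName 10.0.10.60 -Port 445   # peer (constructed): TcpTestSucceeded should be False
Test-NetConnection -ComputerName fileserver -Port 445   # server (assumed name): should be True
```

Printing through shared queues on a print server, as the answer suggests, means the printers need no exception at all: the only host that must reach them is the print server.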
-3

If you can bind each workstation to a specific user you are able to allow only that user to access that workstation.

It is a domain policy setting: logon locally right.

This does not prevent the user from going to the nearest workstation and entering his/her password to access his/her designated machine, but it is easily detectable.

Also this only affects Windows-related services so a webserver on the machines would still be accessible.

Paolo (edited by Peter Mortensen)
  • It also doesn't prevent malware that uses unpatched exploits from moving between workstations. – mfinni Jul 25 '17 at 20:33
  • @mfinni Sure. Unfortunately the OP did not specify whether the requirement is actual (technically savvy manager) or a manager asking for buzzwords. Also the goal is important: for real protection from the threats you mention, a low-OSI-level solution is required, as stated in other answers. And if hosts communicate with servers there is still no protection from malware spreading... – Paolo Jul 25 '17 at 21:05