
XP Pro 32bit, need to restrict network creation in Admin account

Status
Not open for further replies.

DrB0b

IS-IT--Management
May 19, 2011
1,432
US
Hello Gentlemen and Ladies,

Got a bit of a conundrum on my hands. I am in "charge" of helping CNC machines get set up and an interesting phenomenon has been brought to my attention. A user could theoretically plug in their phone via USB and use it to have the browser on the CNC connect to the internet, bypassing my settings. Granted, they would need the driver for their phone and knowledge enough of how to set it up, but it is feasible for the most part. All of these CNC machines are XP Pro embedded powered with Admin accounts and have to be run that way. Also, I can't just disable USB connections because they constantly transport programs for jobs on USB thumb drives.

Is there any way to restrict or disable new network creation via the registry or another way to keep these machines safe from our midnight shift experimenting?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
>> another way to keep these machines safe

The only way I see, considering that all have ADMIN rights on these machines, would be to have them on a totally separate network, that does not have any internet connectivity...

but perhaps someone else might know another way... ;)


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
That is what I was afraid of. This place doesn't have intelligent switches to VLAN anything and an entire separate network is going to be a pain.
While we are on the topic of XP Pro, do we know what version of Adobe Reader can function with SP1? From all I've been able to find it looks like version 9 and below...

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Do the machines need to have a default gateway set? If not, remove it and lock down network settings in GPO.

ACSS - SME
General Geek



 
Default gateway is already removed and those network settings can be set to not be able to be changed. What I'm worried about is someone with enough knowledge to tether their phone via USB to the machine and use it as a hotspot for connectivity.

Foxit only works on SP2 and above, already looked into that. Unaware of any other types of PDF readers, but I will start looking into them. Wasn't aware there was much of a market for free PDF readers outside of Adobe and Foxit.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Sorry - I read it late last night, I see what you mean now. I think you can set a GPO to stop installation of new hardware / software. Would need to look it up, but that should stop it from happening, as the CNC machines will need to install modem drivers etc for it to work.

ACSS - SME
General Geek



 
True, but wouldn't that stop new USB thumb drives from being used as well? I know Windows has the basic drivers but it still has to go through the install process for a newly introduced thumb drive. Since they constantly use them on the CNC machine, I don't think I can go that route. That is why I was curious if there was a GPO setting for stopping creation of a new network or connection.


Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
>> What I'm worried about is someone with enough knowledge to tether their phone via USB to the machine and use it as a hotspot for connectivity.

This is a theoretical possibility, but not very likely. Is that good enough for management??? This is where you need someone from Human Resources to put a policy in place that forbids such activities on work computers. If you can't solve it technically (for free or by spending money) then you have to have an administrative solution. That is not as reliable as a technical solution, but it's FREE!!!

Tell management the limitations you have and then ask for an administrative solution or to heck with it. A good CYA email to your boss is important here listing the POSSIBILITIES/risks/solutions.
 
@Goom - We do have a "No Cell Phones" policy in place already so the CYA is basically in place from a managerial standpoint as well as a no games or internet usage policy. But as you and everyone in the workplace knows, policies are guidelines to follow, and most people if they can get away with it will choose to not follow them. I was just hoping that someone out there had dealt with a somewhat similar situation and had a way to go about disabling new network creation so I was assured my backside was covered and not rely on policy as my only defense in case of said situation.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
You're probably taking it too far then LACKING the necessary infrastructure to handle it for you. No infrastructure, no easy way to "fix". CYA note means you've done all you can WITHOUT $$$$$$$$$$$$$
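Added example, not part of the thread or any poster's code: since the thread ends without a technical block, one detective fallback is to audit each machine's adapter list against a known-good baseline and flag anything new that enumerates over USB. It assumes the inventory can be exported with `wmic nic get Name,NetConnectionID,PNPDeviceID /format:csv`; the host name, baseline and device IDs below are constructed.

```python
import csv
import io

# Constructed sample, shaped like the CSV that
#   wmic nic get Name,NetConnectionID,PNPDeviceID /format:csv
# prints (real output is UTF-16 and starts with a blank line).
SAMPLE_INVENTORY = r"""
Node,Name,NetConnectionID,PNPDeviceID
CNC-01,Onboard Ethernet Adapter,Local Area Connection,PCI\VEN_0000&DEV_0000\CONSTRUCTED-A
CNC-01,WAN Miniport (IP),,ROOT\MS_NDISWANIP\0000
CNC-01,Remote NDIS based Internet Sharing Device,Local Area Connection 2,USB\VID_0000&PID_0000\CONSTRUCTED-B
"""

# Hypothetical baseline captured when the machine was commissioned.
BASELINE = {
    "CNC-01": {
        r"PCI\VEN_0000&DEV_0000\CONSTRUCTED-A",
        r"ROOT\MS_NDISWANIP\0000",
    },
}

def parse_inventory(text):
    """Yield one dict per adapter row, skipping blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        yield {k: (v or "").strip() for k, v in row.items() if k}

def audit(text, baseline):
    """Return findings for adapters that are not in the host's baseline."""
    findings = []
    for row in parse_inventory(text):
        pnp = row["PNPDeviceID"]
        if not pnp:
            continue  # software-only entry with no PnP identity to compare
        approved = {p.upper() for p in baseline.get(row["Node"], set())}
        if pnp.upper() in approved:
            continue
        # An adapter enumerated under USB\ is how a phone tethered as a NIC appears.
        severity = "high" if pnp.upper().startswith("USB\\") else "review"
        findings.append({"host": row["Node"], "name": row["Name"],
                         "connection": row["NetConnectionID"],
                         "pnp_id": pnp, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, BASELINE):
        print(f"[{f['severity']}] {f['host']}: {f['name']} ({f['pnp_id']})")
```

This only covers devices that present as network adapters; a phone that tethers as a dial-up modem would need the modem inventory audited the same way.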
 