# I want to Create a Server at Work



## bretta91 (May 22, 2010)

Hello everyone, 

I am considering building a professional server at work to manage all users and information. I want to create a server room, which does not exist currently, where everything needed can be kept. 

Currently, every user has two PC system units that they can scroll from one to another: one system unit for administrative work (that does not have internet on it in any way) and the other system unit for internet access and emailing. This is to keep administrative data secure and safe. (Probably you never heard of anything like this, but it's just the way it is.)

So now, if I want to put in a server:
1. Do I need 2 servers? One for administration and another for internet?
2. How do I keep all administrative data COMPLETELY separated from the internet access (although both should be on the same PC)?


Thanks


----------



## Squashman (Apr 4, 2003)

If someone has physical access to the data they can do whatever they want with it. What is stopping them from copying it to a USB drive or some other media and then taking it home with them or putting it on the PC that has access to the Internet?

How are you currently preventing them from accessing the Internet on these PCs?


----------



## bretta91 (May 22, 2010)

No, all users can access the internet (by changing the screen with the Scroll button to the system unit that has internet on it) because every user has 2 system units under the desk.


----------



## aasimenator (Dec 21, 2008)

1. You would only need 1 server, and that only for the administrative data; you don't require / it's not necessary to have a server for the internet-facing computers, an internet security suite will do. 

2. One way to keep administrative data separate on a single machine is by having a Virtual Machine that only connects to the internal network & not the internet. This would mean that you'd need to have 2 network cards: one for internet-facing & the other for internal. The internal one will be used by the VM and will thus prevent internet access.


----------



## bretta91 (May 22, 2010)

Thank you for your reply aasimenator.

1. If I install 1 server for the administrative data, where should the internet cable go so that it won't reach the administrative server? Can you give me a quick idea of the layout and the design regarding server, users, and internet connection? 

2. I don't think using a virtual machine for daily work is good, as it uses too much RAM and slows down the process software. Isn't there any way to use the same OS without VMs, separating them by creating two users? Or by joining the PC to two servers, one internet and one administrative?

thanks


----------



## aasimenator (Dec 21, 2008)

1. You don't need a server where the internet will be connected to, just use 2 switches with different network DNS and gateway.

2. I don't see any other way instead of using a VM, as even if you create a new user the computer will still have access to internet and will be exposed.

See the diagram. 1st LAN port on client-1 will be connected to Internet, the other LAN Port will be used exclusively by VM and will be connected to the Server.


----------



## Squashman (Apr 4, 2003)

So your company would rather waste money on extra computers and extra licenses of Operating Systems and Software just so you can segregate them for taking data.

I don't think you saw the point of my first post. If they have access to the data on one computer, what is stopping them from copying the data from that computer onto a USB stick or burning it to a CD and then doing what they please with it?

You would be better off using Terminal Services to remote into the Server and locking that down so that they can't transfer any data off of the server that they remote into. Then they could still have one computer that could access the internet.


----------



## bretta91 (May 22, 2010)

aasimenator said:


> 1. You don't need a server where the internet will be connected to, just use 2 switches with different network DNS and gateway.
> 
> 2. I don't see any other way instead of using a VM, as even if you create a new user the computer will still have access to internet and will be exposed.
> 
> See the diagram. 1st LAN port on client-1 will be connected to Internet, the other LAN Port will be used exclusively by VM and will be connected to the Server.


Thanks for the diagram, it was very helpful. But with this way the server will be exposed to the internet through every PC connected to it, right? Is there no way to put a firewall or something between the switch and server to deny all access except from the administrative software?


----------



## bretta91 (May 22, 2010)

Squashman said:


> So your company would rather waste money on extra computers and extra licenses of Operating Systems and Software just so you can segregate them for taking data.
> 
> I don't think you saw the point of my first post. If they have access to the data on one computer, what is stopping them from copying the data from that computer onto a USB stick or burning it to a CD and then doing what they please with it?
> 
> You would be better off using Terminal Services to remote into the Server and locking that down so that they can't transfer any data off of the server that they remote into. Then they could still have one computer that could access the internet.


Yes Squashman, I understood your point in the first post and you are right, they have access to all data on the administrative PC. However, most employees are trusted and have been working in the company for a long time (unlike me). Nevertheless there should be restrictions set by a server on USB, floppy and CD, yes.

However, my primary concern is keeping it away from the internet. That's the main reason that each user has 2 system units.


----------



## Waylander8 (Jul 17, 2010)

Use VLANs? One with access to the internet and one without. Place the server in, say, VLAN 10 without access to the internet and the boxes needing internet access in, say, VLAN 20. 

If the switches are Cisco, use the following commands:

```
vlan 10
vlan 20
```

For every switchport with an endpoint: 

```
switchport mode access
switchport access vlan 10
```

(or `switchport access vlan 20` for the internet-facing ports).

Cisco anytime over Microsoft.


----------



## bretta91 (May 22, 2010)

Waylander8 said:


> Use VLANs? One with access to the internet and one without. Place the server in, say, VLAN 10 without access to the internet and the boxes needing internet access in, say, VLAN 20.
> 
> If the switches are Cisco, use the following commands:
> 
> ...


Can I join 1 PC to two VLANs? Would administrative data be separated from the internet completely?


----------



## Waylander8 (Jul 17, 2010)

If the NIC (network interface card) can have 802.1Q tags assigned to it, you would configure the port the NIC connects to as a trunk port, make that port a member of both VLANs, then tag appropriately on the NIC. Not all NICs allow you to tag packets though so double check with your NIC's vendor.

Server: use the Windows Firewall with Advanced Security to configure outbound and inbound rules. Also disable all services not required, to limit any attack surface. Google hardening your specific server OS for more detail. Your server will be using a private IP address, therefore it would not be 'seen' from the internet.


----------
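The two-VLAN layout from Waylander8's posts (access ports for the server and the internet PCs, plus a trunk port for a PC whose NIC can tag 802.1Q frames), written out as a complete Cisco IOS switch configuration. This is an added example, not from the thread; the interface numbers, VLAN names and the choice of VLAN 999 as an unused native VLAN are assumptions.

```cisco
! Added example (not from the thread): one switch, two VLANs.
! VLAN 10 = administrative network (server + admin-only NICs); it has no
!           port or SVI that leads to the internet router, so it cannot reach it.
! VLAN 20 = internet-facing desktops and the uplink to the router.
vlan 10
 name ADMIN
vlan 20
 name INTERNET
vlan 999
 name UNUSED-NATIVE
!
! Administrative server: untagged access port, VLAN 10 only
interface GigabitEthernet0/1
 description ADMIN-SERVER
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Desktop that only needs the internet: access port, VLAN 20 only
interface GigabitEthernet0/2
 description INTERNET-PC
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the internet router: VLAN 20 only, so nothing in VLAN 10 has a gateway
interface GigabitEthernet0/24
 description INTERNET-ROUTER
 switchport mode access
 switchport access vlan 20
!
! Single PC with an 802.1Q-capable NIC (bretta91's "one PC in two VLANs"):
! trunk carrying exactly VLANs 10 and 20, with an unused native VLAN so
! untagged frames from the PC land nowhere useful.
interface GigabitEthernet0/3
 description DUAL-VLAN-PC
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
end
```

Verify with `show vlan brief` (the server port should appear only under VLAN 10) and `show interfaces trunk` (Gi0/3 should list allowed VLANs 10,20 and native 999). Note that on the trunked PC both networks now meet inside one operating system, so the separation there is only as strong as the host's own hardening and firewall rules, which is why the server-side firewall rules in the post above still matter.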

