How to block Windows OS

I need to block all Windows OS in my network (only Linux is permitted inside the office) but I don't find any article about this. Is it possible in MikroTik? How can I do this? Thanks for any help!

You can't block a computer from operating, you can only block its access to the internet.
So far, I don’t see how you could know what OS the device is running.

While you can't really do it directly, you could put in some measures to detect it.

  1. Log Windows-like activity such as NetBIOS discovery and add the source addresses to a list which you then drop.

  2. Use layer 7 and interrogate HTTP headers to find the OS?

Both are far from precise and clutching at straws for a purely router-based solution :slight_smile:

normis, you're right. I need to remove internet access from Windows machines. :slight_smile:

rjickity, your solution is more advanced than I can do :smiley: Can you help me with a step-by-step?

Thanks a lot!

I need to block all Windows OS in my network
Easy to do: only Windows has some service that, when starting, sends broadcast packets to search for a Windows Server domain.

only Linux is permitted inside the office
WHY?

but I don't find any article about this
Obviously (FOR ME it is an idiocy)…

Is it possible in MikroTik?
Yes as I have mentioned before.

How can I do this?
Create one address list by firewall rule when you see any packet sent by a Windows machine,
and drop all the traffic from that address list.
YOU STOP THE INTERNET, BUT NOT THE INTERACTION BETWEEN MACHINES…
YOU NEED ONE CONFIGURABLE ROUTEROS DEVICE BETWEEN EACH MACHINE TO COMPLETELY CUT OFF WINDOWS MACHINES…

/ip firewall filter
add action=drop chain=forward src-address-list=device_with_microsoft_rpc
add action=add-src-to-address-list address-list=device_with_microsoft_rpc chain=forward dst-port=445 protocol=tcp
add action=add-src-to-address-list address-list=device_with_microsoft_rpc chain=forward dst-port=445 protocol=udp

REMEMBER:
YOU ALSO BLOCK ALL MACHINES WHERE “WINE”, “VMWARE” AND OTHER VIRTUAL MACHINES ARE INSTALLED.
DID YOU THINK ABOUT THAT?

THIS DOES NOT BLOCK MAC OS; ANOTHER PORT IS NEEDED TO CHECK…

P.S.:

Do not block devices using NetBIOS: the same ports are also used by some SMB / Samba services… you would also lock out Unix / Linux machines…

Read again, I have updated the previous post: added 135 RPC discovery & removed 445 RPC pipe because it is also used by the SMB service.

Does not work for Win 1 / 2 / 3 / 95 / 98 / ME series :laughing:

Works only on NT / 2000 / XP / 7 / 8 / 8.1 / 8.1.1 and Server versions.
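A fuller version of the address-list approach, added here as an example and not the code from any post in this thread: it detects on TCP port 135 only (the RPC endpoint mapper), which is where the poster ended up after dropping 445 because Samba uses it too, gives the learned entries a timeout so a reinstalled machine is re-evaluated, keeps a hand-maintained exclusion list for Linux hosts, logs every hit for review, and only drops traffic headed out the WAN, since the router cannot stop LAN-to-LAN traffic anyway. The interface names, list names and the sample address are assumptions. The later report in this thread that a standalone Windows 7 box never populated the list is the caveat to keep in mind: check the logged hits before trusting this as the enforcement point.

```routeros
# Added example, not from any poster. Assumed interface names: bridge-lan (LAN side),
# ether1-wan (uplink). List names and the sample address are constructed.

/ip firewall address-list
# Hand-maintained exclusion list: Linux hosts running Samba that may legitimately
# talk on SMB/RPC-related ports. Constructed sample entry.
add list=linux_samba_hosts address=192.168.1.50 comment="constructed example: Samba file server"

/ip firewall filter
# 1. Learn: the first forwarded TCP/135 SYN from a LAN host that is not on the
#    exclusion list adds its source to device_with_microsoft_rpc for one day.
#    add-src-to-address-list is a passthrough action, so the packet continues
#    down the chain. Logging lets you review what actually got listed.
add chain=forward in-interface=bridge-lan protocol=tcp dst-port=135 tcp-flags=syn,!ack src-address-list=!linux_samba_hosts action=add-src-to-address-list address-list=device_with_microsoft_rpc address-list-timeout=1d log=yes log-prefix="win-detect"
# 2. Enforce: drop only what listed hosts try to send out the WAN. LAN-to-LAN
#    traffic is left alone (the thread's point that a router in front of the
#    uplink cannot cut hosts off from each other).
add chain=forward src-address-list=device_with_microsoft_rpc out-interface=ether1-wan action=drop log=yes log-prefix="win-drop"
```

After a few hours, `/ip firewall address-list print where list=device_with_microsoft_rpc` together with `/log print where message~"win-detect"` shows which hosts were caught and why; an empty list, as the OP observed, means the hosts never sent outbound 135 and the heuristic does not fit that network.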

Perfect!

Why? The boss thinks: “Windows is evil”

I agree: This is idiocy

But even though you don't agree, you helped me; thank you!

(remember to read my previous post again: use only port 135…)

The person who acts like “Windows is evil” usually ignores the other important thing…

The man in the middle… :smiling_imp:

Using one RouterBoard with RouterOS inside!!! :laughing:

This should be easy to do with RouterOS.

normis, you're right. I need to remove internet access from Windows machines

OK, this is more detailed information, with which we are able to realize it in two different ways.

First variant:
Create two different VLANs, one for the Linux and one for the Windows PCs, and then you can
organize what the VLAN with the Windows PCs is able to do or what you
want to let them connect to!

Second variant:
Connect a network switch to one port of the RouterBoard and connect the
Linux PCs to this switch, and then set up on this LAN port on the RouterBoard
side a subnet like 192.168.1.0/24 (255.255.255.0). Now connect a second network
switch to another LAN port of the RouterBoard and connect all Linux PCs there,
and then on this side, on the LAN port of the RouterBoard, you only set up a different
subnet like 192.168.5.0/24 (255.255.255.0), and that is it; now you only need to set up
a rule set that prohibits the entire LAN of the Windows PCs from connecting to the internet.

Possible but with a hole, of course. Anyone can install a third-party firewall and block outgoing traffic from Windows on port 135, or stop such a service. What then? You can go around, check the OS and grant access individually instead of making foolish filter rules in the firewall. Hope you are happy with your job…

Usually Windows want Office for Works

This time Office do not want Windows for Works!!!

ahahahaha!!! :laughing:

For those who do not understand: Microsoft Windows is defined as an operating system, Office is a suite of Microsoft programs, and Works is another Microsoft product… :wink:

Doesn't work. I put the rules in my home to test and they don't block Windows. The address-list print is empty. I use Windows 7 64-bit and can write this post :slight_smile:
Any idea?

Was your PC already powered up?

Reboot it to test… :wink:

Yes, rebooted some times. I can see in my firewall that only ports 137, 138, 139 (NetBIOS) and 445 (SMB) are listening. Port 135 is not opened (the firewall is disabled, only monitoring ports now). Maybe use another port?

The 445… read my previous post :wink:

http://forum.mikrotik.com/viewtopic.php?f=2&t=85682&p=429929#p429868

I removed 445 because I thought: 2 ports? Only one is sufficient, but now I think I removed the wrong one…

Any purely firewall/edge solution will be flawed for this.

For a network-based solution you would need to look at something like NAP/NAC with 802.1X switches. Hopefully there's a Windows server on the network at least? Otherwise you're going to be up for some expensive Ci$co gear.

Depending on how much staff cost, jarda's option could be a cheaper and more definite way. Have someone check in computers prior to allowing access to the network and then perform periodic checks of the computers. Depending on your size and staff count this may/may not work for you.

Otherwise you give all users on your network a ‘welcome gift’ of a RouterBoard and secure per host with them, which will = a nice massive operating admin overhead :stuck_out_tongue:

pfSense

https://www.pfsense.org/about-pfsense/features.html

Third bullet point under Firewall heading…

pfSense software utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense software allows for that (amongst many other possibilities) by passively detecting the Operating System in use.

I have used pfSense a long time and know this option, but my question is exactly if I can reproduce this in MikroTik! Thanks.

Hello Lambert, this will not be a real solution, because someone is able to set up
VirtualBox on the Linux and Windows PCs, or he is using VMware Player, and can install
a Windows guest inside the Linux OS and a Linux virtual guest on the Windows PC, and then?
What is going on then!? The Linux VM guest is not able to connect to the internet and the
Windows PC with a virtual guest is able to do so.

So I really think it should be worked out and made to happen with isolated VLANs.