Security in a peer-to-peer LAN

mdb

I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the computer
lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We
thought that having distinct workgroups would be all that was needed to
keep, for example, computers in the classrooms from seeing and accessing
files on the office computers. But on the 98se machines, users can go into
Network Neighborhood, then click on Entire Network, and are able to see all
three workgroups, and can actually go in and open files on other workgroups'
computers. I know I can set a policy to remove Entire Network from each of
the 98 machines but what is the best answer to keep the three workgroups
entirely separate while still using the school's central router for DHCP?
File sharing is not enabled on the office computers, the machines of
greatest concern since they have financial and personnel files on them. The
office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael
 
Malke

mdb said:
I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We
have a mix of 98se, 2k and XP machines with three distinct workgroups:
the computer lab (wkgpA), the school office (wkgpB) and the classrooms
(wkgpC). We thought that having distinct workgroups would be all that
was needed to keep, for example, computers in the classrooms from
seeing and accessing files on the office computers. But on the 98se
machines, users can go into Network Neighborhood, then click on Entire
Network, and are able to see all three workgroups, and can actually go
in and open files on other workgroups' computers. I know I can set a
policy to remove Entire Network from each of the 98 machines but what
is the best answer to keep the three workgroups entirely separate
while still using the school's central router for DHCP? File sharing
is not enabled on the office computers, the machines of greatest
concern since they have financial and personnel files on them. The
office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael

There is no security in using Workgroups. Workgroups are only an
organizational/cosmetic device. Computers running Microsoft operating
systems do not need to be in the same Workgroup to share resources.

You should be using a domain, at least for the Win2k/XP machines. For
that, you'll need to have a server.

Malke
 
Shenan Stanley

mdb said:
I do some work at a medium sized school where they have a peer to
peer network. All machines are connected to a common router for
DHCP. We have a mix of 98se, 2k and XP machines with three distinct
workgroups: the computer lab (wkgpA), the school office (wkgpB) and
the classrooms (wkgpC). We thought that having distinct workgroups
would be all that was needed to keep, for example, computers in the
classrooms from seeing and accessing files on the office computers.
But on the 98se machines, users can go into Network Neighborhood,
then click on Entire Network, and are able to see all three
workgroups, and can actually go in and open files on other
workgroups' computers. I know I can set a policy to remove Entire
Network from each of the 98 machines but what is the best answer to
keep the three workgroups entirely separate while still using the
school's central router for DHCP? File sharing is not enabled on
the office computers, the machines of greatest concern since they
have financial and personnel files on them. The office machines are
all XP, and I believe they are all XP Pro.

For the XP machines - get them in a Windows Domain and get their internal
firewalls on and control that through group policies - as to who can see
what.

Windows 98 is the same (pretty much) as having no security - get rid of
these machines or upgrade them ASAP.

Workgroups are not meant as any sort of security. To be truthful - neither
are badly managed domains. It is pretty much true that any workgroup/domain
resource can be accessed whether or not the machine in question is in said
workgroup/domain as long as the user knows how to use the correct
credentials. With Windows 9x <- even that may not be needed. heh
 
Steven L Umbach

As Malke advised workgroups are not security boundaries as they are strictly
for network browsing convenience. Having said that any sensitive files
should only be on computers running XP Pro with simple file sharing
disabled, the guest account disabled, and with folder/NTFS permissions to
allow only the users/groups that should have access to the file in the
permission list or XP Home computers with file and print sharing disabled if
it is not possible to use XP Pro. XP Pro computers can also have the user
right for access this computer from the network to be configured to allow
only authorized users/groups access from the network for computers that have
file and print sharing enabled. To manage user rights use Local Security
Policy. The Windows Firewall should also be enabled on the "office"
computers as an extra step to prevent access from unauthorized users or any
other computer needing such protection. Any computer with a share and using
XP Pro should have share permissions configured to only allow authorized
users to the share though that is not possible with XP Home because XP Home
authenticates all network users as guest. If you are using XP Home computers
where you need to limit user access to shares you need to upgrade those
computers to XP Pro or move the data in the shares to XP Pro computers with
simple file sharing disabled, with the guest account disabled, and
share/NTFS permissions configured appropriately. The links below will help
if you need further info on share and folder/NTFS permissions. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
 
mdb

Thanks for the quick and clear replies to my question about peer to peer lan
security, or the lack thereof. I understand that I can have some control
over the access to the XP Pro machines. But is there a workaround that will
take care of all machines, regardless of OS? Any such thing as a single
folder that can be either hidden or locked? Any third party software that
would provide the security needed?

Thanks.

Michael
 
Kerry Brown

Yes, install a server. It can be Linux, Windows, Solaris, anything, as long
as it is a server OS. Only share files and folders on the server. You will
never have a secure network using P2P and win9x or XP Home. XP Pro only
allows 10 connections and it sounds like you have more than 10 computers so
Pro is most likely out. You need a server. Linux is probably your cheapest
alternative but the learning curve can be steep.
 
Steven L Umbach

There are third party programs that are able to password protect a folder
but I believe they are mostly for local logon users and not for shared
folders. In the long run IMHO the lowest total cost of ownership solution
would be to use XP Pro computers wherever security is a concern and evaluate
implementing an Active Directory domain that is using at least two Windows
2003 domain controllers. Windows 9X computers are inherently insecure and
were designed that way [ease of use being most important] and should not be
used to store any sensitive files in an environment where another
unauthorized user could easily access the computer. XP Home can provide a
measure of security for sensitive files if the NTFS file system is used and
folders that contain sensitive files are not shared or better yet the
computer does not have file and print sharing enabled. Keep in mind that the
data on any computer for any operating system can be obtained by a malicious
user if that user has full physical access to the computer unless the data
files are encrypted properly which is why servers in many organizations are
locked in rooms and/or cages or even in a bank type vault for servers such
as a Certificate Authority. The link below may be of help as a general guide
to securing a network and its data. --- Steve

http://www.microsoft.com/smallbusiness/support/checklist/default.mspx
 
local

mdb said:
Thanks for the quick and clear replies to my question about peer to peer lan
security, or the lack thereof. I understand that I can have some control
over the access to the XP Pro machines. But is there a workaround that will
take care of all machines, regardless of OS? Any such thing as a single
folder that can be either hidden or locked? Any third party software that
would provide the security needed?

Thanks.

Michael

If you assign each of the three workgroups a different subnet and mask
wouldn't that solve your problems? Wouldn't that stop each group's
ability to share or browse other groups?
 
Steven L Umbach

While that could help that alone would not be a very secure solution as a
malicious user could sniff network traffic and reconfigure his computer with
the subnet mask of the computers he wants to access or change his routing
table to do the same. There are switches such as some HP Procurve that have
a feature called port isolation [different from Vlans] that could prevent
groups of ports on the switch from accessing other groups of ports on the
switch while allowing common access to the port that goes to the default
gateway. --- Steve
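
The re-addressing problem described in the reply above can at least be detected. The following is an added example, not part of the original thread: it compares a router ARP-table snapshot with an inventory of which network card belongs to which workgroup and flags any card using an address in another group's subnet. The subnets, MAC addresses, inventory and snapshot format are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan: one subnet per workgroup (assumption, not from the thread).
SUBNETS = {
    "wkgpA": ipaddress.ip_network("192.168.10.0/24"),  # computer lab
    "wkgpB": ipaddress.ip_network("192.168.20.0/24"),  # school office
    "wkgpC": ipaddress.ip_network("192.168.30.0/24"),  # classrooms
}

# Constructed inventory: which workgroup each known network card belongs to.
INVENTORY = {
    "00:11:22:aa:00:01": "wkgpA",
    "00:11:22:bb:00:01": "wkgpB",
    "00:11:22:cc:00:01": "wkgpC",
    "00:11:22:cc:00:02": "wkgpC",
}

# Constructed ARP-table snapshot ("ip mac" per line), e.g. exported from the router.
ARP_SNAPSHOT = """\
192.168.10.21 00:11:22:AA:00:01
192.168.20.5  00:11:22:bb:00:01
192.168.30.40 00:11:22:cc:00:01
192.168.20.77 00:11:22:cc:00:02
192.168.20.90 00:de:ad:00:00:09
"""

def subnet_of(ip):
    """Return the workgroup whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((g for g, net in SUBNETS.items() if addr in net), None)

def find_violations(arp_text, inventory=INVENTORY):
    """Flag cards using an address outside their workgroup's subnet, and unknown cards."""
    findings = []
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], parts[1].lower()
        expected, actual = inventory.get(mac), subnet_of(ip)
        if expected is None:
            findings.append((mac, ip, "unknown device", actual))
        elif actual != expected:
            findings.append((mac, ip, expected, actual))
    return findings

if __name__ == "__main__":
    for mac, ip, expected, actual in find_violations(ARP_SNAPSHOT):
        print(f"{mac} at {ip}: expected {expected}, address is in {actual}")
```

A check like this only reports re-addressing after the fact; keeping the groups apart still depends on the switch or on host-level controls, as the reply says.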
 
