Lan security questions

RB

Does implementing logon password protection offer any protection against
an online virus or Trojan attack?
Or does it only prevent local physical (or Lan) users from unauthorized access ?

What does the term "common" user account mean ?
Is this the same thing as "limited" user account ?
 
David H. Lipman

From: "RB" <NoMail@NoSpam>

| Does implementing logon password protection offer any protection against
| an online virus or Trojan attack?
| Or does it only prevent local physical (or Lan) users from unauthorized access ?

| What does the term "common" user account mean ?
| Is this the same thing as "limited" user account ?


Account authentication has NOTHING to do with malware infections.

What it helps to protect against is...

1. The insider threat
2. Personnel from accessing another person's account and data
3. Data protection in general

Common User or Limited User accounts have nothing to do with passwords either. It has to
do with the level of authorization given to a LAN user to access resources or the ability
to perform tasks.

A "Limited User" is just that, the person is limited in what they are authorized to do
such as installing software or making modifications to the system.

As for passwords, they should be REQUIRED and be "strong". Strong as in meaning a level of
complexity such that it is difficult to guess or break. For example; 8 digits minimum,
using; 2 uppercase, 2 lowercase and 2 numbers and at least one special character.

Having LAN accounts with "Limited User" capabilities reduces the threat of malware
infection but does not eliminate that threat.
 
RB

Thank you for the reply.
I realize the logon ramifications of physical users but if you would be so kind
please give me your input on the following:

1. If you disable File and Print sharing does this make your LAN more
secure from an online infection jumping from one node to the other ?

2. I really need some folders shared, is there any way to password protect
the access to these folders on the LAN?
(does this only again protect from physical logon users)
 
David H. Lipman

From: "RB" <NoMail@NoSpam>

| Thank you for the reply.
| I realize the logon ramifications of physical users but if you would be so kind
| please give me your input on the following:

| 1. If you disable File and Print sharing does this make your LAN more
| secure from an online infection jumping from one node to the other ?


Yes but it also makes administration of the LAN nodes more difficult. It is better to
keep F&P Sharing enabled and the PC locked down. For example, all accounts *MUST* have
strong passwords to mitigate worms and bots that spread on a LAN via password dictionary
attacks.


| 2. I really need some folders shared, is there any way to password protect
| the access to these folders on the LAN?
| (does this only again protect from physical logon users)


Is this a Workgroup or Domain account ?

In a Domain account you have File Server Shares and access privileges as well as NTFS
privileges which will limit who gets access to what.
 
RB

| Is this a Workgroup or Domain account ?

Well I'm still learning terminology but what I have is a Linksys router
(Wireless running TKIP security with a long alpha numeric key) .
My cable modem connects to the linksys (so I assume I have NAT )
and my one Desktop hardwire connects to the linksys and all of our
laptops connect to the linksys (wireless). I have the broadcast off.
I have all the computers configured to the same workgroup ( if that
is what you are asking )

| In a Domain account you have File Server Shares and access privileges as well as NTFS
| privileges which will limit who gets access to what.

Ugh well ok, I think I have a workgroup but I would not know if I had a domain account
or not ? (dummy). And if I did I would not know how to set the NTFS privileges ?

So if I put all my user accounts on a password it will keep me from logging onto a node
from another node unless I give it the user acct password ?
 
David H. Lipman

| Well I'm still learning terminology but what I have is a Linksys router
| (Wireless running TKIP security with a long alpha numeric key) .
| My cable modem connects to the linksys (so I assume I have NAT )
| and my one Desktop hardwire connects to the linksys and all of our
| laptops connect to the linksys (wireless). I have the broadcast off.
| I have all the computers configured to the same workgroup ( if that
| is what you are asking )

| Ugh well ok, I think I have a workgroup but I would not know if I had a domain account
| or not ? (dummy). And if I did I would not know how to set the NTFS privileges ?

| So if I put all my user accounts on a password it will keep me from logging onto a node
| from another node unless I give it the user acct password ?


Yes, it sounds like you have a workgroup. Very limited in scope. What you have is often
called a Small Office Home Office (SOHO) LAN.

The NAT Router will act as a simplistic FireWall and will help keep those on the Internet
from hacking into your LAN as well as keeping out Internet worms.

As for what you are doing on the SOHO LAN for sharing data, well that is more complex. It
all depends on what you are doing and how many nodes are on the SOHO LAN. Since you are a
Linksys Router, the maximum number of nodes is ~253.
 
RB

| As for what you are doing on the SOHO LAN for sharing data, well that is
| more complex. It all depends on what you are doing and how many nodes are
| on the SOHO LAN. Since you are a Linksys Router, the maximum number of
| nodes is ~253.

Ok so a domain would mean purchasing server software OS (MS WindowsServer etc).
I surmise this is expensive but would have more professional abilities.

As far as my Lan, I have a total ( if all active ) of 5 possible nodes. They all go through
the NAT linksys. I am confused on my reading though, if I go through a NAT am I still
considered Peer to Peer ?
Anyhow I only need to share certain folders on various nodes (not the whole drive) but
would like to make them password protected. If I set up passwords on user logon
would this do this ?

Is there another way to make passwords for node folders ?

I will have to give my laptop user acct Admin privileges or my broadcom wireless
driver will freeze the unit in a limited access account.
 
David H. Lipman

| Ok so a domain would mean purchasing server software OS (MS WindowsServer etc).
| I surmise this is expensive but would have more professional abilities.

| As far as my Lan, I have a total ( if all active ) of 5 possible nodes. They all go through
| the NAT linksys. I am confused on my reading though, if I go through a NAT am I still
| considered Peer to Peer ?
| Anyhow I only need to share certain folders on various nodes (not the whole drive) but
| would like to make them password protected. If I set up passwords on user logon
| would this do this ?

| Is there another way to make passwords for node folders ?

| I will have to give my laptop user acct Admin privileges or my broadcom wireless
| driver will freeze the unit in a limited access account.

NAT Router means it does Network Address Translation. Routing between subnet 192.168.1.x
to the WAN address your Cable Internet provider, Road Runner, gives you.

As you get more complex, you need a server. Microsoft has SBS. Peer-to-Peer (aka; P2P)
means that all the LAN nodes act as "peers" to each other. P2P doesn't have anything
more than either Read and Write or Read Only capabilities. A server provides
restrictions.
 
Anteaus

A domain offers centralized control of resources, which is useful in larger
networks. It does not, however, make anything more secure. In fact, a
misconfigured domain in which users have excessive rights can be very
insecure, since those rights will apply to every computer including the
server, not just their own.

Regardless of that, I would suggest that selecting one computer as the
centralized file store is a better way to go, securitywise. Backup is then
much easier, and you can stop the server service on machines with no shares,
which closes several attack-vectors.

As regards workstation security, running as a limited user and/or
implementing a software-restriction policy are good options. With both of
these in-place, malware will find it very hard to gain a foothold.

Providing you are using Firefox, IE8 or similar, and NOT IE6, the online
security issue stems mainly from plugins. Therefore minimize the number of
plugins and you minimize the attack-surface. Those which you do retain, keep
patched. Those which you seldom use, consider removing or disabling. The
Adobe Reader plugin is especially a case for removal, as it is NOT needed to
read Acrobat documents, only the reader is needed. Java is very seldom used.
Quicktime, occasionally. Flash, well you can't really do without that so keep
it patched.
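
The checks raised across this thread (every account requires a password, shared folders are not open to Everyone or Guest, and the Server service is stopped on machines that share nothing), as an added PowerShell audit that is not from any poster. It assumes a current Windows release with the LocalAccounts and SmbShare modules and an elevated session, run locally on each workgroup PC.

```powershell
# Added example: local audit of a workgroup PC. Read-only; it changes nothing.
# Assumes Windows 8 / Server 2012 or later (SmbShare cmdlets) and
# PowerShell 5.1 (LocalAccounts cmdlets), run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Enabled local accounts that are allowed to have no password.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object {
        $findings.Add("Account '$($_.Name)' is enabled and does not require a password")
    }

# 2. User-created shares. ADMIN$, C$ and IPC$ are flagged Special and skipped.
$userShares = @(Get-SmbShare | Where-Object { -not $_.Special })

foreach ($share in $userShares) {
    # Flag share-level Allow entries for principals that need no named account.
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match '(^|\\)(Everyone|Guest|Guests|ANONYMOUS LOGON)$'
        } |
        ForEach-Object {
            $findings.Add("Share '$($share.Name)' ($($share.Path)) grants " +
                          "$($_.AccessRight) to $($_.AccountName)")
        }
}

# 3. Nothing shared: the Server service (LanmanServer) has no job to do here.
$server = Get-Service -Name LanmanServer
if ($userShares.Count -eq 0 -and $server.Status -eq 'Running') {
    $findings.Add("No folders are shared, but the Server service (LanmanServer) is running")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Share-level entries are only half of the access decision on an NTFS volume; the folder's own ACL (for example as shown by `icacls`) is evaluated as well, and the more restrictive of the two applies.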
 
