network security

Guest

Once you set up a network, is it also vulnerable to the outside world? When
you enable file sharing and printer sharing, are you then inviting, if you don't do
it right, other people to mess with your stuff? Do the firewalls also protect
from information of yours leaking out? I just want to make sure I don't open
everything up to the whole world. I want to protect the network as best as
possible.

Thanks
 
What devices connect your computers to the internet? Do you connect thru a NAT
router? If you don't, then get and use one. Today.

A NAT router is the first layer in a good layered defense. Each layer is
necessary because no layer produces complete protection.

One NAT router protects your entire LAN. It prevents your shared files, and
other personal information, from leaking out to the internet.

The second layer is a software firewall, or a port monitor like Port Explorer
(free) from <http://www.diamondcs.com.au/portexplorer/index.php?page=home>. See
various discussions in comp.security.firewall for good advice on choosing a
firewall. A software firewall can selectively block incoming or outgoing
traffic, and a port monitor can at least let you know what's going on.

You need a software firewall on each computer in your LAN; in case one computer
gets infected, a software firewall on the others could save you a lot of
trouble.

The third layer is good software, also on each computer. This layer has
multiple components.

AntiVirus protection. Realtime, plus a regularly scheduled virus scan.
Regularly updated. AV protection is not all that's needed today.

Adware / spyware protection. Realtime, plus a regularly run adware / spyware
scan. Regularly updated.
Complete instructions, using Spybot S&D and HijackThis (both free) are here:
<http://forums.spywareinfo.com/index.php?showtopic=227>.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Consider using an alternative browser, like Firefox, for the majority of your
browsing activities.
<http://www.spreadfirefox.com/?q=affiliates&id=4507&t=61>

Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
<https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)

Block known dangerous scripts from running.
<http://www.javacoolsoftware.com/spywareblaster.html>

Block known spyware from installing.
<http://www.javacoolsoftware.com/spywareguard.html>

Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

The fourth layer is common sense. Yours. Don't install software based upon
advice from unknown sources. Don't install free software, without researching
it carefully. Don't open email unless you know who it's from, and how and why
it was sent.

The fifth layer is education. Know what the risks are. Stay informed. Read
Usenet, and various web pages that discuss security problems. Check the logs
from the other layers regularly, look for things that don't belong, and take
action when necessary.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
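
The Hosts file maintenance step in the post above (merge lists, eliminate duplicates), as an added Python example that is not part of the original post and not how eDexter or Hostess work. It also rejects any entry that maps a name to something other than a sink address, since such an entry would redirect traffic rather than block it. The two lists are constructed samples, and `merge_hosts` and `render` are names chosen for this example.

```python
import ipaddress
import re

SINKS = {"127.0.0.1", "0.0.0.0"}   # addresses that block rather than redirect
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample lists (not taken from the sites linked in the post).
LIST_A = """# sample list A
127.0.0.1  localhost
127.0.0.1  ads.example.com      # ad server
127.0.0.1  Tracker.Example.net
"""
LIST_B = """# sample list B
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net popups.example.org
203.0.113.7 bank.example.com
0.0.0.0 not_a_host
"""

def merge_hosts(sources):
    """Return (sorted blocked names, rejected entries) from {label: hosts text}."""
    blocked, rejected = set(), []
    for label, text in sources.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            fields = raw.split("#", 1)[0].split()   # drop comments, split columns
            if not fields:
                continue
            addr, names = fields[0], fields[1:]
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                rejected.append((label, lineno, "bad address"))
                continue
            for name in (n.lower().rstrip(".") for n in names):
                if name in LOCAL_NAMES:
                    continue
                if addr not in SINKS:
                    # Maps a name to a real address: a redirect, not a block.
                    rejected.append((label, lineno, "non-sink address"))
                elif not HOSTNAME_RE.match(name):
                    rejected.append((label, lineno, "bad hostname"))
                else:
                    blocked.add(name)
    return sorted(blocked), rejected

def render(blocked, sink="127.0.0.1"):
    """Build the merged hosts file text: localhost first, then one block per line."""
    rows = [("127.0.0.1", "localhost")] + [(sink, n) for n in blocked]
    return "".join(f"{addr} {name}\n" for addr, name in rows)
```

Review the rejected list before installing the merged file; a non-sink entry in a downloaded list is worth investigating rather than silently dropping.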
 
Hi.

For real adequate protection you have to use a Cable/DSL router which
provides a NAT firewall and a few other security measures.

In addition, each computer on a peer-to-peer network should have a software
firewall, anti-virus, and anti-spyware protection.

If you have already upgraded to WinXP SP2, you can use the new software firewall; it
provides good, flexible protection.

Add to it Microsoft AntiSpyware:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

And you are basically set.

For additional issues and solutions look here:

Internet - Basic protection: http://www.ezlan.net/firewall.html

Internet Infestation: http://www.ezlan.net/infestation.html

Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html

Jack (MVP-Networking).
 
Chuck, thanks for all the information, greatly helpful... As for the NAT
router, how do you find that out? I am using a D-Link DI-524 router; are you
able to tell if that is sufficient for the first layer? If you get one of
these other firewalls, do you disable the Windows firewall? Thanks for
everything.
 
A DI-524 is a WiFi NAT router, and will adequately protect you from hostile
internet traffic. It won't protect your individual computers from each other,
nor will it completely protect you from the wireless neighborhood.

The Windows Firewall will protect each individual computer from the others, and
to a slight amount, from the wireless neighborhood. If you wish to share files
between your computers, you should enable the File and Printer Sharing
exception.

The wireless neighborhood is another story. Here's a story about somebody's
very stupid wireless neighbor. Don't expect all wireless neighbors to be this
stupid.
<http://www.canoe.ca/NewsStand/LondonFreePress/News/2003/11/22/264890.html>.

The point is, you need to protect a wireless LAN with more precautions than just
the NAT protection on the router.

Change the router management password, and disable remote (WAN) management.

Enable WEP (minimal) / WPA (preferable). Use non-trivial (non-guessable) values
for encryption. (No "My dog has fleas"). The DI-524 will do WPA-TKIP. Use it.

Enable MAC filtering.

Change the subnet of your LAN - don't use the default.

Disable DHCP, and assign an address to each computer manually.

Install a software firewall on every computer connected to a wireless LAN. Put
manually assigned ip addresses in the Local (highly trusted) Zone. Open the
firewall for file sharing, only in the Local Zone.

Don't disable SSID broadcast - some configurations require the SSID broadcast.
But change the SSID itself - to something that doesn't identify you, or the
equipment.

Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor?

Use non-trivial accounts and passwords on every computer connected to a wireless
LAN. Disable or delete Guest userid, if possible (XP Home is a bad choice
here). Rename Administrator, to a non-trivial value, and give it a non-trivial
password. Never use the Administrator renamed account for day to day
activities, only when intentionally doing administrative tasks.

Stay educated - know what the threats are. Newsgroups alt.internet.wireless and
microsoft.public.windows.networking.wireless are good places to start.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
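
One way to act on the "examine the router log" advice in the post above, as an added Python example that is not part of the original post: with DHCP disabled and addresses assigned by hand, every log entry can be checked against an inventory of known adapters. The inventory, the subnet and the log line format are all constructed for this example; the format is not the DI-524's actual log format.

```python
import re

# Constructed inventory: the manually assigned address of each known adapter.
KNOWN = {
    "00:11:22:33:44:55": "192.168.37.10",   # desktop
    "00:11:22:33:44:66": "192.168.37.11",   # laptop
}
# Constructed log format (timestamp, event, mac=, optional ip=).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>ASSOC|DHCP-REQUEST) "
    r"mac=(?P<mac>[0-9A-Fa-f:.-]+)(?: ip=(?P<ip>\S+))?$")

SAMPLE_LOG = """\
2005-03-01 19:02:11 ASSOC mac=00:11:22:33:44:55 ip=192.168.37.10
2005-03-01 19:05:40 ASSOC mac=00-11-22-33-44-66 ip=192.168.37.11
2005-03-01 23:14:02 ASSOC mac=00:AA:BB:CC:DD:EE
2005-03-01 23:14:09 DHCP-REQUEST mac=00:AA:BB:CC:DD:EE
2005-03-02 02:30:55 ASSOC mac=00:AA:BB:CC:DD:EE ip=192.168.37.10
2005-03-02 08:00:00 DHCP-REQUEST mac=00:11:22:33:44:66
"""

def norm_mac(mac):
    """Normalise 00-11-.., 0011.2233.. and 00:11:.. to lower-case colon form."""
    hexd = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)) if len(hexd) == 12 else None

def audit(log_text, known=KNOWN):
    """Return (reason, mac, line) for every entry that needs an explanation."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        mac = norm_mac(m["mac"]) if m else None
        if mac is None:
            findings.append(("unparsed", None, line))
            continue
        ip = m["ip"]
        if mac not in known:
            # An unknown adapter holding one of our addresses is the worse case.
            reason = "known-ip-unknown-mac" if ip in known.values() else "unknown-mac"
            findings.append((reason, mac, line))
        elif ip and ip != known[mac]:
            findings.append(("ip-mismatch", mac, line))
        elif m["event"] == "DHCP-REQUEST":
            # DHCP is disabled on this LAN, so even a known adapter asking is odd.
            findings.append(("dhcp-while-disabled", mac, line))
    return findings
```

A clean result only means no unfamiliar MAC address appeared; MAC addresses can be changed in software, so this check complements WPA rather than replacing it.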
 
chuck wrote:
Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

Chuck, can you explain this part a little more for me if you can? Especially
the last sentence. What do you mean about, don't use an account with
administrative authority, except when you are intentionally doing admin
tasks? If you can tell me a little more that would be great. All the other
info that you have helped me with is great and I appreciate it so much.


thanks

jake frederick
 
Jake,

A lot of malware tries to install itself into the operating system, and needs
administrative privilege during the process. If you surf to a website with
malevolent code on it, and it installs code on your computer, the install
proceeds under your privilege level. If you're not an administrator, the
install will fail and your computer will remain cleaner.

Intentional installs of any complexity require that you close all open
applications, and when you're done, they will restart the computer to finish the
install. The fewer applications you have running during an install, the cleaner
the install will be, which may result in fewer problems in the future. And the
install will run faster too.

Separating your web surfing, from administrative tasks like installs, makes
sense.
1) Surf the web with user privilege.
2) When you're ready to install software, restart the computer, login as an
administrator, do the install, and restart the computer again.
3) Login as a user, and resume surfing the web.

The fewer holes you have in your system security the better. A lot of hacks
start with trying to guess the password for well known accounts like
"Administrator" or "Guest". If your Administrator account is named
"Administrator" and has a password of "password", the hack will succeed.

If you change the administrator account name to "AdM1N1StRaT0R" and give it a
complex password like "AlZm12Zz!@#$%^&*()_+", you'll make it a lot harder for
the hacker (or his hack program, since a lot of hacking is done using software).
Of course, it will take a little longer for YOU to type the name in too. YMMV.

If you have Windows XP Pro, and use non-Guest authentication, get rid of the
Guest account. Or do like some sadistic administrators do, leave the Guest
account there, with no password, and give it NO access to anything.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 