Workgroup Security Help Needed.

[Guest]

Please help solve this workgroup security problem…

My network consists of the following;
A small network with 2 separate workgroups, workgroup A and workgroup B,
both workgroups have 6 computers each, two of the 6 computers are Windows XP
Pro Ser. PK. 2, two are Windows XP Home Edition Ser. PK. 2, and the last 2
have Windows 2000 Ser. PK. 4.

THE IDEAL END RESULT - any computers in Workgroup A cannot access computers
in Workgroup B, and vise versa. Is this possible? Is it possible to isolate
the Workgroups from being able to access one another while sharing a
Broadband Connection through the router?

Computers and hardware are as follows;

1. DSL Modem
2. Linksys 4 port cable/DSL router model BEFSR4.
3. 12 port hub.
4. 9 Dell desktop PC’s and 1 Dell 9200 laptop.

Here is the current issue;
The entire C drive on all machines are Shared within their own Workgroup,
the current problem is that all machines in both Workgroups can see one
another…

How can I isolate the 2 Workgroups from seeing or accessing one another?

 

[Steve Winograd [MVP]]

Please help solve this workgroup security problem…

My network consists of the following;
A small network with 2 separate workgroups, workgroup A and workgroup B,
both workgroups have 6 computers each, two of the 6 computers are Windows XP
Pro Ser. PK. 2, two are Windows XP Home Edition Ser. PK. 2, and the last 2
have Windows 2000 Ser. PK. 4.

THE IDEAL END RESULT - any computers in Workgroup A cannot access computers
in Workgroup B, and vise versa. Is this possible? Is it possible to isolate
the Workgroups from being able to access one another while sharing a
Broadband Connection through the router?

Computers and hardware are as follows;

1. DSL Modem
2. Linksys 4 port cable/DSL router model BEFSR4.
3. 12 port hub.
4. 9 Dell desktop PC’s and 1 Dell 9200 laptop.

Here is the current issue;
The entire C drive on all machines are Shared within their own Workgroup,
the current problem is that all machines in both Workgroups can see one
another…

How can I isolate the 2 Workgroups from seeing or accessing one another?

Workgroups don't provide any type of security or access control. A
computer in any workgroup can access a computer in any other workgroup
on the same physical network.

The simplest solution is to get two more broadband routers to set up
independent and isolated physical networks that share a common
Internet connection:

1. Connect the Workgroup A computers to the first new router.
2. Connect the Workgroup B computes to the second new router.
3. Connect the WAN (Internet) port of each new router to a LAN port of
the original router.

I use that setup at home. The first network is for my own computers.
The second network is for working on a customer's computer that might
have viruses and worms and needs to be isolated while using the
Internet.

Broadband routers usually have only four LAN ports, so you'll probably
need to get another hub or switch with at least 6 ports.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[johnsuth]

Please help solve this workgroup security problem…

My network consists of the following;
A small network with 2 separate workgroups, workgroup A and workgroup B,
both workgroups have 6 computers each, two of the 6 computers are Windows XP
Pro Ser. PK. 2, two are Windows XP Home Edition Ser. PK. 2, and the last 2
have Windows 2000 Ser. PK. 4.

THE IDEAL END RESULT - any computers in Workgroup A cannot access computers
in Workgroup B, and vise versa. Is this possible? Is it possible to isolate
the Workgroups from being able to access one another while sharing a
Broadband Connection through the router?

Computers and hardware are as follows;

1. DSL Modem
2. Linksys 4 port cable/DSL router model BEFSR4.
3. 12 port hub.
4. 9 Dell desktop PC’s and 1 Dell 9200 laptop.

Here is the current issue;
The entire C drive on all machines are Shared within their own Workgroup,
the current problem is that all machines in both Workgroups can see one
another…

How can I isolate the 2 Workgroups from seeing or accessing one another?

I have read about this in this group but not done it, so I don't know if it will help, but it is a zero cost option.

Assuming you are using NetBT protocol, use static IP addressing and assign the different workgroups to different sub nets. I am guessing that computers on different sub nets will not see each other. You could try a Google Advanced Group Search on microsoft.public.windowsxp.* for the string "subnet".

 

[Michael W. Ryder]

Please help solve this workgroup security problem…

My network consists of the following;
A small network with 2 separate workgroups, workgroup A and workgroup B,
both workgroups have 6 computers each, two of the 6 computers are Windows XP
Pro Ser. PK. 2, two are Windows XP Home Edition Ser. PK. 2, and the last 2
have Windows 2000 Ser. PK. 4.

THE IDEAL END RESULT - any computers in Workgroup A cannot access computers
in Workgroup B, and vise versa. Is this possible? Is it possible to isolate
the Workgroups from being able to access one another while sharing a
Broadband Connection through the router?

Computers and hardware are as follows;

1. DSL Modem
2. Linksys 4 port cable/DSL router model BEFSR4.
3. 12 port hub.
4. 9 Dell desktop PC’s and 1 Dell 9200 laptop.

Here is the current issue;
The entire C drive on all machines are Shared within their own Workgroup,
the current problem is that all machines in both Workgroups can see one
another…

How can I isolate the 2 Workgroups from seeing or accessing one another?

A simple and flexible option is to install a firewall such as ZoneAlarm
along with assigning each computer a fixed IP address. You can then
instruct the firewall which IP addresses can access the computer and
which are blocked.

 

[allan_grossman]

Two good suggestions here, Michael. I prefer Steve's daisychaining
router suggestion since if need be you can configure security features
on each router independently.

But - if you're looking for a zero cost option, setting static IPs and
using a tight subnet mask will also work - let's say for sake of
argument that you want to use the 192.168.1.* network for both
workgroups. We'll assume the router has the 192.168.1.1 address.

1. You can use addresses 192.168.1.2 through .127 for machines in
workgroup A.

2. You can use addresses 192.168.1.128 through .254 for machines in
workgroup B.

3. Set the gateway address to 192.168.1.1 on all machines.

4. Set the subnet mask on all machines to 255.255.255.128

Hope this helps -

 

[Guest]

Hi Steve,
Thanks so much for your reply, sounds like a winner...

2 Additional Questions:

1. Original routers IP address is 192.168.1.1, do the 2 new routers get
changed to say 192.168.1.2, and 192.168.1.3 so the don’t conflict with each
other.

2. Original router is doing DHCH, do the 2 new routers also do DHCH for
their own computers or must I disable the DCHP in new routers?

 

[Steve Winograd [MVP]]

Hi Steve,
Thanks so much for your reply, sounds like a winner...

2 Additional Questions:

1. Original routers IP address is 192.168.1.1, do the 2 new routers get
changed to say 192.168.1.2, and 192.168.1.3 so the don’t conflict with each
other.

2. Original router is doing DHCH, do the 2 new routers also do DHCH for
their own computers or must I disable the DCHP in new routers?

Kind Regards,
Mike

You're welcome, Mike. The new routers must use a different subnet
than the original one. For example, if the original uses 192.168.1.1,
change the new ones to 192.168.0.1 (subnet mask 255.255.255.0 on all).
Since the new routers are completely isolated from each other, it's OK
for them to have the same address.

All three routers should do DHCP. The original one assigns IP
addresses to the WAN (Internet) ports of the new routers. The new
routers do DHCP for their own computers.

An advantage of this setup is that you don't have to change settings
on any of the computers.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Guest]

Two good suggestions here, Michael. I prefer Steve's daisychaining
router suggestion since if need be you can configure security features
on each router independently.

But - if you're looking for a zero cost option, setting static IPs and
using a tight subnet mask will also work - let's say for sake of
argument that you want to use the 192.168.1.* network for both
workgroups. We'll assume the router has the 192.168.1.1 address.

1. You can use addresses 192.168.1.2 through .127 for machines in
workgroup A.

2. You can use addresses 192.168.1.128 through .254 for machines in
workgroup B.

3. Set the gateway address to 192.168.1.1 on all machines.

4. Set the subnet mask on all machines to 255.255.255.128

Hope this helps -

If this is the case, let's assume that there is only one printer and which
is attaching to a PC in workgroup A, is it possible to allow the PCs in
workgroup B to reach it?

 

[Guest]

Two good suggestions here, Michael. I prefer Steve's daisychaining
router suggestion since if need be you can configure security features
on each router independently.

But - if you're looking for a zero cost option, setting static IPs and
using a tight subnet mask will also work - let's say for sake of
argument that you want to use the 192.168.1.* network for both
workgroups. We'll assume the router has the 192.168.1.1 address.

1. You can use addresses 192.168.1.2 through .127 for machines in
workgroup A.

2. You can use addresses 192.168.1.128 through .254 for machines in
workgroup B.

3. Set the gateway address to 192.168.1.1 on all machines.

4. Set the subnet mask on all machines to 255.255.255.128

Hope this helps -

If the above zero cost option is used, and let's also assume that there is
only one printer that is attached to a PC in workgoup A. Is it possible to
reach it from PCs in workgroup B?

 

[Guest]

Thanks again, this was of great help...