XP Logons and security issues

[Guest]

Hello everyone,

One of our new clients has various XP Professional, XP Home and Windows 98
PCs. They are all on a workgroup. They access the internet through a
broadband router which apparently has no firewall capability and each PC has
a static public ip address assigned. There are around 14 PCs in all.

There are numerous problems.

Some of the PCs can see all the other PCs when viewing workgroup connections
in 'my network places' and others cannot. Also, those PCs which can see
workgroup computers, when trying to access files on another PC, a
username/password box shows up. The username is greyed out with guest account
username.

Even some of the XP Professional PCs cannot view workgroup connections, yet
some can ping each other by ip address but not by name. Others can ping by
name and ip address.

Users log onto the PCs using the same username and a blank password, so an
account will be setup on each PC anyway.

They also get quite a few viruses as expected and windows messenger critical
alert messages popping up.

I wondered if the best option would be to install a fresh router with a
firewall, a firewall on each PC. Set each PC with private ip addresses and
ensure each PC is running the same O/S, preferably XP Professional.

Many thanks for al your help,
Jeff

 

[Robert Moir]

jeffuk123 wrote:
[snip]

I wondered if the best option would be to install a fresh router with
a firewall, a firewall on each PC. Set each PC with private ip
addresses and ensure each PC is running the same O/S, preferably XP
Professional.

That would be a good start.

As XP Pro has a limit of 10 peer to peer sharing connections (XP Home has
less) you might also consider if its time to suggest they get a server in,
to act as a central file store and the like. If financing a Windows based
server is an issue you can always push a "free" solution like Linux at them
to save the up front cost.

--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".

 

[Steven L Umbach]

Using only XP Pro for the workstations would greatly increase security and
yes a new router would be a good idea. Just look for one that says it has a
stateful firewall. If the budget allows I highly recommend a real firewall
like the Sonicwall TZ170 and you would want one that can accommodate 25 or
unlimited computers. Such a firewall can also do a great job of managing
outbound access to the internet to allow users to access only authorized
ports and also interface with affordable subscription based virus scan and
content filtering . Only one public IP would be needed which should lead to
savings. When considering the cost of such device and services take into
account potential productivity improvements for workers. If that is above
the budget and security needs the Netgear ProSafe line are pretty good.

http://www.sonicwall.com/products/tz170.html
http://www.sonicguard.com/TZ170.asp

For a classic NT type security yes you want each user to have their own user
account/password and it is best to enforce strong passwords. To do that you
would need to disable simple file sharing on each XP Pro computer so that
users authenticate to network shares as themselves and not guest. Depending
on the needs and budget you may also want to consider Small Business Server
2003 for the network which will make it much easier to manage user accounts
and enforce consistent settings on each computer as SBS 2003 would enable
the use of an Active Directory domain. To minimize risk of viruses and
spyware it is best if the users of the computers are not also local
administrators. The link below may be helpful. --- Steve

http://www.microsoft.com/smallbusiness/support/computer-security.mspx