How to secure 3 computers on a "shared" network hub/switch?

I moved to a new floor in a new building.  All computers are physically connected to the same hub/switch, which also provides Internet access.

My 3 computers are in a workgroup called MSHOME.  Everything is working fine except, when I start windows explorer and navigate to
\My Network Places
\Entire Network
\Microsoft Windows Network
\MSHOME
I see the workgroup MSHOME.  However, there are 8 other computers in the same workgroup.  If I click on their computer name, I can see the contents of their computer.  These 5 computers belong to other business(es).

How can I secure my network of 3 computers?  I don't want other business(es) to be able to see the contents of my shared folders.

Thanks for your help.



jimdorman Asked:
 
hbustan Commented:
Connect the PCs to the switch and the router to the Internet and the switch.

The PCs should have a different IP range and their default gateway should be the Linksys router's LAN IP address.

For example.

Router's Internet IP can be 192.168.1.1 (Or whatever IP given by your building for Internet)
Router's LAN IP can be 192.168.2.1
PCs can be 192.168.2.2, 192.168.2.3, 192.168.2.4  (All with gateways 192.168.2.1)

0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Easiest way?  Buy a network switch and put ONLY your computers into it.  Of course, that doesn't stop someone else from plugging in.  You can try to create new users and get away from the XP "friendly" networking which provides virtually no security, but frankly, this can be difficult to get and keep working properly.  Best way though would be to go get yourself a server running Small Business Server 2003 R2.  That would get you away from the workgroup style networking and instead put you in a domain which has much greater security controls.
0
 
newborn1281 Commented:
I would assume you have NTFS partitions and not FAT; then you can protect your files by NTFS permissions, or when you share your folders you may protect them by using share permissions.
Check this article:
http://support.microsoft.com/kb/304040
0
 
DistinctiveIT Commented:
The easiest solution would be to install a basic network router (as opposed to a Switch) between your three computers and the rest of the network. This will segregate you into your own separate network. If this isn't a possibility, then I suggest you change your workgroup name, make sure each Microsoft firewall is enabled and disable File and Print sharing in the network properties of each PC. If you would like more details, let me know!
0
 
debuggerau Commented:
Sorry guys, but another network switch or router will not be effective protection.
He needs a firewall; a Cisco 501 4 port would be good for under a grand.
Disabling services works, but he may need them himself...
I would only allow internet traffic via the firewall and block all other ports...
port 80 and 443 should suffice for starters...


0
 
DistinctiveIT Commented:
debuggerau, A Cisco firewall would certainly do the job, but a basic router will easily provide the basic firewall features necessary.
0
 
dlp56 Commented:
What is your relationship to the other computers (other than being on the same floor)? If you do not have a need for the other computers to ever access your machines then you do need a firewall.

Depending on how you use the internet, you could get by with a home-class broadband router/firewall. Or your data may warrant an enterprise solution along the lines of a Cisco ASA or Sonicwall device. Do you need to host your own servers (email, web, etc.)?  Do you want remote access to your machines?

By spending some time and detailing how you want to use your internet access we can give you better recommendations.
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
debuggerau, he doesn't NEED a firewall... what he needs is a consultant to assess his situation and help him determine what level of protection is appropriate.  There's really too little information here to give anything more than basic recommendations.  
0
 
hbustan Commented:
You will need to separate your switch (Connecting all your computers together) from the Internet and have the Internet connect to a router or firewall or a gateway - then connect that to the switch.

On the firewall/router/gateway you will need to block all Internet traffic from accessing your internal network yet allow packets to return back for the connections you have opened from inside. In other words, if a user in one of the 3 computers accesses the Internet, then the responses should come back to him (not blocked); but a user from the Internet will not be able to open a connection to one of the 3 computers.

0
 
debuggerau Commented:
Ok guys, maybe you're right, he COULD just use a router and use access lists to port block, but that won't give him the peace of mind from intrusion detection, logging and activex/java filtering, plus VPN access to work if he liked.

But as long as he has a firewall configured in XP, it may be secure, assuming no one ever turns it off...

And leew, whatever.....

0
 
Fred Marshall (Principal) Commented:
It's a matter of deciding where the real threats are.

Presumably the "other company" or tenants or whatever do have a firewall between them and the internet.  That's worth investigating.

Then, a simple commodity router with NAT will do quite a bit to protect you.  Of course, you should test it from the WAN side trying to go back to the LAN side.  It won't stop you from seeing the other computers but it should stop them from seeing yours - assuming that private IP addresses won't be routed back from WAN to LAN which is usually the case.  Your IP addresses will change to a new private range.

So, if the current system is on 192.168.1.xxx then you might assign 192.168.2.xxx to the LAN side of the router.... something different in the 192.168.xxx.xxx range.
0
 
martin_babarik Commented:
Uaaaa omg!:-) My fellow experts, isn't your approach too technical given what a trivial problem we are discussing here?:-)
Jimdorman: make sure that you are using NTFS on your computers on all drives. If you find something like FAT32, simply convert the filesystem to NTFS using the following command:
convert c: /FS:NTFS
Don't worry, you're not going to lose any data, it will leave the data intact.
Once you have NTFS in place, go to properties of each drive, go to security tab, make sure that you don't have groups like Everyone or Guest in the list and give the appropriate permissions just to the owner of the system or administrator.
Also make your computers belong to a different workgroup, just create your own not using some default name.
Be careful about sharing the drives. Just go to command prompt and type in "net share", you will see what you are sharing on each computer. Disable what you really don't need.
And of course: being on another LAN segment is another brick in the wall of security. If you are familiar with networking, just modify the TCP/IP settings (if it's possible according to circumstances).
0
 
hbustan Commented:
Martin: although NTFS comes with nice security permissions, it does not stop brute-attack methods in discovering passwords with time. The best bet is not to have access whatsoever to these machines from the outside world in the first place.

Perhaps your suggestion can complement the other suggestions but as a solution, it has many holes.
0
 
martin_babarik Commented:
HBustan: I wouldn't dare to disagree with your opinion, you're definitely right. But frankly speaking - I wasn't assuming that we will talk about deploying HW firewalls, VPN gateways, multifactor authentication and all of that hi-tech stuff just because of 3 very benevolently installed workstations. I was thinking about some reasonable ratio between cost and security. There is always a way in and the only thing we can do as security specialists is to mitigate the risks and at the same time try to avoid "security by obscurity".
Maybe I just misunderstood the scenario, I thought it's just 3 not-so-important office machines, where the asker doesn't want the others to be able to access the files by simply clicking on a computer in network neighbourhood.
My intention was not to say "you're all lamers here and only I'm the enlightened one"...I was just wondering how deep did all of you get in that discussion, it just seemed inappropriate to me. Take my apology for that.
0
 
jimdorman (Author) Commented:
All 3 computers have NTFS.  All 3 have the ENTIRE (drive C) hard drive as shared.  Only 1 computer has a laser printer.  The other 2 computers print to the shared printer.  The IP address that we are assigned (by the common router) is something like 10.1.10.1.

The building owner said we could use our own hub (note he did not say router or switch).  That would be great as long as we could still get our "free" internet.

I don't think the other companies are aware that their security is poor (since I was able to see the contents of one of their hard disk drives).
0
 
jimdorman (Author) Commented:
We must have file and printer sharing enabled.  The Windows firewall is disabled.
0
 
jimdorman (Author) Commented:
In summary:  All three computers have to "see" each other and access each other's hard disk drive and share a printer.  All three computers have to go out to the internet.  I don't want any other company to access any of our hard drives (or shared printer).
0
 
jimdorman (Author) Commented:
Thanks for your help.
0
 
jimdorman (Author) Commented:
I have a generic 4 port hub/switch.  It's not programmable.  Would that work?  I also have a Linksys router WRT54G (that was used in the old office building).  It is programmable.  Would that work?

Note:  The building manager created 20 offices on this floor.  He bundles phone, network and Internet together and leases to many companies.  Since the companies (including mine) are running peer-to-peer networks, we see each other's workgroups and computers.
0
 
martin_babarik Commented:
1. Again - no problem with file sharing, but why the entire disk? Make one shared folder on each computer and if you have 3 users for these 3 workstations, create 3 user accounts for all 3 users on each machine.
2. Remove Everyone from share permissions and instead put here either the group Users or Authenticated Users or particular user accounts, like Jim, John, Sally. Give them the required permissions - read and possibly modify.
3. Go to the security tab of the particular folder, make sure there is no Everyone group, and put here the same as in share permissions.
4. Have the Windows firewall enabled, just configure the exception for file and printer sharing to be allowed.

Given the scenario I think this should be ok. If you are afraid of being attacked by a skilled hacker putting all his effort to break into these machines, the battle would be lost for you even before it starts. But for normal operation I don't see any problem.
Of course, if somebody uses a sniffer on the same network segment, he would be able to easily capture your SMB traffic, thus being able to break all the passwords.
Consider implementing IPSec on your three machines or configure the local policies on each of them to use stronger authentication than the old NTLM.
0
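The share audit suggested above ("net share", then stop sharing the entire disk), as an added example that is not part of the original thread: a small Python parser that reads `net share` output and flags non-administrative shares that expose a whole drive. The sample text is constructed to mirror the command's column layout, and the share names in it are hypothetical.

```python
import re

# Constructed sample laid out like `net share` output (not captured from a real PC).
# Share names "C", "Docs" and "Laser" are hypothetical.
ROWS = [
    ("C$", "C:\\", "Default share"),
    ("IPC$", "", "Remote IPC"),
    ("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    ("C", "C:\\", ""),
    ("Docs", "C:\\Shared\\Docs", ""),
    ("Laser", "LPT1:", "Spooled"),
]
SAMPLE = "\n".join(
    [f"{'Share name':<13}{'Resource':<32}Remark", "", "-" * 79]
    + [f"{name:<13}{res:<32}{remark}".rstrip() for name, res, remark in ROWS]
    + ["The command completed successfully."]
)

# A resource that is just a drive letter, e.g. "C:" or "C:\".
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_net_share(text):
    """Return [(share_name, resource)] using the header's column offsets.

    Assumes each share fits on one line (names short enough not to wrap).
    """
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[header].index("Resource")
    rem_col = lines[header].index("Remark")
    shares = []
    for line in lines[header + 1:]:
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or the dashed separator
        if line.startswith("The command"):
            break  # trailer line ends the table
        shares.append((line[:res_col].strip(), line[res_col:rem_col].strip()))
    return shares


def whole_drive_shares(text):
    """Shares created by a user that expose an entire drive.

    Names ending in '$' are the built-in administrative shares, which are
    limited to administrators, so they are not reported here.
    """
    return [
        (name, res)
        for name, res in parse_net_share(text)
        if not name.endswith("$") and DRIVE_ROOT.match(res)
    ]


if __name__ == "__main__":
    for name, res in whole_drive_shares(SAMPLE):
        print(f"share '{name}' exposes the whole drive {res}")
```
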
 
DistinctiveIT Commented:
jimdorman:  Yes, the Linksys router will work, the switch will not. Just use the Linksys router and you are good to go! (Make sure you configure it off of its defaults!)
0
 
hbustan Commented:
Also make sure your router has NAT enabled.
0
 
jimdorman (Author) Commented:
Ok, I'll give it a try.
0
 
debuggerau Commented:
I have no problem with a D-Link, Linksys etc. router providing NAT for your protection; it's minimalist and will provide no protection for your staff, or help them to avoid malicious content over the internet, and depending on their habits, may compromise your computers.
But it will make your PC's invisible to the other business when they look into the computer browser.
I normally don't comment if others have adequately answered the question, and I believe DistinctiveIT made the first correct reply, but I didn't see that one until posting...



0
 
jimdorman (Author) Commented:
The IT person supplied by the building management installed the Linksys router.  However, when I start Windows Explorer and click
\My Network Places
\Entire Network
\Microsoft Windows Network (I still see other workgroups from other companies)
\MSHOME
I see other computers in MSHOME, except my secretary's computer.  It's missing from the list.
Their network person will look into it tomorrow.

0
 
DistinctiveIT Commented:
I would assume the IT person installed the router incorrectly. Perhaps he connected the outside line into a regular LAN port instead of the WAN port. Only your three PCs should be connected to the LAN ports.
0
 
debuggerau Commented:
OMG, looks like those outsourced auto mechanics that took the computer power training course over the web are getting another call out fee, who said they weren't cunning..

0
 
debuggerau Commented:
Also, it might be worthwhile to just print out the IP config of the three PC's you have.
ipconfig /all at a command prompt will show you your IP addresses.

If it's something like 192.168.10.10 with a subnet of 255.255.255.0, then after the changes, that IP should change and also the default gateway too..
If they haven't done that, chances are you're on the same segment...
0
 
hbustan Commented:
I concur with debuggerau

But also check your router's LAN IP against the router's Internet IP as well

0
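The two checks suggested above (compare each PC's `ipconfig /all` values with the router's LAN side, and the router's LAN IP with its Internet-side IP), as an added Python example that is not part of the original thread. The PC addresses, masks and gateways are the ones posted in this thread; the router's WAN address 10.1.1.50 and the PC names are assumptions made for the example.

```python
import ipaddress


def check_plan(router_wan, router_lan, pcs):
    """Return a list of problems; an empty list means the PCs sit on their
    own segment behind the router.

    router_wan, router_lan: strings such as '10.1.1.50/24'
    pcs: dicts with 'name', 'ip', 'mask', 'gateway' as read from `ipconfig /all`
    """
    wan = ipaddress.ip_interface(router_wan)
    lan = ipaddress.ip_interface(router_lan)
    problems = []

    # The router cannot separate two sides that share one address range.
    if lan.network.overlaps(wan.network):
        problems.append(f"router LAN {lan.network} overlaps WAN {wan.network}")

    for pc in pcs:
        nic = ipaddress.ip_interface(f"{pc['ip']}/{pc['mask']}")
        if nic.ip in wan.network:
            problems.append(
                f"{pc['name']}: {nic.ip} is still on the building segment {wan.network}"
            )
        elif nic.network != lan.network:
            problems.append(
                f"{pc['name']}: {nic.network} is not the router LAN {lan.network}"
            )
        if ipaddress.ip_address(pc["gateway"]) != lan.ip:
            problems.append(
                f"{pc['name']}: gateway {pc['gateway']} is not the router ({lan.ip})"
            )
    return problems


# Assumed router WAN address (not given in the thread) and the LAN address used later.
ROUTER_WAN = "10.1.1.50/24"
ROUTER_LAN = "10.1.2.1/24"

# Values as posted while other companies' PCs were still visible.
BEFORE = [
    {"name": f"pc{i}", "ip": ip, "mask": "255.255.255.0", "gateway": "10.1.1.1"}
    for i, ip in enumerate(["10.1.1.70", "10.1.1.71", "10.1.1.72"], start=1)
]
# Values as posted once the router handed out its own DHCP leases.
AFTER = [
    {"name": f"pc{i}", "ip": ip, "mask": "255.255.255.0", "gateway": "10.1.2.1"}
    for i, ip in enumerate(["10.1.2.100", "10.1.2.101", "10.1.2.102"], start=1)
]

if __name__ == "__main__":
    for label, pcs in (("before", BEFORE), ("after", AFTER)):
        issues = check_plan(ROUTER_WAN, ROUTER_LAN, pcs)
        print(label, "OK" if not issues else issues)
```
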
 
jimdorman (Author) Commented:
My IP address is 10.1.1.71, other pcs:  10.1.1.70 & 10.1.1.72
subnet mask is 255.255.255.0
Default gateway is 10.1.1.1

The DHCP Server is 10.44.0.1
The DNS Server is:
12.127.16.67
12.127.17.71
216.73.128.2
216.73.128.3
No Wins Server

I can still see other companies computers in the MSHome workgroup.

I told the building's IT person, that when I look at my "Microsoft Windows Network" in
Windows explorer, I should only see my 3 computers (that belong to my company)
and be able to browse the Internet.
0
 
debuggerau Commented:
Yes, well, I'd bet that the other computers don't have firewalls either.

If it's all working, you may want to block some ports so that your computers don't access the other unprotected PC's and get infected, block 139. 455, but that is completely optional...
0
 
hbustan Commented:
I assume your router is 10.1.1.1 and your Internet IP is not in the 10.1.1.x range

If this is the case then you should be fine; otherwise the configuration is incorrect
0
 
debuggerau Commented:
If you would like a quick and nasty test from the outside, the 'shields up' test from
http://www.grc.com/default.htm
0
 
DistinctiveIT Commented:
Just an FYI. You may want to check that your PC isn't automatically connecting to any unsecured wireless networks that are a part of the same building's network.
0
 
jimdorman (Author) Commented:
Even though I can still see other companies computers in the same workgroup (after my router/switch) was installed by the building IT person, she came by the office today.  She said, there was nothing more she could do.  She suggested we use passwords (whatever that means).  So I am going to try the solutions you guys mentioned above.  Here I goooooooooo ....
0
 
DistinctiveIT Commented:
Wow, what a useless IT person. Good luck!
0
 
jimdorman (Author) Commented:
I conducted an experiment.

Using the Linksys BEFSR81 router, this is what has happened:
I went to the Linksys web site to see about "connecting" two routers.
It gave two scenarios.

Hardware configuration:
Router 1 - 48 ports and Internet access
Router 2 - my router

Scenario 1:  Plug a RJ45 cable into a port in Router 1, and the other end of the cable into a port on Router 2.  I tested this.  But was able to see other companies computers.

Scenario 2:  Create a different LAN IP segment.  Change the local IP of router 2 to 192.168.2.1 and connect an RJ45 cable from a port on Router 1 to the WAN port of Router 2.
I tested this.  I did not see other companies computers on my network, plus I still had access to the Internet.  

Here is my question,
Since my real IP address is 10.1.1.71, all I should have to do is change the local IP address of Router 2 to 10.1.2.1.  This would put me on a different segment.
Enable DHCP on Router 2.  
Router 2 should assign:
Computer 1:  10.1.2.100
Computer 2:  10.1.2.101
Computer 3:  10.1.2.102
This should result in my computers being on their own network, and allow Internet Access.
Is that correct?



0
 
DistinctiveIT Commented:
Yes, that is correct. Just make sure you change the LAN side address (local) not the WAN side address of your router (router 2)
0
 
hbustan Commented:
Yes and also set the default gateways on the PCs to 10.1.2.1
0
 
jimdorman (Author) Commented:
Okay.  I will try that after 3 pm today (pacific time).
0
 
jimdorman (Author) Commented:
Here is the complete scenario I will implement this afternoon.
Does it appear to be correct?

My IP address currently 10.1.1.71, would change to 10.1.2.71
The subnet mask (255.255.255.0) would not change.

Default gateway, currently 10.1.1.1 (building router 1)
would become 10.1.2.1 (my personal router 2)

(then I would run a cable from a port on the building router 1
to the WAN port on my personal router 2).

The DHCP Server, currently 10.44.0.1 would change to 10.1.2.1

The DNS Server, currently:
12.127.16.67
12.127.17.71
216.73.128.2
216.73.128.3
would not change.
0
 
hbustan Commented:
Everything seems correct except for the DHCP server IP.

If the DHCP Service is coming from your personal router, then it is correct; but if the DHCP service is located on a separate machine then it should be something like 10.1.2.2 or any other available IP in your new segment.
0
 
jimdorman (Author) Commented:
It worked.  I changed the router's IP address to 10.1.2.1.  Enabled the DHCP Server.  My computer now has an IP address of 10.1.2.100 (the other two computers, 10.1.2.101 and 10.1.2.102).  All three computers also have access to the internet.

I ran Windows Explorer and checked the Microsoft Windows Network.  I am the only workgroup called MSHOME.  There are no other companies' computers nor workgroups appearing in the list.

I called the building IT lady and told her I am using subnet 10.1.2.x.  That she should not give that subnet address to anyone else.  She should not have anyone connect a cable to the open ports on my router.

I do have one question though.  When I changed the router's IP address to 10.1.2.1 and clicked save, it changed fine.  However, since I did not change the router's password (which is the default for Linksys), I was not able to go back in to change the password.

Prior to changing the router's IP address, I could type 192.168.1.1 and access the router.  Now, if I type 10.1.2.1, it says, page cannot be displayed.  Which means, I cannot access the router's menu to change the password.  Any solution for this?
0
 
hbustan Commented:
Great.

Since you are using NAT on your local router, the IT lady does not need to be concerned about your 10.1.2.x range as it will not be seen by the other router anyway.

Regarding not being able to access your router's new IP 10.1.2.1, that is strange. The only thing that comes to mind is perhaps you entered the wrong subnet mask when you changed its IP address. By default, the 10.x.x.x range would give a subnet mask of 255.0.0.0, you should change it to 255.255.255.0.

The router should be accessible similar to before with the same password as before.

Try pinging it.

0
 
jimdorman (Author) Commented:
I did not change the subnet mask.  I left it at 255.255.255.0
I only changed the router's ip address to 10.1.2.1
(unless the subnet mask changes by itself when I changed the router's ip address).
I'll check the subnet mask on Tuesday (Monday is a holiday).
0
 
hbustan Commented:
Also double-check the subnet mask on your PC (it should also be 255.255.255.0).

If this is the case then you should be able to ping 10.1.2.1 and if that works, you should be able to access the router through the web; unless, of course, you have restricted it on the router to be accessed only by a specific IP address (most likely your old IP address) - you will then need to change that to your new IP if that is the case.
0
 
jimdorman (Author) Commented:
And the Oscar goes to?  There are so many to thank.  All is working great now.  In Navy terminology: Bravo Zulu (Well Done).
0