If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
security in a peer to peer lan
I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
#2
|
|||
|
|||
security in a peer to peer lan
You can't. Period. As long as all the workgroups and machines are in the
same address range and on the same router you cannot prevent one computer from seeing or being able to access another. -- Richard G. Harper [MVP Shell/User] * PLEASE post all messages and replies in the newsgroups * for the benefit of all. Private mail is usually not replied to. * My website, such as it is ... http://rgharper.mvps.org/ * HELP us help YOU ... http://www.dts-l.org/goodpost.htm "mdb" wrote in message news:94Ifg.45382$As2.12482@trnddc02... I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
#3
|
|||
|
|||
security in a peer to peer lan
You can't. Period. As long as all the workgroups and machines are in the
same address range and on the same router you cannot prevent one computer from seeing or being able to access another. -- Richard G. Harper [MVP Shell/User] * PLEASE post all messages and replies in the newsgroups * for the benefit of all. Private mail is usually not replied to. * My website, such as it is ... http://rgharper.mvps.org/ * HELP us help YOU ... http://www.dts-l.org/goodpost.htm "mdb" wrote in message news:94Ifg.45382$As2.12482@trnddc02... I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
#4
|
|||
|
|||
security in a peer to peer lan
mdb wrote:
I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael There is no security in using Workgroups. Workgroups are only an organizational/cosmetic device. Computers running Microsoft operating systems do not need to be in the same Workgroup to share resources. You should be using a domain, at least for the Win2k/XP machines. For that, you'll need to have a server. Malke -- Elephant Boy Computers www.elephantboycomputers.com "Don't Panic!" MS-MVP Windows - Shell/User |
#5
|
|||
|
|||
security in a peer to peer lan
mdb wrote:
I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael There is no security in using Workgroups. Workgroups are only an organizational/cosmetic device. Computers running Microsoft operating systems do not need to be in the same Workgroup to share resources. You should be using a domain, at least for the Win2k/XP machines. For that, you'll need to have a server. Malke -- Elephant Boy Computers www.elephantboycomputers.com "Don't Panic!" MS-MVP Windows - Shell/User |
#6
|
|||
|
|||
security in a peer to peer lan
mdb wrote:
I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. For the XP machines - get them in a Windows Domain and get their internal firewalls on and controll that through group policies - as to who can see what. Windows 98 is the same (pretty much) as having no security - get rid of these machines or upgrade them ASAP. Workgroups are not meant as any sort of security. To be truthful - neither are badly managed domains. It is pretty much true that any workgroup/domain resource can be access whether or not the machine in question is in said workgroup/domain as long as the user knows how to use the correct credentials. With Windows 9x - even that may not be needed. heh -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#7
|
|||
|
|||
security in a peer to peer lan
mdb wrote:
I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. For the XP machines - get them in a Windows Domain and get their internal firewalls on and controll that through group policies - as to who can see what. Windows 98 is the same (pretty much) as having no security - get rid of these machines or upgrade them ASAP. Workgroups are not meant as any sort of security. To be truthful - neither are badly managed domains. It is pretty much true that any workgroup/domain resource can be access whether or not the machine in question is in said workgroup/domain as long as the user knows how to use the correct credentials. With Windows 9x - even that may not be needed. heh -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#8
|
|||
|
|||
security in a peer to peer lan
As Malke advised workgroups are not security boundaries as they are strictly
for network browsing convenience. Having said that any sensitive files should only be on computers running XP Pro with simple file sharing disabled, the guest account disabled, and with folder/NTFS permissions to allow only the users/groups that should have access to the file in the permission list or XP Home computers with file and print sharing disabled if it is not possible to use XP Pro. XP Pro computers can also have the user right for access this computer from the network to be configured to allow only authorized users/groups access from the network for computers that have file and print sharing enabled. To manage user rights use Local Security Policy. The Windows Firewall should also be enabled on the "office" computers as an extra step to prevent access from unauthorized users or any other computer needing such protection. Any computer with a share and using XP Pro should have share permissions configured to only allow authorized users to the share though that is not possible with XP Home because XP Home authenticates all network users as guest. If you are using XP Home computers where you need to limit user access to shares you need to upgrade those computers to XP Pro or move the data in the shares to XP Pro computers with simple file sharing disabled, with the guest account disabled, and share/NTFS permissions configured appropriately. The links below will help if you need further info on share and folder/NTFS permissions.--- Steve http://support.microsoft.com/default...b;en-us;308418 http://www.mcmcse.com/microsoft/guid...missions.shtml "mdb" wrote in message news:94Ifg.45382$As2.12482@trnddc02... I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
#9
|
|||
|
|||
security in a peer to peer lan
As Malke advised workgroups are not security boundaries as they are strictly
for network browsing convenience. Having said that any sensitive files should only be on computers running XP Pro with simple file sharing disabled, the guest account disabled, and with folder/NTFS permissions to allow only the users/groups that should have access to the file in the permission list or XP Home computers with file and print sharing disabled if it is not possible to use XP Pro. XP Pro computers can also have the user right for access this computer from the network to be configured to allow only authorized users/groups access from the network for computers that have file and print sharing enabled. To manage user rights use Local Security Policy. The Windows Firewall should also be enabled on the "office" computers as an extra step to prevent access from unauthorized users or any other computer needing such protection. Any computer with a share and using XP Pro should have share permissions configured to only allow authorized users to the share though that is not possible with XP Home because XP Home authenticates all network users as guest. If you are using XP Home computers where you need to limit user access to shares you need to upgrade those computers to XP Pro or move the data in the shares to XP Pro computers with simple file sharing disabled, with the guest account disabled, and share/NTFS permissions configured appropriately. The links below will help if you need further info on share and folder/NTFS permissions.--- Steve http://support.microsoft.com/default...b;en-us;308418 http://www.mcmcse.com/microsoft/guid...missions.shtml "mdb" wrote in message news:94Ifg.45382$As2.12482@trnddc02... I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
#10
|
|||
|
|||
security in a peer to peer lan
Thanks for the quick and clear replies to my question about peer to peer lan
security, or the lack thereof. I understand that I can have some control over the access to the XP Pro machines. But is there a workaround that will take care of all machines, regardless of OS? Any such thing as a single folder that can be either hidden or locked? Any third party software that would provide the security needed? Thanks. Michael "Steven L Umbach" wrote in message . .. As Malke advised workgroups are not security boundaries as they are strictly for network browsing convenience. Having said that any sensitive files should only be on computers running XP Pro with simple file sharing disabled, the guest account disabled, and with folder/NTFS permissions to allow only the users/groups that should have access to the file in the permission list or XP Home computers with file and print sharing disabled if it is not possible to use XP Pro. XP Pro computers can also have the user right for access this computer from the network to be configured to allow only authorized users/groups access from the network for computers that have file and print sharing enabled. To manage user rights use Local Security Policy. The Windows Firewall should also be enabled on the "office" computers as an extra step to prevent access from unauthorized users or any other computer needing such protection. Any computer with a share and using XP Pro should have share permissions configured to only allow authorized users to the share though that is not possible with XP Home because XP Home authenticates all network users as guest. If you are using XP Home computers where you need to limit user access to shares you need to upgrade those computers to XP Pro or move the data in the shares to XP Pro computers with simple file sharing disabled, with the guest account disabled, and share/NTFS permissions configured appropriately. The links below will help if you need further info on share and folder/NTFS permissions.--- Steve http://support.microsoft.com/default...b;en-us;308418 http://www.mcmcse.com/microsoft/guid...missions.shtml "mdb" wrote in message news:94Ifg.45382$As2.12482@trnddc02... I do some work at a medium sized school where they have a peer to peer network. All machines are connected to a common router for DHCP. We have a mix of 98se, 2k and XP machines with three distinct workgroups: the computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We thought that having distinct workgroups would be all that was needed to keep, for example, computers in the classrooms from seeing and accessing files on the office computers. But on the 98se machines, users can go into Network Neighborhood, then click on Entire Network, and are able to see all three workgroups, and can actually go in and open files on other workgroup's computers. I know I can set a policy to remove Entire Network from each of the 98 machines but what is the best answer to keep the three workgroups entirely separate while still using the school's central router for DHCP? File sharing is not enabled on the office computers, the machines of greatest concern since they have financial and personnel files on them. The office machines are all XP, and I believe they are all XP Pro. Thanks. Michael |
|
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Wiindows Updates -- Part 1, Win98 Gold | Gary S. Terhune | General | 74 | March 23rd 06 07:53 AM |
823559: Security Update for Microsoft Windows Why is it such a repetitive critical uopdate | DOSrelic | General | 2 | October 12th 05 11:16 PM |
FYI: Security Problems Plague XP SP2 via Symantec/McAfee | Dan | General | 36 | February 27th 05 06:31 PM |
Microsoft Security Bulletin MS04-018 - Cumulative Security Update for Outlook Express (823353) | PA Bear | General | 5 | July 15th 04 05:49 AM |