A Windows 98 & ME forum. Win98banter


security in a peer to peer lan



 
 
  #1  
June 1st 06, 09:26 PM posted to comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.windows,microsoft.public.win98.networking,microsoft.public.windowsxp.security_admin
external usenet poster

I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the computer
lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We
thought that having distinct workgroups would be all that was needed to
keep, for example, computers in the classrooms from seeing and accessing
files on the office computers. But on the 98se machines, users can go into
Network Neighborhood, then click on Entire Network, and are able to see all
three workgroups, and can actually go in and open files on other workgroup's
computers. I know I can set a policy to remove Entire Network from each of
the 98 machines but what is the best answer to keep the three workgroups
entirely separate while still using the school's central router for DHCP?
File sharing is not enabled on the office computers, the machines of
greatest concern since they have financial and personnel files on them. The
office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael


  #3  
June 1st 06, 10:03 PM posted to microsoft.public.win98.networking
Richard G. Harper
External Usenet User
Posts: 396

You can't. Period. As long as all the workgroups and machines are in the
same address range and on the same router you cannot prevent one computer
from seeing or being able to access another.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"mdb" wrote in message
news:94Ifg.45382$As2.12482@trnddc02...
I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the
computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC).
We thought that having distinct workgroups would be all that was needed to
keep, for example, computers in the classrooms from seeing and accessing
files on the office computers. But on the 98se machines, users can go into
Network Neighborhood, then click on Entire Network, and are able to see all
three workgroups, and can actually go in and open files on other
workgroup's computers. I know I can set a policy to remove Entire Network
from each of the 98 machines but what is the best answer to keep the three
workgroups entirely separate while still using the school's central router
for DHCP? File sharing is not enabled on the office computers, the machines
of greatest concern since they have financial and personnel files on them.
The office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael



  #5  
June 1st 06, 10:28 PM posted to comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.windows,microsoft.public.win98.networking,microsoft.public.windowsxp.security_admin
Malke[_2_]
External Usenet User
Posts: 4

mdb wrote:

I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We
have a mix of 98se, 2k and XP machines with three distinct workgroups:
the computer lab (wkgpA), the school office (wkgpB) and the classrooms
(wkgpC). We thought that having distinct workgroups would be all that
was needed to keep, for example, computers in the classrooms from
seeing and accessing files on the office computers. But on the 98se
machines, users can go into Network Neighborhood, then click on Entire
Network, and are able to see all three workgroups, and can actually go
in and open files on other workgroup's computers. I know I can set a
policy to remove Entire Network from each of the 98 machines but what
is the best answer to keep the three workgroups entirely separate
while still using the school's central router for DHCP? File sharing
is not enabled on the office computers, the machines of greatest
concern since they have financial and personnel files on them. The
office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael


There is no security in using Workgroups. Workgroups are only an
organizational/cosmetic device. Computers running Microsoft operating
systems do not need to be in the same Workgroup to share resources.

You should be using a domain, at least for the Win2k/XP machines. For
that, you'll need to have a server.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

  #7  
June 2nd 06, 01:34 AM posted to comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.windows,microsoft.public.win98.networking,microsoft.public.windowsxp.security_admin
Shenan Stanley
External Usenet User
Posts: 6

mdb wrote:
I do some work at a medium sized school where they have a peer to
peer network. All machines are connected to a common router for
DHCP. We have a mix of 98se, 2k and XP machines with three distinct
workgroups: the computer lab (wkgpA), the school office (wkgpB) and
the classrooms (wkgpC). We thought that having distinct workgroups
would be all that was needed to keep, for example, computers in the
classrooms from seeing and accessing files on the office computers.
But on the 98se machines, users can go into Network Neighborhood,
then click on Entire Network, and are able to see all three
workgroups, and can actually go in and open files on other
workgroup's computers. I know I can set a policy to remove Entire
Network from each of the 98 machines but what is the best answer to
keep the three workgroups entirely separate while still using the
school's central router for DHCP? File sharing is not enabled on
the office computers, the machines of greatest concern since they
have financial and personnel files on them. The office machines are
all XP, and I believe they are all XP Pro.


For the XP machines - get them in a Windows Domain and get their internal
firewalls on and control that through group policies - as to who can see
what.

Windows 98 is the same (pretty much) as having no security - get rid of
these machines or upgrade them ASAP.

Workgroups are not meant as any sort of security. To be truthful - neither
are badly managed domains. It is pretty much true that any workgroup/domain
resource can be accessed whether or not the machine in question is in said
workgroup/domain as long as the user knows how to use the correct
credentials. With Windows 9x - even that may not be needed. heh

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #9  
June 2nd 06, 02:51 AM posted to comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.windows,microsoft.public.win98.networking,microsoft.public.windowsxp.security_admin
Steven L Umbach
external usenet poster
Posts: 3

As Malke advised workgroups are not security boundaries as they are strictly
for network browsing convenience. Having said that any sensitive files
should only be on computers running XP Pro with simple file sharing
disabled, the guest account disabled, and with folder/NTFS permissions to
allow only the users/groups that should have access to the file in the
permission list or XP Home computers with file and print sharing disabled if
it is not possible to use XP Pro. XP Pro computers can also have the user
right for access this computer from the network to be configured to allow
only authorized users/groups access from the network for computers that have
file and print sharing enabled. To manage user rights use Local Security
Policy. The Windows Firewall should also be enabled on the "office"
computers as an extra step to prevent access from unauthorized users or any
other computer needing such protection. Any computer with a share and using
XP Pro should have share permissions configured to only allow authorized
users to the share though that is not possible with XP Home because XP Home
authenticates all network users as guest. If you are using XP Home computers
where you need to limit user access to shares you need to upgrade those
computers to XP Pro or move the data in the shares to XP Pro computers with
simple file sharing disabled, with the guest account disabled, and
share/NTFS permissions configured appropriately. The links below will help
if you need further info on share and folder/NTFS permissions. --- Steve

http://support.microsoft.com/default...b;en-us;308418
http://www.mcmcse.com/microsoft/guid...missions.shtml

"mdb" wrote in message
news:94Ifg.45382$As2.12482@trnddc02...
I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the
computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC).
We thought that having distinct workgroups would be all that was needed to
keep, for example, computers in the classrooms from seeing and accessing
files on the office computers. But on the 98se machines, users can go into
Network Neighborhood, then click on Entire Network, and are able to see all
three workgroups, and can actually go in and open files on other
workgroup's computers. I know I can set a policy to remove Entire Network
from each of the 98 machines but what is the best answer to keep the three
workgroups entirely separate while still using the school's central router
for DHCP? File sharing is not enabled on the office computers, the machines
of greatest concern since they have financial and personnel files on them.
The office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael
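
The XP Pro steps listed in the reply above, as an added example that is not part of the original posts: a batch script for one "office" machine that applies them and then prints the resulting state for review. It assumes XP Pro SP2 (for `netsh firewall`), an NTFS data folder `D:\OfficeData` and a local group `OfficeStaff`; both names are made up for illustration.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator on XP Pro SP2.
rem ASSUMPTIONS (constructed names): DATA folder and GROUP below are placeholders.
set DATA=D:\OfficeData
set GROUP=OfficeStaff

if not exist "%DATA%" (
    echo Data folder %DATA% not found, nothing changed.
    exit /b 1
)

rem 1. Disable simple file sharing. With forceguest=1 every network logon is
rem    mapped to Guest, so per-user share/NTFS permissions cannot work.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest /t REG_DWORD /d 0 /f

rem 2. Disable the built-in Guest account.
net user guest /active:no

rem 3. Create the local group that is allowed to reach the data, if missing.
net localgroup %GROUP% >nul 2>&1 || net localgroup %GROUP% /add

rem 4. Replace (not edit) the folder ACL so only these principals remain.
rem    cacls asks for confirmation when replacing an ACL, hence "echo y|".
rem    F = full control, C = change (read/write).
echo y| cacls "%DATA%" /T /G Administrators:F SYSTEM:F %GROUP%:C

rem 5. Turn Windows Firewall on. File sharing is not enabled on the office
rem    machines, so also close the file and printer sharing exception.
netsh firewall set opmode mode=ENABLE
netsh firewall set service type=FILEANDPRINT mode=DISABLE

rem 6. The "Access this computer from the network" user right is set by hand
rem    in Local Security Policy (secpol.msc), as the reply says.

echo.
echo ===== Resulting state, review before leaving the machine =====
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest
net user guest | find "Account active"
cacls "%DATA%"
netsh firewall show state
```

On a machine that must keep a share, leave out the `FILEANDPRINT` line and restrict the share permissions to the same group instead.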



  #10  
June 2nd 06, 02:12 PM posted to comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.windows,microsoft.public.win98.networking,microsoft.public.windowsxp.security_admin
external usenet poster

Thanks for the quick and clear replies to my question about peer to peer lan
security, or the lack thereof. I understand that I can have some control
over the access to the XP Pro machines. But is there a workaround that will
take care of all machines, regardless of OS? Any such thing as a single
folder that can be either hidden or locked? Any third party software that
would provide the security needed?

Thanks.

Michael

"Steven L Umbach" wrote in message
. ..
As Malke advised workgroups are not security boundaries as they are
strictly for network browsing convenience. Having said that any sensitive
files should only be on computers running XP Pro with simple file sharing
disabled, the guest account disabled, and with folder/NTFS permissions to
allow only the users/groups that should have access to the file in the
permission list or XP Home computers with file and print sharing disabled
if it is not possible to use XP Pro. XP Pro computers can also have the
user right for access this computer from the network to be configured to
allow only authorized users/groups access from the network for computers
that have file and print sharing enabled. To manage user rights use Local
Security Policy. The Windows Firewall should also be enabled on the
"office" computers as an extra step to prevent access from unauthorized
users or any other computer needing such protection. Any computer with a
share and using XP Pro should have share permissions configured to only
allow authorized users to the share though that is not possible with XP
Home because XP Home authenticates all network users as guest. If you are
using XP Home computers where you need to limit user access to shares you
need to upgrade those computers to XP Pro or move the data in the shares
to XP Pro computers with simple file sharing disabled, with the guest
account disabled, and share/NTFS permissions configured appropriately.
The links below will help if you need further info on share and
folder/NTFS permissions.--- Steve

http://support.microsoft.com/default...b;en-us;308418
http://www.mcmcse.com/microsoft/guid...missions.shtml

"mdb" wrote in message
news:94Ifg.45382$As2.12482@trnddc02...
I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the
computer lab (wkgpA), the school office (wkgpB) and the classrooms
(wkgpC). We thought that having distinct workgroups would be all that was
needed to keep, for example, computers in the classrooms from seeing and
accessing files on the office computers. But on the 98se machines, users
can go into Network Neighborhood, then click on Entire Network, and are
able to see all three workgroups, and can actually go in and open files on
other workgroup's computers. I know I can set a policy to remove Entire
Network from each of the 98 machines but what is the best answer to keep
the three workgroups entirely separate while still using the school's
central router for DHCP? File sharing is not enabled on the office
computers, the machines of greatest concern since they have financial and
personnel files on them. The office machines are all XP, and I believe
they are all XP Pro.

Thanks.
Michael





 





All times are GMT +1.

