Securing your office and home network 101 - for dummies
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Securing your office and home network 101 - for dummies

  1. #1
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74

    Unhappy Securing your office and home network 101 - for dummies

    Hi All,

    Somehow I have lost sight of this but what the rules that should be applied when setting up workstations in a network environment for SOHO type environments. I have been so busy with bigger networks that I seem to have forgotten the fundamentals around securing your workstations, your LAN and your WAN...

    Help me out here ....oh ..and yeah yeah ...i know...i should not be asking this...it should be second nature....so go easy...
    .....I rather not say....

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Could you explain a bit more about the network? What are the needs? Do you need to share files, printers, etc? Are you using primarily Windows systems? If so, you will want a good antivirus, and maybe an alternative to the built in firewall. Anti-malware programs are a good idea as well. If you can provide more information about the nature of the network, we could probably give you more specific input.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  3. #3
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    nd yeah yeah ...i know...i should not be asking this
    Heh. Since you already wrote it I won't open with this.

    - Schedule antivirus/antispyware regularly.
    - Update definitions weekly (daily for bigger offices, but for SOHO...)
    - Configure your router to restrict access based on MAC addresses, especially if you are using a wireless network.
    - If using wireless, use WPA2 Enterprise if possible. WPA-PSK is okay but make sure your password is a non-dictionary word with upper/lower case letters, numbers, and at least one symbol. Do not use WEP.
    - Configure the router's firewall.
    - All your passwords should match the above requirements.
    - Ensure passwords are never written down or transmitted via any electronic means.
    - Buy a paper shredder. Use it.
    - If you have the means, you may want to set up a linux proxy server to filter all your traffic through. Perhaps one with several gigabit connections so as to limit how much it slows down traffic. (Most boards have one gigabit port and you can install several more PCI).
    - Lock this box down hard - use a Linux OS and configure IP tables to not respond to any outside connections. Only open the ports you actually need, only TCP *or* UDP unless you actually plan to use both, and configure windows of time for those to be open.

    Those are off the top of the head. The bigger guns will be along shortly to fill in the holes I left I'm sure. ;-)
    Last edited by keezel; February 8th, 2009 at 06:51 AM.

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Quote Originally Posted by keezel View Post
    Heh. Since you already wrote it I won't open with this.

    - Schedule antivirus/antispyware regularly.
    - Update definitions weekly (daily for bigger offices, but for SOHO...)
    - Configure your router to restrict access based on MAC addresses, especially if you are using a wireless network.
    - If using wireless, use WPA2 Enterprise if possible. WPA-PSK is okay but make sure your password is a non-dictionary word with upper/lower case letters, numbers, and at least one symbol. Do not use WEP.
    - Configure the router's firewall.
    - All your passwords should match the above requirements.
    - Ensure passwords are never written down or transmitted via any electronic means.
    - Buy a paper shredder. Use it.
    - If you have the means, you may want to set up a linux proxy server to filter all your traffic through. Perhaps one with several gigabit connections so as to limit how much it slows down traffic. (Most boards have one gigabit port and you can install several more PCI).
    - Lock this box down hard - use a Linux OS and configure IP tables to not respond to any outside connections. Only open the ports you actually need, only TCP *or* UDP unless you actually plan to use both, and configure windows of time for those to be open.

    Those are off the top of the head. The bigger guns will be along shortly to fill in the holes I left I'm sure. ;-)
    To add and talk about a few of these:

    The scans for virii and spyware should obviously be done during out of office hours to avoid production loss. Waiting for something to open for 15 minutes because to scanners are going isn't plausible really.

    Also, if you set the anti virii software to always look for a virii when things are opened or accessed, which is a simple process, you can skip the virus scans, as you can make Spyware scanners look at EVERY file, even archives, which you can change to have them check into those as well, and thus save yourself some time by only have the one app do a scan, and then if while it's scanning it happens to access a file to scan that is infected with a virus, the anti virus software will in itself pop up saying it found one.

    I do this sometimes because I don't like leaving a laptop on overnight and there are two of them here. Seems to work well, however I would recommend that once a week or so, you do an actual virii scan to make sure the spyware scanner is accessing every file to do it's scan, which just makes sure you're getting a full scan each time. That way you'll know if you can use this method or not. If the virus scan finds something that the other one left alone you'll know to run both at night instead of just one.

    Also, never install Windows Updates automatically. If a patch breaks an application, you should find that out before every machine in the office has installed it. Set up a test machine with all the software you'll be in charge of, and test Windows Updates on THAT BEFORE you install them on production machines.

    Once you have a new patch, be it a security update, or a bugfix, or a service pack, install it on your test machine, reboot, and then once Windows has started again, run EVERY application to make sure it doesn't break any of them, and test them out. Once you know it doesn't break any, update the other machines.

    If you install the update and once or more apps doesn't work anymore, make sure you didn't break the apps, and when you're sure, make sure you report it to MS so they can fix it. This prevents you from having an office full of machines that can't be worked with and losing a LOT of production.

    Oh, and, if someone is watching porn instead of working, talk to them about it and how porn sites sometimes contain malicious software built in. And once you back up the porn for "Analysis" you might want to keep images of each desktop around so if they screw it up you can just back the whole thing up from a network image and keep going.

    Stay away from Windows Media Player. Why anyone would use this at work when it itself needs security fixes, and why Microsoft would ship it with Server OSs is beyond me. Keep it out!

    I realise some places do allow people to listen to music while they work, and I think it's a nice thing to do too, but have them using something that doesn't need a reboot every time it's fixed, or at least something that isn't going to call for un-needed downtime.

  5. #5
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Oh, and, if someone is watching porn instead of working, talk to them about it and how porn sites sometimes contain malicious software built in.
    I'd be more worried about what office supplies a person like that may have wiped themself off with.

  6. #6
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Stay away from Windows Media Player. Why anyone would use this at work when it itself needs security fixes, and why Microsoft would ship it with Server OSs is beyond me. Keep it out!

    I realise some places do allow people to listen to music while they work, and I think it's a nice thing to do too, but have them using something that doesn't need a reboot every time it's fixed, or at least something that isn't going to call for un-needed downtime.
    It's not a service. It's a normal application...

    Not only do I doubt people are currently crafting mpeg/mp3 files to exploit this program but... you would gain absolutely no privileges whatsoever from it anyway.If this program is a high security risk then you outright fail at maintaining computers in general.

    And you make it sound as if it's included with the system updates. It's not. Meh... and it's not even something you would need to shutdown for.

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Quote Originally Posted by The-Spec View Post
    It's not a service. It's a normal application...

    Not only do I doubt people are currently crafting mpeg/mp3 files to exploit this program but... you would gain absolutely no privileges whatsoever from it anyway.If this program is a high security risk then you outright fail at maintaining computers in general.

    And you make it sound as if it's included with the system updates. It's not. Meh... and it's not even something you would need to shutdown for.
    Actually, if you try out Windows Server 2003 Enterprise Edition, this thing has a bunch of security updates. At first, I thought "OK, it's dumb that a server would need a media player but whatever, no harm". Then I did Windows Update and saw it had a couple patches, one of them, I'm not sure which one, said it was one of those LOVELY half assed worded "Just do this and you won't get your computer taken over by an attacker" ones they made incredible vague. How they would go about taking a machine over with a media player, don't care, but the chance makes it a pain in the ass.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I would add some things for the desktops:

    1. User authorities should be based on least privilege. They should have enough authority to do their jobs and no more. Definately no programs to be installed.

    2. No accessing private e-mail accounts.

    3. No accessing Facebook or other crap like that.

    4. No attaching of unauthorised equipment to either the desktop or the network.

    5. No USB stick or flash drives.

    6. Aim for a standardised build and create an ISO for it.

    7. Disable autorun.

    8. If you need to use external media then build a stand alone "sheep dip" with daily updated antimalware on it. All media must be scanned on this machine first.

    9. Try to establish a superuser with local admin rights if you cannot support locally or remotely. This person needs to know what they are doing and take full responsibility for their actions.

    10. Restrict internet access to those who actually need it, if any.

    11. Create an AUP and get all users to sign it, preferably every 3 months.

    12. Make sure that applications are secured in the same way. Trust me, the boss doesn't want the storekeeper looking at his salary.


  9. #9
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    Quote Originally Posted by nihil View Post
    I would add some things for the desktops:

    1. User authorities should be based on least privilege. They should have enough authority to do their jobs and no more. Definately no programs to be installed.

    2. No accessing private e-mail accounts.

    3. No accessing Facebook or other crap like that.

    4. No attaching of unauthorised equipment to either the desktop or the network.

    5. No USB stick or flash drives.

    6. Aim for a standardised build and create an ISO for it.

    7. Disable autorun.

    8. If you need to use external media then build a stand alone "sheep dip" with daily updated antimalware on it. All media must be scanned on this machine first.

    9. Try to establish a superuser with local admin rights if you cannot support locally or remotely. This person needs to know what they are doing and take full responsibility for their actions.

    10. Restrict internet access to those who actually need it, if any.

    11. Create an AUP and get all users to sign it, preferably every 3 months.

    12. Make sure that applications are secured in the same way. Trust me, the boss doesn't want the storekeeper looking at his salary.

    Not to detract, because these are solid points, but one or two seem a little stiff for a SOHO, no? I suppose it depends on the line of work.

  10. #10
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Quote Originally Posted by keezel View Post
    Not to detract, because these are solid points, but one or two seem a little stiff for a SOHO, no? I suppose it depends on the line of work.
    They aren't stiff. Facebook has a two fold problem:

    1. It's going to decrease productivity from people screwing around with friends instead of working. It may be fine during lunch but who really wouldn't do it when they wanted a "small break"?

    2. The number of Worms facebook seems to have going about almost make it OK to go "phishing" with Yay word play!

    As for auto run, that's more or less common sense really, I mean how else are people who don't know much about a computer going to realize that "Screw_My_Registry.mp3. - - - - -- .exe" isn't actually a song?

    anyway, for a home machine or small office with computer literate users, sure, they may not need to be baby sat as much, but not many offices seem to have users like that.

    My Mom works at a Medical institution. I get phone calls all the time from Her while She is at work because someone has screwed something up and "Well IT said they may not be up here to fix it for like 2 hours and we need it fixed now! How do we fix this?"....

    I should ask them to start paying me. I've saved them at least 40 hours worth of time fixing problems due to user errors....Like the one time my Mom called and said the Windows 98 machine She used at work was "screwed up"...

    I asked about it and She said "Well the screen is upside down!"...

    Apparently a Doctor put his briefcase on the keyboard, and all of a sudden the screen was upside down.

    I had a little fun by telling my Mom it was because the monitor was upside down but being that She is my MOM, She knew better and asked what to really do, and I told Her the key combo for flipping the Windows 98 screen.

    IT showed up 3 hours later to a fixed machine and they asked what happened and who fixed it and one of my Mom's co-workers told the guy "We got tired of waiting for you and called Her Son".

    Yea, I'm loved

Similar Threads

  1. Terrorism
    By Tedob1 in forum Cosmos
    Replies: 9
    Last Post: May 7th, 2006, 06:06 AM
  2. The history of the Mac line of Operating systems
    By gore in forum Operating Systems
    Replies: 3
    Last Post: March 7th, 2004, 08:02 AM
  3. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM
  4. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 08:38 PM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •