Securing your office and home network 101 - for dummies

[bradlesliect]

Hi All,

Somehow I have lost sight of this but what the rules that should be applied when setting up workstations in a network environment for SOHO type environments. I have been so busy with bigger networks that I seem to have forgotten the fundamentals around securing your workstations, your LAN and your WAN...

Help me out here ....oh ..and yeah yeah ...i know...i should not be asking this...it should be second nature....so go easy...

[westin]

Could you explain a bit more about the network? What are the needs? Do you need to share files, printers, etc? Are you using primarily Windows systems? If so, you will want a good antivirus, and maybe an alternative to the built in firewall. Anti-malware programs are a good idea as well. If you can provide more information about the nature of the network, we could probably give you more specific input.

[keezel]

nd yeah yeah ...i know...i should not be asking this

Heh. Since you already wrote it I won't open with this.

- Schedule antivirus/antispyware regularly.
- Update definitions weekly (daily for bigger offices, but for SOHO...)
- Configure your router to restrict access based on MAC addresses, especially if you are using a wireless network.
- If using wireless, use WPA2 Enterprise if possible. WPA-PSK is okay but make sure your password is a non-dictionary word with upper/lower case letters, numbers, and at least one symbol. Do not use WEP.
- Configure the router's firewall.
- All your passwords should match the above requirements.
- Ensure passwords are never written down or transmitted via any electronic means.
- Buy a paper shredder. Use it.
- If you have the means, you may want to set up a linux proxy server to filter all your traffic through. Perhaps one with several gigabit connections so as to limit how much it slows down traffic. (Most boards have one gigabit port and you can install several more PCI).
- Lock this box down hard - use a Linux OS and configure IP tables to not respond to any outside connections. Only open the ports you actually need, only TCP *or* UDP unless you actually plan to use both, and configure windows of time for those to be open.

Those are off the top of the head. The bigger guns will be along shortly to fill in the holes I left I'm sure. ;-)

[gore]

Heh. Since you already wrote it I won't open with this.

- Schedule antivirus/antispyware regularly.
- Update definitions weekly (daily for bigger offices, but for SOHO...)
- Configure your router to restrict access based on MAC addresses, especially if you are using a wireless network.
- If using wireless, use WPA2 Enterprise if possible. WPA-PSK is okay but make sure your password is a non-dictionary word with upper/lower case letters, numbers, and at least one symbol. Do not use WEP.
- Configure the router's firewall.
- All your passwords should match the above requirements.
- Ensure passwords are never written down or transmitted via any electronic means.
- Buy a paper shredder. Use it.
- If you have the means, you may want to set up a linux proxy server to filter all your traffic through. Perhaps one with several gigabit connections so as to limit how much it slows down traffic. (Most boards have one gigabit port and you can install several more PCI).
- Lock this box down hard - use a Linux OS and configure IP tables to not respond to any outside connections. Only open the ports you actually need, only TCP *or* UDP unless you actually plan to use both, and configure windows of time for those to be open.

Those are off the top of the head. The bigger guns will be along shortly to fill in the holes I left I'm sure. ;-)

To add and talk about a few of these:

The scans for virii and spyware should obviously be done during out of office hours to avoid production loss. Waiting for something to open for 15 minutes because to scanners are going isn't plausible really.

Also, if you set the anti virii software to always look for a virii when things are opened or accessed, which is a simple process, you can skip the virus scans, as you can make Spyware scanners look at EVERY file, even archives, which you can change to have them check into those as well, and thus save yourself some time by only have the one app do a scan, and then if while it's scanning it happens to access a file to scan that is infected with a virus, the anti virus software will in itself pop up saying it found one.

I do this sometimes because I don't like leaving a laptop on overnight and there are two of them here. Seems to work well, however I would recommend that once a week or so, you do an actual virii scan to make sure the spyware scanner is accessing every file to do it's scan, which just makes sure you're getting a full scan each time. That way you'll know if you can use this method or not. If the virus scan finds something that the other one left alone you'll know to run both at night instead of just one.

Also, never install Windows Updates automatically. If a patch breaks an application, you should find that out before every machine in the office has installed it. Set up a test machine with all the software you'll be in charge of, and test Windows Updates on THAT BEFORE you install them on production machines.

Once you have a new patch, be it a security update, or a bugfix, or a service pack, install it on your test machine, reboot, and then once Windows has started again, run EVERY application to make sure it doesn't break any of them, and test them out. Once you know it doesn't break any, update the other machines.

If you install the update and once or more apps doesn't work anymore, make sure you didn't break the apps, and when you're sure, make sure you report it to MS so they can fix it. This prevents you from having an office full of machines that can't be worked with and losing a LOT of production.

Oh, and, if someone is watching porn instead of working, talk to them about it and how porn sites sometimes contain malicious software built in. And once you back up the porn for "Analysis" you might want to keep images of each desktop around so if they screw it up you can just back the whole thing up from a network image and keep going.

Stay away from Windows Media Player. Why anyone would use this at work when it itself needs security fixes, and why Microsoft would ship it with Server OSs is beyond me. Keep it out!

I realise some places do allow people to listen to music while they work, and I think it's a nice thing to do too, but have them using something that doesn't need a reboot every time it's fixed, or at least something that isn't going to call for un-needed downtime.

[The-Spec]

Oh, and, if someone is watching porn instead of working, talk to them about it and how porn sites sometimes contain malicious software built in.

I'd be more worried about what office supplies a person like that may have wiped themself off with.

[The-Spec]

Stay away from Windows Media Player. Why anyone would use this at work when it itself needs security fixes, and why Microsoft would ship it with Server OSs is beyond me. Keep it out!

I realise some places do allow people to listen to music while they work, and I think it's a nice thing to do too, but have them using something that doesn't need a reboot every time it's fixed, or at least something that isn't going to call for un-needed downtime.

It's not a service. It's a normal application...

Not only do I doubt people are currently crafting mpeg/mp3 files to exploit this program but... you would gain absolutely no privileges whatsoever from it anyway.If this program is a high security risk then you outright fail at maintaining computers in general.

And you make it sound as if it's included with the system updates. It's not. Meh... and it's not even something you would need to shutdown for.

[gore]

It's not a service. It's a normal application...

Not only do I doubt people are currently crafting mpeg/mp3 files to exploit this program but... you would gain absolutely no privileges whatsoever from it anyway.If this program is a high security risk then you outright fail at maintaining computers in general.

And you make it sound as if it's included with the system updates. It's not. Meh... and it's not even something you would need to shutdown for.

Actually, if you try out Windows Server 2003 Enterprise Edition, this thing has a bunch of security updates. At first, I thought "OK, it's dumb that a server would need a media player but whatever, no harm". Then I did Windows Update and saw it had a couple patches, one of them, I'm not sure which one, said it was one of those LOVELY half assed worded "Just do this and you won't get your computer taken over by an attacker" ones they made incredible vague. How they would go about taking a machine over with a media player, don't care, but the chance makes it a pain in the ass.

[nihil]

I would add some things for the desktops:

1. User authorities should be based on least privilege. They should have enough authority to do their jobs and no more. Definately no programs to be installed.

2. No accessing private e-mail accounts.

3. No accessing Facebook or other crap like that.

4. No attaching of unauthorised equipment to either the desktop or the network.

5. No USB stick or flash drives.

6. Aim for a standardised build and create an ISO for it.

7. Disable autorun.

8. If you need to use external media then build a stand alone "sheep dip" with daily updated antimalware on it. All media must be scanned on this machine first.

9. Try to establish a superuser with local admin rights if you cannot support locally or remotely. This person needs to know what they are doing and take full responsibility for their actions.

10. Restrict internet access to those who actually need it, if any.

11. Create an AUP and get all users to sign it, preferably every 3 months.

12. Make sure that applications are secured in the same way. Trust me, the boss doesn't want the storekeeper looking at his salary.

[keezel]

I would add some things for the desktops:

1. User authorities should be based on least privilege. They should have enough authority to do their jobs and no more. Definately no programs to be installed.

2. No accessing private e-mail accounts.

3. No accessing Facebook or other crap like that.

4. No attaching of unauthorised equipment to either the desktop or the network.

5. No USB stick or flash drives.

6. Aim for a standardised build and create an ISO for it.

7. Disable autorun.

8. If you need to use external media then build a stand alone "sheep dip" with daily updated antimalware on it. All media must be scanned on this machine first.

9. Try to establish a superuser with local admin rights if you cannot support locally or remotely. This person needs to know what they are doing and take full responsibility for their actions.

10. Restrict internet access to those who actually need it, if any.

11. Create an AUP and get all users to sign it, preferably every 3 months.

12. Make sure that applications are secured in the same way. Trust me, the boss doesn't want the storekeeper looking at his salary.

Not to detract, because these are solid points, but one or two seem a little stiff for a SOHO, no? I suppose it depends on the line of work.

[gore]

Not to detract, because these are solid points, but one or two seem a little stiff for a SOHO, no? I suppose it depends on the line of work.

They aren't stiff. Facebook has a two fold problem:

1. It's going to decrease productivity from people screwing around with friends instead of working. It may be fine during lunch but who really wouldn't do it when they wanted a "small break"?

2. The number of Worms facebook seems to have going about almost make it OK to go "phishing" with Yay word play!

As for auto run, that's more or less common sense really, I mean how else are people who don't know much about a computer going to realize that "Screw_My_Registry.mp3. - - - - -- .exe" isn't actually a song?

anyway, for a home machine or small office with computer literate users, sure, they may not need to be baby sat as much, but not many offices seem to have users like that.

My Mom works at a Medical institution. I get phone calls all the time from Her while She is at work because someone has screwed something up and "Well IT said they may not be up here to fix it for like 2 hours and we need it fixed now! How do we fix this?"....

I should ask them to start paying me. I've saved them at least 40 hours worth of time fixing problems due to user errors....Like the one time my Mom called and said the Windows 98 machine She used at work was "screwed up"...

I asked about it and She said "Well the screen is upside down!"...

Apparently a Doctor put his briefcase on the keyboard, and all of a sudden the screen was upside down.

I had a little fun by telling my Mom it was because the monitor was upside down but being that She is my MOM, She knew better and asked what to really do, and I told Her the key combo for flipping the Windows 98 screen.

IT showed up 3 hours later to a fixed machine and they asked what happened and who fixed it and one of my Mom's co-workers told the guy "We got tired of waiting for you and called Her Son".

Yea, I'm loved