help me secure my network pls!

jcmuse

Senior member
Sep 21, 2005
Hi...
I have an office network of about 11 computers. All are running Windows XP Home or Pro. I am using a Linksys BEFSX41 router w/ VPN functionality and a "firewall." We use the VPN combined with Windows Remote Desktop to work with programs containing sensitive data from various locations (mostly home). None of the computers are running a software firewall except the Windows SP2 one (don't know if it can be considered a firewall?). My main concern is someone accessing through the Remote Desktop service we have running on some machines. Do you think I should be concerned? What does someone need to log in to one of those machines... just username + PW, right? Since I only use the Remote Desktop service over VPN, can I limit it to only LAN connections? What software firewall/programs do you suggest I run, if any? Are Windows updates a must?
BTW, I don't use the "Firewall" function of the Linksys BEFSX41 because it seems to stop all Internet traffic. I guess NAT is still enabled though. I think the firewall is actually Stateful Packet Inspection (SPI)... don't know what it means... maybe someone can explain.
 

RebateMonger

Elite Member
Dec 24, 2005
The first thing I would worry about is password security. Microsoft has published some good articles on the topic.

Microsoft TechNet articles on passwords and passphrases.

Make all passwords LONG (at least 15 characters). It's much easier to break passwords than to break VPN or RDP encryption.

Second, be concerned about the fact that, by using a VPN with no other security controls, you are putting home computers directly on your Office network. Home computers are sources of all kinds of viruses, spyware, trojans, and worms. When a remote computer ONLY uses Remote Desktop, it isolates the remote computer from the office computer. But a VPN is just like bringing that home computer (that somebody's kid just used to surf the 'Net) and hooking it right up in your office.

Computers that are used from home to VPN into an office network should generally be owned and controlled by the Company. They shouldn't be used by anyone but employees. They should be kept updated with Security Updates and Antivirus updates, and it'd be best if the users had only "User" rights and no Local Administrator rights. That way, they can't install most programs on those PCs.
 

blemoine

Senior member
Jul 20, 2005
Where to begin? A few questions:

1. How secure do you want your network?
2. How much are you willing to spend?
3. Do you want to do it right?


1st, you should have all workstations running Windows XP Pro. If you have a file server running Server 2003, great; promote it to a domain controller. If you don't have one, then get one. Join your clients to the domain so you can secure them with Group Policy, and at least you have all your workstations on the same page. Everyone should only have "user rights" unless they run software that absolutely has to have admin rights.

2nd, think about getting a hardware firewall like IPCop. It's free and Linux-based. You can keep an eye on Internet surfing and who is connecting via VPN.

This is a starting point. Good luck.
 

jcmuse

Senior member
Sep 21, 2005
Thanks. PWs are a problem... a lot of them now are weak, but unfortunately, the people that work on these computers are not very computer savvy, and use passwords like Doe99. I have tried to implement some other PWs, but it ends up being a mess because they can't manage to remember them. I didn't realize you could make a phrase... maybe I'll try that instead... may be easier to remember + more secure. The server I have running now has XP Pro, and shares are restricted with NTFS permissions. I don't think I can afford SBS or anything like that, so I will have to do with what I have.
VPN users are computers managed by me... so I don't think it is much of a problem... at least not any more than the rest.

I will look into IPCop, thanks.

Any other suggestions?
 

Atheus

Diamond Member
Jun 7, 2005
You _really_ should run XP SP2 on all machines. If you had a server you could have employees keep all important data on network drives; this way you know exactly who's accessing it, and you only have to worry about one machine.

Samba (for linux, in case you didn't know) can be a domain server, so you might want to consider that. Easy on the system requirements too.

In my opinion a good password written down somewhere safe is better than a rubbish password remembered. Consider generating some 10 character alphanumeric strings and let people pick one. Tell them to only write it down _once_ and keep it somewhere out of sight until they can remember it.

Linux firewalls are good, including IPCop.

 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: jcmuse
Thanks. PWs are a problem... a lot of them now are weak, but unfortunately, the people that work on these computers are not very computer savvy, and use passwords like Doe99. I have tried to implement some other PWs, but it ends up being a mess because they can't manage to remember them. I didn't realize you could make a phrase... maybe I'll try that instead... may be easier to remember + more secure.
With Windows 2000 and XP, pass phrases work great. They are SO easy to remember, and with a bit of thought, are quite secure. Current password guessing and cracking techniques are not equipped to handle 20-character pass phrases.

On the other hand, with passwords like Doe99, a dictionary attack will get half your user passwords in two minutes or less. I wouldn't worry about your encryption technology when you are using Doe99 as a password.

BTW, Small Business Server 2003 may not be as expensive as you might think. The actual Server and software, complete with a RAID 1 array for extra data protection, can be purchased for less than $1000. You can use inexpensive USB hard drives for backup. (You need these anyway, unless you don't care if your company's data gets lost next time a single hard drive fails.)

A single SBS Server solves a LOT of common business communication, information sharing, contact sharing, email, security, SPAM, virus, and backup problems in a single pass. Companies often report a payback period of only a few months. It makes managing your XP Professional client computers MUCH easier, since you modify all of them with a single setting on the computer. And did I mention Remote Web workplace, giving users and bosses web access to every computer in the office automatically?
 
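An added example, not part of the thread, of the point made in this post and in the earlier advice to make every password at least 15 characters: a dictionary attack that enumerates surname-plus-digits guesses recovers every Doe99-style password in well under a second, while the brute-force search space of a 20+ character passphrase is far out of reach. The account names, the passwords, the surname list, the use of unsalted SHA-256 in place of the LM/NTLM hashes Windows XP actually stores, and the guess rate of 1e9 per second are all constructed assumptions for the illustration.

```python
"""Added example (not from the thread): why 'Doe99'-style passwords fall to a
dictionary attack while a long passphrase does not.

Everything here is constructed for illustration: the user list, the passwords,
the (tiny) surname dictionary, and the use of SHA-256 instead of the LM/NTLM
hashes that Windows XP actually stores. The attack logic is the same either way."""
import hashlib
import itertools
import math
import time

# Constructed sample accounts. Two follow the surname+digits pattern the
# original poster describes; one is a 24-character passphrase.
_SAMPLE_PASSWORDS = {
    "jsmith": "Doe99",
    "mjones": "Smith07",
    "kwong": "my coffee is always cold",
}


def hash_password(pw: str) -> str:
    # Stand-in for the real Windows hash (assumption: unsalted SHA-256).
    return hashlib.sha256(pw.encode()).hexdigest()


# What a cracker works from: the dumped hashes, not the passwords.
SAMPLE_HASHES = {u: hash_password(p) for u, p in _SAMPLE_PASSWORDS.items()}

# A constructed, deliberately tiny surname list; a real wordlist has hundreds
# of thousands of entries and the same attack still finishes in minutes.
NAME_DICTIONARY = ["doe", "smith", "jones", "brown", "wong", "garcia"]


def candidate_passwords():
    """Yield surname+digits guesses: doe, Doe, DOE, Doe0 ... Doe9999, ..."""
    for name in NAME_DICTIONARY:
        for variant in (name, name.capitalize(), name.upper()):
            yield variant
            for ndigits in range(1, 5):
                for digits in itertools.product("0123456789", repeat=ndigits):
                    yield variant + "".join(digits)


def dictionary_attack(hashes: dict) -> dict:
    """Return {user: recovered_password} for every hash a candidate matches."""
    wanted = {h: u for u, h in hashes.items()}   # hash -> user
    found = {}
    for cand in candidate_passwords():
        h = hash_password(cand)
        if h in wanted:
            found[wanted[h]] = cand
            if len(found) == len(wanted):
                break
    return found


def passphrase_keyspace_bits(length: int, alphabet_size: int = 27) -> float:
    """log2 of the brute-force search space for a passphrase of `length`
    symbols drawn from lowercase letters plus space (27 symbols, a pessimistic
    alphabet that ignores capitals, digits and punctuation)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected years to search half the keyspace at an assumed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    t0 = time.perf_counter()
    cracked = dictionary_attack(SAMPLE_HASHES)
    elapsed = time.perf_counter() - t0
    print(f"cracked {len(cracked)}/{len(SAMPLE_HASHES)} in {elapsed:.2f}s: {cracked}")
    bits = passphrase_keyspace_bits(len(_SAMPLE_PASSWORDS["kwong"]))
    print(f"passphrase keyspace ~2^{bits:.0f}; "
          f"~{years_to_brute_force(bits):.1e} years at 1e9 guesses/s")
```

The attack is bounded by the size of the wordlist, not by the hash function, and the real LM hash is weaker than the stand-in used here (unsalted, case-insensitive, split into two 7-character halves), so the short passwords fall at least as fast in practice. The passphrase figure is a brute-force bound; a wordlist of well-known phrases and quotations is much cheaper to try, so the phrase should be something the user made up rather than a song title or proverb.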

thriemus

Senior member
Mar 2, 2005
This is where I shout in with Linux!

Install it onto your slowest computer, give it RAID if you can, and hey presto, a cheap secure server that very few can interfere with.

Even a novice can jump into that very quickly these days and configure it easily to act as a domain controller. Remote management can be easily achieved using the lovely VNC protocol (my favourite VNC client: http://ultravnc.sf.net). Read up on iptables, or use an easy-to-use, automagically updating version of SUSE Linux with an easy-to-configure firewall system by way of YaST2.

Linux is good, secure, easy to use these days and, most of all, on a tight budget: FREE.

Just my two bits.

Edit: PS, also bear in mind that Windows XP can only handle 10 connections at a time, so if you have more than that, connections get dropped. In other words, please spend the money on a server version.
With Linux that is not the case.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Originally posted by: jcmuse
I guess NAT is still enabled though. I think the firewall is actually Stateful Packet Inspection (SPI)... don't know what it means... maybe someone can explain.
NAT is the core of the firewall, and the router would not work without it. SPI is an augmentation for specific filtering.

This page might explain, http://www.ezlan.net/routers1.html

You did not explain what it is that you are worried about; if it is the Internet, then you should run a software firewall on each computer.

Why? See here, Basic Protection for Broadband Internet Installation.

If you are concerned about workers cracking office computers (given the size of the office), you might have a social problem that is more crucial than security technology.

In general, WinXP Pro SP2 provides better security and you should consider upgrading.

 
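An added example, not from the thread, that spells out what the stateful (SPI) part of the router does beyond NAT and how the original poster's question about limiting Remote Desktop to LAN/VPN connections maps onto a filter rule. It is a toy filter in Python, not the Linksys firmware or the Windows Firewall: the office subnet 192.168.1.0/24, the VPN client pool 192.168.2.0/24, the office PC at 192.168.1.10 and the packet list are all constructed for the illustration.

```python
"""Added example (not from the thread): a toy stateful packet filter showing
(1) what 'SPI' adds on top of NAT and (2) a rule that admits RDP (TCP 3389)
only from the office LAN and the VPN pool, never from the Internet.

Subnets, hosts and the traffic list below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed office subnet
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")  # assumed VPN client addresses
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection


class StatefulFilter:
    """Admit connections opened from the inside and their replies; admit a new
    inbound connection only when an explicit rule allows it."""

    def __init__(self):
        # Tracked connections as (client_ip, client_port, server_ip, server_port).
        self.table = set()

    def inbound_rule_allows(self, pkt: Packet) -> bool:
        """The only inbound exception: RDP from the LAN or the VPN pool."""
        src = ipaddress.ip_address(pkt.src)
        return pkt.dport == RDP_PORT and (src in LAN or src in VPN_POOL)

    def handle(self, pkt: Packet) -> str:
        """Return 'ALLOW' or 'DROP', updating the connection table."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW"              # belongs to a connection already seen
        if not pkt.syn:
            return "DROP"               # mid-stream packet with no state: spoofed
        if ipaddress.ip_address(pkt.src) in LAN:
            self.table.add(fwd)         # outbound from the office: remember it
            return "ALLOW"
        if self.inbound_rule_allows(pkt):
            self.table.add(fwd)         # inbound, but matched the RDP rule
            return "ALLOW"
        return "DROP"                   # unsolicited inbound connection


# Constructed traffic: an office PC browsing, a VPN client opening RDP and
# getting its reply, an Internet host probing RDP, and a forged 'reply'.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 80, syn=True),         # LAN -> web
    Packet("203.0.113.5", 80, "192.168.1.10", 51000),                   # web reply
    Packet("192.168.2.50", 52000, "192.168.1.10", RDP_PORT, syn=True),  # VPN -> RDP
    Packet("192.168.1.10", RDP_PORT, "192.168.2.50", 52000),            # RDP reply
    Packet("198.51.100.7", 40000, "192.168.1.10", RDP_PORT, syn=True),  # Internet -> RDP
    Packet("198.51.100.7", 80, "192.168.1.10", 51001),                  # unsolicited 'reply'
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the traffic through a fresh filter and return the verdicts in order."""
    fw = StatefulFilter()
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRAFFIC, run()):
        print(f"{verdict:5} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Two properties carry over to a real SPI firewall: a reply is admitted only for a connection the filter already saw leave the inside, so the forged reply in the sample is dropped even though plain NAT with a port-forward would pass it, and a new inbound connection needs an explicit rule, so port 3389 is reachable from the VPN pool but not from the Internet. The same restriction can also be applied on each XP SP2 host: the Remote Desktop exception in Windows Firewall has a Change scope option that can be limited to "My network (subnet) only" or to a custom address list, which is the LAN-only limit the original question asks about.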

blemoine

Senior member
Jul 20, 2005
I agree with JackMDS. With a small office your problem is going to be users giving each other their passwords because "they know them & are 100% sure they would never do anything wrong." You may want to think about getting "thumb print scanners" for your workstations. The cost would be about $100.00 per station.
 

jcmuse

Senior member
Sep 21, 2005
Awesome replies, thanks a lot. Yeah, all machines are running SP2. I have considered Linux solutions, but unfortunately, QuickBooks requires a Windows machine. To make it clear, I am more worried about hackers/the Internet than employees. I do keep all important data on the server, and it is limited to only a few computers that need access to it.
"A good password written down somewhere safe is better than a rubbish password remembered"... I think this makes a lot of sense. Maybe I will make a PW sheet and have that person keep it in their desk for reference. Like I said, I am not really worried about employees, but rather foreign attacks.
IPCop is attractive... I think I will try it at home first, just to get the feel for it.

"I wouldn't worry about your encryption technology when you are using Doe99 as a password." I guess you're right... although they're not as bad as Doe99 :p

For 1K, that seems like a really good deal, but I don't think we're looking to spend any money. I'm sure there are endless features that are really attractive (like contact sharing), but ATM it is not really necessary. Maybe in the future as we grow. Computers aren't really a big part of the business... they're mainly used for data entry. I tried VNC vs. Windows Remote Desktop (Terminal Services client) and I prefer the latter. It integrates much better w/ Windows and looks better (although a lot slower).

So what software firewall do you guys recommend? Hopefully something not too expensive (I doubt there are free business solutions?).
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: jcmuse
Like I said, I am not really worried about employees, but rather foreign attacks.
IPCop is attractive... I think I will try it at home first, just to get the feel for it.
Unfortunately, the reality is that MUCH more damage is caused by employees, either accidentally or intentionally, than is caused by outsiders. Common problems include employees accidentally deleting data and bringing viruses and worms into the network by email or web browsing. And, of course, there's the angry employee who is getting fired....