Security Issues

0725424183 · 05-13-2008, 06:06 AM

In a network there are about 65 users.All with ip addresses ranging from 192.168.0.2 and upwards. dsl router ( 192.168.0.2) and win2003 server (192.168.0.100). there are 3 diffferent workgroups. I need to share files and folders on the server and from other p.c.'s .
QUESTION: HOW CAN I PREVENT THE OTHER USERS ON THE NETWORK FROM ACCESSING THESE FILES AND FROM PINGING THESE COMPUTERS ALTHOUGH THE RIGHTS HAVE BEEN SET ON THE SERVER?

Slapshot · 05-13-2008, 01:18 PM

Encrypt the files?
As for the pinging, if the computers are networked, their in your local intranet so that would be hard to do. Actually, I don't think pinging can be prevented at all, whether their in your local intranet or not.

johnwill · 05-13-2008, 03:22 PM

You can install a firewall on the computer in question and disable ICMP (ping) requests. Also, if you disable file/print sharing, other computers will not be able to access the files on that machine.

lensman3 · 05-17-2008, 11:44 AM

You can also break the networks into 3 network ranges: say 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24. Each of the subnets would use the exactly the same wire and computers on the same network IP number could and would only see others on their network. This filtering takes place in the network card diver or if you have a really smart network card in the hardware. Other network packets just aren't passed up the TCP/IP stack.

The problem comes with the server. You will have to configure the server to have multiple subnets on the same card. I know that Linux can do this and I'm sure the M$ can do it is well. I have not done this with M$, but have done it with Linux. The cards get a network ID of eth0:1, eth0:2 and so on. You could have the server forward packets from one network to another (and you would have to do something like this to get computers to get to the Internet). I call the multi-homed network cards, but I don't know if this is the correct term.

You could also do this by putting 3 network cards (more expensive) in your server and give each card its own subnet number 192.162.1.x, 192.168.3.x, etc. Any switch or hub will work because they just forward NIC numbers and not IP numbers.

Tekmazter · 05-22-2008, 05:37 PM

I would definitely take a look at johnwill's solution here.

Also today you can find so many decent appliance firewalls for very short money that it makes it a no brainer to spend a few hundred dollars and drop something inline. Does your router have any sort of ability to do ACL's? You could limit ICMP there too. Think control points. You could even nail up a Linux box with IP tables for a firewall and then do routing across that.

05-13-2008, 06:06 AM	#1 (permalink)
0725424183 Registered User Join Date: May 2008 Posts: 1 OS: WIN XP SP2	Security Issues In a network there are about 65 users.All with ip addresses ranging from 192.168.0.2 and upwards. dsl router ( 192.168.0.2) and win2003 server (192.168.0.100). there are 3 diffferent workgroups. I need to share files and folders on the server and from other p.c.'s . QUESTION: HOW CAN I PREVENT THE OTHER USERS ON THE NETWORK FROM ACCESSING THESE FILES AND FROM PINGING THESE COMPUTERS ALTHOUGH THE RIGHTS HAVE BEEN SET ON THE SERVER?

05-13-2008, 01:18 PM	#2 (permalink)
Slapshot Registered User Join Date: Feb 2008 Posts: 185 OS: Vista	Re: Security Issues Encrypt the files? As for the pinging, if the computers are networked, their in your local intranet so that would be hard to do. Actually, I don't think pinging can be prevented at all, whether their in your local intranet or not.

05-13-2008, 03:22 PM	#3 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 30,050 OS: XP-Pro, Vista, Linux Blog Entries: 1	Re: Security Issues You can install a firewall on the computer in question and disable ICMP (ping) requests. Also, if you disable file/print sharing, other computers will not be able to access the files on that machine. __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

05-17-2008, 11:44 AM	#4 (permalink)
lensman3 Registered User Join Date: Oct 2007 Location: Littleton, Colorado USA Posts: 389 OS: xp 64 sp2 Fedora Core 8 (vmware xp core 8 x32) Minix	Re: Security Issues You can also break the networks into 3 network ranges: say 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24. Each of the subnets would use the exactly the same wire and computers on the same network IP number could and would only see others on their network. This filtering takes place in the network card diver or if you have a really smart network card in the hardware. Other network packets just aren't passed up the TCP/IP stack. The problem comes with the server. You will have to configure the server to have multiple subnets on the same card. I know that Linux can do this and I'm sure the M$ can do it is well. I have not done this with M$, but have done it with Linux. The cards get a network ID of eth0:1, eth0:2 and so on. You could have the server forward packets from one network to another (and you would have to do something like this to get computers to get to the Internet). I call the multi-homed network cards, but I don't know if this is the correct term. You could also do this by putting 3 network cards (more expensive) in your server and give each card its own subnet number 192.162.1.x, 192.168.3.x, etc. Any switch or hub will work because they just forward NIC numbers and not IP numbers.

05-22-2008, 05:37 PM	#5 (permalink)
Tekmazter Registered User Join Date: May 2008 Posts: 95 OS: XP / 2K3 / RHE / HP-UX	Re: Security Issues I would definitely take a look at johnwill's solution here. Also today you can find so many decent appliance firewalls for very short money that it makes it a no brainer to spend a few hundred dollars and drop something inline. Does your router have any sort of ability to do ACL's? You could limit ICMP there too. Think control points. You could even nail up a Linux box with IP tables for a firewall and then do routing across that.