security in a peer to peer lan

I do some work at a medium sized school where they have a peer to peer
network. All machines are connected to a common router for DHCP. We have a
mix of 98se, 2k and XP machines with three distinct workgroups: the computer
lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC). We
thought that having distinct workgroups would be all that was needed to
keep, for example, computers in the classrooms from seeing and accessing
files on the office computers. But on the 98se machines, users can go into
Network Neighborhood, then click on Entire Network, and are able to see all
three workgroups, and can actually go in and open files on other workgroup's
computers. I know I can set a policy to remove Entire Network from each of
the 98 machines but what is the best answer to keep the three workgroups
entirely separate while still using the school's central router for DHCP?
File sharing is not enabled on the office computers, the machines of
greatest concern since they have financial and personnel files on them. The
office machines are all XP, and I believe they are all XP Pro.

Thanks.
Michael

You can't. Period. As long as all the workgroups and machines are in the
same address range and on the same router you cannot prevent one computer
from seeing or being able to access another.

--
Richard G. Harper [MVP Shell/User] (E-Mail Removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"mdb" <(E-Mail Removed)> wrote in message
news:94Ifg.45382$As2.12482@trnddc02...
>I do some work at a medium sized school where they have a peer to peer
>network. All machines are connected to a common router for DHCP. We have a
>mix of 98se, 2k and XP machines with three distinct workgroups: the
>computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC).
>We thought that having distinct workgroups would be all that was needed to
>keep, for example, computers in the classrooms from seeing and accessing
>files on the office computers. But on the 98se machines, users can go into
>Network Neighborhood, then click on Entire Network, and are able to see all
>three workgroups, and can actually go in and open files on other
>workgroup's computers. I know I can set a policy to remove Entire Network
>from each of the 98 machines but what is the best answer to keep the three
>workgroups entirely separate while still using the school's central router
>for DHCP? File sharing is not enabled on the office computers, the machines
>of greatest concern since they have financial and personnel files on them.
>The office machines are all XP, and I believe they are all XP Pro.
>
> Thanks.
> Michael
>

mdb wrote:

> I do some work at a medium sized school where they have a peer to peer
> network. All machines are connected to a common router for DHCP. We
> have a mix of 98se, 2k and XP machines with three distinct workgroups:
> the computer lab (wkgpA), the school office (wkgpB) and the classrooms
> (wkgpC). We thought that having distinct workgroups would be all that
> was needed to keep, for example, computers in the classrooms from
> seeing and accessing files on the office computers. But on the 98se
> machines, users can go into Network Neighborhood, then click on Entire
> Network, and are able to see all three workgroups, and can actually go
> in and open files on other workgroup's computers. I know I can set a
> policy to remove Entire Network from each of the 98 machines but what
> is the best answer to keep the three workgroups entirely separate
> while still using the school's central router for DHCP? File sharing
> is not enabled on the office computers, the machines of greatest
> concern since they have financial and personnel files on them. The
> office machines are all XP, and I believe they are all XP Pro.
>
> Thanks.
> Michael

There is no security in using Workgroups. Workgroups are only an
organizational/cosmetic device. Computers running Microsoft operating
systems do not need to be in the same Workgroup to share resources.

You should be using a domain, at least for the Win2k/XP machines. For
that, you'll need to have a server.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

mdb wrote:
> I do some work at a medium sized school where they have a peer to
> peer network. All machines are connected to a common router for
> DHCP. We have a mix of 98se, 2k and XP machines with three distinct
> workgroups: the computer lab (wkgpA), the school office (wkgpB) and
> the classrooms (wkgpC). We thought that having distinct workgroups
> would be all that was needed to keep, for example, computers in the
> classrooms from seeing and accessing files on the office computers.
> But on the 98se machines, users can go into Network Neighborhood,
> then click on Entire Network, and are able to see all three
> workgroups, and can actually go in and open files on other
> workgroup's computers. I know I can set a policy to remove Entire
> Network from each of the 98 machines but what is the best answer to
> keep the three workgroups entirely separate while still using the
> school's central router for DHCP? File sharing is not enabled on
> the office computers, the machines of greatest concern since they
> have financial and personnel files on them. The office machines are
> all XP, and I believe they are all XP Pro.

For the XP machines - get them in a Windows Domain and get their internal
firewalls on and controll that through group policies - as to who can see
what.

Windows 98 is the same (pretty much) as having no security - get rid of
these machines or upgrade them ASAP.

Workgroups are not meant as any sort of security. To be truthful - neither
are badly managed domains. It is pretty much true that any workgroup/domain
resource can be access whether or not the machine in question is in said
workgroup/domain as long as the user knows how to use the correct
credentials. With Windows 9x <- even that may not be needed. heh

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

As Malke advised workgroups are not security boundaries as they are strictly
for network browsing convenience. Having said that any sensitive files
should only be on computers running XP Pro with simple file sharing
disabled, the guest account disabled, and with folder/NTFS permissions to
allow only the users/groups that should have access to the file in the
permission list or XP Home computers with file and print sharing disabled if
it is not possible to use XP Pro. XP Pro computers can also have the user
right for access this computer from the network to be configured to allow
only authorized users/groups access from the network for computers that have
file and print sharing enabled. To manage user rights use Local Security
Policy. The Windows Firewall should also be enabled on the "office"
computers as an extra step to prevent access from unauthorized users or any
other computer needing such protection. Any computer with a share and using
XP Pro should have share permissions configured to only allow authorized
users to the share though that is not possible with XP Home because XP Home
authenticates all network users as guest. If you are using XP Home computers
where you need to limit user access to shares you need to upgrade those
computers to XP Pro or move the data in the shares to XP Pro computers with
simple file sharing disabled, with the guest account disabled, and
share/NTFS permissions configured appropriately. The links below will help
if you need further info on share and folder/NTFS permissions.--- Steve

http://support.microsoft.com/default...b;en-us;308418
http://www.mcmcse.com/microsoft/guid...missions.shtml

"mdb" <(E-Mail Removed)> wrote in message
news:94Ifg.45382$As2.12482@trnddc02...
>I do some work at a medium sized school where they have a peer to peer
>network. All machines are connected to a common router for DHCP. We have a
>mix of 98se, 2k and XP machines with three distinct workgroups: the
>computer lab (wkgpA), the school office (wkgpB) and the classrooms (wkgpC).
>We thought that having distinct workgroups would be all that was needed to
>keep, for example, computers in the classrooms from seeing and accessing
>files on the office computers. But on the 98se machines, users can go into
>Network Neighborhood, then click on Entire Network, and are able to see all
>three workgroups, and can actually go in and open files on other
>workgroup's computers. I know I can set a policy to remove Entire Network
>from each of the 98 machines but what is the best answer to keep the three
>workgroups entirely separate while still using the school's central router
>for DHCP? File sharing is not enabled on the office computers, the machines
>of greatest concern since they have financial and personnel files on them.
>The office machines are all XP, and I believe they are all XP Pro.
>
> Thanks.
> Michael
>

Thanks for the quick and clear replies to my question about peer to peer lan
security, or the lack thereof. I understand that I can have some control
over the access to the XP Pro machines. But is there a workaround that will
take care of all machines, regardless of OS? Any such thing as a single
folder that can be either hidden or locked? Any third party software that
would provide the security needed?

Thanks.

Michael

"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). ..
> As Malke advised workgroups are not security boundaries as they are
> strictly for network browsing convenience. Having said that any sensitive
> files should only be on computers running XP Pro with simple file sharing
> disabled, the guest account disabled, and with folder/NTFS permissions to
> allow only the users/groups that should have access to the file in the
> permission list or XP Home computers with file and print sharing disabled
> if it is not possible to use XP Pro. XP Pro computers can also have the
> user right for access this computer from the network to be configured to
> allow only authorized users/groups access from the network for computers
> that have file and print sharing enabled. To manage user rights use Local
> Security Policy. The Windows Firewall should also be enabled on the
> "office" computers as an extra step to prevent access from unauthorized
> users or any other computer needing such protection. Any computer with a
> share and using XP Pro should have share permissions configured to only
> allow authorized users to the share though that is not possible with XP
> Home because XP Home authenticates all network users as guest. If you are
> using XP Home computers where you need to limit user access to shares you
> need to upgrade those computers to XP Pro or move the data in the shares
> to XP Pro computers with simple file sharing disabled, with the guest
> account disabled, and share/NTFS permissions configured appropriately.
> The links below will help if you need further info on share and
> folder/NTFS permissions.--- Steve
>
> http://support.microsoft.com/default...b;en-us;308418
> http://www.mcmcse.com/microsoft/guid...missions.shtml
>
> "mdb" <(E-Mail Removed)> wrote in message
> news:94Ifg.45382$As2.12482@trnddc02...
>>I do some work at a medium sized school where they have a peer to peer
>>network. All machines are connected to a common router for DHCP. We have a
>>mix of 98se, 2k and XP machines with three distinct workgroups: the
>>computer lab (wkgpA), the school office (wkgpB) and the classrooms
>>(wkgpC). We thought that having distinct workgroups would be all that was
>>needed to keep, for example, computers in the classrooms from seeing and
>>accessing files on the office computers. But on the 98se machines, users
>>can go into Network Neighborhood, then click on Entire Network, and are
>>able to see all three workgroups, and can actually go in and open files on
>>other workgroup's computers. I know I can set a policy to remove Entire
>>Network from each of the 98 machines but what is the best answer to keep
>>the three workgroups entirely separate while still using the school's
>>central router for DHCP? File sharing is not enabled on the office
>>computers, the machines of greatest concern since they have financial and
>>personnel files on them. The office machines are all XP, and I believe
>>they are all XP Pro.
>>
>> Thanks.
>> Michael
>>
>
>

Yes, install a server. It can be Linux, Windows, Solaris, anything, as long
as it is a server OS. Only share files and folders on the server. You will
never have a secure network using P2P and win9x or XP Home. XP Pro only
allows 10 connections and it sounds like you have more than 10 computers so
Pro is most likely out. You need a server. Linux is probably your cheapest
alternative but the learning curve can be steep.

--
Kerry
MS-MVP Windows - Shell/User

mdb wrote:
> Thanks for the quick and clear replies to my question about peer to
> peer lan security, or the lack thereof. I understand that I can have
> some control over the access to the XP Pro machines. But is there a
> workaround that will take care of all machines, regardless of OS? Any
> such thing as a single folder that can be either hidden or locked?
> Any third party software that would provide the security needed?
>
> Thanks.
>
> Michael
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). ..
>> As Malke advised workgroups are not security boundaries as they are
>> strictly for network browsing convenience. Having said that any
>> sensitive files should only be on computers running XP Pro with
>> simple file sharing disabled, the guest account disabled, and with
>> folder/NTFS permissions to allow only the users/groups that should
>> have access to the file in the permission list or XP Home computers
>> with file and print sharing disabled if it is not possible to use XP
>> Pro. XP Pro computers can also have the user right for access this
>> computer from the network to be configured to allow only authorized
>> users/groups access from the network for computers that have file
>> and print sharing enabled. To manage user rights use Local Security
>> Policy. The Windows Firewall should also be enabled on the "office"
>> computers as an extra step to prevent access from unauthorized users
>> or any other computer needing such protection. Any computer with a
>> share and using XP Pro should have share permissions configured to
>> only allow authorized users to the share though that is not possible
>> with XP Home because XP Home authenticates all network users as
>> guest. If you are using XP Home computers where you need to limit
>> user access to shares you need to upgrade those computers to XP Pro
>> or move the data in the shares to XP Pro computers with simple file
>> sharing disabled, with the guest account disabled, and share/NTFS
>> permissions configured appropriately. The links below will help if
>> you need further info on share and folder/NTFS permissions.--- Steve
>> http://support.microsoft.com/default...b;en-us;308418
>> http://www.mcmcse.com/microsoft/guid...missions.shtml
>>
>> "mdb" <(E-Mail Removed)> wrote in message
>> news:94Ifg.45382$As2.12482@trnddc02...
>>> I do some work at a medium sized school where they have a peer to
>>> peer network. All machines are connected to a common router for
>>> DHCP. We have a mix of 98se, 2k and XP machines with three distinct
>>> workgroups: the computer lab (wkgpA), the school office (wkgpB) and
>>> the classrooms (wkgpC). We thought that having distinct workgroups
>>> would be all that was needed to keep, for example, computers in the
>>> classrooms from seeing and accessing files on the office computers.
>>> But on the 98se machines, users can go into Network Neighborhood,
>>> then click on Entire Network, and are able to see all three
>>> workgroups, and can actually go in and open files on other
>>> workgroup's computers. I know I can set a policy to remove Entire
>>> Network from each of the 98 machines but what is the best answer to
>>> keep the three workgroups entirely separate while still using the
>>> school's central router for DHCP? File sharing is not enabled on
>>> the office computers, the machines of greatest concern since they
>>> have financial and personnel files on them. The office machines are
>>> all XP, and I believe they are all XP Pro. Thanks.
>>> Michael

There are third party programs that are able to password protect a folder
but I believe they are mostly for local logon users and not for shared
folders. In the long run IMHO the lowest total cost of ownership solution
would be to use XP Pro computers wherever security is a concern and evaluate
implementing an Active Directory domain that is using at least two Windows
2003 domain controllers. Windows 9X computers are inherently insecure and
were designed that way [ease of use being most important] and should not be
used to store any sensitive files in an environment where another
unauthorized user could easily access the computer. XP Home can provide a
measure of security for sensitive files if the NTFS file system is used and
folders that contain sensitive files are not shared or better yet the
computer does not have file and print sharing enabled. Keep in mind that the
data on any computer for any operating system can be obtained by a malicious
user if that user has full physical access to the computer unless the data
files are encrypted properly which is why servers in many organizations are
locked in rooms and/or cages or even in a bank type vault for servers such
as a Certificate Authority. The link below may be of help as a general guide
to securing a network and it's data.. --- Steve

http://www.microsoft.com/smallbusine...t/default.mspx

"mdb" <(E-Mail Removed)> wrote in message news:iPWfg.1$9f2.0@trnddc04...
> Thanks for the quick and clear replies to my question about peer to peer
> lan security, or the lack thereof. I understand that I can have some
> control over the access to the XP Pro machines. But is there a workaround
> that will take care of all machines, regardless of OS? Any such thing as a
> single folder that can be either hidden or locked? Any third party
> software that would provide the security needed?
>
> Thanks.
>
> Michael
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). ..
>> As Malke advised workgroups are not security boundaries as they are
>> strictly for network browsing convenience. Having said that any sensitive
>> files should only be on computers running XP Pro with simple file sharing
>> disabled, the guest account disabled, and with folder/NTFS permissions to
>> allow only the users/groups that should have access to the file in the
>> permission list or XP Home computers with file and print sharing disabled
>> if it is not possible to use XP Pro. XP Pro computers can also have the
>> user right for access this computer from the network to be configured to
>> allow only authorized users/groups access from the network for computers
>> that have file and print sharing enabled. To manage user rights use Local
>> Security Policy. The Windows Firewall should also be enabled on the
>> "office" computers as an extra step to prevent access from unauthorized
>> users or any other computer needing such protection. Any computer with a
>> share and using XP Pro should have share permissions configured to only
>> allow authorized users to the share though that is not possible with XP
>> Home because XP Home authenticates all network users as guest. If you are
>> using XP Home computers where you need to limit user access to shares you
>> need to upgrade those computers to XP Pro or move the data in the shares
>> to XP Pro computers with simple file sharing disabled, with the guest
>> account disabled, and share/NTFS permissions configured appropriately.
>> The links below will help if you need further info on share and
>> folder/NTFS permissions.--- Steve
>>
>> http://support.microsoft.com/default...b;en-us;308418
>> http://www.mcmcse.com/microsoft/guid...missions.shtml
>>
>> "mdb" <(E-Mail Removed)> wrote in message
>> news:94Ifg.45382$As2.12482@trnddc02...
>>>I do some work at a medium sized school where they have a peer to peer
>>>network. All machines are connected to a common router for DHCP. We have
>>>a mix of 98se, 2k and XP machines with three distinct workgroups: the
>>>computer lab (wkgpA), the school office (wkgpB) and the classrooms
>>>(wkgpC). We thought that having distinct workgroups would be all that was
>>>needed to keep, for example, computers in the classrooms from seeing and
>>>accessing files on the office computers. But on the 98se machines, users
>>>can go into Network Neighborhood, then click on Entire Network, and are
>>>able to see all three workgroups, and can actually go in and open files
>>>on other workgroup's computers. I know I can set a policy to remove
>>>Entire Network from each of the 98 machines but what is the best answer
>>>to keep the three workgroups entirely separate while still using the
>>>school's central router for DHCP? File sharing is not enabled on the
>>>office computers, the machines of greatest concern since they have
>>>financial and personnel files on them. The office machines are all XP,
>>>and I believe they are all XP Pro.
>>>
>>> Thanks.
>>> Michael
>>>
>>
>>
>
>

mdb wrote:
> Thanks for the quick and clear replies to my question about peer to peer lan
> security, or the lack thereof. I understand that I can have some control
> over the access to the XP Pro machines. But is there a workaround that will
> take care of all machines, regardless of OS? Any such thing as a single
> folder that can be either hidden or locked? Any third party software that
> would provide the security needed?
>
> Thanks.
>
> Michael
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). ..
>> As Malke advised workgroups are not security boundaries as they are
>> strictly for network browsing convenience. Having said that any sensitive
>> files should only be on computers running XP Pro with simple file sharing
>> disabled, the guest account disabled, and with folder/NTFS permissions to
>> allow only the users/groups that should have access to the file in the
>> permission list or XP Home computers with file and print sharing disabled
>> if it is not possible to use XP Pro. XP Pro computers can also have the
>> user right for access this computer from the network to be configured to
>> allow only authorized users/groups access from the network for computers
>> that have file and print sharing enabled. To manage user rights use Local
>> Security Policy. The Windows Firewall should also be enabled on the
>> "office" computers as an extra step to prevent access from unauthorized
>> users or any other computer needing such protection. Any computer with a
>> share and using XP Pro should have share permissions configured to only
>> allow authorized users to the share though that is not possible with XP
>> Home because XP Home authenticates all network users as guest. If you are
>> using XP Home computers where you need to limit user access to shares you
>> need to upgrade those computers to XP Pro or move the data in the shares
>> to XP Pro computers with simple file sharing disabled, with the guest
>> account disabled, and share/NTFS permissions configured appropriately.
>> The links below will help if you need further info on share and
>> folder/NTFS permissions.--- Steve
>>
>> http://support.microsoft.com/default...b;en-us;308418
>> http://www.mcmcse.com/microsoft/guid...missions.shtml
>>
>> "mdb" <(E-Mail Removed)> wrote in message
>> news:94Ifg.45382$As2.12482@trnddc02...
>>> I do some work at a medium sized school where they have a peer to peer
>>> network. All machines are connected to a common router for DHCP. We have a
>>> mix of 98se, 2k and XP machines with three distinct workgroups: the
>>> computer lab (wkgpA), the school office (wkgpB) and the classrooms
>>> (wkgpC). We thought that having distinct workgroups would be all that was
>>> needed to keep, for example, computers in the classrooms from seeing and
>>> accessing files on the office computers. But on the 98se machines, users
>>> can go into Network Neighborhood, then click on Entire Network, and are
>>> able to see all three workgroups, and can actually go in and open files on
>>> other workgroup's computers. I know I can set a policy to remove Entire
>>> Network from each of the 98 machines but what is the best answer to keep
>>> the three workgroups entirely separate while still using the school's
>>> central router for DHCP? File sharing is not enabled on the office
>>> computers, the machines of greatest concern since they have financial and
>>> personnel files on them. The office machines are all XP, and I believe
>>> they are all XP Pro.
>>>
>>> Thanks.
>>> Michael
>>>
>>
>
>
If you assign each of the three workgroups a different subnet and mask
wouldn't that solve your problems? Wouldn't that stop each group's
ability to share or browse other groups?

While that could help that alone would not be a very secure solution as a
malicious user could sniff network traffic and reconfigure his computer with
the subnet mask of the computers he wants to access or change his routing
table to do the same. There are switches such as some HP Procurve that have
a feature called port isolation [different from Vlans] that could prevent
groups of ports on the switch from accessing other groups of ports on the
switch while allowing common access to the port that goes to the default
gateway. --- Steve


"local" <(E-Mail Removed)> wrote in message
news:u2Kjg.13790$(E-Mail Removed).. .
> mdb wrote:
>>
>>>
>>> "mdb" <(E-Mail Removed)> wrote in message
>>> news:94Ifg.45382$As2.12482@trnddc02...
>>>> I do some work at a medium sized school where they have a peer to peer
>>>> network. All machines are connected to a common router for DHCP. We
>>>> have a mix of 98se, 2k and XP machines with three distinct workgroups:
>>>> the computer lab (wkgpA), the school office (wkgpB) and the classrooms
>>>> (wkgpC). We thought that having distinct workgroups would be all that
>>>> was needed to keep, for example, computers in the classrooms from
>>>> seeing and accessing files on the office computers. But on the 98se
>>>> machines, users can go into Network Neighborhood, then click on Entire
>>>> Network, and are able to see all three workgroups, and can actually go
>>>> in and open files on other workgroup's computers. I know I can set a
>>>> policy to remove Entire Network from each of the 98 machines but what
>>>> is the best answer to keep the three workgroups entirely separate while
>>>> still using the school's central router for DHCP? File sharing is not
>>>> enabled on the office computers, the machines of greatest concern since
>>>> they have financial and personnel files on them. The office machines
>>>> are all XP, and I believe they are all XP Pro.
>>>>
>>>> Thanks.
>>>> Michael
>>>>
>>>
>>
>>
> If you assign each of the three workgroups a different subnet and mask
> wouldn't that solve your problems? Wouldn't that stop each group's
> ability to share or browse other groups?