Help locking down access to client data from "outside" hacking.

My situation is this:

I have a small business with 5 users. Each user can access our clients data from our internal file server. All users are running XP Professional, as is the server machine.

All of us require daily internet access, which is broadband cable behind a router. Each system is running a Security Suite with personal firewall.
What I need to do is be as certain as is "practically" possible that our clients data is not "compromised" from the outside ( via our broadband connection ).

What - if anything - should I add to this setup to be more secure from "outside" hacking?

All comments are certainly appreciated.

 

If I were you I would think of the security like this - start with the perimeter of your network. Where the link to the outside world is - put a firewall router there- something cheap will do for now - perhaps a netgear FVS 328 / FVL 328 you can always get something better later. Then you should get rid of using XP as a server and do it properly - get windows 2000 server edition or 2003 and create a domain within your private network. Join the clients to the domain. If I were you I would also put on a load of rootkit hunters and other malware searching tools and of a Friday night - have them run automatically - audit your systems once a week. Keep the security you already have but the things I mention will improve security immensely - at the moment I garauntee if what you have told us about is all you have then - hell youre wide open to the world

 

First of all, thank you very much for your reply and recommendations. However, your last sentence troubles me. You said: "I garauntee if what you have told us about is all you have then - hell youre wide open to the world"
I have the router and personal 2-way firewalls. How am I "wide open to the world"?

 

Hello,
Make sure your server runs a good firewalls and is patched.
Don't run anything unneeded on the server.
Router is good.
If you really want good security, maybe you could try SmoothWall Linux firewall - boot off CD, install on a dedicated machine - becomes an OS that runs firewall and nothing else. Easy to use web-based GUI. Simple, effective, strong.
Really worth trying. And free. All you need is an old P2 or P3 to setup the firewall.
Anyhow, your setup sounds ok. The emphasis is on the server. Keep it simple. Don't run apps on it like p2p, chat etc.
Mrk

 

Your initial post says that you have firewalls on the desktops. I didnt realise you stated there was a router I didnt see that first time around.
Yeah well thats good then ! I thought you meant you were running a simple peer-to-peer network with no router-firewall between the network and the outside world. I would definitely change your server from XP to 2003 or 2000 server and make it a client-server network. Theres a lot more security for the data. One other thing I can suggest is using firefox as your browser and using customizegoogle and adblock plus (both firefox extensions) I have reduced
spyware - viruses - other malware by about 75 - 90% by doing that alone.
They cut out loads of popups and other stuff and that seems to have a drastic effect for the better on the networks I administrate

 

How about using limited user accounts so nothing new gets installed that you don't approve.
Harden IE settings.
Block executables at the firewall.
Use an alternate browser as suggested.
Firefox with NoScript will take care of most of the web active content problems.
Create a good security policy that includes basic security education.

Consider encryption for the client data on the file server to protect from physical theft.

 

Actually when I thought about the thread this morning theres a ton of stuff you could do - to be honest I think if the user data is as important as it appears to be, simply asking the question what you should do implies that it would be best to contact someone near you that can assess the situation and advise you in person. Theres a whole industry of some magnitude built around computer security and what you can do is only limited by your budget for security.

One note of advice though, I forget who said it but I like the quote that goes

"If you spend more on coffee than you spend on security - youre gonna get hacked"

 

great quote IMO