Where and how to password-protect a small home networked system?

Discussion in 'privacy general' started by Matthew Pollock, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. I have a small home network with four computers using W2K Pro, connected by a Linksys BEFSR41 router giving me NAT protection, each PC protected by Sygate Personal Firewall, Norton Anti-Virus, and using Ad-Watch and Ad-Aware.

    So far, so basic.

    However, I am puzzled by the topic of passwords. Many explanations of passwords wax philosophical about strong and weak passwords etc, but do not say what and where the system should be password protected.

    At the moment I have this situation:
    * No passwords needed to start the computers. This is, after all, my home, and only my family can access these PCs.
    * No passwords are needed to access other computers on the network, mainly because I don't know how to make them a requisite.
    * A password IS needed to access the Linksys router.

    That's it. But I have a feeling that I ought to initiate better password protection. So - how and where do I do it?

    I would add that, if anyone is so kind as to reply to this, it will NOT help me to refer me in general terms to the Microsoft technical help pages. For anyone seeking a general overview of how a particular feature of an operating system works, it seems to me that Microsoft’s help pages are almost useless – they are arranged in a counter-intuitive way, they are difficult to understand, and most of the explanations seem to assume a high level of technical knowledge, without supplying the links to the basic technical explanations. I can’t make head or tail of them.

    I presently use W2K Pro WITHOUT having assigned administrator or other group privileges, because I am without any understanding of how this assigning system works. It seems to me that a major problem with the whole set of Windows suites is that they have been released onto the market without a user’s manual. One of the most obvious problems with using the ‘Help’ files as if they were user’s manuals is that when you search e.g. for ‘passwords’, the Help Files do not indicate, like a traditional index would, what page that particular text refers to in the Help File, so that the user cannot read the surrounding expository material. The upshot is to make it very difficult for a user to understand a new area.

    Anyway, the main issue is not to grumble about Microsoft, but to understand what passwords should be installed, where they should go, and how the surrounding system works. If anyone can help me with these issues?
     
  2. Sorry to bring this up again - but I'm kind of astonished at NO REPLIES. Is it REALLY true that no one takes passwords seriously? What's going on?

    I'm puzzled. Every security site I've ever seen talks about passwords. They're always emphasized as important. Yet the explanations on these sites are usually so bad. And Microsoft's own explanations of how to password protect a system are non-existent.

    Did I not get any replies, perhaps, because explaining would take too long? In that case, can anyone suggest a good, simple text? Does anyone have any idea where I can get a good explanation, of how to protect a small, W2000 4-PC LAN system?

    This is a real problem for me. Help!
     
  3. Shunned

    Shunned Guest

    Matt

    Say, you look a little lonesome all by yourself here........others may post later
    Hey, great question(s). And the answer(s) could be time consuming. So, will post a link to a program that may give you some ideas...(I AM NOT SUGGESTING YOU BUY THE PROGRAM)..just obtain some ideas.
    Seems a lot easier to use ONE password to control many functions instead of Several passwords. I have three programs along the line of the one posted in the link above...the one above I never heard of prior to now....
    The programs I've used do an exceptional job but have not used them on a home network.....am sure it works though......and can tell you that the people in your household may strongly object to such tight restrictions.....it involves getting used to. During the course of time you will need to disable the password protection in order to make changes to the system...in that respect the use of one password is preferred by myself.
    Why bother with such protection...allow your family to understand that it's not to restrict them..it's to restrict "OTHERS"...such explanation needed even if you don't use a program but do the protecting yourself.......could save a lot of bad feelings...don't want a family member thinking you don't trust them.....not good policy..
    If you are not aware...w2k has a built-in firewall of sorts.....YOU can change certain internal settings yourself for greater overall system security....I long forgot the how-to's of this...but it's definitely possible on w2k...
    Well, if none of this helps..at least you may get an idea or two....
    As to your M$ comment.....always wondered if the reason M$ didn't issue manuals was because "they" themselves don't know how the system works.....so patch it...then patch the patch....then patch the patch that patched the patch that patched the first patch..that should never have been needed in the first place.
    Matt, I am not that up on w2k so am nearly useless in answering your specific question...would if I could.....
     
  4. Shunned

    Shunned Guest

    http://www.softstack.com/accmen.html


    might help if I post the link..lol
     
  5. Great, Shunned. I may try the program. Though my first impression is that it was designed in the age when browsers didn't themselves remember passwords. All that stuff is easier these days.

    What I'm really seeking is to UNDERSTAND. How do passwords protect a system? How and where to input them? What specific effects will they have? (e.g., I do not want to input a password on start-up, but I DO want anyone accessing the PC via the network, e.g., a hacker, to be required to input a password before gaining access to my PC). How to assign administrator and other group privileges? How do the W2000 passwords work across a network, given that I am not using a Microsoft program to operate the network? (Mysteriously, one of my computers, for no known reason, has set itself up so that I cannot re-assign the 'shared folders').

    It seems to me I need a book. But what book? Anyone got any ideas?

    o_O
     
  6. gerardwil

    gerardwil Registered Member

    Joined: Jan 17, 2004 | Posts: 4,748 | Location: The Netherlands

    Hi,

    Maybe a shot in the air, but an interesting book is:

    Maximum security, A Hacker's Guide to Protecting Your Computer Systems and Network, Fourth Edition

    Indianapolis, Sams Publishing 2003

    (about 1000 pages, :D)

    Gerard
     
  7. dvk01

    dvk01 Global Moderator

    Joined: Oct 9, 2003 | Posts: 3,131 | Location: Loughton, Essex. UK

    The main reason for log in passwords is to stop someone with physical access to the computer using it.

    This obviously doesn't apply in a home situation. It would in a public access environment

    Most of the advice was originally written when computers were a work tool and needed specialists to use them and hasn't been updated very much.

    Where you do use a password for sensitive information like your email server log ins or online banking or forums or whatever, then pick passwords with random characters that are harder to guess, especially bank ones etc.

    Don't do what a lot of people do and have one password for everything, that way if someone finds or guesses the password, they can steal all your information or your identity on the net.
     
  8. So the scenario where a hacker enters the SOHO network, and then attacks the different computers on the network (unprotected by passwords), is essentially unlikely?

    'Hackers Guide' sounds interesting, but the area of ignorance now maximally irritating me, is this zone where Microsoft Group Permissions (on the one hand) and passwords (on the other) live and interact.

    This is what I want to know more about. More suggestions about reading materials please!
     
  9. dvk01

    dvk01 Global Moderator

    Joined: Oct 9, 2003 | Posts: 3,131 | Location: Loughton, Essex. UK

    Whether likely or unlikely is immaterial. If he has physical access to the computer then he can do what he wants.

    Any password isn't going to stop a hacker getting access from the net to your network because there is no way to password that access.

    It's possible to password the access from your computer to the net but not vice versa.

    If you were running a server then yes, certain aspects of the remote access can be passworded to prevent access to certain server functions, but in a home set up with no server all access inbound is blocked by default by your router or firewall.

    Why would I want to have a password that allows remote access to my computer? I don't. I block all remote access by using a firewall/router.
     
  10. No, of course I use a NAT firewall router to protect my LAN, plus Sygate Personal Firewall on each PC. But my understanding was that given that hackers can theoretically still enter the LAN (despite these precautions) it is wise to password-protect the individual PCs on the network, to provide an extra layer of difficulty for the hacker. So that in the remote eventuality that the network is penetrated, albeit hopefully with extreme difficulty, the hacker will then have yet further difficulties in moving from one computer to another within the LAN.

    Or is this not true? Am I in some way misunderstanding how LANs work?
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined: Sep 21, 2003 | Posts: 23,873 | Location: SW. Oklahoma

    Of course this applies to wireless.
    If you are running wireless routers you can password protect access from the web to your network. Plus you have a WEP code that stops connection to your network connection. Plus you have an SSID number. It has to get past those three safeguards to allow it access to the router; if that did happen they would still have to get past the admin passwords on each individual computer.

    more info at link. http://www.wilderssecurity.com/showthread.php?t=25888
     
  12. OK. That's wireless. But I'm talking about a wired LAN.

    So, let me say that again, in capitals. Is everyone agreed? If I'm hearing the members of this forum right, what you're saying is that THERE'S NO NEED TO PASSWORD-PROTECT EACH INDIVIDUAL PC ON A SMALL HOME LAN, WHERE THE COMPUTERS ARE PHYSICALLY LINKED, EXCEPT if worried about security risks emanating from users with physical access to the PCs, which I am not.

    So is that agreed? No objections? Really, 100% unanimity by all readers of Wilders Security Forums as to this conclusion? Speak now, or for evermore hold your peace! Throw the individual PC passwords out, then! :)
     
  13. Well, I didn't believe the previous conclusion, so I asked a friend, and he advised the following. My system is now set up thus:

    (All these changes are easy to implement in W2000 through Start | Control Panel | Users and Passwords. :) )

    Each PC on my 4-PC network has the following logins:

    User 1 + password: Power User
    User 2 + password: Administrator          
    User 3             Guest (but renamed for security)

    So on each PC, the user normally logs in as a Power User, using a password. This Power User account contains the Profile, i.e., when the user is logged in like this, the appearance of his desktop is as he originally configured it. Configuring the PC so that the user is logged on merely as a Power User most of the time, means that a hacker invading the PC cannot do too much damage, because he is on a system being run without administrative privileges.

    There is also the capacity to log on to the PC as Administrator, to effect major changes.

    Finally, there is a password-less Guest login, though the Guest account has been renamed, just to give some difficulty to the hacker attempting to log in as 'Guest'. This Guest login has few privileges.

    On my own computer, I have added an extra password-protected administrator account, in case the premier administrator account malfunctions. Weirder things have happened!

    The way to implement this is:
    a) Go to Start | Control Panel | Users and Passwords. Create a new account and give it administrator privileges and login name and password.
    b) Create a login name and password for the original user account.
    c) Check the box saying 'Users must enter a username and password to use this computer'. Power the computer down and up, testing that you can access the computer both through the new account, and through the original user's account, using the login names and passwords which you have just set up.
    d) Demote the user's original account (i.e., the one which controls the Profile), from Administrator to Power User
    e) Change name of the Guest, but do not implement a password for the Guest account.

    Repeat this process for each PC.

    The 'Users must enter a username and password to use this computer' box can then be unchecked, if users who enjoy physical access to the system do not pose a security threat. But when the house is empty, or when you travel with your laptop, this box should always be checked.

    Personally, I don't trust my memory, so I DO keep a copy of these passwords - but in an unmarked notebook in my safe.

    I have to say that I am a little surprised that none of my Wilders Security Forums co-users came up with anything like this solution, which I am assured is pretty standard for a small network.
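
One way to confirm that each PC ended up with the account layout described in the post above (an added example, not part of the original thread): it parses the text that `net localgroup` prints for the Administrators, Power Users and Guests groups and reports which of steps a), d) and e) are still missing. The account names, the sample output and the assumption that the built-in Administrator keeps its default name are constructed for illustration.

```python
# Constructed sample data: the layout mirrors what `net localgroup <group>` prints;
# the account names (matthew, houseadmin, visitor) are hypothetical.
TEMPLATE = """Alias name     {group}
Comment        (constructed sample)

Members

-------------------------------------------------------------------------------
{members}
The command completed successfully.
"""

def sample(group, members):
    return TEMPLATE.format(group=group, members="\n".join(members))

def parse_members(output):
    """Return the account names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line.lower())
    return members

def audit(daily_user, admins_out, power_out, guests_out):
    """Compare one PC's group membership with the layout in the post."""
    user = daily_user.lower()
    admins, power, guests = map(parse_members, (admins_out, power_out, guests_out))
    findings = []
    if user in admins:
        findings.append("daily account is still an Administrator (step d)")
    if user not in power:
        findings.append("daily account is not in Power Users")
    # Assumption: the built-in Administrator keeps its default name.
    if not [a for a in admins if a not in (user, "administrator")]:
        findings.append("no separate administrator account (step a)")
    if "guest" in guests:
        findings.append("Guest account has not been renamed (step e)")
    return findings

GOOD_PC = (sample("Administrators", ["Administrator", "houseadmin"]),
           sample("Power Users", ["matthew"]), sample("Guests", ["visitor"]))
BAD_PC = (sample("Administrators", ["Administrator", "matthew"]),
          sample("Power Users", []), sample("Guests", ["Guest"]))

if __name__ == "__main__":
    for name, pc in (("good", GOOD_PC), ("bad", BAD_PC)):
        print(name, audit("matthew", *pc) or "matches the layout")
```

On a real PC, save the output of `net localgroup Administrators`, `net localgroup "Power Users"` and `net localgroup Guests` to text files and pass their contents to `audit` in place of the samples.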
     