On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith" <anth***@peconet.com> wrote:

>Good Afternoon,
>
>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless access
>point that connects to the LAN.  I'm using WPA on it and I disabled the
>Broadcast feature.  I'm trying to secure the Windows XP workstations as much
>as possible, along with our server.
>
>1) Is there a way to lock down Workstations/servers so that only
>Workgroup/domain users can access the file and print sharing folders?  The
>reason I ask.  I used a laptop to connect to the Wireless LAN but did NOT
>log into the domain with username/password.  But I was able to see the users
>PCs and copy files and delete without having any domain password/username.
>That's not good, so I took the wireless LAN offline.
>
>2) Is there a way to limit the RANGE on the wireless access point? Maybe
>purchase an additional device to block the signal so it doesn't go with a
>few feet of our office? I want to limit the amount of possible intruders by
>not allowing access outside of the office building.  We have a small office,
>less than 10 users.
>
>I'm adding a wireless LAN to our existing wired LAN because any additional
>machines can be added with a wireless card.  Plus this machine I'm trying to
>put in is not in an ideal location for a wired connection.  So I want to try
>wireless.  But it must be as secure as humanly possible. (smile)
>
>Thanks!
>
>Windows XP SP2 on PCs and Win2003 Server (SBS)
>
>Sincerely,
>Anthony Smith
>In God We Trust!

"Chuck [MVP]" <n***@example.net> wrote in message
news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith" <anth***@peconet.com>
> wrote:
>
>>Good Afternoon,
>>
>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless access
>>point that connects to the LAN.  I'm using WPA on it and I disabled the
>>Broadcast feature.  I'm trying to secure the Windows XP workstations as
>>much
>>as possible, along with our server.
>>
>>1) Is there a way to lock down Workstations/servers so that only
>>Workgroup/domain users can access the file and print sharing folders?  The
>>reason I ask.  I used a laptop to connect to the Wireless LAN but did NOT
>>log into the domain with username/password.  But I was able to see the
>>users
>>PCs and copy files and delete without having any domain password/username.
>>That's not good, so I took the wireless LAN offline.
>>
>>2) Is there a way to limit the RANGE on the wireless access point? Maybe
>>purchase an additional device to block the signal so it doesn't go with a
>>few feet of our office? I want to limit the amount of possible intruders
>>by
>>not allowing access outside of the office building.  We have a small
>>office,
>>less than 10 users.
>>
>>I'm adding a wireless LAN to our existing wired LAN because any additional
>>machines can be added with a wireless card.  Plus this machine I'm trying
>>to
>>put in is not in an ideal location for a wired connection.  So I want to
>>try
>>wireless.  But it must be as secure as humanly possible. (smile)
>>
>>Thanks!
>>
>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>
>>Sincerely,
>>Anthony Smith
>>In God We Trust!
>
> Anthony,
>
> If you are going to provide coverage to your office, unless you use a lot
> of
> very low powered access points, you're going to have signal leakage
> outside your
> office (unless your office is spherical).  The low power signal that might
> be
> just enough to let your portable computers, with their low gain internal
> antennas, work, will be ample for an attacker with a high gain directional
> antenna.  It's best to concentrate on other security strategies.
>
> If you can access domain resources without being logged in to the domain,
> I'd
> bet the Guest account is enabled on the computers in question.  That's the
> first
> thing that you need to do when setting up a secure network - disable
> Guest.
>
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My        email         is          AT         DOT
>   actual       address    pchuck       mvps        org.

On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com> wrote:

>"Chuck [MVP]" <n***@example.net> wrote in message
>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith" <anth***@peconet.com>
>> wrote:
>>
>>>Good Afternoon,
>>>
>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless access
>>>point that connects to the LAN.  I'm using WPA on it and I disabled the
>>>Broadcast feature.  I'm trying to secure the Windows XP workstations as
>>>much
>>>as possible, along with our server.
>>>
>>>1) Is there a way to lock down Workstations/servers so that only
>>>Workgroup/domain users can access the file and print sharing folders?  The
>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did NOT
>>>log into the domain with username/password.  But I was able to see the
>>>users
>>>PCs and copy files and delete without having any domain password/username.
>>>That's not good, so I took the wireless LAN offline.
>>>
>>>2) Is there a way to limit the RANGE on the wireless access point? Maybe
>>>purchase an additional device to block the signal so it doesn't go with a
>>>few feet of our office? I want to limit the amount of possible intruders
>>>by
>>>not allowing access outside of the office building.  We have a small
>>>office,
>>>less than 10 users.
>>>
>>>I'm adding a wireless LAN to our existing wired LAN because any additional
>>>machines can be added with a wireless card.  Plus this machine I'm trying
>>>to
>>>put in is not in an ideal location for a wired connection.  So I want to
>>>try
>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>
>>>Thanks!
>>>
>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>
>>>Sincerely,
>>>Anthony Smith
>>>In God We Trust!
>>
>> Anthony,
>>
>> If you are going to provide coverage to your office, unless you use a lot
>> of
>> very low powered access points, you're going to have signal leakage
>> outside your
>> office (unless your office is spherical).  The low power signal that might
>> be
>> just enough to let your portable computers, with their low gain internal
>> antennas, work, will be ample for an attacker with a high gain directional
>> antenna.  It's best to concentrate on other security strategies.
>>
>> If you can access domain resources without being logged in to the domain,
>> I'd
>> bet the Guest account is enabled on the computers in question.  That's the
>> first
>> thing that you need to do when setting up a secure network - disable
>> Guest.

>Thanks for the reply Chuck.  I checked my desktop and the guest account is
>turned off.  I just connected someone's PERSONAL laptop to the wireless LAN.
>This personal laptop doesn't have any user names or passwords for our LAN.
>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>and the personal Laptop found it.  I was able to open up the shared drive
>and view the files, BUT I couldn't delete anything.  What else do I need to
>do to lock down the machines?
>Now when I tried to access the Win2003 server(SBS) it asked me for a user
>name and password.
>But the WinXP workstations does NOT ask for a user name and password.
>Please advise.
>
>Thanks again for the help!

"Chuck [MVP]" <n***@example.net> wrote in message
news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com>
> wrote:
>
>>"Chuck [MVP]" <n***@example.net> wrote in message
>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith" <anth***@peconet.com>
>>> wrote:
>>>
>>>>Good Afternoon,
>>>>
>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless access
>>>>point that connects to the LAN.  I'm using WPA on it and I disabled the
>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations as
>>>>much
>>>>as possible, along with our server.
>>>>
>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>Workgroup/domain users can access the file and print sharing folders?
>>>>The
>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did
>>>>NOT
>>>>log into the domain with username/password.  But I was able to see the
>>>>users
>>>>PCs and copy files and delete without having any domain
>>>>password/username.
>>>>That's not good, so I took the wireless LAN offline.
>>>>
>>>>2) Is there a way to limit the RANGE on the wireless access point? Maybe
>>>>purchase an additional device to block the signal so it doesn't go with
>>>>a
>>>>few feet of our office? I want to limit the amount of possible intruders
>>>>by
>>>>not allowing access outside of the office building.  We have a small
>>>>office,
>>>>less than 10 users.
>>>>
>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>additional
>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>trying
>>>>to
>>>>put in is not in an ideal location for a wired connection.  So I want to
>>>>try
>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>
>>>>Thanks!
>>>>
>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>
>>>>Sincerely,
>>>>Anthony Smith
>>>>In God We Trust!
>>>
>>> Anthony,
>>>
>>> If you are going to provide coverage to your office, unless you use a
>>> lot
>>> of
>>> very low powered access points, you're going to have signal leakage
>>> outside your
>>> office (unless your office is spherical).  The low power signal that
>>> might
>>> be
>>> just enough to let your portable computers, with their low gain internal
>>> antennas, work, will be ample for an attacker with a high gain
>>> directional
>>> antenna.  It's best to concentrate on other security strategies.
>>>
>>> If you can access domain resources without being logged in to the
>>> domain,
>>> I'd
>>> bet the Guest account is enabled on the computers in question.  That's
>>> the
>>> first
>>> thing that you need to do when setting up a secure network - disable
>>> Guest.
>
>>Thanks for the reply Chuck.  I checked my desktop and the guest account is
>>turned off.  I just connected someone's PERSONAL laptop to the wireless
>>LAN.
>>This personal laptop doesn't have any user names or passwords for our LAN.
>>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>>and the personal Laptop found it.  I was able to open up the shared drive
>>and view the files, BUT I couldn't delete anything.  What else do I need
>>to
>>do to lock down the machines?
>>Now when I tried to access the Win2003 server(SBS) it asked me for a user
>>name and password.
>>But the WinXP workstations does NOT ask for a user name and password.
>>Please advise.
>>
>>Thanks again for the help!
>
> My pleasure, Anthony.  Here we have a challenge, and that's what most
> helpers
> here enjoy.
>
> Try and give us an idea of the computer population there.  You say that
> you have
> SBS, and a domain?  How many computers there, in total?  How many domain
> members?  Is Guest disabled on all computers?  How many computers have you
> observed to be accessible, even from computers not logged in to the
> domain?  Do
> you maybe have a hidden Guest account, defined on the domain?
>
> Remember that we're not there in front of you, or peering at the LAN, so
> think
> of all of the details that we might ask you otherwise.
> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>
> And think about how to solve problems.
> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
>
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My        email         is          AT         DOT
>   actual       address    pchuck       mvps        org.

On Wed, 10 Oct 2007 08:39:26 -0400, "Anthony Smith" <anth***@peconet.com> wrote:

>"Chuck [MVP]" <n***@example.net> wrote in message
>news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
>> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com>
>> wrote:
>>
>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith" <anth***@peconet.com>
>>>> wrote:
>>>>
>>>>>Good Afternoon,
>>>>>
>>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless access
>>>>>point that connects to the LAN.  I'm using WPA on it and I disabled the
>>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations as
>>>>>much
>>>>>as possible, along with our server.
>>>>>
>>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>>Workgroup/domain users can access the file and print sharing folders?
>>>>>The
>>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did
>>>>>NOT
>>>>>log into the domain with username/password.  But I was able to see the
>>>>>users
>>>>>PCs and copy files and delete without having any domain
>>>>>password/username.
>>>>>That's not good, so I took the wireless LAN offline.
>>>>>
>>>>>2) Is there a way to limit the RANGE on the wireless access point? Maybe
>>>>>purchase an additional device to block the signal so it doesn't go with
>>>>>a
>>>>>few feet of our office? I want to limit the amount of possible intruders
>>>>>by
>>>>>not allowing access outside of the office building.  We have a small
>>>>>office,
>>>>>less than 10 users.
>>>>>
>>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>>additional
>>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>>trying
>>>>>to
>>>>>put in is not in an ideal location for a wired connection.  So I want to
>>>>>try
>>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>>
>>>>>Thanks!
>>>>>
>>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>>
>>>>>Sincerely,
>>>>>Anthony Smith
>>>>>In God We Trust!
>>>>
>>>> Anthony,
>>>>
>>>> If you are going to provide coverage to your office, unless you use a
>>>> lot
>>>> of
>>>> very low powered access points, you're going to have signal leakage
>>>> outside your
>>>> office (unless your office is spherical).  The low power signal that
>>>> might
>>>> be
>>>> just enough to let your portable computers, with their low gain internal
>>>> antennas, work, will be ample for an attacker with a high gain
>>>> directional
>>>> antenna.  It's best to concentrate on other security strategies.
>>>>
>>>> If you can access domain resources without being logged in to the
>>>> domain,
>>>> I'd
>>>> bet the Guest account is enabled on the computers in question.  That's
>>>> the
>>>> first
>>>> thing that you need to do when setting up a secure network - disable
>>>> Guest.
>>
>>>Thanks for the reply Chuck.  I checked my desktop and the guest account is
>>>turned off.  I just connected someone's PERSONAL laptop to the wireless
>>>LAN.
>>>This personal laptop doesn't have any user names or passwords for our LAN.
>>>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>>>and the personal Laptop found it.  I was able to open up the shared drive
>>>and view the files, BUT I couldn't delete anything.  What else do I need
>>>to
>>>do to lock down the machines?
>>>Now when I tried to access the Win2003 server(SBS) it asked me for a user
>>>name and password.
>>>But the WinXP workstations does NOT ask for a user name and password.
>>>Please advise.
>>>
>>>Thanks again for the help!
>>
>> My pleasure, Anthony.  Here we have a challenge, and that's what most
>> helpers
>> here enjoy.
>>
>> Try and give us an idea of the computer population there.  You say that
>> you have
>> SBS, and a domain?  How many computers there, in total?  How many domain
>> members?  Is Guest disabled on all computers?  How many computers have you
>> observed to be accessible, even from computers not logged in to the
>> domain?  Do
>> you maybe have a hidden Guest account, defined on the domain?
>>
>> Remember that we're not there in front of you, or peering at the LAN, so
>> think
>> of all of the details that we might ask you otherwise.
>> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
>> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>>
>> And think about how to solve problems.
>> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
>> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html

>Good Morning,
>
>Ok I found out more information on the problem.  Most of the workstations
>were members of a workgroup and not domain.  However there were two WS that
>were a member of the DOMAIN.  Those are two of the newest machines added to
>the network and I configured them differently. I used the
>http://servername/connectcomputer feature that comes with SBS and it
>configured it automatically to be a member of the domain.  And guess what?
>These two machines cannot be accessed from the wireless lan unless you
>supply a password.  When I search for any of these two machines and it finds
>it, when I double click on it, it asks for a password.  (It does this for
>the actual server too)
>
>So I changed the other PCs to be members of the domain instead of workgroup.
>I checked the Windows firewall settings also on XP and it states it is using
>the domain settings. (before I switched it was saying non-domain settings)
>So it IS using a the group policy for the domain like the (2) other
>machines.  BUT I can still access these other XP machines on the wireless
>without supplying a username/password.
>
>Desktops Not Secured properly: 4
>Desktops Secured Properly: 2 (wireless users MUST supply password to access
>resources)
>
>We have the 2 configured network card topology for the lan. 1 Nic on server
>(Internet access, WAN, also behind a SOHO firewall), 1 Nic to the 3com
>hub/switch for the lan.
>All the PCs are connected to this 3com hub/switch, it's about 16 ports.
>Now I plugged the 3com Wireless access Point into one of the 16 ports to
>gain access to the LAN.
>
>The (4) machines that have now be switched to be member of the domain are
>not secured properly.
>A username/password is not prompted when trying to gain access to resources.
>You can open up the shared drives and folders on these machines with no
>problem.  I'd like to lock them down like the other two where a username and
>password is prompted.

"Chuck [MVP]" <n***@example.net> wrote in message
news:74spg35m32jhrd9vn3a06kalh9em1vnsr3@4ax.com...
> On Wed, 10 Oct 2007 08:39:26 -0400, "Anthony Smith" <anth***@peconet.com>
> wrote:
>
>>"Chuck [MVP]" <n***@example.net> wrote in message
>>news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
>>> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com>
>>> wrote:
>>>
>>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith"
>>>>> <anth***@peconet.com>
>>>>> wrote:
>>>>>
>>>>>>Good Afternoon,
>>>>>>
>>>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless
>>>>>>access
>>>>>>point that connects to the LAN.  I'm using WPA on it and I disabled
>>>>>>the
>>>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations
>>>>>>as
>>>>>>much
>>>>>>as possible, along with our server.
>>>>>>
>>>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>>>Workgroup/domain users can access the file and print sharing folders?
>>>>>>The
>>>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did
>>>>>>NOT
>>>>>>log into the domain with username/password.  But I was able to see the
>>>>>>users
>>>>>>PCs and copy files and delete without having any domain
>>>>>>password/username.
>>>>>>That's not good, so I took the wireless LAN offline.
>>>>>>
>>>>>>2) Is there a way to limit the RANGE on the wireless access point?
>>>>>>Maybe
>>>>>>purchase an additional device to block the signal so it doesn't go
>>>>>>with
>>>>>>a
>>>>>>few feet of our office? I want to limit the amount of possible
>>>>>>intruders
>>>>>>by
>>>>>>not allowing access outside of the office building.  We have a small
>>>>>>office,
>>>>>>less than 10 users.
>>>>>>
>>>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>>>additional
>>>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>>>trying
>>>>>>to
>>>>>>put in is not in an ideal location for a wired connection.  So I want
>>>>>>to
>>>>>>try
>>>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>>>
>>>>>>Thanks!
>>>>>>
>>>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>>>
>>>>>>Sincerely,
>>>>>>Anthony Smith
>>>>>>In God We Trust!
>>>>>
>>>>> Anthony,
>>>>>
>>>>> If you are going to provide coverage to your office, unless you use a
>>>>> lot
>>>>> of
>>>>> very low powered access points, you're going to have signal leakage
>>>>> outside your
>>>>> office (unless your office is spherical).  The low power signal that
>>>>> might
>>>>> be
>>>>> just enough to let your portable computers, with their low gain
>>>>> internal
>>>>> antennas, work, will be ample for an attacker with a high gain
>>>>> directional
>>>>> antenna.  It's best to concentrate on other security strategies.
>>>>>
>>>>> If you can access domain resources without being logged in to the
>>>>> domain,
>>>>> I'd
>>>>> bet the Guest account is enabled on the computers in question.  That's
>>>>> the
>>>>> first
>>>>> thing that you need to do when setting up a secure network - disable
>>>>> Guest.
>>>
>>>>Thanks for the reply Chuck.  I checked my desktop and the guest account
>>>>is
>>>>turned off.  I just connected someone's PERSONAL laptop to the wireless
>>>>LAN.
>>>>This personal laptop doesn't have any user names or passwords for our
>>>>LAN.
>>>>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>>>>and the personal Laptop found it.  I was able to open up the shared
>>>>drive
>>>>and view the files, BUT I couldn't delete anything.  What else do I need
>>>>to
>>>>do to lock down the machines?
>>>>Now when I tried to access the Win2003 server(SBS) it asked me for a
>>>>user
>>>>name and password.
>>>>But the WinXP workstations does NOT ask for a user name and password.
>>>>Please advise.
>>>>
>>>>Thanks again for the help!
>>>
>>> My pleasure, Anthony.  Here we have a challenge, and that's what most
>>> helpers
>>> here enjoy.
>>>
>>> Try and give us an idea of the computer population there.  You say that
>>> you have
>>> SBS, and a domain?  How many computers there, in total?  How many domain
>>> members?  Is Guest disabled on all computers?  How many computers have
>>> you
>>> observed to be accessible, even from computers not logged in to the
>>> domain?  Do
>>> you maybe have a hidden Guest account, defined on the domain?
>>>
>>> Remember that we're not there in front of you, or peering at the LAN, so
>>> think
>>> of all of the details that we might ask you otherwise.
>>> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
>>> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>>>
>>> And think about how to solve problems.
>>> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
>>> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
>
>>Good Morning,
>>
>>Ok I found out more information on the problem.  Most of the workstations
>>were members of a workgroup and not domain.  However there were two WS
>>that
>>were a member of the DOMAIN.  Those are two of the newest machines added
>>to
>>the network and I configured them differently. I used the
>>http://servername/connectcomputer feature that comes with SBS and it
>>configured it automatically to be a member of the domain.  And guess what?
>>These two machines cannot be accessed from the wireless lan unless you
>>supply a password.  When I search for any of these two machines and it
>>finds
>>it, when I double click on it, it asks for a password.  (It does this for
>>the actual server too)
>>
>>So I changed the other PCs to be members of the domain instead of
>>workgroup.
>>I checked the Windows firewall settings also on XP and it states it is
>>using
>>the domain settings. (before I switched it was saying non-domain settings)
>>So it IS using a the group policy for the domain like the (2) other
>>machines.  BUT I can still access these other XP machines on the wireless
>>without supplying a username/password.
>>
>>Desktops Not Secured properly: 4
>>Desktops Secured Properly: 2 (wireless users MUST supply password to
>>access
>>resources)
>>
>>We have the 2 configured network card topology for the lan. 1 Nic on
>>server
>>(Internet access, WAN, also behind a SOHO firewall), 1 Nic to the 3com
>>hub/switch for the lan.
>>All the PCs are connected to this 3com hub/switch, it's about 16 ports.
>>Now I plugged the 3com Wireless access Point into one of the 16 ports to
>>gain access to the LAN.
>>
>>The (4) machines that have now be switched to be member of the domain are
>>not secured properly.
>>A username/password is not prompted when trying to gain access to
>>resources.
>>You can open up the shared drives and folders on these machines with no
>>problem.  I'd like to lock them down like the other two where a username
>>and
>>password is prompted.
>
> When you join a computer to a domain, you have to go back and look at
> local
> accounts, and remove all local accounts that don't belong.  Domain
> membership
> makes it easier to control access, only when you remove all local accounts
> and
> only use domain accounts.  Removing local accounts is up to you.
>
> If you have portable computers, you absolutely don't want to remove all
> local
> accounts.  Portable computers are a challenge, for many reasons.
> <http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html>
> http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html
>
> Controlling file sharing with a firewall, as primary protection, needs to
> be
> discussed.  If your firewall blocks all but your one subnet, and you
> absolutely
> control use of that subnet, this can work.  If the subnet involves WiFi,
> and an
> attacker can hijack an IP address on the subnet, he is past your firewall.
> You
> need solid authentication / authorisation setup too.
>
> WiFi bridged onto an office LAN is a security hole.  Are you using PSK, or
> RADIUS?
>
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My        email         is          AT         DOT
>   actual       address    pchuck       mvps        org.

"Chuck [MVP]" <n***@example.net> wrote in message
news:74spg35m32jhrd9vn3a06kalh9em1vnsr3@4ax.com...
> On Wed, 10 Oct 2007 08:39:26 -0400, "Anthony Smith" <anth***@peconet.com>
> wrote:
>
>>"Chuck [MVP]" <n***@example.net> wrote in message
>>news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
>>> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com>
>>> wrote:
>>>
>>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith"
>>>>> <anth***@peconet.com>
>>>>> wrote:
>>>>>
>>>>>>Good Afternoon,
>>>>>>
>>>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless
>>>>>>access
>>>>>>point that connects to the LAN.  I'm using WPA on it and I disabled
>>>>>>the
>>>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations
>>>>>>as
>>>>>>much
>>>>>>as possible, along with our server.
>>>>>>
>>>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>>>Workgroup/domain users can access the file and print sharing folders?
>>>>>>The
>>>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did
>>>>>>NOT
>>>>>>log into the domain with username/password.  But I was able to see the
>>>>>>users
>>>>>>PCs and copy files and delete without having any domain
>>>>>>password/username.
>>>>>>That's not good, so I took the wireless LAN offline.
>>>>>>
>>>>>>2) Is there a way to limit the RANGE on the wireless access point?
>>>>>>Maybe
>>>>>>purchase an additional device to block the signal so it doesn't go
>>>>>>with
>>>>>>a
>>>>>>few feet of our office? I want to limit the amount of possible
>>>>>>intruders
>>>>>>by
>>>>>>not allowing access outside of the office building.  We have a small
>>>>>>office,
>>>>>>less than 10 users.
>>>>>>
>>>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>>>additional
>>>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>>>trying
>>>>>>to
>>>>>>put in is not in an ideal location for a wired connection.  So I want
>>>>>>to
>>>>>>try
>>>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>>>
>>>>>>Thanks!
>>>>>>
>>>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>>>
>>>>>>Sincerely,
>>>>>>Anthony Smith
>>>>>>In God We Trust!
>>>>>
>>>>> Anthony,
>>>>>
>>>>> If you are going to provide coverage to your office, unless you use a
>>>>> lot
>>>>> of
>>>>> very low powered access points, you're going to have signal leakage
>>>>> outside your
>>>>> office (unless your office is spherical).  The low power signal that
>>>>> might
>>>>> be
>>>>> just enough to let your portable computers, with their low gain
>>>>> internal
>>>>> antennas, work, will be ample for an attacker with a high gain
>>>>> directional
>>>>> antenna.  It's best to concentrate on other security strategies.
>>>>>
>>>>> If you can access domain resources without being logged in to the
>>>>> domain,
>>>>> I'd
>>>>> bet the Guest account is enabled on the computers in question.  That's
>>>>> the
>>>>> first
>>>>> thing that you need to do when setting up a secure network - disable
>>>>> Guest.
>>>
>>>>Thanks for the reply Chuck.  I checked my desktop and the guest account
>>>>is
>>>>turned off.  I just connected someone's PERSONAL laptop to the wireless
>>>>LAN.
>>>>This personal laptop doesn't have any user names or passwords for our
>>>>LAN.
>>>>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>>>>and the personal Laptop found it.  I was able to open up the shared
>>>>drive
>>>>and view the files, BUT I couldn't delete anything.  What else do I need
>>>>to
>>>>do to lock down the machines?
>>>>Now when I tried to access the Win2003 server(SBS) it asked me for a
>>>>user
>>>>name and password.
>>>>But the WinXP workstations does NOT ask for a user name and password.
>>>>Please advise.
>>>>
>>>>Thanks again for the help!
>>>
>>> My pleasure, Anthony.  Here we have a challenge, and that's what most
>>> helpers
>>> here enjoy.
>>>
>>> Try and give us an idea of the computer population there.  You say that
>>> you have
>>> SBS, and a domain?  How many computers there, in total?  How many domain
>>> members?  Is Guest disabled on all computers?  How many computers have
>>> you
>>> observed to be accessible, even from computers not logged in to the
>>> domain?  Do
>>> you maybe have a hidden Guest account, defined on the domain?
>>>
>>> Remember that we're not there in front of you, or peering at the LAN, so
>>> think
>>> of all of the details that we might ask you otherwise.
>>> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
>>> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>>>
>>> And think about how to solve problems.
>>> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
>>> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
>
>>Good Morning,
>>
>>Ok I found out more information on the problem.  Most of the workstations
>>were members of a workgroup and not domain.  However there were two WS
>>that
>>were a member of the DOMAIN.  Those are two of the newest machines added
>>to
>>the network and I configured them differently. I used the
>>http://servername/connectcomputer feature that comes with SBS and it
>>configured it automatically to be a member of the domain.  And guess what?
>>These two machines cannot be accessed from the wireless lan unless you
>>supply a password.  When I search for any of these two machines and it
>>finds
>>it, when I double click on it, it asks for a password.  (It does this for
>>the actual server too)
>>
>>So I changed the other PCs to be members of the domain instead of
>>workgroup.
>>I checked the Windows firewall settings also on XP and it states it is
>>using
>>the domain settings. (before I switched it was saying non-domain settings)
>>So it IS using a the group policy for the domain like the (2) other
>>machines.  BUT I can still access these other XP machines on the wireless
>>without supplying a username/password.
>>
>>Desktops Not Secured properly: 4
>>Desktops Secured Properly: 2 (wireless users MUST supply password to
>>access
>>resources)
>>
>>We have the 2 configured network card topology for the lan. 1 Nic on
>>server
>>(Internet access, WAN, also behind a SOHO firewall), 1 Nic to the 3com
>>hub/switch for the lan.
>>All the PCs are connected to this 3com hub/switch, it's about 16 ports.
>>Now I plugged the 3com Wireless access Point into one of the 16 ports to
>>gain access to the LAN.
>>
>>The (4) machines that have now be switched to be member of the domain are
>>not secured properly.
>>A username/password is not prompted when trying to gain access to
>>resources.
>>You can open up the shared drives and folders on these machines with no
>>problem.  I'd like to lock them down like the other two where a username
>>and
>>password is prompted.
>
> When you join a computer to a domain, you have to go back and look at
> local
> accounts, and remove all local accounts that don't belong.  Domain
> membership
> makes it easier to control access, only when you remove all local accounts
> and
> only use domain accounts.  Removing local accounts is up to you.
>
> If you have portable computers, you absolutely don't want to remove all
> local
> accounts.  Portable computers are a challenge, for many reasons.
> <http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html>
> http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html
>
> Controlling file sharing with a firewall, as primary protection, needs to
> be
> discussed.  If your firewall blocks all but your one subnet, and you
> absolutely
> control use of that subnet, this can work.  If the subnet involves WiFi,
> and an
> attacker can hijack an IP address on the subnet, he is past your firewall.
> You
> need solid authentication / authorisation setup too.
>
> WiFi bridged onto an office LAN is a security hole.  Are you using PSK, or
> RADIUS?
>
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My        email         is          AT         DOT
>   actual       address    pchuck       mvps        org.

On Thu, 11 Oct 2007 12:43:37 -0400, "Anthony Smith" <anth***@peconet.com> wrote:

>"Chuck [MVP]" <n***@example.net> wrote in message
>news:74spg35m32jhrd9vn3a06kalh9em1vnsr3@4ax.com...
>> On Wed, 10 Oct 2007 08:39:26 -0400, "Anthony Smith" <anth***@peconet.com>
>> wrote:
>>
>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
>>>> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith" <anth***@peconet.com>
>>>> wrote:
>>>>
>>>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>>>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith"
>>>>>> <anth***@peconet.com>
>>>>>> wrote:
>>>>>>
>>>>>>>Good Afternoon,
>>>>>>>
>>>>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless
>>>>>>>access
>>>>>>>point that connects to the LAN.  I'm using WPA on it and I disabled
>>>>>>>the
>>>>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations
>>>>>>>as
>>>>>>>much
>>>>>>>as possible, along with our server.
>>>>>>>
>>>>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>>>>Workgroup/domain users can access the file and print sharing folders?
>>>>>>>The
>>>>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but did
>>>>>>>NOT
>>>>>>>log into the domain with username/password.  But I was able to see the
>>>>>>>users
>>>>>>>PCs and copy files and delete without having any domain
>>>>>>>password/username.
>>>>>>>That's not good, so I took the wireless LAN offline.
>>>>>>>
>>>>>>>2) Is there a way to limit the RANGE on the wireless access point?
>>>>>>>Maybe
>>>>>>>purchase an additional device to block the signal so it doesn't go
>>>>>>>with
>>>>>>>a
>>>>>>>few feet of our office? I want to limit the amount of possible
>>>>>>>intruders
>>>>>>>by
>>>>>>>not allowing access outside of the office building.  We have a small
>>>>>>>office,
>>>>>>>less than 10 users.
>>>>>>>
>>>>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>>>>additional
>>>>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>>>>trying
>>>>>>>to
>>>>>>>put in is not in an ideal location for a wired connection.  So I want
>>>>>>>to
>>>>>>>try
>>>>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>>>>
>>>>>>>Thanks!
>>>>>>>
>>>>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>>>>
>>>>>>>Sincerely,
>>>>>>>Anthony Smith
>>>>>>>In God We Trust!
>>>>>>
>>>>>> Anthony,
>>>>>>
>>>>>> If you are going to provide coverage to your office, unless you use a
>>>>>> lot
>>>>>> of
>>>>>> very low powered access points, you're going to have signal leakage
>>>>>> outside your
>>>>>> office (unless your office is spherical).  The low power signal that
>>>>>> might
>>>>>> be
>>>>>> just enough to let your portable computers, with their low gain
>>>>>> internal
>>>>>> antennas, work, will be ample for an attacker with a high gain
>>>>>> directional
>>>>>> antenna.  It's best to concentrate on other security strategies.
>>>>>>
>>>>>> If you can access domain resources without being logged in to the
>>>>>> domain,
>>>>>> I'd
>>>>>> bet the Guest account is enabled on the computers in question.  That's
>>>>>> the
>>>>>> first
>>>>>> thing that you need to do when setting up a secure network - disable
>>>>>> Guest.
>>>>
>>>>>Thanks for the reply Chuck.  I checked my desktop and the guest account
>>>>>is
>>>>>turned off.  I just connected someone's PERSONAL laptop to the wireless
>>>>>LAN.
>>>>>This personal laptop doesn't have any user names or passwords for our
>>>>>LAN.
>>>>>It's connected with the PassKey, WPA.  Now I did a search for my DESKTOP
>>>>>and the personal Laptop found it.  I was able to open up the shared
>>>>>drive
>>>>>and view the files, BUT I couldn't delete anything.  What else do I need
>>>>>to
>>>>>do to lock down the machines?
>>>>>Now when I tried to access the Win2003 server(SBS) it asked me for a
>>>>>user
>>>>>name and password.
>>>>>But the WinXP workstations does NOT ask for a user name and password.
>>>>>Please advise.
>>>>>
>>>>>Thanks again for the help!
>>>>
>>>> My pleasure, Anthony.  Here we have a challenge, and that's what most
>>>> helpers
>>>> here enjoy.
>>>>
>>>> Try and give us an idea of the computer population there.  You say that
>>>> you have
>>>> SBS, and a domain?  How many computers there, in total?  How many domain
>>>> members?  Is Guest disabled on all computers?  How many computers have
>>>> you
>>>> observed to be accessible, even from computers not logged in to the
>>>> domain?  Do
>>>> you maybe have a hidden Guest account, defined on the domain?
>>>>
>>>> Remember that we're not there in front of you, or peering at the LAN, so
>>>> think
>>>> of all of the details that we might ask you otherwise.
>>>> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
>>>> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>>>>
>>>> And think about how to solve problems.
>>>> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
>>>> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
>>
>>>Good Morning,
>>>
>>>Ok I found out more information on the problem.  Most of the workstations
>>>were members of a workgroup and not domain.  However there were two WS
>>>that
>>>were a member of the DOMAIN.  Those are two of the newest machines added
>>>to
>>>the network and I configured them differently. I used the
>>>http://servername/connectcomputer feature that comes with SBS and it
>>>configured it automatically to be a member of the domain.  And guess what?
>>>These two machines cannot be accessed from the wireless lan unless you
>>>supply a password.  When I search for any of these two machines and it
>>>finds
>>>it, when I double click on it, it asks for a password.  (It does this for
>>>the actual server too)
>>>
>>>So I changed the other PCs to be members of the domain instead of
>>>workgroup.
>>>I checked the Windows firewall settings also on XP and it states it is
>>>using
>>>the domain settings. (before I switched it was saying non-domain settings)
>>>So it IS using a the group policy for the domain like the (2) other
>>>machines.  BUT I can still access these other XP machines on the wireless
>>>without supplying a username/password.
>>>
>>>Desktops Not Secured properly: 4
>>>Desktops Secured Properly: 2 (wireless users MUST supply password to
>>>access
>>>resources)
>>>
>>>We have the 2 configured network card topology for the lan. 1 Nic on
>>>server
>>>(Internet access, WAN, also behind a SOHO firewall), 1 Nic to the 3com
>>>hub/switch for the lan.
>>>All the PCs are connected to this 3com hub/switch, it's about 16 ports.
>>>Now I plugged the 3com Wireless access Point into one of the 16 ports to
>>>gain access to the LAN.
>>>
>>>The (4) machines that have now be switched to be member of the domain are
>>>not secured properly.
>>>A username/password is not prompted when trying to gain access to
>>>resources.
>>>You can open up the shared drives and folders on these machines with no
>>>problem.  I'd like to lock them down like the other two where a username
>>>and
>>>password is prompted.
>>
>> When you join a computer to a domain, you have to go back and look at
>> local
>> accounts, and remove all local accounts that don't belong.  Domain
>> membership
>> makes it easier to control access, only when you remove all local accounts
>> and
>> only use domain accounts.  Removing local accounts is up to you.
>>
>> If you have portable computers, you absolutely don't want to remove all
>> local
>> accounts.  Portable computers are a challenge, for many reasons.
>> <http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html>
>> http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html
>>
>> Controlling file sharing with a firewall, as primary protection, needs to
>> be
>> discussed.  If your firewall blocks all but your one subnet, and you
>> absolutely
>> control use of that subnet, this can work.  If the subnet involves WiFi,
>> and an
>> attacker can hijack an IP address on the subnet, he is past your firewall.
>> You
>> need solid authentication / authorisation setup too.
>>
>> WiFi bridged onto an office LAN is a security hole.  Are you using PSK, or
>> RADIUS?

>Good Afternoon Chuck,
>
>I saw an article somewhere but I can't find it about shutting off your
>wireless network at a certain time.
>Can you tell me of any good software programs that do that?  That is another
>way we can help protect it, have it online only during certain hours.

"Chuck [MVP]" <n***@example.net> wrote in message
news:c58tg3poa37qt6i2ld6hnu2d3m102kesla@4ax.com...
> On Thu, 11 Oct 2007 12:43:37 -0400, "Anthony Smith" <anth***@peconet.com>
> wrote:
>
>>"Chuck [MVP]" <n***@example.net> wrote in message
>>news:74spg35m32jhrd9vn3a06kalh9em1vnsr3@4ax.com...
>>> On Wed, 10 Oct 2007 08:39:26 -0400, "Anthony Smith"
>>> <anth***@peconet.com>
>>> wrote:
>>>
>>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>>news:l2dog3hp247u9rcb8v38eao39un8ftvb3u@4ax.com...
>>>>> On Tue, 9 Oct 2007 10:17:24 -0400, "Anthony Smith"
>>>>> <anth***@peconet.com>
>>>>> wrote:
>>>>>
>>>>>>"Chuck [MVP]" <n***@example.net> wrote in message
>>>>>>news:v7vkg3hb61mb081fks19bpinv21vcitofj@4ax.com...
>>>>>>> On Mon, 8 Oct 2007 12:49:25 -0400, "Anthony Smith"
>>>>>>> <anth***@peconet.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>Good Afternoon,
>>>>>>>>
>>>>>>>>We have a 3Com switch/hub(LAN) and just purchased a 3Com wireless
>>>>>>>>access
>>>>>>>>point that connects to the LAN.  I'm using WPA on it and I disabled
>>>>>>>>the
>>>>>>>>Broadcast feature.  I'm trying to secure the Windows XP workstations
>>>>>>>>as
>>>>>>>>much
>>>>>>>>as possible, along with our server.
>>>>>>>>
>>>>>>>>1) Is there a way to lock down Workstations/servers so that only
>>>>>>>>Workgroup/domain users can access the file and print sharing
>>>>>>>>folders?
>>>>>>>>The
>>>>>>>>reason I ask.  I used a laptop to connect to the Wireless LAN but
>>>>>>>>did
>>>>>>>>NOT
>>>>>>>>log into the domain with username/password.  But I was able to see
>>>>>>>>the
>>>>>>>>users
>>>>>>>>PCs and copy files and delete without having any domain
>>>>>>>>password/username.
>>>>>>>>That's not good, so I took the wireless LAN offline.
>>>>>>>>
>>>>>>>>2) Is there a way to limit the RANGE on the wireless access point?
>>>>>>>>Maybe
>>>>>>>>purchase an additional device to block the signal so it doesn't go
>>>>>>>>with
>>>>>>>>a
>>>>>>>>few feet of our office? I want to limit the amount of possible
>>>>>>>>intruders
>>>>>>>>by
>>>>>>>>not allowing access outside of the office building.  We have a small
>>>>>>>>office,
>>>>>>>>less than 10 users.
>>>>>>>>
>>>>>>>>I'm adding a wireless LAN to our existing wired LAN because any
>>>>>>>>additional
>>>>>>>>machines can be added with a wireless card.  Plus this machine I'm
>>>>>>>>trying
>>>>>>>>to
>>>>>>>>put in is not in an ideal location for a wired connection.  So I
>>>>>>>>want
>>>>>>>>to
>>>>>>>>try
>>>>>>>>wireless.  But it must be as secure as humanly possible. (smile)
>>>>>>>>
>>>>>>>>Thanks!
>>>>>>>>
>>>>>>>>Windows XP SP2 on PCs and Win2003 Server (SBS)
>>>>>>>>
>>>>>>>>Sincerely,
>>>>>>>>Anthony Smith
>>>>>>>>In God We Trust!
>>>>>>>
>>>>>>> Anthony,
>>>>>>>
>>>>>>> If you are going to provide coverage to your office, unless you use
>>>>>>> a
>>>>>>> lot
>>>>>>> of
>>>>>>> very low powered access points, you're going to have signal leakage
>>>>>>> outside your
>>>>>>> office (unless your office is spherical).  The low power signal that
>>>>>>> might
>>>>>>> be
>>>>>>> just enough to let your portable computers, with their low gain
>>>>>>> internal
>>>>>>> antennas, work, will be ample for an attacker with a high gain
>>>>>>> directional
>>>>>>> antenna.  It's best to concentrate on other security strategies.
>>>>>>>
>>>>>>> If you can access domain resources without being logged in to the
>>>>>>> domain,
>>>>>>> I'd
>>>>>>> bet the Guest account is enabled on the computers in question.
>>>>>>> That's
>>>>>>> the
>>>>>>> first
>>>>>>> thing that you need to do when setting up a secure network - disable
>>>>>>> Guest.
>>>>>
>>>>>>Thanks for the reply Chuck.  I checked my desktop and the guest
>>>>>>account
>>>>>>is
>>>>>>turned off.  I just connected someone's PERSONAL laptop to the
>>>>>>wireless
>>>>>>LAN.
>>>>>>This personal laptop doesn't have any user names or passwords for our
>>>>>>LAN.
>>>>>>It's connected with the PassKey, WPA.  Now I did a search for my
>>>>>>DESKTOP
>>>>>>and the personal Laptop found it.  I was able to open up the shared
>>>>>>drive
>>>>>>and view the files, BUT I couldn't delete anything.  What else do I
>>>>>>need
>>>>>>to
>>>>>>do to lock down the machines?
>>>>>>Now when I tried to access the Win2003 server(SBS) it asked me for a
>>>>>>user
>>>>>>name and password.
>>>>>>But the WinXP workstations does NOT ask for a user name and password.
>>>>>>Please advise.
>>>>>>
>>>>>>Thanks again for the help!
>>>>>
>>>>> My pleasure, Anthony.  Here we have a challenge, and that's what most
>>>>> helpers
>>>>> here enjoy.
>>>>>
>>>>> Try and give us an idea of the computer population there.  You say
>>>>> that
>>>>> you have
>>>>> SBS, and a domain?  How many computers there, in total?  How many
>>>>> domain
>>>>> members?  Is Guest disabled on all computers?  How many computers have
>>>>> you
>>>>> observed to be accessible, even from computers not logged in to the
>>>>> domain?  Do
>>>>> you maybe have a hidden Guest account, defined on the domain?
>>>>>
>>>>> Remember that we're not there in front of you, or peering at the LAN,
>>>>> so
>>>>> think
>>>>> of all of the details that we might ask you otherwise.
>>>>> <http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html>
>>>>> http://nitecruzr.blogspot.com/2005/06/background-information-useful-in.html
>>>>>
>>>>> And think about how to solve problems.
>>>>> <http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
>>>>> http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
>>>
>>>>Good Morning,
>>>>
>>>>Ok I found out more information on the problem.  Most of the
>>>>workstations
>>>>were members of a workgroup and not domain.  However there were two WS
>>>>that
>>>>were a member of the DOMAIN.  Those are two of the newest machines added
>>>>to
>>>>the network and I configured them differently. I used the
>>>>http://servername/connectcomputer feature that comes with SBS and it
>>>>configured it automatically to be a member of the domain.  And guess
>>>>what?
>>>>These two machines cannot be accessed from the wireless lan unless you
>>>>supply a password.  When I search for any of these two machines and it
>>>>finds
>>>>it, when I double click on it, it asks for a password.  (It does this
>>>>for
>>>>the actual server too)
>>>>
>>>>So I changed the other PCs to be members of the domain instead of
>>>>workgroup.
>>>>I checked the Windows firewall settings also on XP and it states it is
>>>>using
>>>>the domain settings. (before I switched it was saying non-domain
>>>>settings)
>>>>So it IS using a the group policy for the domain like the (2) other
>>>>machines.  BUT I can still access these other XP machines on the
>>>>wireless
>>>>without supplying a username/password.
>>>>
>>>>Desktops Not Secured properly: 4
>>>>Desktops Secured Properly: 2 (wireless users MUST supply password to
>>>>access
>>>>resources)
>>>>
>>>>We have the 2 configured network card topology for the lan. 1 Nic on
>>>>server
>>>>(Internet access, WAN, also behind a SOHO firewall), 1 Nic to the 3com
>>>>hub/switch for the lan.
>>>>All the PCs are connected to this 3com hub/switch, it's about 16 ports.
>>>>Now I plugged the 3com Wireless access Point into one of the 16 ports to
>>>>gain access to the LAN.
>>>>
>>>>The (4) machines that have now be switched to be member of the domain
>>>>are
>>>>not secured properly.
>>>>A username/password is not prompted when trying to gain access to
>>>>resources.
>>>>You can open up the shared drives and folders on these machines with no
>>>>problem.  I'd like to lock them down like the other two where a username
>>>>and
>>>>password is prompted.
>>>
>>> When you join a computer to a domain, you have to go back and look at
>>> local
>>> accounts, and remove all local accounts that don't belong.  Domain
>>> membership
>>> makes it easier to control access, only when you remove all local
>>> accounts
>>> and
>>> only use domain accounts.  Removing local accounts is up to you.
>>>
>>> If you have portable computers, you absolutely don't want to remove all
>>> local
>>> accounts.  Portable computers are a challenge, for many reasons.
>>> <http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html>
>>> http://nitecruzr.blogspot.com/2005/05/have-laptop-will-travel.html
>>>
>>> Controlling file sharing with a firewall, as primary protection, needs
>>> to
>>> be
>>> discussed.  If your firewall blocks all but your one subnet, and you
>>> absolutely
>>> control use of that subnet, this can work.  If the subnet involves WiFi,
>>> and an
>>> attacker can hijack an IP address on the subnet, he is past your
>>> firewall.
>>> You
>>> need solid authentication / authorisation setup too.
>>>
>>> WiFi bridged onto an office LAN is a security hole.  Are you using PSK,
>>> or
>>> RADIUS?
>
>>Good Afternoon Chuck,
>>
>>I saw an article somewhere but I can't find it about shutting off your
>>wireless network at a certain time.
>>Can you tell me of any good software programs that do that?  That is
>>another
>>way we can help protect it, have it online only during certain hours.
>
> Anthony,
>
> I've never been a fan of shutting down / shutting off / reducing signal
> strength
> / what have you, to protect yourself.  You'll only inconvenience yourself,
> and a
> hacker may just need a few minutes while you are online, or be able to
> compensate otherwise and use your facilities no matter what you do.
> <http://nitecruzr.blogspot.com/2005/05/security-by-obscurity.html>
> http://nitecruzr.blogspot.com/2005/05/security-by-obscurity.html
>
> Compare the signal power and sensitivity of your typical laptop based WiFi
> device, to a high gain / high power WiFi unit used by an attacker, in a
> van
> parked outside your building.  An attacker doesn't even care about high
> bandwidth, which your legit network user would require when viewing a web
> page,
> from his laptop.  He'll just want a signal, and with a high gain
> directional
> antenna won't need all that much signal either.
>
> If your WiFi is based on a WiFi access point, you need the access point to
> have
> a timer, or the access point has to be controllable by software that
> contains a
> timer.  I don't know of software to do that offhand, but in this case
> Googling
> for it shouldn't be difficult.  But note my objections above.
>
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My        email         is          AT         DOT
>   actual       address    pchuck       mvps        org.