Re: Domain security and dial-up
From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 05/01/03
- Next message: Frank Pappajohn: "Re: Dialup users can't access SOME resources"
- Previous message: Brad Pears: "Problem with group security"
- In reply to: Linda: "Re: Domain security and dial-up"
- Next in thread: Linda: "Re: Domain security and dial-up"
- Reply: Linda: "Re: Domain security and dial-up"
Date: Thu, 01 May 2003 15:02:17 GMT
They probably would not have a direct route to the server, since the
users dialing into the internet would be assigned a public IP address for
that connection and AFAIK W98 computers will not route between networks. But
there still are risks, especially if you have file and print sharing enabled
on those dial-up computers. A hacker may be able to guess user
name/passwords and access/modify shares on that computer, and then know a
user name/password for the domain. W98 uses weak LM authentication which can
easily be cracked. It would be wise to put personal firewalls on those
computers to block all inbound access (except connections initiated by LAN
computer). I use Kerio, and the configuration for it can be password
protected so the user cannot change it to run their chat program, etc. Of
course on a W98 computer it can be very difficult to keep a knowledgeable
user from uninstalling/disabling a personal firewall. W98 is basically very
unsecure. Also look into installing Active Directory Client on W98 computers
and modifying the registry to force them not to use LM authentication, and
possibly use SMB signing on your network. I would suggest enabling log
on/off auditing on your W2K server. See FAQ about securing your W2K
server.
--- Steve
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewalls
http://www.petri.co.il/ad_client_for_win98_nt.htm
http://www.ntfaq.com/Articles/Index.cfm?ArticleID=15219
"Linda" <0203@comcast.net> wrote in message
news:yp2sa.753$Mj1.186919@news.uswest.net...
>
> Thanks Stephen,
>
> I am not as concerned about a virus on a client even though I know they can
> be spread throughout the network and cause havoc that way, and I know that a
> dial-up receives a new IP address each time it connects. There will be a
> virus scan product in use on the clients.
>
> My concern is more with .. If someone stumbles upon (yeah . a hacker) the
> dial-up connection is there an 'open door' to the server? So say one of
> the client computers is on the Internet and they forget to close their email
> when done. The connection could last several hours. So say they also have a
> mapped drive to the server and no firewall. Is the server vulnerable to
> attack? Could someone copy, delete or corrupt data?
>
> Sorry, I did not mention that NTFS is not a possibility on the client
> machines as they are Win 98 and are not due to be upgraded at this time.
> NTFS would make it much more secure.
>
>
> Linda
>
> "Steven L Umbach" <n9rou@attbi.com> wrote in message
> news:4C0sa.684062$L1.198430@sccrnsc02...
> > Access to the internet is always a concern. Dial up is a bit less,
> > because of not being the 24/7 high speed link that hackers love. That said
> > the usual precautions are in order. The internet computers should have
> > personal firewalls on them that are configured to control access to inbound
> > and outbound traffic. All computers need to have virus protection that is
> > kept up to date as far as virus definitions are concerned, with regular
> > virus scans scheduled. The virus protection needs to scan inbound and
> > outbound emails. Email attachments are probably going to be one of your
> > greatest risks for virus attacks. Be sure to set up shares to have minimum
> > NTFS permissions needed by the users to do their job.
> > --- Steve
> >
> > "Linda" <0203@comcast.net> wrote in message
> > news:X3Zra.729$Mj1.120444@news.uswest.net...
> > > I am getting ready to install a Win 2000 server and move the existing
> > > workgroup clients to domain clients. Several, 3 of the 6, existing clients
> > > have Internet access through their modems to the Internet for email and
> > > surfing. Is this modem access a security concern?
> > > The clients will have a mapped drive to the server for a shared data
> > > application.
> > > The server will not have Internet access at this time.
> > > I am not sure at this point if the clients will have their drives shared to
> > > the network although I know that the printers on the clients are shared and
> > > will be when they are moved to the domain.
> > > I plan to use only the TCP protocol and remove all others.
> > > Will the clients dialing-in to the Internet through their ISP create a
> > > security hole where someone could access or destroy information on the
> > > server?
> > > Thank you for any information you can supply,
> > > Linda
> > >
> > >
> >
> >
>
>
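The logon auditing suggested in the reply above can be reviewed for bursts of failed domain logons coming from one workstation, which is what password guessing through a dial-up client would look like on the server. This is an added example, not part of the original post: it assumes a simplified, constructed CSV export of the Security log and the Windows 2000 event IDs 529 (failed logon) and 528 (successful logon); the function names, field layout and thresholds are illustrative.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (not real data): time, event id, account, logon type, source.
# Logon type 3 is a network logon, e.g. a client opening a mapped drive.
SAMPLE = """\
2003-05-01 08:55:10,529,linda,3,WS98-01
2003-05-01 08:55:25,528,linda,3,WS98-01
2003-05-01 09:00:00,529,bob,3,WS98-04
2003-05-01 10:30:00,529,bob,3,WS98-04
2003-05-01 12:00:00,529,bob,3,WS98-04
2003-05-01 14:00:05,529,jsmith,3,WS98-02
2003-05-01 14:00:09,529,jsmith,3,WS98-02
2003-05-01 14:00:14,529,jsmith,3,WS98-02
2003-05-01 14:00:20,528,jsmith,3,WS98-02
2003-05-01 14:05:01,529,administrator,3,WS98-03
2003-05-01 14:05:03,529,administrator,3,WS98-03
2003-05-01 14:05:06,529,administrator,3,WS98-03
"""

FAILED, SUCCESS = "529", "528"  # W2K Security log event IDs

def parse(text):
    """Turn the assumed CSV export into time-ordered tuples."""
    rows = []
    for ts, event_id, account, logon_type, source in csv.reader(StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rows.append((when, event_id, account.lower(), logon_type, source))
    return sorted(rows)

def flag_guessing(rows, threshold=3, window=timedelta(minutes=10)):
    """Return {(account, source): status} for bursts of failed logons."""
    failures = defaultdict(list)
    findings = {}
    for when, event_id, account, _logon_type, source in rows:
        key = (account, source)
        if event_id == FAILED:
            # Keep only failures still inside the sliding window.
            failures[key] = [t for t in failures[key] if when - t <= window] + [when]
            if len(failures[key]) >= threshold:
                findings.setdefault(key, "failures only")
        elif event_id == SUCCESS and key in findings:
            # A success after a flagged burst deserves a password reset.
            findings[key] = "failures then success"
    return findings
```

A single mistyped password (linda) and failures spread over hours (bob) stay below the threshold; only the tight bursts are reported.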