Networking
Peer Security: A Case Study
In order to better understand how security can work in a peer environment, lets look at the ACME Products network.
The network consists of five workstations. Four are Windows 95/98 and one is Windows NT using NTFS.
Bugs is the President of the company, and has a private office.
There are two printers; one is in Bug's office and the other is attached to the Support1 computer. The printers are otherwise equivelent in speed and printing capabilities. Elmer, Sylvester, and RoadRunner all use the Support1 computer.
Other than these facts, this is a basic peer network.
Computer Name |
User Name |
Operating System |
Workgroup Name |
Files Shared |
Share Name |
Access Level |
Sales1 |
Bugs |
Windows95 |
Sales |
C:\Word\word.exe Xerox printer |
Word Printer1 |
Read-Only Full Control |
Sales2 |
Daffy |
Windows95 |
Sales |
C:\Financial |
Spreadsheets |
Full |
Shipping1 |
WileE |
Windows98 |
Shipping |
C:\FedEx\History |
FedEx Notes |
Read-Only |
Accounting1 |
Tweety |
Windows98 |
Accounting |
C:\ CD-ROM drive |
C CDROM |
Full Full |
Support1 |
Administrator |
WindowsNT |
Support |
C:\Website C:\TechNotes |
OurWebsite Customer Helpfiles |
Full Control No Access |
The Problems
Creating a secure network is a hard (some would say impossible) thing to do in a vacuum. But based on the chart above, what we know about the physical setup, and the relationship between the users; the ACME network has some serious problems.
Printers availability.
There is only one printer available to the network users. The description of the network mentioned two printers: one attached to Bug's computer and one attached to the Support1 computer. But the only one being shared is Bug's. And that is in a private room. So how do users print reports, labels, invoices, and all the other things that an office needs?
There are four workgroups for a network of only five computers.
A workgroup exists to provide a logical grouping of resources. Commonly used information and devices are shared among computers in that workgroup.
If every computer in the office uses that same printer, databases, and CD-ROM drive why are they all in different workgroups?
Microsoft Word (the program) is being shared.
This is software piracy. Each machine needs it's own copy of Word. And installing the same copy on each computer doesn't solve the problem either. That's theft, too.
The sales spreadsheets are fully accessible to all users.
Does everyone really need to know this information? Does everyone need to have the right to change this information? Given that we know about the relationship between Elmer (a network user on the Support1 machine) and Daffy, maybe isn't not a good idea that Elmer be able to edit, delete or even see the information about Daffy's sales work.
Tweety is sharing his entire C:\ hard drive.
By placing the share at this level, everything on this drive is available to all other network users. Every other user has Full rights to the entire drive. If Tweety is storing payroll records on this drive, everyone in the network can see and change them. This makes it possible for WileE to enter the payroll database and change RoadRunner's salary.
The Support1 computer is using the Administrator user name.
WindowsNT allows for the creation of multiple user accounts. The default account of Administrator provides full control over every aspect of the machine. But its existence is commonly known. So users attempting to hack into an NT machine will try to use this account first.
The Support1 computer is WindowsNT.
WindowsNT can create the most secure desktop in a peer environment, provided that NTFS is used. But is its security really needed on the support workstation?
The Helpfiles share is off limits to everyone.
Why create a share and then deny access to all users? If you don't want to allow access to network users, don't create the share.
Now on to the solutions for these problems.
|