
Securing the Network – Chapter 1
This is Part 4 on Securing Your WHS & Network. We hope that we are providing a comprehensive explanation of computer security as it relates to your Windows Home Server and network.
We introduced many terms and technologies in Parts 1 through 3 and there are many references made to those parts. We strongly recommend that you read our previous posts before continuing with Part 4.
We have classified network threats into three major categories:
- computer user threats
- general network threats
- network topology threats.
Part 4 addresses the computer user threat areas and the functions that the administrator needs to perform to mitigate them. General network threats are addressed in Part 5 and network topology threats in Part 6.
The Network Administrator
People pose the greatest threats to the network, computers, and the files stored on the computers. These threats can come from legitimate users or unauthorized people. Managing these threats is a delicate balance of restricting improper use while permitting authorized users to use the computer.
Each network needs a person whose responsibility is to administer and manage threats. The administrator must permit legitimate use of computers and the network in a way that is proper and safe. The administrator allows the user to access files, programs, and resources according to their needs. Most importantly, the administrator must have a way to deal with accidents caused by users and environmental threats. The administrator should be involved with the risk assessment and physical security threats identified in Parts 1 through 3.
The specific tasks of the administrator are explained throughout the rest of this series. As we identify threats, we will describe the role that the administrator plays in their management and mitigation.
Computer User Threats
Access to the computer and other resources connected to the network must be limited to authorized users. Each person who is authorized to access a computer and network resource should have a user account and a password. The user account is used to identify the user and manage their access to files, programs, printers, and the Internet. Both homes and small businesses need to place restrictions based on the user. For example, each employee is permitted to access only those files that are necessary to support their job function. Children must be restricted from accessing websites that contain adult content. Each network user needs limits on which files they can read, change, or delete. Additionally, as the number of users increases, more control is needed to limit what they can access and to manage the accidental deletion of files or disclosure of information.
When a person needs to access a computer, the administrator creates an account on the computer, sets a password, and sets parental controls. If the person needs to use more than one computer, the administrator must create an account on each computer that they are permitted to use. People who use more than one computer are called roamers.
The User Accounts and Family Safety group in Control Panel is used to add a user account. The administrator clicks on the Add or remove user accounts option.

Next the administrator clicks the Create a new account option. Note that in this example the Guest account is turned off. We recommend that the Guest account on all computers be turned off.

The administrator creates a name for the user. This is the same name that is used by Windows Home Server. We recommend that the account be identified as a standard user.
The account name must be unique on the computer. For example, if the first name of the person is used as the account name and there are two people with the same name, there is a problem because a computer cannot have more than one account with the same name. Usually for home networks, first names are used; or “Mom”, “Dad”, and the first name of the children. For small businesses the initial of the first name plus the last name is often used. Spaces are not permitted for the account name.

The password for the user account should be one that can be remembered by the user and should include numbers, randomly capitalized letters, and characters such as !@#$%^&. Passwords should not be ones that can be easily guessed, like pet or children’s names, address, social security number, hobby, license plate, etc., because they decrease the overall security of the computer and network. We recommend that the administrator assign the password after creating the account.
The user can change the password if desired. The user can write the password on a piece of paper. Instruct the user to properly hide it in a secure area. Written passwords should not be “hidden” under the keyboard or placed in obvious areas like the top desk drawer. Managing password security is important for homes and becomes more important for small businesses.
Small businesses have a fiduciary responsibility to protect the computers and network from unauthorized use. Even though employees may be trusted as being like family, there are many cases where the trust was misused. Without actively supporting password security the network is left vulnerable to attacks by disgruntled employees or unauthorized snooping by employees.

The administrator uses parental controls to restrict what the user is permitted to do on the computer. Vista can restrict certain web activity, enforce time limits, control access to games, and allow or block specific programs. We recommend using these settings to protect children or to restrict employee access. We will discuss in greater detail in future blogs how to use WHS to enhance security using parental controls.

The user account is necessary regardless of the network topology. When a user wants to use a computer, they click on their account name and enter their password. If the password matches, the user is authenticated as an authorized user and is permitted to use the computer as defined by the administrator. This user name and password combination uniquely identifies a user.
The administrator needs to inventory each computer and identify devices or files that need to be shared. Sharing should be minimized as much as possible. Usually devices like printers are shared with other users on the network. Files may need to be shared; however, we do not recommend creating drive or directory shares on the computer. Rather, we recommend that shared folders be created on the Windows Home Server and access to those folders be controlled by the WHS. Because the WHS is usually available at all times, we recommend that, where practicable, all printers be connected to and shared by the WHS.
People who use more than one computer pose a problem. They have files scattered on each computer they use. This is usually a reason why shares are created on the computers so that the roamer can access their files. To address this issue we recommend that the user’s personal shared folder on the WHS be used to store user files. Programs such as Microsoft Office can be configured to save all files to the personal shared folder. Change the “default file location” to the personal shared folder on the WHS. In the following example, the drive letter “U:” for “User” is mapped to \\<ServerName>\Users, where <ServerName> is the name of the WHS computer. We recommend doing this for each Office product and roaming user. We will discuss in later blogs how to use functions such as Sync Center to provide additional backup.
After it has been determined that a user is permitted access to restricted information, it must be determined what that person can do with the information. Think of the acronym CRUD, which stands for create, read, update, and delete. Each of these actions must be defined for every computer user and every file. It is easy to realize that protecting your files can quickly become an impossible task. Many of us lack the resources available to larger businesses to add a level of security to address this task. Large businesses use network operating systems to manage user access to files, servers, other computers, printers and other network resources.
Microsoft has recognized that many homes and small businesses have networks but lack the resources, both money and manpower, to purchase a network operating system and backup solutions that provide a greater level of security. Windows Home Server is based on software used by many large corporations but is customized to address the specific needs of homes and small businesses.
The advantage of using Windows Home Server is that it ensures the password is consistent on all computers that the user is authorized to use. If, for example, a roaming user changes their password on one computer, it is also changed on the WHS. Then, when the user accesses another computer, WHS will remind the user that the password on that computer does not match and give the user an opportunity to change the password on that computer.
Small businesses may need to control access to information based on job function. We recommend that shared folders be created on the WHS to address this requirement. In this way, each user can be given full, read, or no access to the folder.
The greatest benefit WHS provides is centralized backup of all computers that are connected to it. This service alone makes it worthwhile to purchase the server software. It also provides user access management and is a central repository for media and personal files. It does, however, require an x86-based computer for the exclusive use of the server.
In later parts of this series we will discuss in greater detail how WHS functions can be used to enhance security.
Home Server Land’s Recommendation:
We at Home Server Land make the following recommendations to enhance the security of your computers and local area network against computer user threats.
- Use the WHS to perform backups of all computers;
- Make sure that every computer has anti-virus software installed and that Windows Firewall or other personal firewall software is installed;
- Assign an account to each person on each computer they are permitted to use;
- Passwords should be complex enough so that they cannot be easily guessed by others but can be easily remembered. Passwords that are written should be properly secured;
- Use the personal shared folder on the WHS for each person that uses more than one computer;
- Additional shared folders can be created on the WHS to address the sharing needs of the home or small business; and
- Each person’s account should be “limited” or below. The Administrator account should only be used to install and update software and never be used in the day-to-day use of the computer.
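The account and sharing recommendations above can be checked on each computer with a short read-only script. This is an added example, not part of the original post; it assumes Windows PowerShell with WMI access, and the `$InstallOnlyAdmins` list is a hypothetical setting whose value is a placeholder.

```powershell
# Added example: read-only audit of one computer against the recommendations above.
# Run in an elevated Windows PowerShell prompt on each computer (uses WMI only).
# ASSUMPTION: $InstallOnlyAdmins holds the account names the administrator
# reserves for installing and updating software; 'Administrator' is a placeholder.
$InstallOnlyAdmins = @('Administrator')

# Local accounts only.
$accounts = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")

# Built-in Administrators group, found by its well-known SID (S-1-5-32-544)
# so the lookup also works where the group name is localized.
$adminGroup = Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$adminSids  = @($adminGroup.GetRelated('Win32_UserAccount') | ForEach-Object { $_.SID })

$report = foreach ($a in $accounts) {
    $enabled = -not $a.Disabled
    $isAdmin = $adminSids -contains $a.SID
    $issues  = @()

    # The built-in Guest account always has a SID ending in -501.
    if ($enabled -and $a.SID -like '*-501') { $issues += 'Guest account is turned on' }

    # PasswordRequired = False means the account is allowed a blank password.
    if ($enabled -and -not $a.PasswordRequired) { $issues += 'blank password allowed' }

    # Day-to-day accounts should be standard users.
    if ($enabled -and $isAdmin -and ($InstallOnlyAdmins -notcontains $a.Name)) {
        $issues += 'administrator rights on a day-to-day account'
    }

    New-Object PSObject -Property @{
        Account       = $a.Name
        Enabled       = $enabled
        Administrator = $isAdmin
        Issues        = ($issues -join '; ')
    }
}
$report | Select-Object Account, Enabled, Administrator, Issues | Format-Table -AutoSize

# Folder shares defined on this computer (Type 0 = ordinary disk share; the
# administrative C$ / ADMIN$ shares have a different type and are skipped).
# The post recommends keeping shared folders on the WHS instead.
Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```

An empty Issues column for every enabled account, and an empty share table, means the computer matches the recommendations the script covers; password strength itself cannot be read back from Windows and still has to be managed by the administrator.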
Now that the threats associated with users on the network are identified, it is time to update the security plan and implement measures to mitigate each threat. We have developed the Computer User Threats Guide to assist with the identification of the threats discussed in this section and the methods that can reduce them. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and as a basis to manage them. Both documents are attached at the end of this blog.
Summary
Now that we have identified the risks associated with computer users, Part 4 of Securing Your WHS & Network is concluded. We identified the tasks that the administrator needs to perform to control access to a computer and network. Password management is a necessary part of the security plan and provides the day-to-day defense of computers and the network.
In Part 5, we will continue with the next chapter in securing your network. We will analyze the general network and identify the associated threats and vulnerabilities.
In the meantime, we invite your ideas, questions, and discussion in response to this blog.
Attachments
Continue to Part 5 – General Network Threats

