This is Part 12 on Securing Your WHS & Network. Threats and risks can be experienced with the use of Windows Home Server's Remote Access to computers on the local network. Allowing access to computers on the WHS network via the Internet requires more restrictions to the local access security plan. The administrator must identify who is permitted to log on to the WHS and who can remotely access their computer.
Parts 10 and 11 addressed threats and vulnerabilities that can be experienced by allowing users access to your files via the Internet. We focused on methods to protect your Windows Home Server and networked computers from unauthorized use.
There is no doubt that having the convenience to access the files on your computer while you are away from the home or office is priceless. We all have experienced when we needed a file but were too far away to physically retrieve it. The price paid for this convenience is the opening of your computer to additional threats and unauthorized access.
When a user logs on to the Windows Home Server with an Internet browser, it is considered to be a remote access connection. Depending on how the account is configured, the remote access can be restricted to select shared folders on the WHS, remote access to your computer on the local network, or a combination of both.
User that are permitted access to home computers can click on the Computers tab and see a list of computers that are connected to the local network. This does not guarantee that the user can access a computer. For example, remote computer access is not available to the Windows Home versions, computers that are powered off, or in a sleep state. It is possible that while in the sleep state the computer either does not support the wake on LAN (WOL) or WOL is not properly configured. If the computer falls in one of these categories, remote access cannot help to get file that is needed.
Extreme care must be taken when permitting remote access to computers that are connected to your WHS network. Take in to consideration the computer that you will use for remote access. This computer should be one that can be trusted. Trust is a combination of who owns, configures, and uses the computer.
A computer that is your own laptop and is a member of your WHS network has the highest degree of trust. In this case, this may be your laptop so you know who owns it. You might be the person who has configured the software environment including the anti-virus software. You might be the primary user of this laptop or that you personally know the people that use it.
When using a computer that is not a member of your WHS network you must evaluate how well you can trust it. If you know the owner, who configured it, and who uses it, your level of trust can be relatively high. The less you know about the computer the level of trust is reduced.
One should not use computers that are available to the general public for remote computer access. The threats and vulnerabilities that are identified in Parts 9 and 10 are extremely high. There are significant concerns regarding the software programs that are running on the computer. It is possible that a virus or sypbot program may have circumvented the anti-virus system and is collecting URLs, user names, and passwords. This information can be used by a hacker to break in to your WHS.
After determining the level of trust, consider how this computer is connected to the local network. Parts 5 and 6 describe the different topologies and types of networks. A network can be wired using Ethernet connections, wireless, or combinations of both. The network itself can be private or public. The level of security varies depending on topology and type. A private wired network can be significantly more secure that a public wireless network.
After a successful authentication with the WHS, the connection between the computer and WHS is secured with the HTTPS protocol. However, the greatest concern is the security of the connection within the local network. A private wired network is going to be more secure than a public wired network because there is less of a chance that a hacker has access to the private network. All wireless connections should be secured with WPA2 or WPA encryption and use a strong passcode.
Unless there is a high level of trust with the computer used for remote access and knowledge of the security of the local network, we do not recommend permitting remote access to computers on your WHS network.
There is an alternative to remotely accessing a computer for a file. The WHS can be used as a file server to save your files. The WHS is always powered on and authorized users can remotely access their personal folder on the WHS. Properly configured, it may not be necessary to access any computer on the local network.
The administrator should perform an analysis as to what types of programs and files are being used by each user on the local network. The majority of users use an Internet browser, email, word processing, spreadsheet, presentation graphics programs, and games. The files associated with these programs usually are stored in "My Documents" (XP) or "Documents" (Vista) by default.
When it has been determined that a user needs only access to their files, there are several alternative methods that can be used to support the user's needs. They include configuring Windows and programs to change the default file location, use Synchronization or Sync Center, or copy files from the user's hard drive to the WHS. The following describes the different alternatives.
This is an alternative that can be used for all Windows and Mac operating systems. In Part 4 we discussed methods to allow a person who has user accounts on two or more computers to access all their files. The majority of these files are associated with an office suite that includes word processing, spreadsheets, and graphics. The suite can be configured to change the default file location where files are saved. Usually the default file location is "My Documents" (XP) "C:\Documents and Settings\<UserName>\" or "Documents" (Vista) "C:\Users\<UserName>\". To change the default file location using Microsoft Word, click the Office Orb, click on the Word Options button, and click the Save option in the Word Options dialog box.
In this example, the "U:\" drive is mapped to "\\<ServerName>\Users". It is not necessary to map a drive to a letter, rather "\\<ServerName>\Users\<UserName>\" could be typed in the default file location instead.
The advantages of this method are that the WHS is used as a file server for office documents. If there are two or more disk drives in the WHS drive pool, a copy of the file is made on another drive. The user can create and modify files without regard to the computer they use. The user can access their files by remote access to shared folders.
The disadvantages to this method are that the default file location must be changed for each office suite component and the user must be instructed to look for their files on their share on the WHS. This is both time consuming and prone to user errors. The user is accustomed to find their files in "My Documents" and has to be retrained to look on the WHS for their files.
This is a method that is not available to Windows Home Editions. Synchronization (XP) or Sync Center (Vista) can be used to automatically make a copy of files to the user's folder on the WHS. Sync Center can be opened with the Start | All Programs | Accessories or the Control Panel. The following shows the Sync Center (Vista) in the Control Panel.
If this is the first time you have entered Sync Center, click the icon for "Offline Files". In the bar above, a Set up button appears. Click it and a message appears for the Offline Files Setup. Click the Close button.
Next, open Windows Explorer and navigate to the WHS folder that you want as a destination for the files that are to be synchronized. Right click on the folder and click the Always Available Offline option. In the example below the files contained in the user's "Documents" folder is selected.
When synchronization is enabled, the contents of the user's "Documents" folder on the computer's hard disk drive are copied to the user's "Documents" folder on the WHS. All files in the "Documents" folder are stored on the user's hard drive and on the WHS.
The synchronization can be scheduled to run at selected days and times. The major advantage to setting a schedule is that Sync Center automatically performs the synchronization as a background task and the files on the WHS are up-to-date. The major disadvantage is that Sync Center is not available for non-Windows operating systems and Windows Home versions.
This is an option that can be done only in Vista except for the Home versions. A slight alternative to the synchronization method is move the folder to the WHS. To move a folder open Windows Explorer and navigate to your folder you want to move. Next open the properties for a folder you want to move and click on the Location tab.
Replace the path to \\<ServerName>\Users\<UserName>\<FolderName>\. In our example we would enter \\Earth\Users\Chuck\Links. It is more straightforward to type the path rather than use the Find Target... button. Click the OK button.
If the folder does not exist, a "Create Folder" window will ask to confirm the creation of the folder. Click the Yes button.
The "Move Folder" window asks to confirm moving all files to the new location. Click the Yes button.
All files in the folder are then moved to the new location. The folder's icon is changed to include the Sync Center icon. When this folder is opened, the files in the new location are displayed.
There are several environmental variables that are set by the Windows OS after a successful log on to the computer. They are "USERNAME", "USERPROFILE", "HOMEDRIVE", and "HOMEPATH". The "HOMEDRIVE" variable is set to the drive letter where the Windows OS is installed. Usually the value is "C:\".
These variables are what the Windows OS uses to display "My Documents" (XP) or "Documents" (Vista). "My Documents" or "Documents" does not exist as a folder on the hard disk drive. It is a virtual folder that is based on the user log on. For example if "Chuck" is entered as the user name, the log on routine sets the "USERNAME" variable to "Chuck". The "HOMEPATH" variable is set to the constant value of "C:\Documents and Settings\<UserName>\" (XP) or "C:\Users\<UserName>\" (Vista), where <UserName> is the value of the "USERNAME" variable. The "USERPROFILE" variable value is set by combining the value of "HOMEDRIVE" plus the value of "HOMEPATH"; or "C:\Documents and Settings\Chuck\" (XP) or "C:\Users\Chuck" (Vista).
The following is an example of displaying the environmental variables in Vista. Click the Start Orb, select the "Run" option, and type "cmd" to open a DOS window. Type "set" and press the Enter key. The following identifies the four environment variables.
Another alternative is to use the DOS "xcopy" command to copy all of the user's files including all the sub-folders. The DOS command is:
xcopy %USERPROFILE% \\<ServerName>%HOMEPATH% /m/s/e/i/y/q
This command is read as follows.
Open Notepad and type the DOS command. The following is an example where the WHS server name is "Earth". Enter the name of your WHS. The first line is a remark, thus it starts with "REM". In XP, save the file to the root directory or "C:\" and name it "Backup Personal Files.bat". Vista will not permit a program to save a file to the "C:\" drive. Save the file to your local folder and by using Administrator authority, copy the file to the "C:\" drive.
The reason to save the "Backup Personal Files.bat" file in the "C:\" or root directory is so that the batch file is available to any user that logs on to the computer. Using the environmental variables means that this is a generic batch program that requires no alteration to match the user path with the user name.
The next step is to schedule this file to run at selected days and times. The major advantage to setting a schedule is that the computer automatically executes the command and the files on the WHS are up-to-date. The disadvantage is that the user must be logged in to the computer for the schedule to run.
To access the task scheduler, administrative authority is required. Open the "Computer Management" program from the "Administrative Tools" menu. Click on "Task Scheduler" then "Create Basic Task...". Complete the wizard. After completing the wizard, the task can be modified using the advanced options. The following is an example of creating a basic task.
If this computer is used by more than one person, create another task using the "Create Task" method and use the Trigger of "At log on" to run the batch file. This will ensure that the user's files are synchronized when they log in.
A VPN is a virtual private network that is based on a trust relationship between the firewall router and a computer. Usually VPN client software is purchased from the same manufacturer of the router and is installed on the computer. The router acts as a server and creates a secure connection when the client computer successfully logs on to the router. The traffic between the client computer and the router is encrypted.
Using a VPN authenticates the user at the router. Unless user authentication is successful, no traffic is permitted on the local network. This method is the most secure alternative when local network users require remote access to the network. The cost of the client software ranges between $20 to $50 depending on the manufacturer and the number of client licenses purchased. A VPN is practical when one or two users absolutely require remote access to their computer.
A VPN is not practical when hosting a public website or when a large number of "Family" and "Friends" are permitted access to the WHS. In this case, the WHS remote file access method is both cost effective and provides an adequate level of security.
We recommend that the only reason to grant a user remote access to computers is when the user must run a software program while away from the WHS network and there is no alternative method to run the program. There are also other reasons to permit this type of access.
There are some households where an adult child is the administrator of their parent's WHS and network. If your parents are like mine, remote access to their WHS and computers is a necessity. In this case we highly recommend purchasing a firewall router like the SonicWALL TZ-180 and institute strong password security.
Part 2 introduced the network router and explained its general functionality. Part 5 explained how to configure the WAN, LAN and DHCP settings of the router. Parts 9 and 10 explained how to configure HTTP and HTTPS rules.
To allow computers to establish a secure remote access connection to the WHS and local computers via the Internet, an inbound rule must be created in the router for the Remote Access protocol. Port 4125 is the Internet port that is used by the WHS. This rule permits Remote Access traffic to reach the WHS. The five major components to the rule are as follows.
This is an example of defining a Remote Access rule using a SonicWALL TZ-180 router. Defining a rule in this router requires associating a service with the rule. Port 4125 is not defined as a service; therefore, a service to identify the protocol and port must first be defined for the WHS Remote Access. Click Firewall then click the Services option. Scroll to the bottom of the "Services" table and click the Add... button.
Enter a name for the service. In our example we enter WHS Remote Access. Select TCP(6) for the protocol and enter 4125 for the port range. Click the OK button to add the service.
Next an access rule must be defined. Click the Access Rules option in the Firewall section then click on the configuration icon at the intersection of WAN and LAN.
Next, click the Add... button and select the choices for service, source, destination, users, and schedule as follows. Enter a comment and click the OK button to save the remote access rule.
In this example, the rule forwards any request received from the Internet port 4125 to the assigned private IP address of the WHS using the private port 4125. The purpose of this rule is to permit the router to forward Remote Access requests on port 4125 to the WHS for it to respond.
If a VPN is used, follow the manufacturer's instructions as to the information needed to create a rule, identify client users, VPN policies, and tunneling configurations.
We at Home Server Land make the following recommendations to enhance the security of computer and your privacy as it applies to remote computer access threats.
This blog identifies threats that are associated with remote computer access. The security plan should be updated to identify threats specific to your WHS and network and address methods to resolve the threats. We have developed the Remote Access Threats Risk Assessment to assist with the identification and methods that can reduce threats we identified. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them. Both documents are attached at the end of this blog.
This concludes Part 12 of Securing Your WHS & Network. We identified the risks and vulnerabilities that are associated with remote computer access. We suggested several alternatives that can be used to discourage the need for remote computer access. A VPN should be used as the most secure method to access computers remotely.
In Part 13, we will identify threats associated with the FTP or file transfer protocol. We identify the role of the administrator and how the WHS secures access to the files.
In the meantime, we invite your discussion in response to this blog.
Great series of posts!
You said that moving location can be done only in Vista. In fact it can also do it with my XP Pro but only for "My documents".
To move the folder open Windows Explorer and navigate to "My document" folder. Next open the properties for the folder and click on the first tab (named "cible" in French, maybe it is named "target").
Do you recommend moving "My document" to WHS \\<ServerName>\\users\<username>?
Doing that, the Xcopy method seems not necessary.
@Brice you can move your My Documents directly to the WHS but be careful with Outlook PST files I would save *PST files first on a local HDD and not directly to a network share. I have learned this the hard way.
@Liptonic, I'm using WHS outlook add-in and my PST files are already on my user folder on the WHS.
My aim is more about how my laptop will perform when I'll be outside of my home if I move "My document" to the WHS?
I think the better I can do is to try!