I was fortunate to learn about the security (or
lack of) of a full time connection shortly after I was connected
to my cable modem service. The folks at my previous cable
modem ISP, MediaOne,
were on the ball and alerted me to the fact that their networks
were being hacked via my proxy server and told me what to do about
it.
If you take the time to read all the pages on this topic, you
should have a nice, secure shared Internet connection. However,
if you're in a hurry, here's a guide to what's here:
You can ignore the information in these pages
that refers to Microsoft Networking related problems. However,
you should get your LAN behind a firewall by either installing
a hardware router or a software router and second Ethernet adapter
in the computer that is running the router. The ThreeMacs site
has more Mac-specific Network and Internet security information.
1. What about a dial-up connection?
It doesn't take a full-time connection to be hacked!
The Internet is a big place and there are enough people who regularly
run port scanners and other "doorknob rattling" programs
that look for unsecured computers which can be exploited.
Although dial-up connections are usually not connected as long
as full-time cable modem connections, they can still be
probed and captured by someone with enough patience... or motivation.
Read this information about how I recently ended up with the
netlog worm on my dialup connected system!
So the precautions in this section apply to you whether you are
connected via a full-time or connect-as-needed dial-up connection. Do
yourself and your ISP a favor and read all the information
on this page to make sure your LAN is secure from intruders!
2. The two most effective actions to take.
There are many things you can do to secure your network, depending
on your level of paranoia, and how much money you have to spend.
But if you do nothing else, do the following two things and
in most cases, you will be 95% of the way to a secure network!
a. Separate your LAN onto its own network.
If you've followed my instructions for sharing your connection,
you either are running a sharing program in a computer that
has two Ethernet adapters (NICs), or your LAN is behind a hardware
router. In either case, you have made your LAN really
LOCAL and the only data that goes out to the Internet
is data that you want to go there.
Very Important!
Sharing your connection via the
multiple IP method does not provide the protection of
a separate LAN.
All of your computers (and the data that passes
between them if you are sharing files or printers) are directly
connected to the Internet!
If you are using the Multiple IP method to share your
Internet connection, it is very important that you follow the
instructions in the Should I use NetBEUI
section to secure your LAN. You should also share
only what you need to, and have strong
password protection on anything you share.
b. Unbind Microsoft Networks from TCP/IP on any Network adapter that is connected to the Internet
One of the first things that crackers check when they're
looking for unsecured computers is whether they can see shared
resources (files, folders, disk drives). If you're running
any form of Windows, you probably share files and printers via
Client for Microsoft Networks and the File and Printer
sharing for Microsoft Networks service.
If these services are "bound" to (or running on) the
TCP/IP protocol for any adapter that is connected to
the Internet, you are asking for unwanted visitors.
Fortunately, it's easy to fix this situation. Just open
the TCP/IP properties for the copy of TCP/IP that is bound
to the Network adapter that connects you to the Internet.
Uncheck Client for Microsoft
Networks and File and Printer sharing for Microsoft Networks
as shown in the screen shot below. Also uncheck Microsoft Family
Logon if it is present. Close the TCP/IP properties,
close the Network Control Panel, and let the machine reboot.
If you need detailed instructions on how to do this, go to this
page of the ShieldsUp
site.
4. Not sharing a connection? You still need protection!
Chances are that even if you have only one computer, you probably
have unnecessary software running that can make your PC a target
for unwanted visitors. Add a full-time, high speed connection
to the equation, and you may already have been visited!
The most effective action you can take in this case is to remove
Microsoft Networking from your PC entirely. (Don't worry,
it's easy to restore if you need it.) Just open the Network
Control Panel, select Client for Microsoft Networks as
shown below, and click the Remove button on the Network Control
panel. Click on OK to close the Network Control panel
and let your machine reboot. That's all there is to it!
If you need more detailed instructions, I'll again let the ShieldsUp
folks give you the how-to!
5. Accessing your LAN from the Internet
For most people, following the two steps
in Section 2 above will take care of securing their network.
This is because most sharing methods (with the exception of using
Multiple IP addresses) have some sort of mechanism (usually referred
to as a firewall) that rejects any requests for data that come
from the Internet. This keeps the "bad guys"
out.
However, some people need to allow requests for data originating
from the Internet to reach computers on their LAN. Examples
of this are:
Running a webserver
Receiving a NetMeeting or Dialpad call
Grabbing a file from your home computer with pcAnywhere while you're at the office
Remotely administering your LAN's router or sharing computer
In this case, you need to selectively open holes or ports
in the firewall, so that the desired requests can reach the appropriate
computers on your LAN. How you do this depends on the product
you are using to share your connection, and is beyond the scope
of this page, but is covered over in the Special
Applications page. The important thing about opening
ports through your firewall is that each one is a potential way
for unwanted users to access your computers.
If you must open holes in your firewall, then it's important
to move up to the next level of protection. This would include:
Binding Microsoft File and Print sharing to the NetBEUI protocol. (See the Should I Use NetBEUI section.)
Sharing only the files that need to be shared.
Password protecting anything that is shared with a strong password. Note that this includes password protecting your router or sharing software's administration features.
Opening only the ports that you need. (You'll need to consult the proxy or firewall section of the documentation for the program that you're using to find out.)
Running some sort of personal firewall or port monitoring program. (See the LAN Security Tools section.)
Running good, current-version anti-virus software and keeping the virus files updated at least monthly. McAfee Virus Scan, Norton AntiVirus, and other good programs now also detect many Trojans and worms in addition to viruses. (See the LAN Security Threats page for more info.)
Enabling logging on any services that you run and regularly reviewing the logs.
Another alternative is to put all services that need to be accessed
from the Internet on one computer and put only that computer on
the Internet side of the firewall. The safest way to do
this is via direct physical connection to the Internet access
point.
If you're unfamiliar with servers and ports, then proceed with
caution or don't run them on your network. You also
should read the information in the Proxy server section below.
Visitors to the ShieldsUp site often run the Shield Test and Port Probe and get a "closed"
status vs. a more desirable "stealth" status.
What does this mean and why does it matter?
What a "stealth" report means is that when the particular
port is probed, no response is returned from your computer
to the computer doing the probe. A "closed" report
means that your computer responds to the probe by replying
that the port is closed.
In either case, the computer doing the probe (or any other computer
that attempts to gain access to your computer) cannot access
your computer via the probed port. So why is "stealth"
more desirable?
It all depends on how determined someone is to gain access to
your computer. When your computer responds that a port is
closed, it is verifying that it exists. Port scanners keep
track of the IP addresses and ports that they get responses from
and discard the ones that they don't receive a reply from.
(This is similar to email "spam" techniques, which is
why you should never respond to a "spam", even
if the email is telling you that they'll remove you from their
list if you respond or click on a web link.) Theoretically,
the scanner could return to your IP address again and again, "rattling
the doorknob" and waiting for the one time that you leave
the door open.
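The open, "closed" and "stealth" outcomes described above can be reproduced with an ordinary TCP connect against your own machine. This is an added example, not part of the original page or of the ShieldsUp service; the function names and the loopback test rig are constructed for illustration.

```python
import socket

def state_from_error(exc):
    """Map the outcome of a TCP connect attempt to the page's vocabulary."""
    if exc is None:
        return "open"      # handshake completed: a service is listening
    if isinstance(exc, ConnectionRefusedError):
        return "closed"    # the host replied that the port is shut
    if isinstance(exc, socket.timeout):
        return "stealth"   # nothing came back before the timeout
    return "error"         # e.g. no route; says nothing about the port

def classify_port(host, port, timeout=1.0):
    """Probe one TCP port on a machine you own and name its state."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return state_from_error(None)
    except OSError as exc:
        return state_from_error(exc)
    finally:
        sock.close()

def reveals_host(state):
    """True when the probe got any answer, so the prober knows the address is live."""
    return state in ("open", "closed")

def loopback_demo():
    """Constructed rig on 127.0.0.1: one listening port, one bound-but-idle port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))          # bound but never listening: connects are refused
    try:
        return {
            "listening": classify_port("127.0.0.1", listener.getsockname()[1]),
            "idle": classify_port("127.0.0.1", idle.getsockname()[1]),
        }
    finally:
        listener.close()
        idle.close()

if __name__ == "__main__":
    for name, state in loopback_demo().items():
        print(f"{name:10s} {state:8s} reveals host: {reveals_host(state)}")
```

A "stealth" result cannot be produced on loopback without a packet filter that silently drops the connection attempt, so the demo covers only the two states in which the host answers.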
In reality, many of the port scans or probes are done by people
who download the programs and don't really know what they're doing
with them. It's also a very big network out there
with plenty of IP addresses to scan, many of them probably much
more interesting than yours. And remember, your ports are
closed and there are plenty of open ports out there!
In addition, let's say you go to all the trouble of achieving
"stealth" mode for your LAN, but then open ports in
your firewall or place a computer outside the firewall via a router's
"DMZ" mode or its equivalent. As soon as you do
that, you'll be visible to scanners and potential attacks, and
you actually have open ports!
So if you get a "closed" status from one of the port
probe programs and you don't open holes in your firewall, there's
no need to jump through hoops to achieve "stealth" mode.
You'll be just fine. If you do open holes in your
firewall, better read the Accessing your
LAN from the Internet section, because you're the kind
of computer that the port scanners are looking for!