Re: Host Computer with ICS cannot be accessed


From: Kass (Kass_at_discussions.microsoft.com)
Date: 10/29/04


Date: Fri, 29 Oct 2004 11:59:02 -0700

Hi Chuck,

Okay, I've been getting educated. I figure if I even understand 1/2 of
what I'm reading, I'll be doing pretty good! Anyway, I just want to thank
you again for your time and help on this stuff. I have some things I'm going
to try and I've bookmarked a couple of the sites you gave me so I can keep
learning and reading. Right now I'm trying to learn more off of the
homenethelp.com site. So this may take a while! If I really digested all of
this, I could probably get a better job! :-) Thanks again!

Kass

"Chuck" wrote:

> On Mon, 25 Oct 2004 12:41:02 -0700, "Kass" <Kass@discussions.microsoft.com>
> wrote:
>
> >Chuck,
> >
> >Well, on to security issues! I'll have two types of set ups to address.
> >1. Work: We have a dial up connection (at least until I can talk my boss
> >into DSL ;-)
> >It shows on the dial up connection that there is a little firewall lock...
> >is that enough? Can I put a password lock on a folder or just files? I've
> >only done files up to now. Didn't know if you can password a folder or
> >drive, etc.
> >
> >2. Home: I have 2 computers networked plus a laptop. The computers are on
> >an ethernet connection, and the laptop is on a wireless. I have a DSL
> >modem... Linksys router with each computer hooked to a hub connection and the
> >laptop uses a PC card for wireless connection to the router. My concerns on
> >my home set up are:
> >A. Is the router protection enough from outside intrusion? I have the XP
> >SP2 firewall on, but do have Exceptions set for file sharing. Is there a way
> >I can keep people outside my home network out, but allow full sharing on the
> >computers inside my home network?
> >
> >Those are the big concerns for now.
> >
> >Thanks, Chuck!
>
> Kass,
>
> Interesting questions. Not easy to explain, but I'll keep this as brief (not
> very) as possible. ;-} Please see the part at the end about wireless security!
>
> 1) I have experimented with encrypting files, but haven't done anything with
> folders. I would imagine that, if your encryption program will do folders, then
> do one. I would guess you could zip a folder up, then encrypt the zip file.
> Can you encrypt in place? I think I'll leave you to see, and let us know what
> happens.
>
> 2) A NAT router will protect you from unsolicited incoming traffic. An SPI
> firewall (which not all NAT routers have) will additionally protect you against
> maliciously crafted incoming traffic. But, where NAT routers fail (and don't
> talk about NAT routers and firewalls in the same breath in
> comp.security.firewalls) is:
> a) Hostile solicited incoming traffic.
> b) Hostile outgoing traffic.
>
> http://www.firewall-software.com/firewall_faqs/what_is_a_firewall.html
> http://www.microsoft.com/athome/security/protect/firewall.mspx
> http://www.homenethelp.com/router-guide/features-firewall.asp
>
> With a NAT router, the only incoming traffic that gets to your computer is
> traffic that you've asked for. So no problem with unsolicited worms like
> Blaster, Sasser, etc. But if you set up a Kazaa server, surf over to
> www.warezrus.com, or open Usenet articles with titles like "Use this critical
> package", you may get traffic with unexpected content.
>
> Read the SANS article "Follow the Bouncing Malware" (in 2 parts).
> http://isc.sans.org/diary.php?date=2004-07-23
> http://isc.sans.org/diary.php?date=2004-08-23
>
> Or read an Eric Howes article about spyware analysis:
> http://spywarewarrior.com/asw-test-guide.htm
>
> NAT routers are not application aware, that is, a NAT router will simply pass
> outgoing traffic to the internet. Which is not bad if you're surfing the web,
> and just asking for web pages. But, if your newly installed copy of Kazaa
> includes a trojan that installs a spam distribution server on your computer,
> you'll know nothing about your new capability until your ISP cuts your service
> off (if they ever do).
>
> The bottom line is that a NAT router is a good outer layer in your defense
> strategy. One NAT router protects your entire LAN. Just the outer layer
> though.
>
> The second layer is a software firewall, or a port monitor like Port Explorer
> (free) from <http://www.diamondcs.com.au/portexplorer/index.php?page=home>. See
> various discussions in comp.security.firewall for good advice on choosing a
> firewall. A software firewall can selectively block incoming or outgoing
> traffic, and a port monitor can at least let you know what's going on.
>
> You need a software firewall on each computer in your LAN; in case one computer
> gets infected, a software firewall on the others could save you a lot of
> trouble.
>
> A software firewall, with filters set up to allow file sharing only between
> computers on your LAN, will complement the protection from your NAT router, and
> allow you to share files between your computers safely. See below (end of this
> article) for additional notes re wireless protection!
>
> The third layer is good software, also on each computer. This layer has
> multiple components.
>
> AntiVirus protection. Realtime, plus a regularly scheduled virus scan.
> Regularly updated. AV protection is not all that's needed today.
>
> Adware / spyware protection. Realtime, plus a regularly run adware / spyware
> scan. Regularly updated.
> Complete instructions, using Spybot S&D and HijackThis (both free) are here:
> <http://forums.spywareinfo.com/index.php?showtopic=227>.
>
> Harden your browser. There are various websites which will check for
> vulnerabilities, here are three which I use.
> http://www.jasons-toolbox.com/BrowserSecurity/
> http://bcheck.scanit.be/bcheck/
> https://testzone.secunia.com/browser_checker/
>
> Block Internet Explorer ActiveX scripting from hostile websites (Restricted
> Zone).
> <https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)
>
> Block known dangerous scripts from installing.
> <http://www.javacoolsoftware.com/spywareblaster.html>
>
> Block known spyware from installing.
> <http://www.javacoolsoftware.com/spywareguard.html>
>
> Make sure that the spyware detection / protection products that you use are
> reliable:
> http://www.spywarewarrior.com/rogue_anti-spyware.htm
>
> Harden your operating system. Check at least monthly for security updates.
> http://windowsupdate.microsoft.com/
>
> Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
> use:
> http://www.accs-net.com/hosts/get_hosts.html
> http://www.mvps.org/winhelp2002/hosts.htm
> (The third is included, and updated, with Spybot (see above)).
>
> Maintain your Hosts file (merge / eliminate duplicate entries) with:
> eDexter <http://www.accs-net.com/hosts/get_hosts.html>
> Hostess <http://accs-net.com/hostess/>
>
> Secure your operating system, and applications. Don't use, or leave activated,
> any accounts with names or passwords with trivial (guessable) values. Don't use
> an account with administrative authority, except when you're intentionally doing
> administrative tasks.
>
> The fourth layer is common sense. Yours. Don't install software based upon
> advice from unknown sources. Don't install free software, without researching
> it carefully. Don't open email unless you know who it's from, and how and why
> it was sent.
>
> The fifth layer is education. Know what the risks are. Stay informed. Read
> Usenet, and various web pages that discuss security problems. Check the logs
> from the other layers regularly, look for things that don't belong, and take
> action when necessary.
>
> #######
>
> Please use special protection for a wireless LAN - this includes each computer
> connected to the wireless LAN, too!
>
> Here's a story about somebody's very stupid wireless neighbor. Don't expect all
> wireless neighbors to be this stupid.
> <http://www.canoe.ca/NewsStand/LondonFreePress/News/2003/11/22/264890.html>.
>
> The point is, you need to protect a wireless LAN with more precautions than just
> the NAT router / firewall.
>
> Change the router management password, and disable remote (WAN) management.
>
> Enable WEP / WPA. Use non-trivial (non-guessable) values for each. (No "My dog
> has fleas").
>
> Enable MAC filtering.
>
> Change the subnet of your LAN - don't use the default.
>
> Disable DHCP, and assign an address to each computer manually. Please do this.
>
> Install a software firewall on every computer connected to a wireless LAN. Put
> manually assigned IP addresses in the Local (highly trusted) Zone. Open the
> following ports for file sharing, only in the Local Zone: TCP 139, 445; UDP 137,
> 138, 445.
>
> Don't disable SSID broadcast - some configurations require the SSID broadcast.
> But change the SSID itself - to something that doesn't identify you, or the
> equipment.
>
> Enable the router activity log. Examine it regularly. Know what each
> connection listed represents - you? a neighbor?
>
> Use non-trivial accounts and passwords on every computer connected to a wireless
> LAN. Disable or delete Guest, if possible (XP Home is a bad choice here).
> Rename Administrator, to a non-trivial value, and give it a non-trivial
> password. Never use the Administrator renamed account for day to day
> activities, only when intentionally doing administrative tasks.
>
> Stay educated - know what the threats are. Newsgroups alt.internet.wireless and
> microsoft.public.windows.networking.wireless are good places to start.
>
> Cheers,
> Chuck
> Paranoia comes from experience - and is not necessarily a bad thing.
>
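Chuck's wireless checklist (manually assigned addresses instead of DHCP, MAC filtering, file-sharing ports opened only in the Local Zone, and reviewing the router activity log for connections that are "you? a neighbor?") can be turned into a small log review. This is an added example, not code from the thread; the log format, subnet, MAC addresses and sample log lines are all constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Hypothetical address plan following the post: non-default subnet, DHCP
# disabled, one manually assigned IP per computer (all values constructed).
LOCAL_ZONE = ipaddress.ip_network("192.168.77.0/24")
KNOWN_HOSTS = {                      # MAC -> manually assigned IP
    "00:11:22:33:44:55": "192.168.77.10",   # desktop 1 (wired)
    "00:11:22:33:44:66": "192.168.77.11",   # desktop 2 (wired)
    "00:11:22:33:44:77": "192.168.77.20",   # laptop (wireless)
}
# File-sharing ports the post says to open only in the Local Zone.
SHARING_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138), ("udp", 445)}
# Constructed log line format; a real router's log will differ.
LOG_RE = re.compile(
    r"src=(?P<ip>[\d.]+) mac=(?P<mac>[0-9a-fA-F:]+) proto=(?P<proto>tcp|udp) dport=(?P<port>\d+)"
)
Finding = namedtuple("Finding", "line reason")

def review_log(lines):
    """Flag log entries that are not 'you': unknown MACs, a known MAC on the
    wrong address, or a file-sharing port reached from outside the Local Zone."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a connection record
        ip, mac = m["ip"], m["mac"].lower()
        proto, port = m["proto"], int(m["port"])
        if mac not in KNOWN_HOSTS:
            findings.append(Finding(line, "unknown MAC (neighbor?)"))
        elif KNOWN_HOSTS[mac] != ip:
            findings.append(Finding(line, "known MAC on unexpected IP"))
        if (proto, port) in SHARING_PORTS and ipaddress.ip_address(ip) not in LOCAL_ZONE:
            findings.append(Finding(line, "file-sharing port reached from outside Local Zone"))
    return findings

# Constructed sample log: one normal entry, three that should be flagged, one non-connection line.
SAMPLE_LOG = [
    "2004-10-29 12:00:01 src=192.168.77.10 mac=00:11:22:33:44:55 proto=tcp dport=445",
    "2004-10-29 12:03:17 src=192.168.77.35 mac=aa:bb:cc:dd:ee:ff proto=tcp dport=80",
    "2004-10-29 12:05:42 src=192.168.77.99 mac=00:11:22:33:44:77 proto=udp dport=137",
    "2004-10-29 12:09:03 src=203.0.113.5 mac=00:aa:bb:cc:dd:ee proto=tcp dport=139",
    "2004-10-29 12:10:00 router: WAN link up",
]
if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

The fourth sample line is flagged twice, once for the unknown MAC and once for the file-sharing port, which is the kind of entry the post says to act on rather than just note.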
