It seems that most Windows hardening recommendations will help you lock down Windows networks in NT domains or Active Directory. What about security in Windows peer-to-peer networks? These are networks where Windows workstations are in place but no central server exists, usually found in smaller organizations or as niche applications in larger environments. The configuration may be a little different, but that doesn't mean common vulnerabilities...
don't exist or the data being housed is any less critical than it would be in a larger setting.
Having been a peer-to-peer Windows networking kind of guy for over 10 years now, here's what I've found it takes to keep systems secure in this environment.
1. Local security policies are a must
Hardening each individual system is critical and since group policies don't exist in this setup, you've got to rely on Windows local security policies. You can access your local security policy settings via the Windows Control Panel or by simply running secpol.msc or gpedit.msc.
Remember, the key settings you need to make include enabling audit logging for failed events, requiring Ctrl+Alt+Del for login, creating a password policy, enabling message text for users attempting to log on as a banner to notify users to acceptable usage policy when logging in and enabling do not display last user name.
2. Share permissions may be needed
In a peer-to-peer environment, you may need to advertise all shares to everyone on the network. If not, keep the minimum necessary rule in mind and set up share permissions so users can browse and only see what they're authorized to see.
3. File permissions are critical
Along the same lines as share permissions, file permissions need to be established on each local system in order to make sure only authorized individuals are allowed to open, modify and delete files.
4. Tighten down your Offline Files
It's common to need Windows' Offline Files feature in a peer-to-peer environment, especially for mobile users. If you're using this feature, be sure to encrypt your offline files by following these Microsoft guidelines. Better yet, consider a partial or whole-disk encryption program such as PGP Desktop Professional or SecureStar DriveCrypt to keep your mobile data safe.
5. Assess your network security
Assessing your peer-to-peer network security periodically is critical as well. When you do, be sure to keep the following in mind:
- Check for local security policy consistency on each system. This can be done easily with free and commercial tools such as Foundstone Inc.'s SuperScan and GFI LANguard Network Security Scanner.
- Check for local user accounts that don't belong on each system.
- Ensure your share and file permissions are set properly for each system.
- Look for folders and drives that shouldn't be shared or even exist altogether. This is especially common in a peer-to-peer environment where drive and folder sharing is the norm.
- When performing your tests – regardless of the tool you're using – be sure to perform both authenticated scans (logged in as a standard user, administrator or ideally both) and unauthenticated scans (not logged in using just a null session connection). This will give you a true picture of what's misconfigured, as well as what a rogue insider or external hacker can see about your systems.
It's usually more difficult to get buy-in and actually enforce security policies in a peer-to-peer environment, but it still needs to be done. Use the Windows controls above as much as possible to keep hackers out and users in line. These tests combined with basic, yet effective, security tests on a periodic basis will help ensure a secure peer-to-peer setup in your organization.
About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has over 17 years of experience in IT and specializes in information security assessments. Kevin has authored several information security books including Hacking For Dummies (Wiley), the upcoming Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.
More information from SearchWindowsSecurity.com
- ITKnowledge Exchange: Get help blocking P2P in an SBS 2003 network
- White Paper: Read about spyware, adware and peer-to-peer networks
- Hardening Windows School: Sign up for a lesson or print up a checklist from hardening Windows school