Tip

Windows peer-to-peer networks: Lock them down in five steps

It seems that most Windows hardening recommendations will help you lock down Windows networks in NT domains or Active Directory. What about security in Windows peer-to-peer networks? These are networks

Requires Free Membership to View

where Windows workstations are in place but no central server exists, usually found in smaller organizations or as niche applications in larger environments. The configuration may be a little different, but that doesn't mean common vulnerabilities don't exist or the data being housed is any less critical than it would be in a larger setting.

Having been a peer-to-peer Windows networking kind of guy for over 10 years now, here's what I've found it takes to keep systems secure in this environment.

1. Local security policies are a must

Hardening each individual system is critical and since group policies don't exist in this setup, you've got to rely on Windows local security policies. You can access your local security policy settings via the Windows Control Panel or by simply running secpol.msc or gpedit.msc.

Remember, the key settings you need to make include enabling audit logging for failed events, requiring Ctrl+Alt+Del for login, creating a password policy, enabling message text for users attempting to log on as a banner to notify users to acceptable usage policy when logging in and enabling do not display last user name.

2. Share permissions may be needed

In a peer-to-peer environment, you may need to advertise all shares to everyone on the network. If not, keep the minimum necessary rule in mind and set up share permissions so users can browse and only see what they're authorized to see.

3. File permissions are critical

Along the same lines as share permissions, file permissions need to be established on each local system in order to make sure only authorized individuals are allowed to open, modify and delete files.

4. Tighten down your Offline Files

It's common to need Windows' Offline Files feature in a peer-to-peer environment, especially for mobile users. If you're using this feature, be sure to encrypt your offline files by following these Microsoft guidelines. Better yet, consider a partial or whole-disk encryption program such as PGP Desktop Professional or SecureStar DriveCrypt to keep your mobile data safe.

5. Assess your network security

Assessing your peer-to-peer network security periodically is critical as well. When you do, be sure to keep the following in mind:

 

  • Check for local security policy consistency on each system. This can be done easily with free and commercial tools such as Foundstone Inc.'s SuperScan and GFI LANguard Network Security Scanner.
  • Check for local user accounts that don't belong on each system.
  • Ensure your share and file permissions are set properly for each system.
  • Look for folders and drives that shouldn't be shared or even exist altogether. This is especially common in a peer-to-peer environment where drive and folder sharing is the norm.
  • When performing your tests – regardless of the tool you're using – be sure to perform both authenticated scans (logged in as a standard user, administrator or ideally both) and unauthenticated scans (not logged in using just a null session connection). This will give you a true picture of what's misconfigured, as well as what a rogue insider or external hacker can see about your systems.

It's usually more difficult to get buy-in and actually enforce security policies in a peer-to-peer environment, but it still needs to be done. Use the Windows controls above as much as possible to keep hackers out and users in line. These tests combined with basic, yet effective, security tests on a periodic basis will help ensure a secure peer-to-peer setup in your organization.

About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has over 17 years of experience in IT and specializes in information security assessments. Kevin has authored several information security books including Hacking For Dummies (Wiley), the upcoming Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

 


More information from SearchWindowsSecurity.com

This was first published in June 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.