Restrict Users/Computers on XP Pro Network

[blakemiller]

I've got a small office with 5 workstations, all running XP Pro. All networked toghether on a WorkGroup, hardwired, but do have a secure wireless connection as well for when i bring my laptop in and when clients come over. One workstaiton is dedicated as the "server" as it has a bunch of shared drives and folders within, and most of the peripherals haning off it (a few printers, etc.)

I also have interns and temps coming over on occassion who do NOT need regular file/printer/resource access on the network, but do need to offer them internet access - those are my concern. It would be great to offer them "restricted" file/resource access, however.

Question is, can I secure certain (or all) of the shared folders/drives from others?

Is there a way to password protect any of the shared drives/directories? That would be ideal, as i could set pw's for certain areas, but still allow resource access, and let them into certain areas if warranted (that sounds more like true server config, huh?)

Or, can i lock certain workstations out of the "network" but keep them on the internet? Firewall? I was toying around with Norton Internet Security - Personal Firewall, and restricting access, etc. but i couldn't seem to get all the config right - it either blocked all traffic, or none, regardless of "Trusts" and other config items.)

Is there a hardware solution that could simply allow internet access, but keep out of the rest of the network? Or maybe a network config solution on the users end (manually setting up IP/DNS etc when they connect to the netowrk -maybe to a specific blocked section on the router?) This would allow internet access, but NO access to the LAN. That's least ideal as i would NOT have any option for them to access, but if that's the minimum, tha would have to do for now?

 

[kimsland]

Yes this is real easy

You state you have Shared drives/folders
These are the only drives /folders that you must be concerned about

Either unshare them (right click on the shared folder and remove the share)
Or password protect them (right click on the shared folder and put a password in sharing)

This is done from the shared folders computer

Also if you have temp come in you might want them to use the guest account only (a lot safer) The guest account cannot change or edit any user settings

To do this - go to User Accounts (in Control Panel) and enable the guest Account
You can also password protect all accounts in there as well (this is will also affect sharing)

Log off the computers with the new Guest account, and log into the new guest account.

And write down every password you use. I always just use ONE, it's easier to remember - but never give it out!

 

[Samstoned]

first thing is security
make a bios boot password with admin and user rights
then set bios to boot only from hard drive
then use one strong pass for admin and everyone else are setup as users
then using group policy allow or disallow where they go and what they can control on the network
as admin you can now setup each station to share only what you want the users to share they can't see or go anywhere else
with optical drive boot disabled they can't hack system
look up USB security need that or block usb / firewire ports

 

[blakemiller]

Or password protect them (right click on the shared folder and put a password in sharing)

This is done from the shared folders computer

Thanks kimsland. I found in another site, that the only way to do this is to first DISABLE "simple file sharing" from Exporer -> Tools -> View (Advanced Settings, all the way at the bottom). I noticed alot of people, including myself, absent of any password areas. By clearing the simple file sharing (which is ON by default) enabled all of these things so now i can assign passwords and permissions.

Onto the next hurdle in this process... next post.

 

[blakemiller]

then use one strong pass for admin and everyone else are setup as users
then using group policy allow or disallow where they go and what they can control on the network
as admin you can now setup each station to share only what you want the users to share they can't see or go anywhere else

Thanks samstoned, good advice on the boot/bios stuff too!

After disabling "simple file sharing" (See earlier post) for a test, I have setup one of my users and trying to add them to some new (or existing groups) From Computer Management -> Local Users & Groups, i am trying to add users to groups, or add groups to existing users. For instance, i created a "Finance" group. I can't add anyone to it, even myself. From the "Select Users", no one or nothing will appear. The only one that does work is "everyone" I can't even pull myself into the mix. Other odd ones work like "ANONYMOUS USER" "BATCH" "CREATOR GROUP", "DIALUP" etc... (Those aren't even listed in my "users", but i just started at A, B, C, . . . D

What's all that mean? Thanks again for the help, and looking foreward to the next step.

 

[kimsland]

This is starting to sound like you need (or you're using) Windows Server software. Like Server 2003 or Server 2007. Which you can set permissions and add users and so forth.

For the best network you should look into Server software and hardware (ie large harddrives and backing up capabilities, raid, domains and you can even make all user software and data locations (including My Documents) point directly to the Server computer. To cover ALL these things, would be nearly impossible here, so you may need some external support, ie discuss this with your local computer technician.

In regards to Windows Xp and Vista, they can use any user name except Administrator and Guest, as they are alread taken. When selecting new users you will only have the option of:
New user name (whatever you like)
Computer Administrator or Limited user
And that's basically it. I suppose all your users are using Administrator privlidges, which means they can change settings from their own computer (instead of from the Server.

With these larger question: Users how to setup on a network, sharing with privlidges. You may need external help. Or you could do a lot of research yourself.

 

[tipstir]

Active Directory on shares and users can do a better job here. When the user logins into your network he or she will have access to what shares or resources you dean fit they should have.

Example: Sally009

Active Directory (groups would have to be created for each function area)
Members of {Shared Folder] \ Docs
Members of {wireless group}

This is one way you could do it...

But if you don't want to use server you can do it on any PC XP Pro and share users to group management. Not hard to do.. As for the wireless that can be managed with router. or Through a freeware linux box where the users come to the business and try to login to wireless through web page that sets the up with limited permission is one way you could do it. The software is free and a lot of hotels and building owners do it that way.

 

[DelJo63]

Here's my solution: control access via the router ip addresses & the firewall on each system.

1-use mac filtering at the router to associate known systems to a compact range of IP addresses,
xxx.xxx.xxx.2 -> xxx.xxx.xxx.10 (just add a dummy MAC to fill out the table).
2-DHCP will now assign your guests addresses xxx.11 and above
3-Allow ports 138,139,445 ONLY on source/dest ip addresses xxx.2->xxx.10

Your permissions on shares can now be made trivially simple without fussing with ACLs.

 

[Samstoned]

Just did a quicky test
added a user S ally no rights except logon view
added group test then added s ally to test
have not tried to log on with the credentials
will try later
more powerful app to administer your security required as tipstir suggests
try to reboot and do it again

 

[blakemiller]

Just as a follow-up. I have been able to successfully configure my network. Fortunately, i have not needed full blown servers, raids, etc. A few points that have not been recommended so far, that are crucial to the operations:

Disable Simple File Sharing - taken from KB - "If you turn off Simple File Sharing, you have more control over the permissions to individual users. " http://support.microsoft.com/kb/304040

The biggest hurdle: Create user accounts on your local (Server) machine to MATCH IDENTICALLY by username and password of the accounts on the client machines. Without this, you will get access denied. {I have yet to find this in any MS knowledgebase, etc. and this took me the longest to figure out... i called an IT friend of mine and he answered it in 30 seconds.)

Remove the Default "Everyone" Share. Add individual users or groups to the Permissions. You can even create Groups, and assign Group(s) to Permissions in addition to users. I intend to use Groups for most of the stuff i do (Employees, Sub-Contractors, Guests) Beyond that, i can do individual user access.


Thanks again to those who offered.
Blake