Selective SMB firewallin
Last response: in Networking
Archived from groups: comp.security.firewalls (More info?)
I have been struggling with how to protect company laptops while not
in the office, yet allow access to resources when here. The biggest
problem is the whole "file sharing" boondoggle.
Here's the situation:
When in the office, I at least want to be able to allow my users
to access the company file and print servers (which run Samba). They
do not need to share files the other way (the laptop need not be
a server) as they can always put files they want to share on
a server.
When on the road, at home, etc. I definitely do not want to
allow the laptop to act as a server. We already had one worm
attack because a user put his laptop on his Comcast-driven home network
"for just a few minutes so I could print something" and then
brought it back into work the next day infected.
I have been playing around with Symantic Client Security.
This is the product that gets managed as part of the Corporate
Edition of their anti-virus product. We like it because it can
be installed in such a way as to disallow removal, disallow
"disable", etc., but we find we need to allow the users to
disable it when in the office in order to access
resources. They then disable too often.
Does any know how to write a "proper" set of rules that will
allow the laptop to act as a client, but not as a server on
the kitchen-sink services on ports 137-139 and 445? I can't
seem to base it just on direction (in/out), protocol (tcp/udp),
and port (137-139,445) which seems to be all I have to work
with in the Symantic Firewall.
Is there an alternative? We also have Checkpoint's SecureClient
available, but the user's quickly figured out how to disable that.
Besides, correct me if I am wrong: it only works when connected
via the VPN.
Also, is there any way to make these products "context sensitive"?
I.E.: If on the corporate network, disable firewall, otherwise
enable. BTW: IP addresses are not a good test of "on the network"
as we use a private 172.16-31.*.* network internally and anyone
else could do the same.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
I have been struggling with how to protect company laptops while not
in the office, yet allow access to resources when here. The biggest
problem is the whole "file sharing" boondoggle.
Here's the situation:
When in the office, I at least want to be able to allow my users
to access the company file and print servers (which run Samba). They
do not need to share files the other way (the laptop need not be
a server) as they can always put files they want to share on
a server.
When on the road, at home, etc. I definitely do not want to
allow the laptop to act as a server. We already had one worm
attack because a user put his laptop on his Comcast-driven home network
"for just a few minutes so I could print something" and then
brought it back into work the next day infected.
I have been playing around with Symantic Client Security.
This is the product that gets managed as part of the Corporate
Edition of their anti-virus product. We like it because it can
be installed in such a way as to disallow removal, disallow
"disable", etc., but we find we need to allow the users to
disable it when in the office in order to access
resources. They then disable too often.
Does any know how to write a "proper" set of rules that will
allow the laptop to act as a client, but not as a server on
the kitchen-sink services on ports 137-139 and 445? I can't
seem to base it just on direction (in/out), protocol (tcp/udp),
and port (137-139,445) which seems to be all I have to work
with in the Symantic Firewall.
Is there an alternative? We also have Checkpoint's SecureClient
available, but the user's quickly figured out how to disable that.
Besides, correct me if I am wrong: it only works when connected
via the VPN.
Also, is there any way to make these products "context sensitive"?
I.E.: If on the corporate network, disable firewall, otherwise
enable. BTW: IP addresses are not a good test of "on the network"
as we use a private 172.16-31.*.* network internally and anyone
else could do the same.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
More about : selective smb firewallin
Archived from groups: comp.security.firewalls (More info?)
On 21 Apr 2004 11:00:31 -0400, Gary Algier spoketh
>
>Does any know how to write a "proper" set of rules that will
>allow the laptop to act as a client, but not as a server on
>the kitchen-sink services on ports 137-139 and 445?
Disable the "Server" service on the laptops, and they won't be sharing
anything anywhere.
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
On 21 Apr 2004 11:00:31 -0400, Gary Algier spoketh
>
>Does any know how to write a "proper" set of rules that will
>allow the laptop to act as a client, but not as a server on
>the kitchen-sink services on ports 137-139 and 445?
Disable the "Server" service on the laptops, and they won't be sharing
anything anywhere.
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Archived from groups: comp.security.firewalls (More info?)
Lars M. Hansen <badnews@hansenonline.net> writes:
> On 21 Apr 2004 11:00:31 -0400, Gary Algier spoketh
>
> >
> >Does any know how to write a "proper" set of rules that will
> >allow the laptop to act as a client, but not as a server on
> >the kitchen-sink services on ports 137-139 and 445?
>
> Disable the "Server" service on the laptops, and they won't be sharing
> anything anywhere.
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
I tried that, with no firewall and I can print. I modified
the firewall to allow inbound to ports 137-139 & 445 but
without that service and I can still print. This is
just what I need (assuming no bugs in M$Windows...).
One little problem:
How do I keep them from reenabling it? Perhaps we can
remove some files associated with the service? I checked
and the "services.exe" file is used by 16 different services.
Now if they had just separated out the server code from the
client code, I could remove the server code.
The Symantic Firewall has the ability to block to given
executable files, but not to given services. I created
a rule to block to the services.exe file and that broke
it.
Thanks for the help, we are getting a bit closer...
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Lars M. Hansen <badnews@hansenonline.net> writes:
> On 21 Apr 2004 11:00:31 -0400, Gary Algier spoketh
>
> >
> >Does any know how to write a "proper" set of rules that will
> >allow the laptop to act as a client, but not as a server on
> >the kitchen-sink services on ports 137-139 and 445?
>
> Disable the "Server" service on the laptops, and they won't be sharing
> anything anywhere.
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
I tried that, with no firewall and I can print. I modified
the firewall to allow inbound to ports 137-139 & 445 but
without that service and I can still print. This is
just what I need (assuming no bugs in M$Windows...).
One little problem:
How do I keep them from reenabling it? Perhaps we can
remove some files associated with the service? I checked
and the "services.exe" file is used by 16 different services.
Now if they had just separated out the server code from the
client code, I could remove the server code.
The Symantic Firewall has the ability to block to given
executable files, but not to given services. I created
a rule to block to the services.exe file and that broke
it.
Thanks for the help, we are getting a bit closer...
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Archived from groups: comp.security.firewalls (More info?)
On 21 Apr 2004 13:44:37 -0400, Gary Algier spoketh
>
>I tried that, with no firewall and I can print. I modified
>the firewall to allow inbound to ports 137-139 & 445 but
>without that service and I can still print. This is
>just what I need (assuming no bugs in M$Windows...).
>
>One little problem:
>How do I keep them from reenabling it? Perhaps we can
>remove some files associated with the service? I checked
>and the "services.exe" file is used by 16 different services.
>Now if they had just separated out the server code from the
>client code, I could remove the server code.
>
>The Symantic Firewall has the ability to block to given
>executable files, but not to given services. I created
>a rule to block to the services.exe file and that broke
>it.
>
>Thanks for the help, we are getting a bit closer...
Non-administrators should not have local admin rights on their
computers. Only admins can re-enable a disabled service.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
On 21 Apr 2004 13:44:37 -0400, Gary Algier spoketh
>
>I tried that, with no firewall and I can print. I modified
>the firewall to allow inbound to ports 137-139 & 445 but
>without that service and I can still print. This is
>just what I need (assuming no bugs in M$Windows...).
>
>One little problem:
>How do I keep them from reenabling it? Perhaps we can
>remove some files associated with the service? I checked
>and the "services.exe" file is used by 16 different services.
>Now if they had just separated out the server code from the
>client code, I could remove the server code.
>
>The Symantic Firewall has the ability to block to given
>executable files, but not to given services. I created
>a rule to block to the services.exe file and that broke
>it.
>
>Thanks for the help, we are getting a bit closer...
Non-administrators should not have local admin rights on their
computers. Only admins can re-enable a disabled service.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Archived from groups: comp.security.firewalls (More info?)
Gary Algier wrote:
> I have been struggling with how to protect company laptops while not
> in the office, yet allow access to resources when here. The biggest
> problem is the whole "file sharing" boondoggle.
>
> Here's the situation:
>
> When in the office, I at least want to be able to allow my users
> to access the company file and print servers (which run Samba). They
> do not need to share files the other way (the laptop need not be
> a server) as they can always put files they want to share on
> a server.
>
<BIG SNIP>
It sounds like you are trying to control behavior of intelligent
users with dumb machines and software. It might work with some
users, some of the time, but it will never work with all the
users, all the time.
A half-way smart, half-way computer savvy user will be able to
break whatever you come up with, on any computer he physically
controls. Removing the CD and floppy drives, and protecting the
BIOS with a password would add some barriers . . . but it still
won't stop anyone who's determined.
And, if they've got a knowledgeable computer-savvy friend,
forget about it! I don't know of a way you can protect a Windows
system from someone with physical access, a Knoppix CD, and
another CD of DOS & Windows tools readily available on the
Internet. (For that matter, Linux systems can't be protected
in that situation, either: Linux was not designed to be secure
against someone with physical access.)
It's amazing how many posts you can find on Google from corp
laptop users trying to figure out how to break the controls or
limits on their systems, so they can browse porn at home, or
do personal work, and so on. You'd probably be dismayed to see
how much useful aid they get, toward those ends.
To make matters worse, you are chained (as are most of us) to a
Windows OS that has always been designed to make it easier and
easier for computer novices to 'do stuff', and that doesn't
make it very easy to setup users as "Power Users" with no other
privileges.
I'm guessing that your closest approach to what you want would
be achieved with a combination of a clear use policy; a punitive,
but reasonable, violation policy; a fair, but effective return
scan policy (scans before re-entry to the network, for both
policy violations and for malware); AND effective,
well-presented training explaining it all.
That's a pain, of course.
Gary Algier wrote:
> I have been struggling with how to protect company laptops while not
> in the office, yet allow access to resources when here. The biggest
> problem is the whole "file sharing" boondoggle.
>
> Here's the situation:
>
> When in the office, I at least want to be able to allow my users
> to access the company file and print servers (which run Samba). They
> do not need to share files the other way (the laptop need not be
> a server) as they can always put files they want to share on
> a server.
>
<BIG SNIP>
It sounds like you are trying to control behavior of intelligent
users with dumb machines and software. It might work with some
users, some of the time, but it will never work with all the
users, all the time.
A half-way smart, half-way computer savvy user will be able to
break whatever you come up with, on any computer he physically
controls. Removing the CD and floppy drives, and protecting the
BIOS with a password would add some barriers . . . but it still
won't stop anyone who's determined.
And, if they've got a knowledgeable computer-savvy friend,
forget about it! I don't know of a way you can protect a Windows
system from someone with physical access, a Knoppix CD, and
another CD of DOS & Windows tools readily available on the
Internet. (For that matter, Linux systems can't be protected
in that situation, either: Linux was not designed to be secure
against someone with physical access.)
It's amazing how many posts you can find on Google from corp
laptop users trying to figure out how to break the controls or
limits on their systems, so they can browse porn at home, or
do personal work, and so on. You'd probably be dismayed to see
how much useful aid they get, toward those ends.
To make matters worse, you are chained (as are most of us) to a
Windows OS that has always been designed to make it easier and
easier for computer novices to 'do stuff', and that doesn't
make it very easy to setup users as "Power Users" with no other
privileges.
I'm guessing that your closest approach to what you want would
be achieved with a combination of a clear use policy; a punitive,
but reasonable, violation policy; a fair, but effective return
scan policy (scans before re-entry to the network, for both
policy violations and for malware); AND effective,
well-presented training explaining it all.
That's a pain, of course.
Archived from groups: comp.security.firewalls (More info?)
Lars M. Hansen <badnews@hansenonline.net> writes:
> On 21 Apr 2004 13:44:37 -0400, Gary Algier spoketh
[...]
>
> Non-administrators should not have local admin rights on their
> computers. Only admins can re-enable a disabled service.
>
Oh, did I forget to mention: everyone seems to think they
need admin rights... to install s/w, to change networking
params so they can use it at home,... Management gives in
so we need a technical solution. I came up with one:
I deleted the registry entries associated with the services
in question so they don't even show.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Lars M. Hansen <badnews@hansenonline.net> writes:
> On 21 Apr 2004 13:44:37 -0400, Gary Algier spoketh
[...]
>
> Non-administrators should not have local admin rights on their
> computers. Only admins can re-enable a disabled service.
>
Oh, did I forget to mention: everyone seems to think they
need admin rights... to install s/w, to change networking
params so they can use it at home,... Management gives in
so we need a technical solution. I came up with one:
I deleted the registry entries associated with the services
in question so they don't even show.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Related ressources:
- ForumIPSec to encrypt SMB traffic?
- ForumOSX Macbooks keep disconnecting from SMB Share
- ForumBackup Disk Image over SMB
- ForumConfused about NFS & SMB
- ForumPCI Express SATA RAID Controllers For SMB Servers
- Forumdisable passing local credentials to SMB servers
- ForumCant connect to SMB share with different user names!
- ForumTesting complete
- Forum40Tb Server performance issue
- ForumWireless router before or after unmanaged switch?
- ForumGPU overheating ? need solution
- ForumWill my motherboard take one of these 2 processors?(complete overview)
- Forum1 SSD, 2 SSD, or 4 SSD
- ForumWho likes Windows 8
- ForumHow does this look for a cheap NAS Build?
- ForumWhy can't I transfer large photos across my wireless network?
- ForumInstalling snow leapard or lion or mountain lion on my windows 7 PC
- ForumPulling DHCP from Cable Modem instead of wireless router
- More resources
Read discussions in other Networking categories
!
