Protecting Home/Small office Network

Peder

I had a small scare when someone who is not supposed to be logged onto the network got the network key off of one of the Windows machines which wasn't locked.

I now want to be able to control who can access the network (mostly wirelessly, but also if possible via cable).

What is the best option for that?

I can stop wireless access by only allowing certain clients to connect to the Access Point, but I also gather (from you guys) that blocking by MAC address isn't always the best way.

What are my options possibly? Or what other info do I need to give?

Thanks
 
MAC address filtering

For the wireless access you can implement a good WPA2 PSK password to control access by wireless devices. For the cabled devices I would implement MAC address restrictions, only allowing the devices you want connected.
 
As per above: MAC restrictions, WPA2 security, auto-lock on machines and a long wifi password that cannot be remembered by just glancing at it.
 
Needs more detailed info on what exactly went sideways. Got the network key - as in grabbed the LM key from the reg?

Most suggestions in this thread seem geared to home use (grim aside - can't place that one) & I must admit I'm not familiar with the "correct" solution. I do know it's somehow related to the domain & firewall rules though. For a small business, keeping the bad guys away from physical access is half the battle. Out of my depth here though.

In *this* particular case it seems to be mostly a case of physical access though. It takes big bucks to protect a laptop against physical access by a bad guy. Easiest way though is:
A) Auto-lock
B) Teach everyone Windows-key-L
C) Serious fckin HR grief for any PC found unlocked. At my employer people just send an I love you email to the everyone address from unlocked PCs...goes to a couple thousand people...people don't make that mistake twice. :D
D) Password for VPN...meaning either you're in the office (which hopefully has some serious physical security) or you entered the pass
E) Full disk encryption

Helps if whatever specialized software you're working on has some built in authorization too.
 
If a guy gets physical access to the machine, there is no way you can stop him if he knows what he is doing. He will rock up there, try his luck 1st at the easy access, but if all machines are locked, it's as easy as inserting your own USB disk, boot your own OS, reset some accounts, on the AD controller if you have to, and you still get your access.

If physical access is the problem, you need to address that the old school way, with proper access control into the building, and even then, if the guy really wants to get in, he will, but is it worth the trouble? That is what you have to look at, make it too much trouble for not gaining enough, and that should be a good start.
 
At least it wasn't being cracked by a hacker, it was just a kid who thought seeing as though our network has uncapped why can't he use the uncapped as well? (It is uncapped after all) So I had more of a scare than actually someone cracking our network.

I don't have AD so this is really a small business network.

1.) Set machines to auto-lock
This is half the problem. In short, what happened was that everyone was in a meeting and the kids know the password to one of the PCs, and then one of the older kids figured out how to get the wireless password from the PC itself. What I basically want is that if someone has the network key they still can't access the network because of other settings. Is blocking MAC addresses the best?

Which router are you using?
1.) I have a Mac Time Capsule which I see can be set to only allow certain users based on their MAC addresses
2.) and I have a D-Link DSL-2750U which I am considering turning off that wifi and only allowing access with the Time Capsule with a hidden SSID which is not easily remembered too.

As per above: MAC restrictions, WPA2 security, auto-lock on machines and a long wifi password that cannot be remembered by just glancing at it.
I have WPA2 security and it's a long password, nobody except me remembers it, I only remember it because I have inputted it so many times.
 
Hi There,
Change the password on the wireless to start with. That keeps the previous one from using wireless without getting physical access.
Lock the PC when you are away from it and if possible force the users to change the password regularly.

Do not allow access to employees' offspring/friends at any time.

Do the MAC restrictions as well. Do it for all devices, either physical or WiFi attached.

Above all keep being paranoid about your security.

Regards

Tim
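
An added example, not part of any post in this thread: one way to check the MAC allowlist advice above is to audit the neighbour table of a machine on the LAN against the list of devices you expect. The allowlist entries, IP addresses and `arp -a` lines below are constructed sample values, and the function names are illustrative.

```python
import re

# Constructed allowlist: MAC -> device label (placeholder values, not from the thread).
ALLOWED = {
    "00:11:22:33:44:55": "office-pc-1",
    "00:11:22:33:44:66": "office-laptop",
}

# Constructed sample mixing the Windows and macOS `arp -a` layouts.
SAMPLE_ARP = """\
  192.168.1.10          00-11-22-33-44-55     dynamic
  192.168.1.11          00-11-22-33-44-66     dynamic
? (192.168.1.23) at 3c:5a:b4:0:1e:9f on en0 ifscope [ethernet]
? (192.168.1.42) at da:a1:19:7c:2b:10 on en0 ifscope [ethernet]
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize(mac):
    """Canonical form: lowercase, colon-separated, zero-padded octets."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))


def audit(arp_text, allowed):
    """Return (ip, mac, note) for every unicast neighbour not on the allowlist."""
    known = {normalize(m) for m in allowed}
    findings = []
    for line in arp_text.splitlines():
        mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
        if not (mac_m and ip_m):
            continue
        mac = normalize(mac_m.group(1))
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01 or mac in known:
            continue  # broadcast/multicast entry, or a device we expect
        # Bit 0x02 of the first octet marks a software-chosen address,
        # which is what phones with MAC randomization present.
        if first_octet & 0x02:
            note = "randomized/locally administered"
        else:
            note = "unknown vendor-assigned"
        findings.append((ip_m.group(1), mac, note))
    return findings


if __name__ == "__main__":
    for ip, mac, note in audit(SAMPLE_ARP, ALLOWED):
        print(f"{ip:15} {mac}  {note}")
```

Because a MAC address is set in software, a clean audit works as a tripwire alongside the changed WPA2 key and locked PCs rather than as access control on its own.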
 