
Home network challenge


edgargad83


Hello everyone,

I have recently installed Windows Server 2003 Standard on my PC1 and I wanted to create a domain controller (Active Directory) for all the other PCs in my network. The only thing is I wanted to keep my server behind my D-Link router with all my other PCs. Here is a list of all my PCs and their configuration:

D-Link Router

IP = 192.168.0.1

DHCP: PC1 = 192.168.0.100 (static)

PC2 = 192.168.0.101 (static)

PC3 = 192.168.0.102 (static)

PC4 = 192.168.0.103 (static)

MAC Control on all static IPs in the DHCP

PC1 Windows Server 2003

IP = 192.168.0.100

DG = 192.168.0.1

DNS = 192.168.0.1

PC2 Windows XP Pro SP2

Default setting

PC3 Windows XP Pro SP2

Default setting

PC4 Windows XP Pro SP2

Default setting

At this point, I have successfully created a domain controller with Active Directory on the server (PC1) and by default a DNS was also created on the server. Furthermore, I have also created a user\password on the server and I have logged that user on to PC2.

At this point, I’ve tried to share a folder on PC2 but couldn’t see the domain or any user in the Active Directory in the security tab for sharing. So I have tried modifying the TCP/IP settings on PC2 to PC4:

PC2 Windows XP Pro SP2

IP = 192.168.0.101

DG = 192.168.0.1

DNS = 192.168.0.100

Windows Firewall = OFF

PC3 Windows XP Pro SP2

IP = 192.168.0.102

DG = 192.168.0.1

DNS = 192.168.0.100

Windows Firewall = OFF

PC4 Windows XP Pro SP2

IP = 192.168.0.103

DG = 192.168.0.1

DNS = 192.168.0.100

Windows Firewall = OFF


This has resolved my problem of sharing a folder on the network but it seems extreme.

Can someone tell me if this is secure?

Or is there a better way of doing this?

Also, what is your opinion of the settings that work (DG? DNS?)?



As far as security goes, your weak points are only the Internet modem and your router, from the outside world. Otherwise, you have no real security between the clients on the private side of the router. Do you really need to protect the computers from each other?

It may be overkill but at least it is a learning experience for you.


Hello Tripredacus,

First, thank you for answering me.

Secondly, what kind of weakness do my internet modem and router possess?

Lastly, what do you mean I'm protecting the computers from each other? Are you talking about the Windows Firewall?

My sincere salutations,

Edgar


I'll try to explain this the best I can.

Basically, you are using a private network that has your 3 clients and 1 server. This network only has 1 point of entry, your modem. Then it goes to your router. Some modems have firewalls inside, or block certain ports (ISP prerogative) but some are straight-up pass-through devices. We are not really going to get a good answer on what your modem is doing inside, so we will presume that it is a pass-through and doesn't block anything, and we will pretend that it doesn't exist.

Now your point of entry into your LAN is your router. All security concerns are directed to that device ONLY. The reason for this is because your clients have a direct connection to the router AND the server, as opposed to your standard enterprise layouts. There are many different things you can do with your router to make it more or less secure. Another factor in the security of the router is, unfortunately, the price. A D-Link may well be fine for home use, but you wouldn't put one in a business.

Using Windows ICF (Internet Connection Firewall) is fine for the clients (and the server if possible) on the LAN, but its use is only to protect the clients from each other. In almost all cases (configured properly) the router will block more ports than the ICF does, but it only blocks it on the outside edge, or the port that connects to the internet.

Say for example your router is blocking port 21 (FTP), but ICF was set to allow port 21 on your clients. The following would then be true:

1. If you were on the road you could NOT connect to your server (at home) via FTP

2. If you were at home you COULD connect to your server via FTP

So your standard setup will allow computers to talk freely on your private LAN, but restrict data coming in, and (sometimes) will restrict data going out.

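The two-layer filtering described in the post above, as an added example that is not part of the original thread: a small Python model in which the router filters only connections arriving from the Internet, while each host firewall sees every connection. The rule tables and the outside address 203.0.113.7 are constructed for illustration; the 192.168.0.x addresses are the ones listed in the first post.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")  # private subnet from the first post

# Constructed policy: ports the router admits from the Internet. Empty here,
# so FTP (21) is blocked at the outside edge, as in the post's example.
ROUTER_INBOUND_ALLOWED = set()

# Constructed per-host firewall rules: port -> networks allowed to connect.
# None means the host firewall is switched off (everything is accepted).
HOST_RULES = {
    "192.168.0.100": {21: [ip_network("0.0.0.0/0")], 445: [LAN]},
    "192.168.0.101": None,  # a client with Windows Firewall = OFF
}


def reachable(src, dst, port):
    """Return (verdict, reason) for a new TCP connection src -> dst:port."""
    src_ip = ip_address(src)
    # Layer 1: the router only sees traffic that crosses the Internet edge.
    if src_ip not in LAN and port not in ROUTER_INBOUND_ALLOWED:
        return False, "dropped at router edge"
    # Layer 2: the host firewall sees every connection, LAN or Internet.
    rules = HOST_RULES.get(dst)
    if rules is None:
        return True, "host firewall off"
    if any(src_ip in net for net in rules.get(port, [])):
        return True, "allowed by host firewall"
    return False, "dropped at host firewall"


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "192.168.0.100", 21),     # on the road, FTP to server
        ("192.168.0.102", "192.168.0.100", 21),   # at home, FTP to server
        ("192.168.0.103", "192.168.0.101", 3389), # LAN peer, firewall-off client
        ("192.168.0.103", "192.168.0.100", 3389), # LAN peer, filtered server
    ]
    for src, dst, port in cases:
        print(src, "->", f"{dst}:{port}", reachable(src, dst, port))
```

The last two cases show the difference a host firewall makes inside the LAN: with it off, any port a client listens on is reachable from every other machine behind the router.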

Hi,

1) Regarding the decision for your three clients to point their DNS requests to the router DNS service: in your case (home environment) it is normal, easier and fast.

2) If you want to use your server as DNS server too, then you need to properly configure the service.

3) For your Win firewall, well, with a bit of work you should configure any firewall without the need to switch it off.

4) The router already protects your LAN from external intrusion (thanks to the NAT service and a firewall if one is provided) but there are common techniques to bypass those protections. The most common issue can be a Trojan horse that can silently open many ports from the inside of your LAN... so in this case a simple soft firewall, better than the MS Win one, can detect those types of attempts. But at home level it really depends on how you use the PC, especially surfing on the internet, and how much experience you have with IT stuff.

I say the less experience you have with computers, the better it is to raise common home defenses. Especially against viruses then hackers.

regards,

nolo
