What is the extent of a malware threat on a small network?

[[L.]]

Hi Folks

I'm thinking of setting up a small network with my work PCs and the PC
my kids use.

However I'm a bit apprehensive about the possibility that the kids PC
would get infected by some malware (let's say that they are a little
more promiscuous in their SW practices than I am) and damage my work
PCs.

On the other hand, the kids need access to my printers.

What I was thinking to do was to set up a network where their PC could
only access the printers on my work PCs, but not any of the folders or
drives.

Would you think that a virus or other malware could still travel and
infect my PC?

All PCs are protected by either KAV (the work PCs) or mcafee (the
kids).

TIA for all your advice

Lorenz

 

[Conor]

Hi Folks

I'm thinking of setting up a small network with my work PCs and the PC
my kids use.

However I'm a bit apprehensive about the possibility that the kids PC
would get infected by some malware (let's say that they are a little
more promiscuous in their SW practices than I am) and damage my work
PCs.

On the other hand, the kids need access to my printers.

What I was thinking to do was to set up a network where their PC could
only access the printers on my work PCs, but not any of the folders or
drives.

Would you think that a virus or other malware could still travel and
infect my PC?

All PCs are protected by either KAV (the work PCs) or mcafee (the
kids).

Most of the big exploits released in the past 18 months such as Sasser
etc have all had the capability to spread throughout a LAN even though
File and Printer sharing is not enabled.

 

[GSV Three Minds in a Can]

Hi Folks

I'm thinking of setting up a small network with my work PCs and the PC
my kids use.

However I'm a bit apprehensive about the possibility that the kids PC
would get infected by some malware (let's say that they are a little
more promiscuous in their SW practices than I am) and damage my work
PCs.

On the other hand, the kids need access to my printers.

What I was thinking to do was to set up a network where their PC could
only access the printers on my work PCs, but not any of the folders or
drives.

Would you think that a virus or other malware could still travel and
infect my PC?

Yes, it's possible (although not likely). Presumably the kids run as
administrators on their own PCs? If so they can probably get at the
hidden admin shares (C$ etc.) for your PC. You can disable those shares,
but only until you reboot. I'm not sure if you are more protected if the
kids don't actually have an account on your PC at all (and it may depend
on whether you are running XP Pro or something else).

If you are seriously worried buy the kids their own printer (what's
that, $100 or something?), or start teaching them safe hex. Personally
if your kids have infected PCs, I'd much rather =you= =were= suffering,
rather than just having the rest of the universe getting spammed.

 

[Tim McDaniel]

If you are seriously worried buy the kids their own printer (what's
that, $100 or something?)

I recently read of someone who, with effort in looking, was able to
buy printers (thereby including ink) on sale for less that the cost of
replacement ink, so he had about eight inkless printers in his garage.
In recent printer browsing, I saw a printer at a local discount
computer store for $20 with rebate -- though I strongly suspect it had
Windows-only drivers.

Given the cost of just one infection, I agree that getting the kids
their own printer and breaking the network link would be a good thing.

 

[[L.]]

If you are seriously worried buy the kids their own printer (what's
that, $100 or something?), or start teaching them safe hex. Personally
if your kids have infected PCs, I'd much rather =you= =were= suffering,
rather than just having the rest of the universe getting spammed.

Thanks all for the advice.

I do teach the kids safe hex. I also regularly check their pc for
"funny" stuff. But kids are kids, and which kid can resist the
temptation of loading a cd with this fantastic game that their best
mate just copied for them?

If yours can, they are better than mine.

Lorenz

 

[[L.]]

Given the cost of just one infection, I agree that getting the kids
their own printer and breaking the network link would be a good thing.

Good points everyone.

Lorenz

 

[GSV Three Minds in a Can]

I recently read of someone who, with effort in looking, was able to
buy printers (thereby including ink) on sale for less that the cost of
replacement ink,

You need to look at that carefully though - typically printers are sold
with special 'almost inkless' started cartridges .. just enough to keep
you going until the store opens the next day.

 

[GSV Three Minds in a Can]

Bitstring <[email protected]>, from the

I do teach the kids safe hex. I also regularly check their pc for
"funny" stuff. But kids are kids, and which kid can resist the
temptation of loading a cd with this fantastic game that their best
mate just copied for them?

If yours can, they are better than mine.

I solved that problem - I don't have any. 8>.

 

[Spalls Hurgenson]

Bitstring <[email protected]>, from the
wonderful person "[L.]" <[email protected]> said

Yes, it's possible (although not likely). Presumably the kids run as
administrators on their own PCs? If so they can probably get at the
hidden admin shares (C$ etc.) for your PC. You can disable those shares,
but only until you reboot. I'm not sure if you are more protected if the
kids don't actually have an account on your PC at all (and it may depend
on whether you are running XP Pro or something else).

As an aside, you can permanently disable the hidden administrative
shares that XP puts up by default. It's do it with all my computers
and have never had any problems but, as with all advice given here,
YMMV. It does, however, require you to muck about in the registry, so
be careful.

You need to open RegEdit and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

Create a new dword value (click EDIT on the menu, then NEW, then DWORD
VALUE) named :

AutoShareServer

(for servers) or:

AutoShareServer

(for workstations. I create both, just to be safe

The Value Data is 0 (that's a zero) in hex.

Make sure you typed everything correctly (and it's in the right
place), close RegEdit, and reboot. The shares should be gone
permanently

(to check, go to Control Panel->Administrative Tools->Computer
Management->click on the Shared Folders, then Shares. The only thing
that should be there is IPC$ and any folders or printers you purposely
shared. If C$ (or D$, or E$, depending on how many hard drives you
have) shows up, you mistyped the DWORD values.

You can also temporarily disable the hidden administrative shares here
but, as GSV pointed out, doing so makes them re-appear on next boot. )

 

[NormanM]

I'm thinking of setting up a small network with my work PCs and the PC
my kids use.

However I'm a bit apprehensive about the possibility that the kids PC
would get infected by some malware (let's say that they are a little
more promiscuous in their SW practices than I am) and damage my work
PCs.

On the other hand, the kids need access to my printers.

What I was thinking to do was to set up a network where their PC could
only access the printers on my work PCs, but not any of the folders or
drives.

Would you think that a virus or other malware could still travel and
infect my PC?

All PCs are protected by either KAV (the work PCs) or mcafee (the
kids).

TIA for all your advice

Get a router with a print server. Set up all computers without "File and
printer sharing for Microsoft Networks". Don't install "Client for Microsoft
Networks" either. Install the router, and install the print server software
on each computer. The printer is shared, no other shares are available on
the network.

But that will only minimize your exposure somewhat. Worms which look for RPC
and DCOM exploits can still be threat. You will need disable any, and all
network services besides the ones already mentioned. You might also want to
explore subnetting. Disable DHCP in the router, and assign each computer an
IP address manually. By assigning an appropriate subnet mask, you can divide
up the computers onto smaller subnets which won't, normally, be mutually
visible.

And remain ever vigilant. Frankly, I wouldn't keep anything important on a
computer on the same side of the router as the kids' computers. No online
banking, nothing at all like that. Keep the household finances on an
isolated computer.

 

[Jafo]

Get a router with a print server...

You might also want to explore subnetting. Disable DHCP in
the router, and assign each computer an IP address manually.
By assigning an appropriate subnet mask, you can divide up
the computers onto smaller subnets which won't, normally,
be mutually visible.

Bear with me here, because I've always had a little trouble
with the concept and the mechanics of subnetting: Would the
computers on the various subnets *all* be able to see the print
server? And if "yes", would they all also be able to see a
printer on a separate print server that's not a physical part
of the router?