IT Baseline Protection Manual S 2.68 Implementation of security checks by the peer-to-peer network users
S 2.68 Implementation of security checks by the peer-to-peer network users
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT-user
As the major security measures in a Peer-to-Peer network can only be checked on a decentralised basis, the users are responsible for implementing security checks of this kind. The following checks should thus be carried out by the users at appropriate intervals:
Checking active connections: Using the program Network Monitor (in the program group NETWORK) under WfW, it is possible to check which computer currently has access to the user's own computer and what the nature of this access is. The program can be optionally installed in the program group ACCESSORIES, sub-menu SYSTEM PROGRAMS under Windows 95, or the control panel option "Server" under Windows NT.
For example:
In the event that unauthorised access by a computer to a directory or the printer is displayed, share is to be withdrawn. Any pending printing jobs can be interrupted using the print manager. The various actions are documented in the event protocol (see next illustration). In the event of unauthorised access to the output file, this should also be interrupted. It is recommended, however, to copy the contents of the window of the Network Monitor to the clipboard with the Print key as access to the output file is not documented.
Checking the protocol data: In the event that resources have been shared on a computer, the event protocol should be activated (in the program group CONTROL PANEL under Network for WfW, or in the program group ADMINISTRATION under User-Manager for Windows NT) and assessed on a regular basis (in the program group NETWORK under Network Monitor for WfW or in the program group CONTROL PANEL under Events for Windows NT). Windows 95 offers no standard procedure for logging events. Therefore, under Windows 95, the Network Monitor absolutely must remain open in case Peer-to-Peer functions need to be carried out despite this weakness.
It should be checked on a weekly basis, for example, whether unauthorised users accessed shared directories, whether there were errors in accessing shared directories or whether the system was started at unusual times. As these protocol data also contain person-related data, they should be deleted after assessment if storage is no longer required.
Example for a possible incident protocol:
Checking automatically shared resources: WfW and Windows 95 users should check on a random basis which of their resources are automatically shared after start-up of the system without their direct participation (for example, by checking after start-up which directories, printers and pages of the output file are then shared). If necessary, this share should be withdrawn. Inexplicable irregularities, such as the automatic sharing of a directory which the user himself did not share, should be reported to the administrator. These could be indications of Trojan horses which share directories without being detected. Should the user not be sure whether or what was shared, the file shares.pwl under WfW should be deleted, which contains the entries for automatic sharing. Under Windows 95, shares can be deleted with the help of the Explorer. This problem will not arise under Windows NT since only administrators can share resources.
A check of the allocation of rights is not possible in a Peer-to-Peer network directly as the person who knows the valid password also has the relevant rights. Only by using the complicated password change process can a consistent distribution of rights be ensured.