IT Baseline Protection Manual S 3.19 Instructions concerning the correct use of the security functions in Peer-to-Peer networks
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
Instructions concerning the correct use of security functions are particularly important in Peer-to-Peer networks under WfW and Windows 95, where the users themselves have to carry out security tasks. Each user must therefore be trained in advance regarding the following points:
Data exchange using shared directories
The user must be trained in the correct sharing of resources and the correct cancellation of directory sharing. Particular emphasis should be placed on the possibility of concealing shared directories or printers by appending the character "$" to the share name, so that the share does not appear in the browse lists of other computers. Note that this only hides the share: anyone who knows the name can still connect to it, so a hidden share needs the same access rights and password protection as a visible one. It should be pointed out that the incentive for attacks is reduced if share names are used which give no information on the contents, and if resources are only shared for as long as they are actually required.
The meaning of the options offered when sharing directories or printers, or when connecting to them, should be made clear, and the settings to be used should be pointed out:
Users of Windows 95 and Windows NT must note that every share, once enabled, remains in effect across restarts until it is explicitly cancelled.
The names of the access rights under WfW and Windows 95 are not self-explanatory and have to be explained:
Under Windows 95, if access control is implemented at the user level (which requires a Windows NT or NetWare server to validate the user names), the rights that can be granted to a user are "Read-Only" ("write-protected access"), "Full Access" ("all access rights") and "Custom" ("user-defined"). Users must be told that directories should never be shared with "Full Access"; ideally, "Custom" rights limited to reading and writing are granted to other users, without the rights to delete files or to change the access control.
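The training rules above can be turned into a check that an administrator runs over an inventory of the shares on a machine. The following is an added example and not part of the BSI text; the inventory record (ShareRecord), the rights vocabulary modelled on the Windows 95 user-level dialog ("Read-Only", "Full Access", "Custom" with named rights) and the sample shares are all assumptions constructed for this illustration. The "$" convention for hiding shares still applies to current Windows versions, so the same checks generalise beyond WfW and Windows 95.

```python
"""Audit a peer-to-peer share inventory against the S 3.19 training rules.

Added example; the record format and rights names are assumptions modelled on
the Windows 95 user-level sharing dialog, not an official export format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Custom rights the measure recommends granting to other users (read/write only).
READ_WRITE_RIGHTS = {"read files", "write to files", "list files"}


@dataclass
class ShareRecord:
    name: str                          # share name as seen by other users
    path: str                          # local directory being exported
    access: str                        # "Read-Only", "Full Access" or "Custom"
    custom_rights: Set[str] = field(default_factory=set)  # only used for "Custom"
    last_used: Optional[date] = None   # last connection seen, e.g. via Net Watcher


def is_hidden(name: str) -> bool:
    """A trailing '$' keeps the share out of the browse list (it does not restrict access)."""
    return name.endswith("$")


def name_reveals_content(name: str, path: str) -> bool:
    """True if the share name is simply one of the directory components of the path."""
    stem = name.rstrip("$").lower()
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    return stem in parts


def audit_share(share: ShareRecord, today: date, max_idle_days: int = 14) -> List[str]:
    """Return the list of findings for one share (empty list = compliant)."""
    findings: List[str] = []
    access = share.access.lower()
    if access == "full access":
        findings.append("Full Access granted; share with Custom rights (read/write) instead")
    elif access == "custom":
        extra = {r.lower() for r in share.custom_rights} - READ_WRITE_RIGHTS
        if extra:
            findings.append("Custom rights exceed read/write: " + ", ".join(sorted(extra)))
    if not is_hidden(share.name):
        findings.append("share is visible in the browse list (no trailing $)")
    if name_reveals_content(share.name, share.path):
        findings.append("share name reveals the directory it exports")
    if share.last_used is not None:
        idle = (today - share.last_used).days
        if idle > max_idle_days:
            findings.append(f"unused for {idle} days; cancel the share")
    return findings


def audit(shares: List[ShareRecord], today: date, max_idle_days: int = 14) -> List[Tuple[str, str]]:
    """Flatten the findings of all shares into (share name, finding) pairs."""
    return [(s.name, f) for s in shares for f in audit_share(s, today, max_idle_days)]


# Constructed inventory for the illustration (not real data).
SAMPLE_SHARES = [
    ShareRecord("PAYROLL", r"C:\ACCTS\PAYROLL", "Full Access", last_used=date(1998, 3, 2)),
    ShareRecord("X1$", r"C:\ACCTS\PAYROLL", "Custom",
                {"read files", "write to files"}, date(1998, 3, 30)),
    ShareRecord("TMP$", r"C:\TMP", "Custom",
                {"read files", "delete files", "change access control"}, date(1998, 1, 5)),
]

if __name__ == "__main__":
    for share_name, finding in audit(SAMPLE_SHARES, date(1998, 4, 1)):
        print(f"{share_name}: {finding}")
```

In the sample, "PAYROLL" is flagged four times (Full Access, visible, name reveals content, unused for 30 days), "TMP$" is flagged for its excess custom rights, its revealing name and 86 days without use, and "X1$" passes. The idle threshold is a policy choice; the measure only says "as long as required".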
Awareness of security
The user should be instructed in the security-relevant checks he must carry out himself. He must also be informed of how the network monitor (Net Watcher, which shows which users are connected to the local shares and which files they have open) and the logging functions are to be used.
The use and exchange of passwords should be explained in accordance with the security strategy; with share-level access control in particular, the share password has to be passed on to every user who needs the resource, and the way this is done must be agreed.
Under WfW and Windows 95 the user must be informed that
passwords for access to resources on other computers are stored in the file [username].pwl (the password list) whenever the option to save the password is chosen when connecting,
under WfW the resources of other WfW computers are recorded in the file connect.dat; these connections are restored automatically when WfW is started,
the user's own shared resources are recorded in the file shares.pwl and are shared again automatically at start-up.
These files can be deleted by the user without impairing system integrity; the only effect is that the saved passwords, connections and shares have to be entered again once. Deletion is particularly sensible for the file [username].pwl if passwords have been saved by mistake. Users should also be told that the password list is protected only by a key derived from their logon password, so anyone who obtains the file together with that password obtains every password cached in it.
In the event that name conventions exist for the computers and users in the network, the users should be informed of these and any names which have already been allocated.
Additional controls:
Have all users of the WfW or Windows 95 network been sufficiently trained?
Are certain aspects of the awareness training repeated at irregular intervals?