S 4.58 Sharing of directories under Windows 95

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

For every computer running under Windows 95, a decision is required as to whether individual peer-to-peer functions should be enabled or disabled. For this purpose, file and printer functions can be enabled or disabled on an individual basis via the system guidelines under the menu item Control panel / Network / File and Printer Sharing. After that, user access to this option must be revoked.

If the file sharing is inactive, then the corresponding File Manager / Explorer functions are not available, although it is still possible to establish links with directories on other computers.

When configuring a Windows-for-Workgroups computer, the administrator also needs to consider the following points:

• By means of the system guidelines under Windows 95, unauthorised persons must be prevented from changing user names and computer names.

• The default setting "Save password in list " is to be deactivated on the appropriate menu.

• Computer and user names are to be assigned in accordance with organisational specifications. By means of the system guidelines, unauthorised persons must be prevented from changing user names and computer names.

• During the use of Schedule+, the right granted by default to view open and assigned time blocks must be deactivated for all unauthorised WfW users. Otherwise every user at the same post office will be able to view individual appointments in the time schedule.

If a post office is configured for use by several persons for the purpose of communications or joint appointment scheduling, a corresponding data backup should be performed at appropriate time intervals. This is required to prevent inadvertent or intentional deletion of the post office, which is not protected automatically under WfW.

Under Windows 95, it is possible to configure a remote administrative function which allows administrators to access individual workstations via the network. Before this option is activated, a check must be made as to whether it conflicts with the safety objectives of the organisation.

Activation of the remote administration function gives rise to the following threats:

• It is possible for unauthorised persons to try out IDs and passwords for this function

• an administrator can secretly access users' computers at any time.

If this feature for facilitating workstation management is required, a decision must be made as to whether administrators should use the same password for all workstations under their jurisdiction. A single password is easier to remember but, if detected, would allow intruders to access all workstations.

Additional controls:

• Is there any documentation indicating which directories on which computers have been shared for network access?

• Is the existing share profile adapted to changes in operational conditions?

• Is there any documentation indicating the computers on which remote administration has been configured?