What Do We About Security?

  • Question

  • My WHS is set up and is working fine after many Password issues. Now I want to set up the Remote capability. I use RoboForm as my PWord organizer. And just clicked on my logon page for my router from a remote location, not on my home LAN. And BAM the router page opened up giving me access to the whole Kingdom. Nice but kinda scary, I've never attempted to get in before. Is the only thing keeping intruders out a Password? I'm sure it is so I better get a better one. After the ports are forwarded from the WHS to the router does this open the door to the rest of the LAN?

    What is the best way to secure my LAN and still have remote access? It seems to me I've read about putting one PC behind a router on the LAN and the rest of the LAN behind another router. In some way isolating the 2nd PCs. Does this make sense?

    Friday, March 9, 2007 4:47 PM

Answers

  • I'm not sure I fully understand all of your comments, but I'll try to get you on the right track.

    If you are able to connect to your router remotely, you need to disable this now.  There is a setting on the router that disables remote administration.

    Next, you need to configure your router to pass connections on TCP ports 443 and 4125 to your WHS server. This is called port forwarding. D-Link routers call it 'Virtual Server'. (Port 80 for HTTP is optional, but if you use HTTP for remote access, the communications are not encrypted, so I wouldn't open it up.) The WHS server will need to be assigned a static IP address before you can do this.

    Disable remote access for all of your WHS accounts except one. Put a really strong password on it because that is your primary line of defense. (Yes, that will be the only thing that keeps intruders out.) Adding layers of access control (secondary routers) theoretically makes your network more secure, but in reality it all boils down to password complexity: long with a mix of upper/lower case and numbers/symbols. One strong password beats two weak ones.

    Friday, March 9, 2007 5:48 PM
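
One way to confirm from outside the LAN that only the forwarding described in this answer is exposed, as an added example that is not part of the original thread. Treating port 8080 as a router remote-administration port is an assumption, as are the function names; run it against your own public address only.

```python
import socket

# Policy from the answer above: forward only TCP 443 and 4125 to the WHS server.
EXPECTED_OPEN = {443, 4125}
# Port 80 is the one the answer advises leaving closed. 8080 is an assumed
# example of a port a router might use for remote administration.
MUST_BE_CLOSED = {80, 8080}


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or unreachable all count as "not exposed".
        return False


def audit(open_ports):
    """Compare the reachable ports with the policy and return the findings."""
    findings = []
    for port in sorted(MUST_BE_CLOSED & set(open_ports)):
        findings.append(f"port {port} is reachable but should be closed")
    for port in sorted(EXPECTED_OPEN - set(open_ports)):
        findings.append(f"port {port} is not reachable; forwarding is incomplete")
    return findings


def check_host(host, timeout=2.0):
    """Probe every port named in the policy on host and audit the result."""
    ports = EXPECTED_OPEN | MUST_BE_CLOSED
    reachable = {p for p in ports if is_open(host, p, timeout)}
    return audit(reachable)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposure.py <your-public-address>")
    problems = check_host(sys.argv[1])
    print("\n".join(problems) if problems else "exposure matches the policy")
```

The result is only meaningful when the script runs from a connection outside the home network, since a check from inside the LAN does not pass through the router's WAN-side forwarding rules.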

All replies

  • Hi Ron,

    As most will tell you, once you have the keys to the treasure chest you can get everything. With this said I would first change your password to contain other characters like @$%& etc.

    Your idea for putting your other computers behind another router is a good idea since the system will only show one other computer that's connected. The bad thing is that WHS will still know where they are and how to talk to them, if they're set up on the server. It'll make the intruder work more to find the other computers, but in the long run, once someone gets the user name and password for the admin account, it's time to change both.

    Once I get more time, I'll post what I found for holes in the software (meaning that I can take control of WHS and change the admin password without knowing user name)

    Friday, March 9, 2007 5:33 PM
  • Thanks, I logged in and checked and the remote access was not enabled so I'm not sure why I was able to get in. I logged in remotely several times before just to be sure it was letting me in. I used a PWord generator and changed to a strong PWord and now I'm unable to get in. But now I can't change anything on the router either. Oh well I can set up port forwarding tomorrow when I'm back on my LAN.
    Friday, March 9, 2007 7:07 PM