I have a total of three PCs going through a router and I often use them to share files etc, but due to a recent virus attack I would like to isolate one of the PCs from the network so that it can't spread viruses etc through the network.

I'm guessing that once isolated it should still be able to use the printer (which is also plugged into the router) and continue to access the internet as well.

Any help would be much appreciated.

Thanks for the reply.

What I meant was that it no longer has the ability to send/receive information to the other computers as it did when I had the recent virus problem. I've tried to change the workgroup but it still seems to be able to see/view/change the other computers' information.

Hope this clears up what I mean!

  popisdead uk said:
Take it out of the same domain/workgroup. That will stop it sharing files

And where did you get that tidbit of misinformation from??

What workgroup you're in has NOTHING to do with file sharing, and to be honest neither does the domain really -- as long as you auth to the machine with a valid account you can access resources. A domain just makes it easier to give permissions since there is a central userbase.

And this clearly does not isolate the machine from possible viruses or exploits to the ports they are listening on, ie the file sharing ports, etc. Not having a valid account to auth with will not always protect you from a virus/exploit - but it will protect you from that machine's virus infecting every file it has permission to, depending on what account it's logged in as, etc.

So blocking the account the other machine logs in with from having file share access would provide some minor protection. But if using SFS, that's not possible -- would need to have pro with the ability to give different accounts different access to files/shares, etc. But that would not protect you from an exploit using the file sharing ports, etc.

If your router does not allow you to set up vlans and put access control lists between them, then you're going to need to run software firewalls on the machines or put them behind a nat compared to the other machine. You would then need to do a port forward to allow printer access. Quite often this is port 9100, it would depend exactly how you're sharing your printer - be it connected to a machine or on a stand alone printer server device, or if the printer has its own network card, etc.

Treating a machine(s) as hostile on the same local network is what software firewalls are good for! If you run software firewalls on your machines -- just use them to block access from that one machine.

One way as mentioned to put a line of protection between that machine and your other machines is to put the other machines behind another nat router.

example layout;

[attached image: example layout]

But I would REALLY NOT suggest this -- since the double nat comes with quite a few of its own headaches. Your best bet is to get a router that supports lan to lan firewall rules. There are few out there -- but not recalling any model numbers off the top of my head.. Would have to look around for one that does -- but they are out there for sure. What router do you have now?

Believe me -- I would love to get off the soapbox about FUD -- but it seems no matter how many times you state FACT and discredit FUD, it still manages to stay around. And the misconceptions about what a workgroup is and does just never seem to go away -- Arrrghhh ;)

I would love to know what you thought the question was asking -- that suggesting a different workgroup or domain would isolate it.

  technics said:
I have a total of three PCs going through a router and I often use them to share files etc, but due to a recent virus attack I would like to isolate one of the PCs from the network so that it can't spread viruses etc through the network.

I'm guessing that once isolated it should still be able to use the printer (which is also plugged into the router) and continue to access the internet as well.

Any help would be much appreciated.

So you want to stop computer (1) from giving its virus to computers (2) and (3) on the network, but still want it to spread the virus to the internet?

You do know they make good FREE anti-virus software don't you? Right here on Neowin.

  BudMan said:
Believe me -- I would love to get off the soapbox about FUD -- but it seems no matter how many times you state FACT and discredit FUD, it still manages to stay around. And the misconceptions about what a workgroup is and does just never seem to go away -- Arrrghhh ;)

I would love to know what you thought the question was asking -- that suggesting a different workgroup or domain would isolate it.

I honestly don't know mate. It was early this morning when I read it. I think I thought he meant, .... I have no idea. Really.

If I had read it properly I would have seen what he was trying to do, and I would have ignored it.

Follow up: Router that supports lan to lan firewall rules, yes I know this model is EOL, but it's an example of what I was talking about with lan to lan rules on a home priced router.

[attached image]

Also if your router will run dd-wrt or openwrt you can set up vlans and use iptables to deny specific traffic between the vlans, etc. Not sure if tomato can do this?

So you can accomplish what you want fairly simply with home priced network equipment to be sure. I do not believe the current web ui to dd-wrt supports lan to lan firewall rules? But can be done from the command line after a bit of reading for sure. Or I do believe you can run firewall builder on it. http://www.dd-wrt.com/wiki/index.php/Firewall_Builder which would give you a gui in building your rules.

Another option would be to run a linux distro as your router, ipcop I know allows for multiple segments and then rules between them. Any of the router distros should be able to do something as basic as this.

What I would suggest, if your current router does not support either dd-wrt or lan to lan rules, is -- since you would need to buy another router to use the double nat method anyway -- to purchase one that allows for lan to lan filtering, or one that supports 3rd party firmware that will allow you to do it.

Thanks for that.. (just going out atm and will read your post when I return)

I just had a quick idea, which is probably very silly but thought I might ask anyway. Would disabling/removing file and printer sharing for Microsoft networks in the local area connection properties help solve the problem I'm having?

On which machine? On the machine you're worried about, or the other machines? If you turn off file and print sharing on the machine you're saying is hostile -- that does not prevent some type of infection from doing anything -- just that it would not be able to use the built in file and print sharing to do it.

But without knowing exactly which infection you're looking to protect against.. You would need to understand its method of spreading to know if that could stop it.

Now doing it on the 3 other machines would prevent them from listing, and or anything from accessing file shares, etc.. EVEN yourself for your legit use, etc.. It's a pretty harsh fix -- and this does not mean that they would still be safe from any type of infection the other machine might pick up that uses say a rpc exploit, to compromise the other machines.

You need to isolate the friendly machines from the hostile machine. This can be done with firewalls on each of the friendly machines, or with firewall between them (the lan to lan rules example) or by putting the friendly machines behind a nat to the network the hostile machine is on, etc. etc.
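
The VLAN-plus-iptables option raised in the thread for dd-wrt/openwrt, as an added example that is not part of any post or of either firmware project: a dry-run generator for the three FORWARD rules that let a quarantined segment reach only the printer port on the trusted LAN. It assumes the hostile PC's switch port has already been moved to its own VLAN and subnet (hosts on the same bridge are switched, not routed, so the router's FORWARD chain never sees their traffic); the names `vlan3`, `br0` and `192.168.1.50` are placeholders for your own interfaces and printer address.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, FORWARD-chain
# rules that fence a quarantined VLAN off from the trusted LAN.
# Assumed names: vlan3 = quarantined port, br0 = trusted LAN bridge,
# 192.168.1.50 = network printer on the trusted LAN, listening on 9100/tcp.

isolation_rules() {
    q_if=$1; lan_if=$2; printer_ip=$3; printer_port=${4:-9100}

    # The output is meant to be pasted into a root shell, so reject anything
    # that is not a plain interface name, dotted-quad address or port number.
    for ifname in "$q_if" "$lan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    case $printer_ip in
        ''|*[!0-9.]*) echo "bad printer address" >&2; return 1 ;;
    esac
    printf '%s\n' "$printer_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "bad printer address" >&2; return 1; }
    case $printer_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    [ "$printer_port" -ge 1 ] && [ "$printer_port" -le 65535 ] || {
        echo "port out of range" >&2; return 1; }

    # Inserted at positions 1-3 so they are evaluated before the firmware's
    # own FORWARD rules (first match wins):
    #  1. replies from the LAN to connections the quarantined host opened
    #  2. new connections from the quarantined host to the printer port only
    #  3. every other packet from the quarantined VLAN to the LAN is dropped
    # Quarantine-to-WAN traffic is left to the firmware's existing rules.
    cat <<EOF
iptables -I FORWARD 1 -i $lan_if -o $q_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $q_if -o $lan_if -p tcp -d $printer_ip --dport $printer_port -j ACCEPT
iptables -I FORWARD 3 -i $q_if -o $lan_if -j DROP
EOF
}

# Dry run with the assumed values; review the output before running it as root.
isolation_rules vlan3 br0 192.168.1.50 9100
```

These rules cover only traffic routed between the two segments; access from the quarantined VLAN to the router itself goes through the INPUT chain and is not handled here.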
